Created on 12-14-2007 12:00 AM Edited on 07-06-2022 09:12 AM By Anonymous
Article
This article describes the behaviors of Differentiated Services Code Points (DSCP) for traffic between two computers through an IPSec tunnel provided by two FortiGate units.
Information
Differentiated Services describes a set of end-to-end Quality of Service (QoS) capabilities. End-to-end QoS is the ability of a network to deliver service required by specific network traffic from one end of the network to another. By configuring differentiated services, you configure your network to deliver particular levels of service for different packets based on the QoS specified by each packet.
Differentiated Services (also called DiffServ) is defined by RFC 2474 and 2475 as enhancements to IP networking to enable scalable service discrimination in the IP network without the need for per-flow state and signaling at every hop. Routers that can understand differentiated services sort IP traffic into classes by inspecting the DS field in IPv4 header or the Traffic Class field in the IPv6 header.
You can use the FortiGate Differentiated Services feature to change the DSCP (Differentiated Services Code Point) value for all packets accepted by a policy. The network can use these DSCP values to classify, mark, shape, and police traffic, and to perform intelligent queuing. DSCP features are applied to traffic by configuring the routers on your network to apply different service levels to packets depending on the DSCP value of the packet.
If the differentiated services feature is disabled, FortiGate units treat traffic as if the DSCP value is set to the default (00), and do not change IP packets' DSCP field. DSCP values are also not applied to traffic if the traffic originates from a FortiGate unit itself.
When applying both a DSCP value and IPSec encryption, FortiGate units apply the DSCP value to the differentiated services (formerly TOS) field in the first word of the IP header, for both the original IP packet and the encapsulating IPSec packet. The typical first word of an IP header, with the default DSCP value, is 4500:
- 4 for IPv4
- 5 for a length of five words
- 00 for the default DSCP value
The IPSec packet's DSCP field can be changed for traffic initiating a session (forward) or for reply traffic (reverse). Each direction can be separately enabled and configured in the firewall policy.
Note: Changes to DSCP values in a firewall policy affect only new sessions. If traffic must use the new DSCP values immediately, clear all existing sessions.
Example:
In this example, an ICMP ping is executed between PC A and PC B. DSCP is disabled on FortiGate B, and FortiGate A contains the following configuration excerpts:
config system interface
    edit "to_fgt_B"
        set vdom "root"
        set ip 10.222.221.2 255.255.255.255
        set type tunnel
        set remote-ip 10.222.221.1
        set interface "wan1"
    next
end
config router static
    edit 0
        set device "to_fgt_B"
        set dst 10.161.0.0 255.255.254.0
    next
end
config vpn ipsec phase1-interface
    edit "to_fgt_B"
        set interface "wan1"
        set localid "fgt_A"
        set dpd enable
        set nattraversal enable
        set proposal 3des-sha1 3des-md5
        set remote-gw 10.145.0.75
        set psksecret ENC
    next
end
config vpn ipsec phase2-interface
    edit "phase2_to_fgt_B"
        set pfs enable
        set phase1name "to_fgt_B"
        set proposal 3des-sha1 3des-md5
        set replay enable
    next
end
config firewall policy
    edit 0
        set srcintf "wan2"
        set dstintf "to_fgt_B"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
        set diffserv-forward enable
        set diffserv-reverse enable
        set diffservcode-forward 101110
        set diffservcode-rev 101101
    next
end
The binary DSCP values in this configuration map to the following hexadecimal TOS field values, which can be observed with a sniffer (packet capture tool, also known as a packet tracer):
- DSCP 000000 is TOS field 0x00
- DSCP 101101 is TOS field 0xb4
- DSCP 101110 is TOS field 0xb8, the recommended DSCP value for expedited forwarding (EF)
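As an added example (not part of the Fortinet article), the following Python script builds and decodes the first 16-bit word of an IPv4 header, so the 4500 default word and the DSCP-to-TOS mapping above (0x00, 0xb4, 0xb8) can be checked against a sniffer trace; the inner/outer sniffer words it compares are constructed for illustration.

```python
# Added example: decode and build the first word (version, IHL, TOS/DS byte)
# of an IPv4 header as shown by a sniffer, e.g. "4500" for the default DSCP.
# The DSCP strings use the six-bit form of diffservcode-forward/-rev.

def dscp_to_tos(dscp_bits: str) -> int:
    """Map a 6-bit DSCP string such as '101110' to the 8-bit TOS/DS byte.
    DSCP occupies the upper six bits; the two ECN bits are left at 0."""
    if len(dscp_bits) != 6 or set(dscp_bits) - {"0", "1"}:
        raise ValueError(f"DSCP must be six binary digits, got {dscp_bits!r}")
    return int(dscp_bits, 2) << 2

def first_word(dscp_bits: str = "000000", ihl_words: int = 5) -> str:
    """Build the first header word as the 4-hex-digit string a sniffer shows:
    version 4, header length in 32-bit words, then the TOS/DS byte."""
    if not 5 <= ihl_words <= 15:
        raise ValueError("IHL must be between 5 and 15 words")
    return f"{(4 << 4) | ihl_words:02x}{dscp_to_tos(dscp_bits):02x}"

def decode_first_word(word_hex: str) -> dict:
    """Split a 4-hex-digit first word into version, IHL, TOS, DSCP and ECN."""
    value = int(word_hex, 16)
    tos = value & 0xFF
    return {"version": value >> 12, "ihl_words": (value >> 8) & 0xF,
            "tos": tos, "dscp": format(tos >> 2, "06b"), "ecn": tos & 0x3}

def dscp_copied_to_tunnel(inner_word_hex: str, outer_word_hex: str) -> bool:
    """True when the encapsulating IPsec packet carries the same DSCP as the
    inner packet, the behaviour the article describes for the FortiGate."""
    return (decode_first_word(inner_word_hex)["dscp"]
            == decode_first_word(outer_word_hex)["dscp"])

if __name__ == "__main__":
    # DSCP codes from the article's policy: forward 101110 (EF), reverse 101101.
    for code in ("000000", "101110", "101101"):
        print(code, "->", first_word(code))          # 4500, 45b8, 45b4
    # Constructed sniffer words: inner ping marked EF, outer ESP packet marked EF.
    print(dscp_copied_to_tunnel("45b8", "45b8"))     # True
```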
If you performed an ICMP ping between PC A and PC B, the following would illustrate the IP headers observed for the request and the reply by sniffers on each of FortiGate A's and FortiGate B's network interfaces. The rightmost two digits of each IP header are the TOS field, which contains the DSCP value.
Copyright 2024 Fortinet, Inc. All Rights Reserved.