FortiGate
fquerzo_FTNT
Article Id 190483
Description
This article describes how to apply CoS (802.1p) marking to the FortiGate's self-originated traffic.

Solution
CoS marking on FortiOS is configured per firewall policy.
Any traffic matching that policy is marked with the configured CoS value: vlan-cos-fwd applies to the policy's forward direction (source interface to destination interface) and vlan-cos-rev to the reply direction.

CoS marking has to be configured via the CLI on the specific firewall policy:
# config firewall {policy | policy6}
    edit <policy_id>
        set vlan-cos-fwd <int>
        set vlan-cos-rev <int>
    next
end
The accepted values are 0 (lowest priority) to 7 (highest); the default value 255 leaves the 802.1p priority untouched. CoS is the priority field of the 802.1Q VLAN header, so the marking is only visible on the wire when the marked frame leaves on a VLAN-tagged interface.
Firewall policies only apply to traffic transiting the VDOM. Traffic the FortiGate generates itself (DNS, NTP, FortiGuard updates, log forwarding and so on) does not match any firewall policy, so the per-policy setting above cannot mark it. In some cases CoS marking still has to be applied to this self-originated traffic.

It can be achieved with the following steps: the self-originated traffic is sent out of a NAT-mode VDOM through a transparent-mode VDOM, where it transits an ordinary firewall policy that carries the marking.

1) Configure two VDOMs on the FortiGate: one in transparent mode (TRANSPARENT_VDOM) and one in NAT mode (the root VDOM can be used).

2) Configure an inter-VDOM link between these two VDOMs. Do not configure IP addressing in this step.

3) Assign the port1 interface to the root VDOM.

4) Assign the WAN interface to TRANSPARENT_VDOM.

5) Place the root VDOM behind TRANSPARENT_VDOM, so that the root VDOM reaches the Internet through TRANSPARENT_VDOM. The network diagram should look like this:
LAN----root vdom-[inter vdom interface] --- [inter vdom interface]-TRANSPARENT_VDOM-----Internet_gateway
6) Assume the ISP has provided a static public IP address that has to be assigned to the FortiGate. With this setup, that public IP address is assigned to the inter-VDOM interface on the root VDOM; the TRANSPARENT_VDOM side of the link and the WAN interface carry no IP address.
Public IP address is x.y.z.5/30
Default gateway is x.y.z.6/30
The diagram with IP addressing should look like:
LAN---[port1:10.0.0.1/24]-root vdom-[inter vdom interface:x.y.z.5/30]---[inter vdom interface:no_ip_address]-TRANSPARENT_VDOM-[wan1:no_ip_address]---[x.y.z.6/30]-Internet_gateway
7) Create a firewall policy on TRANSPARENT_VDOM that allows traffic from the inter-VDOM link interface to the WAN interface.

8) Configure CoS marking on that firewall policy (vlan-cos-fwd and vlan-cos-rev, as shown above).

9) Switch to the root VDOM and configure a default route to x.y.z.6 via the inter-VDOM link, plus the policies from the LAN to the inter-VDOM link, in order to provide Internet connectivity for the LAN.

10) Make sure the root VDOM is the management VDOM, so that all self-originated traffic egresses from the root VDOM over the inter-VDOM link and is marked by the TRANSPARENT_VDOM policy on its way to the WAN interface.
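The whole procedure as one FortiOS CLI configuration, added here as a worked example; it is not part of the original article. It assumes FortiOS 6.x/7.x multi-VDOM syntax (older releases use `set vdom-admin enable` in place of `set vdom-mode multi-vdom`), the documentation addresses 203.0.113.5/30 and 203.0.113.6 standing in for the article's x.y.z.5/30 and x.y.z.6/30, an inter-VDOM link named vlink (FortiOS creates the interfaces vlink0 and vlink1 from it), an Ethernet-type link because one end sits in a transparent VDOM, a management IP of 192.168.100.1/24 for the transparent VDOM, and a CoS value of 5. Policy IDs and policy names are chosen for the example.

```fortios
# Before multi-VDOM mode is enabled there is no global/vdom split, so this runs directly.
config system global
    set vdom-mode multi-vdom
end
# Create the transparent-mode VDOM (root already exists).
config vdom
    edit TRANSPARENT_VDOM
    next
end

config global
    # Step 2: inter-VDOM link; FortiOS creates vlink0 and vlink1.
    # Ethernet type is an assumption, chosen because the far end is a transparent VDOM.
    config system vdom-link
        edit vlink
            set type ethernet
        next
    end
    # Steps 3, 4 and 6: interface-to-VDOM assignment. Only the root side of the link
    # carries an IP (the article's x.y.z.5/30); vlink1 and wan1 stay unnumbered.
    config system interface
        edit port1
            set vdom root
            set ip 10.0.0.1 255.255.255.0
            set allowaccess ping https ssh
        next
        edit vlink0
            set vdom root
            set ip 203.0.113.5 255.255.255.252
            set allowaccess ping
        next
        edit vlink1
            set vdom TRANSPARENT_VDOM
        next
        edit wan1
            # clear any existing IP address on wan1 before moving it
            set vdom TRANSPARENT_VDOM
        next
    end
    # Step 10: self-originated traffic leaves from the management VDOM,
    # which must be root so the TRANSPARENT_VDOM policy sees and marks it.
    config system global
        set management-vdom root
    end
end

config vdom
    edit TRANSPARENT_VDOM
        # Step 1: switch this VDOM to transparent mode (manageip is mandatory here;
        # the address is an assumption for out-of-band management).
        config system settings
            set opmode transparent
            set manageip 192.168.100.1 255.255.255.0
        end
        # Steps 7 and 8: allow vlink1 -> wan1 and mark both directions with CoS 5.
        config firewall policy
            edit 1
                set name "vlink-to-wan-cos"
                set srcintf "vlink1"
                set dstintf "wan1"
                set srcaddr "all"
                set dstaddr "all"
                set action accept
                set schedule "always"
                set service "ALL"
                set vlan-cos-fwd 5
                set vlan-cos-rev 5
            next
        end
    next
    edit root
        # Step 9: default route to the ISP gateway (x.y.z.6) out of the inter-VDOM link.
        config router static
            edit 1
                set gateway 203.0.113.6
                set device vlink0
            next
        end
        # LAN-to-Internet policy; source NAT uses the public IP on vlink0.
        config firewall policy
            edit 1
                set name "lan-to-internet"
                set srcintf "port1"
                set dstintf "vlink0"
                set srcaddr "all"
                set dstaddr "all"
                set action accept
                set schedule "always"
                set service "ALL"
                set nat enable
            next
        end
    next
end
```

To check the result, confirm the management VDOM from the global context with `get system global | grep management-vdom`, then capture egress frames in TRANSPARENT_VDOM with `diagnose sniffer packet wan1 'host 203.0.113.6' 6 5`; verbose level 6 prints the Ethernet header, where the 802.1Q tag and its priority bits would appear. If wan1 is untagged there is no 802.1Q header to carry the priority, in which case the destination of the marking policy should be a VLAN subinterface on wan1 inside TRANSPARENT_VDOM rather than the physical port.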
