FortiGate
AlexC-FTNT (Staff)
Article Id 210762
Description
This article provides some examples regarding the use of TOS and DSCP code forwarding in a firewall policy.

It expands on the article available here.

Scope
Understanding basic scenarios regarding traffic prioritization in FortiGate.
Solution
ToS/DSCP: the 8-bit ToS field in the IP header = 6-bit DSCP + 2 bits that are unused for marking.

The DSCP code is a 6-bit identification code used to prioritize the traffic.

The standard DSCP code points are not vendor-specific; another article describes these codes in more detail.

FortiGate handles DSCP markings in a few places:
- Firewall policies (described in this article).

- Firewall traffic-shaper.

- Firewall shaping-policy.

All three marking settings can be applied to the same traffic.

Priority is as follows:

- Firewall policy (lowest priority).

- Traffic shaping-policy overrides firewall policy.

- Traffic-shaper overrides both the traffic shaping-policy and the firewall policy.

The firewall policy only handles the marking (allow it, deny it, or change it).
The traffic shaper / shaping policy is what actually prioritizes the traffic (dropping packets if needed).
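The following Python is an added example, not code from the Fortinet article: it splits an IPv4 ToS byte into the 6-bit DSCP and the 2 remaining bits, reads the DSCP from a constructed IPv4 header, and resolves which DSCP mark wins when a firewall policy, a shaping policy and a traffic shaper all set one, using the override order stated above (the function names and the sample header are assumptions).

```python
# Added example (not from the Fortinet article): decode the 8-bit ToS byte of an
# IPv4 header into its 6-bit DSCP and 2-bit remainder, and resolve which DSCP mark
# wins when a firewall policy, a shaping policy and a traffic shaper all set one,
# using the override order the article states. Function names are assumptions.
import struct
from typing import Optional

# Well-known DSCP code points (RFC 2474/2597/3246), used only to label values.
DSCP_NAMES = {0: "BE/CS0", 10: "AF11", 18: "AF21", 26: "AF31", 34: "AF41", 46: "EF"}

def split_tos(tos: int):
    """Return (dscp, low2) from an 8-bit ToS byte: the top 6 bits are the DSCP."""
    if not 0 <= tos <= 0xFF:
        raise ValueError("ToS must fit in one byte")
    return tos >> 2, tos & 0x03

def make_tos(dscp: int, low2: int = 0) -> int:
    """Inverse of split_tos: rebuild the ToS byte from the DSCP and the 2 low bits."""
    if not 0 <= dscp <= 63 or not 0 <= low2 <= 3:
        raise ValueError("DSCP is 6 bits, remainder is 2 bits")
    return (dscp << 2) | low2

def dscp_from_ipv4_header(header: bytes) -> int:
    """Read the DSCP from the second byte (ToS) of a raw IPv4 header."""
    if len(header) < 20 or header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    return split_tos(header[1])[0]

def effective_dscp(original: int, policy: Optional[int] = None,
                   shaping_policy: Optional[int] = None,
                   shaper: Optional[int] = None) -> int:
    """Resolve the outgoing DSCP per the article's precedence:
    traffic-shaper > shaping-policy > firewall policy > unchanged (None = no mark)."""
    for mark in (shaper, shaping_policy, policy):
        if mark is not None:
            return mark
    return original

# Constructed sample: minimal 20-byte IPv4 header with ToS 0xB8 (DSCP 46 = EF, low bits 0).
SAMPLE_HEADER = struct.pack("!BBHHHBBH4s4s", 0x45, 0xB8, 40, 0, 0, 64, 6, 0,
                            bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))

if __name__ == "__main__":
    d = dscp_from_ipv4_header(SAMPLE_HEADER)
    print(f"DSCP {d} ({DSCP_NAMES.get(d, '?')})")
    # Shaper wins even though policy and shaping policy also set a mark.
    print("effective:", effective_dscp(d, policy=10, shaping_policy=18, shaper=34))
```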