FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
sgiannogloudis
Article Id 317726
Description This article describes how to add DSCP tags on FortiOS locally generated traffic.
Scope FortiOS v7.4.4.
Solution

Consider a scenario where a network administrator has the following topology:

[Figure MPLS.PNG: hub-and-spoke topology diagram]

There are multiple spoke devices connected to the Hub FGT via an MPLS network. The administrator wants to prioritize the IKE traffic generated by the spoke devices across the ISP's network by marking those IKE packets with a DSCP value.

To do so, apply the following configuration on the spoke:

config firewall shaper traffic-shaper
    edit "QoS_Marking"
        set diffserv enable
        set diffservcode 010101
    next
end

config firewall shaping-policy
    edit 1
        set traffic-type local-out
        set service "IKE"
        set traffic-shaper "QoS_Marking"
        set srcaddr "all"
        set dstaddr "all"
    next
end

By running a packet sniffer, it is possible to observe that the IKE packets generated by the spoke now carry the configured DSCP value:

Internet Protocol Version 4, Src: 10.10.10.10, Dst: 20.20.20.20
Differentiated Services Field: 0x54 (DSCP: Unknown, ECN: Not-ECT)
0101 01.. = Differentiated Services Codepoint: Unknown (21)
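The sniffer shows the code point as "Unknown (21)" because 21 is not one of the standard PHB values (AF, CS, EF); the bits themselves match `diffservcode 010101`. The following Python helper, added here as an example and not part of the article or of FortiOS, converts a `diffservcode` string into the DS byte a capture will show and checks a sniffer dump (the article's own lines, embedded as sample input) against the configured value:

```python
import re

# Standard DSCP code points (RFC 2474, RFC 2597, RFC 3246) used only for naming.
STANDARD_DSCP = {0: "CS0/BE", 8: "CS1", 10: "AF11", 12: "AF12", 14: "AF13",
                 16: "CS2", 18: "AF21", 20: "AF22", 22: "AF23", 24: "CS3",
                 26: "AF31", 28: "AF32", 30: "AF33", 32: "CS4", 34: "AF41",
                 36: "AF42", 38: "AF43", 40: "CS5", 46: "EF", 48: "CS6", 56: "CS7"}

# Sample sniffer output, copied from the article for the check below.
SNIFFER_OUTPUT = """Internet Protocol Version 4, Src: 10.10.10.10, Dst: 20.20.20.20
Differentiated Services Field: 0x54 (DSCP: Unknown, ECN: Not-ECT)
0101 01.. = Differentiated Services Codepoint: Unknown (21)"""


def diffservcode_to_ds_byte(code: str, ecn: int = 0) -> int:
    """Turn the 6-bit 'set diffservcode' string into the IPv4 DS byte.

    DSCP occupies the upper 6 bits, ECN the lower 2 (0 = Not-ECT)."""
    if not re.fullmatch(r"[01]{6}", code):
        raise ValueError(f"diffservcode must be 6 binary digits, got {code!r}")
    if ecn not in range(4):
        raise ValueError("ECN must be 0..3")
    return (int(code, 2) << 2) | ecn


def ds_byte_to_dscp(ds: int) -> tuple:
    """Split a DS byte into (dscp, PHB name or 'Unknown', ecn)."""
    if ds not in range(256):
        raise ValueError("DS byte must be 0..255")
    dscp, ecn = ds >> 2, ds & 0x3
    return dscp, STANDARD_DSCP.get(dscp, "Unknown"), ecn


def capture_matches_config(sniffer_output: str, code: str) -> bool:
    """True when the 'Differentiated Services Field: 0x..' line in a sniffer
    dump carries the DSCP configured in the traffic shaper."""
    m = re.search(r"Differentiated Services Field: 0x([0-9a-fA-F]{2})",
                  sniffer_output)
    if not m:
        raise ValueError("no DS field line found in sniffer output")
    dscp, _, _ = ds_byte_to_dscp(int(m.group(1), 16))
    return dscp == int(code, 2)


if __name__ == "__main__":
    ds = diffservcode_to_ds_byte("010101")
    print(f"diffservcode 010101 -> DS byte 0x{ds:02x}, {ds_byte_to_dscp(ds)}")
    print("capture matches config:", capture_matches_config(SNIFFER_OUTPUT, "010101"))
```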