FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
icianci
Staff
Article Id 420317
Description This article describes how to configure VLAN CoS Marking in various scenarios.
Scope FortiOS.
Solution

VLAN CoS (Class of Service) marking sets the 3-bit priority field (the Priority Code Point, PCP) of an 802.1Q VLAN tag to a value from 0 to 7, so that downstream network devices, such as switches, can prioritize the frame accordingly. It applies only to frames that carry an 802.1Q tag; an untagged frame has no field to mark.

VLAN CoS marking can be configured in different ways on a FortiGate. The following applies to FortiOS v7.6.4 and newer releases.

  • Configure VLAN CoS marking in a firewall policy:

config firewall policy
    edit 1
        set vlan-cos-fwd <value>    <-- CoS value 0-7 written into the tag of forward-direction frames
    next
end

All traffic matching the policy is marked with CoS equal to <value> in the forward direction (client to server). Reply traffic is marked separately with the vlan-cos-rev setting of the same policy.

 

  • Configure VLAN CoS marking in a traffic shaping policy:

The shaper carries the CoS value, so it must exist before the shaping policy references it:

config firewall shaper traffic-shaper
    edit "MARKING"
        set cos-marking enable
        set cos <3-bit_binary>    <-- VLAN CoS bit pattern, 3-bit binary (000 - 111), e.g. 101 for CoS 5
    next
end

config firewall shaping-policy
    edit 1
        set traffic-shaper "MARKING"
    next
end

The matching criteria of the shaping policy (interfaces, addresses, service) are omitted here. All traffic matching the traffic shaping policy is marked with CoS equal to <3-bit_binary>. Note that the shaper takes the value as a 3-bit pattern, while the firewall policy takes it as an integer: 101 in the shaper corresponds to vlan-cos-fwd 5.
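To check what either of these settings actually changes on the wire, capture the marked traffic with diagnose sniffer packet <interface> '<filter>' 6 (verbose level 6 prints the Ethernet header as hex) and decode the tag. The following is an added example in Python, not FortiOS or Fortinet code and not part of the original article: it reads such a hex dump, extracts the PCP/DEI/VID fields of the 802.1Q tag, rewrites only the PCP bits the way CoS marking does, and converts between the integer form used by vlan-cos-fwd and the 3-bit pattern used by the shaper's cos setting. The sample dump, MAC addresses and payload are constructed; the dump layout (offset, 16-bit hex words, ASCII column) is an assumption about the sniffer output format.

```python
"""Decode and rewrite the 802.1Q CoS (PCP) field of an Ethernet frame.

Added example (not FortiOS or Fortinet code): shows what `vlan-cos-fwd`
and the shaper's `cos` setting change on the wire, and converts between
the two CLI notations (integer 0-7 vs. 3-bit pattern such as 101).
"""
import re
import struct

TPID_8021Q = 0x8100  # EtherType that introduces a customer VLAN tag


def cos_int_to_bits(value: int) -> str:
    """Firewall-policy form (e.g. 5) -> shaper form (e.g. '101')."""
    if not 0 <= value <= 7:
        raise ValueError("CoS must be in 0..7")
    return format(value, "03b")


def cos_bits_to_int(bits: str) -> int:
    """Shaper form ('101') -> firewall-policy form (5)."""
    if len(bits) != 3 or set(bits) - {"0", "1"}:
        raise ValueError("CoS pattern must be exactly 3 binary digits")
    return int(bits, 2)


def parse_vlan_tag(frame: bytes):
    """Return (pcp, dei, vid) of a tagged frame, or None if it carries no tag.

    Layout: dst MAC (6) | src MAC (6) | TPID 0x8100 (2) | TCI (2) | ...
    TCI = PCP (3 bits) | DEI (1 bit) | VID (12 bits), big-endian.
    """
    if len(frame) < 16:
        raise ValueError("frame too short to hold an 802.1Q tag")
    tpid, tci = struct.unpack("!HH", frame[12:16])
    if tpid != TPID_8021Q:
        return None  # untagged frame: nothing to mark
    return tci >> 13, (tci >> 12) & 1, tci & 0x0FFF


def set_cos(frame: bytes, cos: int) -> bytes:
    """Return a copy of a tagged frame with only the PCP bits rewritten.

    This is the whole effect of CoS marking on the wire: DEI, VID and the
    rest of the frame are untouched.
    """
    if parse_vlan_tag(frame) is None:
        raise ValueError("frame is not 802.1Q tagged; nothing to mark")
    (tci,) = struct.unpack("!H", frame[14:16])
    tci = (cos_bits_to_int(cos_int_to_bits(cos)) << 13) | (tci & 0x1FFF)
    return frame[:14] + struct.pack("!H", tci) + frame[16:]


def hex_dump_to_bytes(dump: str) -> bytes:
    """Lenient reader for a verbose-6 sniffer style hex dump (assumed layout):
    each line is an offset (0x0000), 16-bit hex words, then an ASCII column
    that is ignored."""
    out = bytearray()
    for line in dump.strip().splitlines():
        tokens = line.split()
        if not tokens or not tokens[0].lower().startswith("0x"):
            continue
        for tok in tokens[1:]:
            if not re.fullmatch(r"[0-9a-fA-F]{4}", tok):
                break  # reached the ASCII column
            out += bytes.fromhex(tok)
    return bytes(out)


# Constructed sample: a minimal tagged frame (VID 100, PCP 0) in the assumed
# dump layout. MAC addresses and the IPv4 payload fragment are made up.
SAMPLE_DUMP = """
0x0000   0011 2233 4455 6677 8899 aabb 8100 0064        .."3DUfw........d
0x0010   0800 4500 0014 0000 4000 4006 0000 c0a8        ..E.....@.@.....
"""


def demo():
    """Decode the unmarked frame, mark it as `vlan-cos-fwd 5` would, re-decode."""
    frame = hex_dump_to_bytes(SAMPLE_DUMP)
    before = parse_vlan_tag(frame)   # (0, 0, 100): tagged but unmarked
    marked = set_cos(frame, 5)       # PCP becomes 5, TCI 0x0064 -> 0xa064
    after = parse_vlan_tag(marked)   # (5, 0, 100)
    return before, after, marked[14:16].hex()


if __name__ == "__main__":
    print(demo())
```

The only bytes that differ between the captured frame and the marked one are the two TCI bytes after the 0x8100 TPID, and within them only the top three bits. If the capture shows no 0x8100 at offset 12, the traffic left the FortiGate untagged and neither the policy setting nor the shaper had anything to mark.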

As the documentation for VLAN CoS marking on traffic shaping policies explains, when a session matches both a firewall policy and a firewall shaping-policy, the settings of the shaping-policy take precedence over those of the firewall policy.

 

It is important to understand that this precedence applies even when CoS marking is not enabled in the shaper: if traffic matches a traffic shaping policy whose shaper has cos-marking disabled, the vlan-cos-fwd value of the firewall policy is not applied either, and the traffic is not marked at all.

 

This holds for traffic that is hardware-offloaded. If offloading is disabled on the firewall policy, so that its traffic is processed by the CPU, the shaping policy does not override the firewall policy's CoS configuration when CoS marking is not enabled in the shaper, and the vlan-cos-fwd value is applied.

Here is an example (to disable offloading, see the related article Technical Tip: FortiGate Disable Hardware Acceleration):

 

config firewall shaper traffic-shaper
    edit "MARKING"
        set cos-marking disable    <-- shaper attached to the policy, CoS marking not enabled here
    next
end

config firewall policy
    edit 1
        set auto-asic-offload disable    <-- traffic on this policy is handled by the CPU, not offloaded
        set vlan-cos-fwd 5
        set traffic-shaper "MARKING"
    next
end

In this case, traffic is marked with CoS 5 as configured in the firewall policy, even though the attached shaper has CoS marking disabled, because the policy's traffic is not offloaded.