FortiGate
ycho
Staff
Article Id 192337
Description
This article describes how DSCP values are handled on platforms with an NP6 chip (including the SOC3 and SOC4 system-on-chip variants) when IPsec traffic is offloaded.

On NP6 platforms, even though the DiffServ setting is disabled, the DSCP value of an IPv6 packet passing through the IPsec VPN tunnel is reset to the default value (CS0, Traffic Class 0x00) when NP offload is enabled.
If NP offload is disabled, the DSCP value of the inbound traffic (Traffic Class 0xdc, shown as "unknown" in a packet capture because it is not a standard code point) is preserved when the packet is sent out through the IPsec VPN tunnel.

Scope
All NP6 platforms (NP6, SOC3 and SOC4).

Solution
When IPsec is offloaded to the NP6, ESP packets are always sent with DF=0:
- Irrespective of the DF bit of the inner plaintext packets.
- Irrespective of the 'ipv4-df' setting.
Inner traffic DF bit   ipv4-df setting   DF bit on ESP packets
0                      disable           0
1                      disable           0
0                      enable            0
1                      enable            0
No NP6 platform (NP6, SOC3 or SOC4) can preserve the Don't Fragment (DF) flag on the outer ESP packet once the session has been offloaded. Because DF is cleared, the ESP packets can be fragmented by intermediate routers instead of being dropped with an ICMP "fragmentation needed" message, so path MTU discovery does not operate on the outer packet. On these platforms, disabling NPU offload for the tunnel (the npu-offload option in the phase1-interface configuration) keeps the session in the kernel and retains the original DSCP and DF values, at the cost of hardware acceleration.
This issue is fixed on all NP7 platforms.
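As an added check (example code written for this page, not from the article or from Fortinet), the following Python script parses raw IPv6 and IPv4/ESP packets so that both behaviours described above, the inner DSCP being reset to CS0 and the outer ESP packet leaving with DF=0, can be verified from packet captures taken on the LAN side, on the WAN side and after decryption on the far end. The packets it uses are constructed inline with placeholder addresses, SPI and payload; real bytes from a capture are fed to the same functions.

```python
"""Added example (not from the Fortinet article): verify DSCP preservation on an
IPv6 packet carried through an IPsec tunnel and the DF bit on the outer ESP
packet. All packets below are constructed inline as sample input; addresses,
SPI and payload are placeholders."""
import ipaddress
import struct

IPPROTO_ESP = 50
IPPROTO_UDP = 17


def ipv4_df_bit(pkt: bytes) -> int:
    """Return the DF flag (0 or 1) of a raw IPv4 packet (bit 14 of flags/fragment word)."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    flags_frag = struct.unpack("!H", pkt[6:8])[0]
    return (flags_frag >> 14) & 1


def ipv4_protocol(pkt: bytes) -> int:
    """Return the Protocol field of a raw IPv4 packet (50 = ESP)."""
    return pkt[9]


def ipv6_traffic_class(pkt: bytes) -> int:
    """Return the 8-bit Traffic Class of a raw IPv6 packet."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    first_word = struct.unpack("!I", pkt[:4])[0]
    return (first_word >> 20) & 0xFF


def ipv6_dscp(pkt: bytes) -> int:
    """DSCP is the upper 6 bits of Traffic Class; the low 2 bits are ECN."""
    return ipv6_traffic_class(pkt) >> 2


def dscp_name(dscp: int) -> str:
    """Name the class selector code points CS0..CS7; anything else is 'unknown'."""
    if 0 <= dscp < 64 and dscp % 8 == 0:
        return f"CS{dscp // 8}"
    return "unknown"


def _ipv4_checksum(hdr: bytes) -> int:
    total = sum(struct.unpack("!10H", hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, df: bool) -> bytes:
    """Build a minimal IPv4 header (no options) in front of payload."""
    flags_frag = 0x4000 if df else 0x0000
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                      flags_frag, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", _ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def build_ipv6(src: str, dst: str, traffic_class: int, payload: bytes,
               next_header: int = IPPROTO_UDP) -> bytes:
    """Build a minimal IPv6 header (flow label 0) in front of payload."""
    first_word = (6 << 28) | (traffic_class << 20)
    hdr = struct.pack("!IHBB16s16s", first_word, len(payload), next_header, 64,
                      ipaddress.IPv6Address(src).packed,
                      ipaddress.IPv6Address(dst).packed)
    return hdr + payload


def check_tunnel(ingress_v6: bytes, egress_v6: bytes, outer_v4: bytes) -> dict:
    """ingress_v6: inner packet captured before encryption; egress_v6: the same
    packet after decryption on the far side; outer_v4: the ESP packet on the WAN."""
    if ipv4_protocol(outer_v4) != IPPROTO_ESP:
        raise ValueError("outer packet is not ESP")
    return {
        "ingress_dscp": dscp_name(ipv6_dscp(ingress_v6)),
        "egress_dscp": dscp_name(ipv6_dscp(egress_v6)),
        "dscp_preserved": ipv6_traffic_class(ingress_v6) == ipv6_traffic_class(egress_v6),
        "esp_df": ipv4_df_bit(outer_v4),
    }


# Constructed sample packets (placeholder addresses, SPI and payload).
_PAYLOAD = b"\x00" * 16
INGRESS = build_ipv6("2001:db8:1::10", "2001:db8:2::10", 0xDC, _PAYLOAD)
EGRESS_OFFLOADED = build_ipv6("2001:db8:1::10", "2001:db8:2::10", 0x00, _PAYLOAD)  # NP6 offload: reset to CS0
EGRESS_KERNEL = build_ipv6("2001:db8:1::10", "2001:db8:2::10", 0xDC, _PAYLOAD)     # offload disabled: unchanged
_ESP = struct.pack("!II", 0xC0FFEE, 1) + b"\x00" * 48  # SPI, sequence number, fake ciphertext
OUTER_ESP = build_ipv4("203.0.113.1", "198.51.100.1", IPPROTO_ESP, _ESP, df=False)

if __name__ == "__main__":
    print("NP6 offloaded :", check_tunnel(INGRESS, EGRESS_OFFLOADED, OUTER_ESP))
    print("kernel path   :", check_tunnel(INGRESS, EGRESS_KERNEL, OUTER_ESP))
```

With the constructed input, the offloaded case reports the ingress DSCP as "unknown" (0xdc is not a standard code point), the egress DSCP as CS0, dscp_preserved as False and esp_df as 0, which is exactly the pattern the article describes; the kernel-path case reports dscp_preserved as True.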
