I've done some research on posts (non-Fortinet forums) that list the DSCP bits coming from Comcast to the local modem/installation as the lowest priority (0x08) and that to fix this I've typically seen commands to make iptables essentially convert those DSCP bits to 0x00 to unclassify the incoming traffic and process it without that interference.
Has anyone ever implemented this with FortiGate, if they are even affected?
I unfortunately do not have a unit and an open Comcast connection to play around with.
This is the command I've seen recommended to implement, if it helps:
Interesting. I've been told by someone at Comcast that they intentionally give low priority to basic internet service traffic. The reasoning used was that they want you to buy the services from them. Thus, streaming video and voice perform badly unless you buy it from them.
I don't see how manipulating DSCP bits will help you though. If they are on their game, they will reset those bits on any of your outbound traffic. The inbound traffic is already trumped by traffic they prioritized. The only prioritization you will be able to achieve is between your device and the first hop towards the internet. From there they most likely reset the bits based on various parameters.
I would really be surprised if an ISP/carrier will honor DSCP markups fully across all boundaries. Typically unless you have a QoS contract, they don't trust anything and once you leave one carrier domain, your TOS/DSCP bits will probably be remarked imho. QoS and TOS/DSCP across the internet is not a 100% reliable means.
But to answer your question you can toggle whatever DSCP you want per policy-id, it's quite simple.
(e.g. forward direction)

    config firewall policy
        edit 47
            set srcintf "port1"
            set dstintf "wan1"
            set srcaddr "all"
            set dstaddr "all"
            set schedule "always"
            set service "ANY"
            set logtraffic enable
            set diffserv-forward enable
            set diffservcode-forward 000001
        next
    end

The DSCP bits are those being sent FROM Comcast, so would be the receiving end from customer perspective. I do realize that any outgoing data would be rewritten through their equipment. I'm talking about incoming data from a client/customer viewpoint being set with that DSCP so that devices (some, not all) end up prioritizing that traffic as low in their QoS/WMM and it causes problems.
Office is closing in 5 mins, so haven't had time to look further into this, but there may be something (at the CLI level) for traffic shaping (also Differentiated Services) that you may be able to play around with to reset the DSCP bits.
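
What the DSCP reset discussed in this thread does to each inbound packet, as an added Python illustration that is not from any poster or from Fortinet: it reads the DSCP field, rewrites it to 0 while keeping the ECN bits, and recomputes the IPv4 header checksum. The sample packet, its documentation-range addresses and all function names are constructed for this example.

```python
import struct

def checksum(header: bytes) -> int:
    """RFC 1071 one's-complement checksum over an IPv4 header."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def dscp_of(packet: bytes) -> int:
    """DSCP is the upper six bits of the second header byte (the old TOS byte)."""
    return packet[1] >> 2

def fortios_code(dscp: int) -> str:
    """Six-bit binary string, the form used by diffservcode-forward in the thread."""
    return format(dscp, "06b")

def remark(packet: bytes, new_dscp: int = 0) -> bytes:
    """Rewrite DSCP, preserve the two ECN bits, and fix the header checksum."""
    if not 0 <= new_dscp <= 63:
        raise ValueError("DSCP is a six-bit value")
    if not packet or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("truncated or malformed IPv4 header")
    hdr = bytearray(packet[:ihl])
    hdr[1] = (new_dscp << 2) | (hdr[1] & 0x03)   # keep ECN untouched
    hdr[10:12] = b"\x00\x00"                     # zero checksum before summing
    hdr[10:12] = struct.pack("!H", checksum(bytes(hdr)))
    return bytes(hdr) + packet[ihl:]

def build_sample(dscp: int, ecn: int) -> bytes:
    """Constructed 20-byte IPv4 header (TCP, TTL 64, no payload)."""
    hdr = bytearray(struct.pack(
        "!BBHHHBBH4s4s", 0x45, (dscp << 2) | ecn, 20, 0, 0, 64, 6, 0,
        bytes([198, 51, 100, 7]), bytes([192, 0, 2, 10])))
    hdr[10:12] = struct.pack("!H", checksum(bytes(hdr)))
    return bytes(hdr)

# DSCP 8 is class selector CS1; with ECN bits 10 the raw TOS byte is 0x22.
SAMPLE = build_sample(dscp=8, ecn=2)
CLEANED = remark(SAMPLE)

if __name__ == "__main__":
    print("before:", dscp_of(SAMPLE), fortios_code(dscp_of(SAMPLE)))
    print("after: ", dscp_of(CLEANED), fortios_code(dscp_of(CLEANED)))
```

Note that a DSCP value of 8 occupies the upper six bits of the byte, so a capture showing the raw TOS byte displays 0x20 (or 0x22 with ECN set), not 0x08.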