DSCP matching in firewall policies - migrating from Cisco to FG
Hello,
I am migrating some firewall rules from a Cisco router to a FortiGate. Any hints on how to convert the rules below, which match on precedence and DSCP?
I found tos-mask under config firewall policy in FortiGate, but what should this value be for ef and cs4?
Thanks in advance. Below are the commands on the Cisco router that I want to migrate to FG:
permit udp X.X.X.X 0.255.255.255 any precedence flash
permit udp 1X.X.X.X 0.255.255.255 any precedence flash-override
permit udp any any dscp ef
permit udp any any dscp cs4
TOS and DSCP are different markings. You are probably looking for this:
- Toss a 'Like' to your fixxer, oh Valley of Plenty! and chose the solution, too00oo -
The KB Alex pointed you to is for "marking". For "matching", you can use tos/tos-mask with 6.2 or above.
https://docs.fortinet.com/document/fortigate/6.2.0/new-features/159007/dscp-matching-shaping
In those examples, FortiGate A is "marking", and FortiGate B is "matching". The tos/tos-mask is an 8-bit value in hex. So my interpretation is
EF(101110)=tos byte(10111000)=0xB8
so,
set tos 0xb8
set tos-mask 0xfc
If I'm wrong, somebody, please correct me.
Toshi
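
The same arithmetic applied to all four Cisco rules in the question, as an added example that is not code from anyone in this thread. It goes beyond the EF case by also covering `precedence` matches (top 3 bits, mask 0xe0); the function names are hypothetical, and it assumes the policy matches when (packet ToS byte AND tos-mask) equals tos.

```python
# Added example: convert Cisco ACL "dscp"/"precedence" matches into the
# tos / tos-mask pair used under "config firewall policy".
# Assumption: a packet matches when (packet_tos & tos_mask) == tos.

# Standard code points: class selectors, EF, and the AF classes.
DSCP = {"default": 0, "ef": 46}
DSCP.update({f"cs{n}": n << 3 for n in range(8)})
DSCP.update({f"af{c}{d}": (c << 3) | (d << 1)
             for c in range(1, 5) for d in range(1, 4)})

# Cisco IP precedence keywords (top 3 bits of the ToS byte).
PRECEDENCE = {"routine": 0, "priority": 1, "immediate": 2, "flash": 3,
              "flash-override": 4, "critical": 5, "internet": 6, "network": 7}


def tos_pair(kind, value):
    """Return (tos, tos_mask) for a Cisco 'dscp' or 'precedence' match."""
    kind, value = kind.lower(), str(value).lower()
    if kind == "dscp":            # DSCP = upper 6 bits, ECN bits ignored
        table, shift, mask, limit = DSCP, 2, 0xFC, 63
    elif kind == "precedence":    # precedence = upper 3 bits only
        table, shift, mask, limit = PRECEDENCE, 5, 0xE0, 7
    else:
        raise ValueError(f"unknown match type: {kind}")
    number = table[value] if value in table else int(value)
    if not 0 <= number <= limit:
        raise ValueError(f"{kind} value out of range: {value}")
    return number << shift, mask


def fortigate_lines(kind, value):
    """Render the two policy settings as CLI lines."""
    tos, mask = tos_pair(kind, value)
    return [f"set tos 0x{tos:02x}", f"set tos-mask 0x{mask:02x}"]


def matches(packet_tos, tos, mask):
    """Masked compare under the assumption stated at the top."""
    return (packet_tos & mask) == tos


if __name__ == "__main__":
    # The four match conditions from the original post.
    for kind, value in [("precedence", "flash"), ("precedence", "flash-override"),
                        ("dscp", "ef"), ("dscp", "cs4")]:
        print(f"{kind} {value}: " + " / ".join(fortigate_lines(kind, value)))
```

Note that `precedence flash-override` and `dscp cs4` share the same tos value (0x80) and differ only in the mask, so the precedence form also matches AF41-AF43 traffic while the DSCP form does not.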
