ToIP traffic that is already marked with a DSCP (EF) value will pass through my firewall. I need the firewall to keep that value and not modify it; that is, the output value must be the same as the input value. On the other hand, I also need it to prioritize that traffic internally. If I don't do any configuration and just let the traffic through, I'm not sure whether the firewall keeps the value or resets it to zero. Can you help me?
"If the differentiated services feature is not enabled, the FortiGate unit treats traffic as if the DSCP value is set to the default (00), and will not change IP packets’ DSCP field."
Thank you very much
You can verify the DSCP values are staying on egress by doing a packet capture on the ingress and egress interfaces and check the packet header on both to make sure they stay the same.
As far as prioritizing the traffic in the FortiGate, the Traffic shaping section of the admin guide outlines different ways to do this. You can set up global traffic prioritization with three priority levels or, if you want more granular control, you can create traffic shaping policies.
https://docs.fortinet.com/document/fortigate/7.0.5/administration-guide/297431/traffic-shaping
Thank you very much for your help. I understand that if what I want is for traffic that is already marked with DSCP EF to be kept (without remarking) and prioritized in the firewall, the global commands would be enough:
set traffic-priority DSCP
set traffic-priority-level high
With these commands, all the traffic that enters the firewall with DSCP 46 will be prioritized as high and will leave with DSCP 46 through the exit port.
If you do:
set traffic-priority DSCP
set traffic-priority-level high
this will prioritize all traffic as high. You will want to set that as the default medium or change it to low. You can then set matching DSCP values to priority queues based on this:
config system dscp-based-priority
    edit <id>
        set ds <0-63>
        set priority {high | medium | low}
    next
end
Thanks for your reply! I don't really need to configure different queues. I don't mind if they are all high, since all the traffic will enter with EF marking; there are no other types of DSCP markings in my network and I think that will be the easiest.
I have seen that with the command I used all the queues are high, and that is enough for me.
To answer your original question, here is a quick lab:
Generating traffic from R2 to R3 with DSCP EF (46), and taking a pcap on interfaces Port1 and Port2:
You can tell it's the exact same packet, as it has the same IPv4 identification 0x0023 (35); it has just been NATed as it exits port1, and it has kept the DSCP field.
The policy has diffserv-forward and reverse disabled:
diffserv-forward : disable
diffserv-reverse : disable
These commands are used if you need to remark the traffic; if you enable them, you'll have the option to remark the traffic that hits the policy with the DSCP values you want.
Hope that's helpful.
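As an added example (not from this thread or from Fortinet), here is a small Python check that implements the verification suggested above: it decodes the IPv4 header of each packet captured on the ingress and egress interfaces, pairs them by the IPv4 identification field (which survives the NAT seen in the lab), and reports any packet whose DSCP changed. The two captures are constructed inline; a real run would feed it the raw IPv4 packets from the two pcaps.

```python
import struct
from dataclasses import dataclass
from typing import List, Tuple

EF = 46  # DSCP value for Expedited Forwarding, the usual ToIP/VoIP marking


@dataclass
class Ipv4Summary:
    ident: int
    dscp: int
    ecn: int
    src: str
    dst: str


def parse_ipv4(packet: bytes) -> Ipv4Summary:
    """Decode the fields we need from a raw IPv4 header (no Ethernet framing)."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    _ver_ihl, tos, _length, ident, _frag, _ttl, _proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", packet[:20])
    # DSCP is the top six bits of the former TOS byte, ECN the bottom two
    return Ipv4Summary(ident=ident, dscp=tos >> 2, ecn=tos & 0x3,
                       src=".".join(map(str, src)), dst=".".join(map(str, dst)))


def build_ipv4(dscp: int, ident: int, src: str, dst: str) -> bytes:
    """Constructed sample header: UDP, TTL 64, checksum left at zero (not validated here)."""
    addr = lambda ip: bytes(int(o) for o in ip.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, dscp << 2, 20, ident, 0, 64, 17, 0, addr(src), addr(dst))


def dscp_mismatches(ingress: List[bytes], egress: List[bytes]) -> List[Tuple[int, int, int]]:
    """Pair packets by IPv4 identification (the source may be NATed) and list (id, in_dscp, out_dscp) for any DSCP change."""
    egress_by_id = {p.ident: p for p in map(parse_ipv4, egress)}
    mismatches = []
    for pkt in map(parse_ipv4, ingress):
        out = egress_by_id.get(pkt.ident)
        if out is not None and out.dscp != pkt.dscp:
            mismatches.append((pkt.ident, pkt.dscp, out.dscp))
    return mismatches


# Constructed captures: ingress sees 10.0.0.2 -> 10.0.1.3 marked EF; egress sees the same IDs with the source NATed
INGRESS = [build_ipv4(EF, 0x0023, "10.0.0.2", "10.0.1.3"), build_ipv4(EF, 0x0024, "10.0.0.2", "10.0.1.3")]
EGRESS_KEPT = [build_ipv4(EF, 0x0023, "192.0.2.1", "10.0.1.3"), build_ipv4(EF, 0x0024, "192.0.2.1", "10.0.1.3")]
EGRESS_RESET = [build_ipv4(EF, 0x0023, "192.0.2.1", "10.0.1.3"), build_ipv4(0, 0x0024, "192.0.2.1", "10.0.1.3")]

if __name__ == "__main__":
    print("DSCP kept:", dscp_mismatches(INGRESS, EGRESS_KEPT))    # []
    print("DSCP reset:", dscp_mismatches(INGRESS, EGRESS_RESET))  # [(36, 46, 0)]
```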
Yes, that's just what I need: that the packet keeps its marking when it passes through the firewall and the firewall, in turn, prioritizes it. So I think everything is clear and it has been very helpful. I don't have to do anything directly in the policies the traffic passes through, and the DSCP will keep its original marking, since the policies have the commands you indicate disabled by default.