- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Netflow DSCP field showing N/A
Hi,
We are using Netflow to monitor the Fortigates. In the flow record there is a field for DSCP.
Some records show the correct marking, like 0 (best effort) or 46 (EF). But there are also records showing "N/A". Any idea why that is ?
One would suggest when there is no marking it is clasified as "0" best effort.
Regards,
Alex
Alex Wassink
NSE4,5,7,8 CCNP, ACMP, VCP6-NV
- Labels:
-
FortiGate
Created on 03-28-2022 07:38 AM Edited on 07-27-2022 07:42 AM
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey Alex,
as far as I could find, the DCSP field will be empty if traffic originates on FortiGate itself:
Let us know if you're having traffic with no DCSP field that does NOT originate on the FortiGate.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello all!
I wanted to add to AlexW's comment. We are seeing NetFlow/IPFIX records from the FortiGates where the record is giving DSCP values outside of the correct range. For example, when inspecting the IPFIX records in a packet capture some of the records are showing conversations marked with DSCP values of 64 or 255. The DSCP IPFIX field ID being used by the FortiGate is field ID 98 which is the "PostIpDiffServCodePoint" according to the IANA spec. The valid range for DSCP is 0-63.
As a result, our collector is showing these values as "N/A". This is for traffic being routed through the FortiGate.
We are also seeing examples of the DSCP value showing correct data like 0 (BEST EFFORT) or 46 (EF). But some are outside of the valid range...
Any additional thoughts?
Thank you in advance!