Hi,
We are using Netflow to monitor the Fortigates. In the flow record there is a field for DSCP.
Some records show the correct marking, like 0 (best effort) or 46 (EF). But there are also records showing "N/A". Any idea why that is ?
One would suggest when there is no marking it is clasified as "0" best effort.
Regards,
Alex
Alex Wassink
NSE4,5,7,8 CCNP, ACMP, VCP6-NV
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Created on 03-28-2022 07:38 AM Edited on 07-27-2022 07:42 AM
Hey Alex,
as far as I could find, the DCSP field will be empty if traffic originates on FortiGate itself:
Let us know if you're having traffic with no DCSP field that does NOT originate on the FortiGate.
Hello all!
I wanted to add to AlexW's comment. We are seeing NetFlow/IPFIX records from the FortiGates where the record is giving DSCP values outside of the correct range. For example, when inspecting the IPFIX records in a packet capture some of the records are showing conversations marked with DSCP values of 64 or 255. The DSCP IPFIX field ID being used by the FortiGate is field ID 98 which is the "PostIpDiffServCodePoint" according to the IANA spec. The valid range for DSCP is 0-63.
As a result, our collector is showing these values as "N/A". This is for traffic being routed through the FortiGate.
We are also seeing examples of the DSCP value showing correct data like 0 (BEST EFFORT) or 46 (EF). But some are outside of the valid range...
Any additional thoughts?
Thank you in advance!
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.