eric
New Contributor

QoS configuration (advanced)

Hello,

I currently use a QoS configuration on a Cisco device and I wish to move this function to a Fortigate firewall (Fortigate 200B v5.2.0).

On the Cisco device, QoS is defined as follows:
- service classes are defined: GOLD (traffic to prioritize) / OTHER (traffic to "unprioritize") / SILVER (all other traffic) (policy-map)
- the network traffic is selected by ACL (access-list)
- each ACL is associated with a service class (class-map)
- dedicated ACLs are applied on interfaces

On the Fortigate firewall, I would like to know how to define the same QoS policy with the following requirements:
- for simple management, I would not like to manage several QoS profiles on the rules.
- Is it possible to configure a global QoS policy somewhere other than the rule filter configuration?
- on each rule, I would like to manage only a global QoS policy.
- this feature does not seem to be described in the documentation; is it possible to do that? Maybe in CLI configuration mode with dedicated commands?

Thank you for your advice and your help.
Regards, Eric

ewaizel
New Contributor II

Eric

Did you find a solution to your request? I'm having a similar requirement.

emnoc
Esteemed Contributor III

I would like to know how to define the same QoS policy with the following requirements: - for simple management, I would not like to manage several QoS profiles on the rules. - Is it possible to configure a global QoS policy somewhere other than the rule filter configuration? - on each rule, I would like to manage only a global QoS policy. - this feature does not seem to be described in the documentation; is it possible to do that? Maybe in CLI configuration mode with dedicated commands?

I know of no way to manage QoS in a global context. You need to apply the QoS per rule and order the fw-policy to ensure the classification takes place.

Qs;

  1: do you need ONLY classification
  2: do you need shaping-policy
  3: can you do #1 at your hand-off if a switch is in place

Since the firewall is a firewall, you will have to apply something to a policy regardless. So I don't know of anything outside of Cisco ASA & Juniper SRX that has a global or interface QoS in a scheduler (shaper) or classifier.

Maybe you should ask your FTNT sales team for a feature request.

PCNSE NSE StrongSwan
ewaizel
New Contributor II

I just published another post related to what I can read between the lines.

From the Fortinet documentation I can read:

"If Traffic Shaping is not enabled in the security policy, the FortiGate unit neither limits nor guarantees bandwidth, and traffic for that session uses the priority queue determined directly by matching the ToS bit in its header with your configured values".

If this is the case, I understand we can define different global values for ToS or DSCP and an associated priority for each and, as a consequence, affect globally which queue is used. Why is this not considered an option?

emnoc
Esteemed Contributor III

Yes, if you set "set traffic-priority tos" then you can use ToS, BUT you need to set the ToS values. Everything by default is set as value 0 and high.

config system tos-based-priority
    edit 1
        set tos 0
        set priority low
    next
    edit 2
        set tos 5
        set priority high
    next
end

But this might not be a good approach: if your end-users' ToS value were trusted, they could all set the value to tos 5 in the above example and hit the high-PQ.

PCNSE NSE StrongSwan
ewaizel
New Contributor II

Emnoc, I appreciate your feedback.

I can tell you in my case I already have a clearly defined QoS trust boundary. My switches and routers are in charge of doing all the trusting or re-marking of DSCP values. I just need the FW to trust these and queue according to the DSCP values; as simple as that.

So you acknowledge this approach can fly. The only problem I'm finding is the lack of commands to monitor the egress queues.

FYI, I'm following a DSCP approach present in ver 5.2.

By default I find all flows are considered medium priority. I changed this to low. A few flows are then classified with a higher priority, for example DSCP=EF.

These are my commands, in case you have comments.

config system global
    set traffic-priority dscp
    set traffic-priority-level low
end

config system dscp-based-priority
    edit 46
        set ds 46
        set priority high
    next
end
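
The following is an added example, not part of ewaizel's post and not a Fortinet tool. It keeps the intended DSCP-to-queue policy in one table, renders that table as the FortiOS 5.2 CLI in the form used in the post above, parses the output of `diagnose sys traffic-priority list` that ewaizel posted in this thread, and reports every DSCP whose live queue differs from the intended policy. The intended policy (EF, CS5 and CS7 high, AF41 medium, everything else at the global default of low) is an assumption chosen to match that posted output; `INTENDED`, `audit` and `render_dscp_config` are the example's own names.

```python
import re

# Output of `diagnose sys traffic-priority list` as posted in this thread
# (FortiOS 5.2), embedded here so the script runs offline.
SAMPLE_DIAG = """Traffic priority type is set to DSCP (DiffServ).
00:low    01:low    02:low    03:low    04:low    05:low    06:low    07:low
08:low    09:low    10:low    11:low    12:low    13:low    14:low    15:low
16:low    17:low    18:low    19:low    20:low    21:low    22:low    23:low
24:low    25:low    26:low    27:low    28:low    29:low    30:low    31:low
32:low    33:low    34:medium 35:low    36:low    37:low    38:low    39:low
40:high   41:low    42:low    43:low    44:low    45:low    46:high   47:low
48:low    49:low    50:low    51:low    52:low    53:low    54:low    55:low
56:high   57:low    58:low    59:low    60:low    61:low    62:low    63:low
"""

# Intended policy (assumption for this example): DSCP -> queue. Any DSCP not
# listed is expected at the global default, `set traffic-priority-level low`.
INTENDED = {46: "high", 40: "high", 56: "high", 34: "medium"}
DEFAULT_LEVEL = "low"

ENTRY_RE = re.compile(r"\b(\d{2}):(low|medium|high)\b")
MODE_RE = re.compile(r"Traffic priority type is set to (\w+)")


def parse_traffic_priority_list(text):
    """Return (mode, {code: level}) parsed from the diag output."""
    m = MODE_RE.search(text)
    mode = m.group(1) if m else None
    table = {int(code): level for code, level in ENTRY_RE.findall(text)}
    return mode, table


def audit(table, intended, default=DEFAULT_LEVEL):
    """Compare the live table with the intended policy over all 64 DSCPs.

    Returns a list of (code, expected, actual); an empty list means the
    device matches the policy. A missing entry shows up as actual=None."""
    mismatches = []
    for code in range(64):
        expected = intended.get(code, default)
        actual = table.get(code)
        if actual != expected:
            mismatches.append((code, expected, actual))
    return mismatches


def render_dscp_config(intended, default=DEFAULT_LEVEL):
    """Emit FortiOS 5.2 CLI for the intended policy, in the syntax used in
    the post above (global default plus one dscp-based-priority entry per
    non-default DSCP, keyed by the DS value)."""
    lines = [
        "config system global",
        "    set traffic-priority dscp",
        f"    set traffic-priority-level {default}",
        "end",
        "config system dscp-based-priority",
    ]
    for code, level in sorted(intended.items()):
        lines += [
            f"    edit {code}",
            f"        set ds {code}",
            f"        set priority {level}",
            "    next",
        ]
    lines.append("end")
    return "\n".join(lines)


if __name__ == "__main__":
    mode, table = parse_traffic_priority_list(SAMPLE_DIAG)
    high = sorted(c for c, lvl in table.items() if lvl == "high")
    print(f"mode={mode}, entries={len(table)}, high queue={high}")
    drift = audit(table, INTENDED)
    print("matches intended policy" if not drift else "drift:")
    for code, expected, actual in drift:
        print(f"  DSCP {code}: expected {expected}, device has {actual}")
    print(render_dscp_config(INTENDED))
```

The audit walks all 64 codes rather than only the configured ones, so a stray entry that quietly promotes an unexpected DSCP into the high queue (the situation emnoc warns about when the marking is not trusted) is reported as drift instead of passing unnoticed.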

emnoc
Esteemed Contributor III

By default I find all flows are considered medium priority. I changed this to low. A few flows are then classified with a higher priority, for example DSCP=EF.

Just curious, how are you determining the above? (a diag or get cmd)

One problem with FGT: they have no show commands that let you see the servicing of a low, medium or high queue, and piss-poor documentation on a PQ if it even exists.

Ken

PCNSE NSE StrongSwan
ewaizel
New Contributor II

To check the active priorities in ver 5.2 you can use:

diagnose sys traffic-priority list

Here is the output produced by this (after adjusting all to low with some specific cases for medium or high).

Traffic priority type is set to DSCP (DiffServ).
00:low    01:low    02:low    03:low    04:low    05:low    06:low    07:low
08:low    09:low    10:low    11:low    12:low    13:low    14:low    15:low
16:low    17:low    18:low    19:low    20:low    21:low    22:low    23:low
24:low    25:low    26:low    27:low    28:low    29:low    30:low    31:low
32:low    33:low    34:medium 35:low    36:low    37:low    38:low    39:low
40:high   41:low    42:low    43:low    44:low    45:low    46:high   47:low
48:low    49:low    50:low    51:low    52:low    53:low    54:low    55:low
56:high   57:low    58:low    59:low    60:low    61:low    62:low    63:low

Note: in version 5.0 the equivalent command is the following. By default queue 1 (medium priority) is used.

diagnose sys tos-based-priority list
1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1

emnoc
Esteemed Contributor III

Thanks, that was helpful info. Here's a 5.2.3 firewall with ToS set.

FIERDALTX01 (global) # diagnose sys traffic-priority list
Traffic priority type is set to TOS.
00:medium 01:medium 02:medium 03:medium 04:medium 05:medium 06:medium 07:medium
08:medium 09:medium 10:medium 11:medium 12:medium 13:medium 14:medium 15:medium

Thanks

PCNSE NSE StrongSwan
Dustin
New Contributor III

I have a related question in OS 5.4.

In Policy Rules > ToS you can set Bit pattern and Bit mask. It looks like hex values but I'm not sure what to set.

I'm looking to prioritize traffic for VoIP, so I would want Minimum Delay and Maximum Reliability, but would I set that value as a pattern or mask? Would I use traditional ToS manipulation (like 0x14) or CoS/DSCP (like 0xB8)?

Thanks
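
An added example, not from any post in this thread and not Fortinet code, to make the bit layout behind the two numbers in Dustin's question concrete and to tie it to the 16-entry ToS table in emnoc's and the 64-entry DSCP table in ewaizel's posts. The ToS byte is decomposed both ways: as the RFC 1349 precedence plus D/T/R/C flags, and as the RFC 2474 6-bit DSCP plus 2 ECN bits. It assumes that FortiOS's tos-based-priority table is indexed by the 4-bit D/T/R/C field (values 0-15), that its dscp-based-priority table is indexed by the 6-bit DSCP (0-63), and that a policy's bit pattern and bit mask are applied to the whole ToS byte; those assumptions, the flag names and the function names (`queue_slot`, `pattern_mask_for_dscp`, and so on) are the example's own.

```python
# RFC 1349 ToS byte layout:  P P P D T R C 0   (precedence, then four flags)
# RFC 2474 DiffServ layout:  D D D D D D E E   (6-bit DSCP, then 2 ECN bits)
LEGACY_FLAGS = {
    "min-delay": 0x10,
    "max-throughput": 0x08,
    "max-reliability": 0x04,
    "min-cost": 0x02,
}


def dscp_name(code):
    """Standard PHB name for a DSCP value (EF, CSx, AFxy), or None."""
    if code == 46:
        return "EF"
    klass, drop = divmod(code, 8)
    if drop == 0:
        return f"CS{klass}"
    if 1 <= klass <= 4 and drop in (2, 4, 6):
        return f"AF{klass}{drop // 2}"
    return None


def tos_byte_from_dscp(code, ecn=0):
    """ToS byte carrying a DSCP; ECN bits are zero unless given."""
    return ((code & 0x3F) << 2) | (ecn & 0x3)


def dscp_from_tos_byte(tos):
    """Upper six bits of the ToS byte."""
    return (tos & 0xFC) >> 2


def legacy_tos_nibble(tos):
    """The 4-bit D/T/R/C field (bits 4..1). Assumed here to be the 0-15
    index used by FortiOS's tos-based-priority table."""
    return (tos >> 1) & 0xF


def legacy_flags(tos):
    """Names of the RFC 1349 flags set in a ToS byte."""
    return [name for name, bit in LEGACY_FLAGS.items() if tos & bit]


def pattern_mask_for_dscp(code):
    """Bit pattern / bit mask that match one DSCP and ignore the ECN bits."""
    return code << 2, 0xFC


def pattern_mask_for_flags(*names):
    """Bit pattern / bit mask that require the given legacy flags to be set
    and ignore every other bit (precedence, other flags, MBZ)."""
    bits = 0
    for name in names:
        bits |= LEGACY_FLAGS[name]
    return bits, bits


def queue_slot(tos, mode):
    """Table index a packet with this ToS byte is looked up under, for
    `set traffic-priority tos` (16 slots) or `dscp` (64 slots). Assumption."""
    if mode == "dscp":
        return dscp_from_tos_byte(tos)
    if mode == "tos":
        return legacy_tos_nibble(tos)
    raise ValueError(f"unknown traffic-priority mode {mode!r}")


if __name__ == "__main__":
    for tos in (0x14, 0xB8):
        d = dscp_from_tos_byte(tos)
        print(f"0x{tos:02X}: legacy flags={legacy_flags(tos)} "
              f"tos-slot={queue_slot(tos, 'tos')} "
              f"dscp={d} ({dscp_name(d)}) dscp-slot={queue_slot(tos, 'dscp')}")
    print("match EF regardless of ECN: pattern=0x%02X mask=0x%02X" % pattern_mask_for_dscp(46))
    print("match D+R flags only:        pattern=0x%02X mask=0x%02X" % pattern_mask_for_flags("min-delay", "max-reliability"))
```

Under this layout 0x14 is the legacy minimum-delay plus maximum-reliability combination (slot 10 of a 16-entry ToS table, but DSCP 5 in a DSCP table), while 0xB8 is DSCP 46 (EF) with ECN clear, which reads as legacy precedence 5 with D and T set. The two numbers therefore land in unrelated slots depending on which mode the box is in, which is why the mode line printed by `diagnose sys traffic-priority list` matters. The `queue_slot` value is computed from the byte alone, with no regard to who set it, which is emnoc's trust-boundary point in code: any host that can write 0xB8 into its packets lands in slot 46.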
