Hello, I currently use a QoS configuration on a Cisco device and I wish to move this function to a Fortigate firewall (Fortigate 200B v5.2.0).
On the Cisco device, QoS is defined as follows:
- service classes are defined: GOLD (traffic to prioritize) / OTHER (traffic to "unprioritize") / SILVER (all other traffic) (policy-map)
- the network traffic is selected by ACL (access-list)
- each ACL is associated to a service class (class-map)
- dedicated ACLs are applied on interfaces
On the Fortigate firewall, I would like to know how to define the same QoS policy with the following requirements:
- for simple management, I would not like to manage several QoS profiles on the rules
- is it possible to configure a global QoS policy somewhere other than the rule filter configuration?
- on each rule, I would like to manage only a global QoS policy
- this feature does not seem to be described in the documentation; is it possible to do that? Maybe in CLI configuration mode with dedicated commands?
Thank you for your advice and your help. Regards, Eric
To check the active priorities in ver 5.2 you can use:
diagnose sys traffic-priority list
Here is the output produced by this (after adjusting all to low with some specific cases for medium or high).
Traffic priority type is set to DSCP (DiffServ).
00:low 01:low 02:low 03:low 04:low 05:low 06:low 07:low
08:low 09:low 10:low 11:low 12:low 13:low 14:low 15:low
16:low 17:low 18:low 19:low 20:low 21:low 22:low 23:low
24:low 25:low 26:low 27:low 28:low 29:low 30:low 31:low
32:low 33:low 34:medium 35:low 36:low 37:low 38:low 39:low
40:high 41:low 42:low 43:low 44:low 45:low 46:high 47:low
48:low 49:low 50:low 51:low 52:low 53:low 54:low 55:low
56:high 57:low 58:low 59:low 60:low 61:low 62:low 63:low
Note: in version 5.0 the equivalent command is the following. By default queue 1 (medium priority) is used.
diagnose sys tos-based-priority list
1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1
Eric
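The thread's complaint is that FortiOS gives no view of queue servicing; the one thing it does expose is the active code-point-to-queue table printed above. The Python below is an added example (mine, not from the thread or from Fortinet) that parses that output, both the 5.2 DSCP form and the TOS form, groups the 64 (or 16) values by queue and flags any code point that lands in the high queue but is not one the upstream trust boundary is meant to deliver, which is the queue-jumping concern raised later in the thread. The two samples are copied from the posts; the DSCP one is kept with the row breaks lost in extraction to show the parser does not depend on them. The `expected_high` set and the `audit` logic are my own convention, not a FortiOS feature.

```python
import re

# "diagnose sys traffic-priority list" output as posted above (FortiOS 5.2),
# with the row breaks lost in extraction; the parser keys on "NN:priority".
SAMPLE_52_DSCP = (
    "Traffic priority type is set to DSCP (DiffServ).00:low 01:low 02:low 03:low "
    "04:low 05:low 06:low 07:low08:low 09:low 10:low 11:low 12:low 13:low 14:low "
    "15:low16:low 17:low 18:low 19:low 20:low 21:low 22:low 23:low24:low 25:low "
    "26:low 27:low 28:low 29:low 30:low 31:low32:low 33:low 34:medium 35:low 36:low "
    "37:low 38:low 39:low40:high 41:low 42:low 43:low 44:low 45:low 46:high 47:low"
    "48:low 49:low 50:low 51:low 52:low 53:low 54:low 55:low56:high 57:low 58:low "
    "59:low 60:low 61:low 62:low 63:low"
)

# Same command on a 5.2.3 unit with "set traffic-priority tos", also from the
# thread: 16 ToS values (0-15), all at the default medium queue.
SAMPLE_523_TOS = (
    "Traffic priority type is set to TOS. 00:medium 01:medium 02:medium 03:medium "
    "04:medium 05:medium 06:medium 07:medium 08:medium 09:medium 10:medium "
    "11:medium 12:medium 13:medium 14:medium 15:medium"
)

# Standard DiffServ code point names (RFC 2474/2597/3246), for readable findings.
DSCP_NAMES = {
    0: "CS0/BE", 8: "CS1", 10: "AF11", 12: "AF12", 14: "AF13",
    16: "CS2", 18: "AF21", 20: "AF22", 22: "AF23",
    24: "CS3", 26: "AF31", 28: "AF32", 30: "AF33",
    32: "CS4", 34: "AF41", 36: "AF42", 38: "AF43",
    40: "CS5", 46: "EF", 48: "CS6", 56: "CS7",
}

TYPE_RE = re.compile(r"Traffic priority type is set to (\w+)")
ENTRY_RE = re.compile(r"(\d{2}):(low|medium|high)")


def parse_priority_list(text):
    """Return (kind, {code_point: queue}); kind is 'DSCP' or 'TOS'."""
    m = TYPE_RE.search(text)
    kind = m.group(1).upper() if m else "UNKNOWN"
    table = {int(v): prio for v, prio in ENTRY_RE.findall(text)}
    return kind, table


def by_queue(table):
    """Group code points by the queue they map to, ascending within each queue."""
    queues = {"low": [], "medium": [], "high": []}
    for value, prio in sorted(table.items()):
        queues[prio].append(value)
    return queues


def label(kind, value):
    return DSCP_NAMES.get(value, "unnamed") if kind == "DSCP" else "tos"


def audit(text, expected_high):
    """Compare the active table with the code points the trust boundary is
    supposed to hand over marked for the high queue (a constructed policy
    input, e.g. {46} for EF voice). Anything else in 'high' lets a host that
    can set its own marking jump the queue; anything expected but missing
    means the priority traffic is not getting the queue it was promised."""
    kind, table = parse_priority_list(text)
    queues = by_queue(table)
    findings = []
    expected_size = 64 if kind == "DSCP" else 16
    if len(table) != expected_size:
        findings.append(f"expected {expected_size} entries for {kind}, parsed {len(table)}")
    for v in queues["high"]:
        if v not in expected_high:
            findings.append(f"{kind} {v} ({label(kind, v)}) maps to high but is not in the expected set")
    for v in sorted(expected_high):
        if table.get(v) != "high":
            findings.append(f"{kind} {v} ({label(kind, v)}) should be high but is {table.get(v, 'absent')}")
    return kind, queues, findings


if __name__ == "__main__":
    for sample, expected in ((SAMPLE_52_DSCP, {46}), (SAMPLE_523_TOS, set())):
        kind, queues, findings = audit(sample, expected)
        print(kind, {q: v for q, v in queues.items() if v})
        for f in findings:
            print("  !", f)
```

Run against the 5.2 sample with only EF (46) expected in the high queue, it reports CS5 (40) and CS7 (56) as extra high-queue entries, which is exactly the check to make before trusting end-user markings through the firewall.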
Did you find a solution to your request? I'm having a similar requirement.
I would like to know how to define the same QoS policy with the following requirements:
- for simple management, I would not like to manage several QoS profiles on the rules
- is it possible to configure a global QoS policy somewhere other than the rule filter configuration?
- on each rule, I would like to manage only a global QoS policy
- this feature does not seem to be described in the documentation; is it possible to do that? Maybe in CLI configuration mode with dedicated commands?
I know of no way to manage QoS in a global context. You need to apply the QoS per rule and order the firewall policy to ensure the classification takes place.
Qs;
1: do you need ONLY classification
2: do you need shaping-policy
3: can you do #1 at your hand-off if a switch is in place
Since the firewall is a firewall, you will have to apply something to a policy regardless. So I don't know of anything outside of Cisco ASA & Juniper SRX that has a global or interface QoS in a scheduler (shaper) or classifier.
Maybe you should ask your FTNT-sales teams for a feature request.
PCNSE
NSE
StrongSwan
I just published another post related to what I can read in between lines.
From the Fortinet documentation I can read:
"If Traffic Shaping is not enabled in the security policy, the FortiGate unit neither limits nor guarantees bandwidth, and traffic for that session uses the priority queue determined directly by matching the ToS bit in its header with your configured values".
If this is the case, I understand we can define different global values for ToS or DSCP and an associated priority for each and as a consequence affect globally which queue is used. Why is this not considered an option?
Yes, if you set "set traffic-priority tos" then you can use ToS, BUT you need to set the ToS values. Everything by default is set as value 0 and high.
config system tos-based-priority
    edit 1
        set tos 0
        set priority low
    next
    edit 2
        set tos 5
        set priority high
    next
end
But this might not be a good approach: if your end-users' ToS value was trusted, they could all set the value to tos 5 in the above example and hit the high PQ.
PCNSE
NSE
StrongSwan
Emnoc, I appreciate your feedback.
I can tell you in my case I already have a clearly defined QoS trust boundary. My switches and routers are in charge of doing all the trusting or re-markings of DSCP values. I just need the FW to trust these and queue according to the DSCP values; as simple as that.
So you acknowledge this approach can fly. The only problem I'm finding is the lack of commands to monitor the egress queues.
FYI, I'm following a DSCP approach present in ver 5.2.
By default I find all flows are considered medium priority. I changed this to low. Few flows are then classified with a higher priority. For example DSCP=EF.
These are my commands and case you have comments.
config system global
    set traffic-priority dscp
    set traffic-priority-level low
end
config system dscp-based-priority
    edit 46
        set ds 46
        set priority high
    next
end
By default I find all flows are considered medium priority. I changed this to low. Few flows are then classified with a higher priority. For example DSCP=EF.
Just curious, how are you determining the above? (a diag or get cmd)
One problem with FGT: they have no show commands that let you see the servicing of a low, medium or high queue, and piss-poor documentation on a PQ if it even exists.
Ken
PCNSE
NSE
StrongSwan
Thanks, that was helpful info. Here's a 5.2.3 firewall with TOS set.
FIERDALTX01 (global) # diagnose sys traffic-priority list
Traffic priority type is set to TOS.
00:medium 01:medium 02:medium 03:medium 04:medium 05:medium 06:medium 07:medium
08:medium 09:medium 10:medium 11:medium 12:medium 13:medium 14:medium 15:medium
Thanks
PCNSE
NSE
StrongSwan
I have a related question in OS 5.4.
In Policy Rules > ToS you can set Bit pattern and Bit mask. It looks like Hex values but I'm not sure what to set.
I'm looking to prioritize traffic for VoIP so I would want Minimum Delay and Maximum Reliability but would I set that value as a pattern or mask? Would I use traditional ToS manipulation (like 0x14) or as CoS/DSCP (like 0xB8)?
Thanks
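The two hex values in the question are two views of the same IPv4 ToS byte: 0x14 is the RFC 791/1349 view (3-bit precedence plus the D/T/R/C flags, so 0x10 "minimize delay" + 0x04 "maximize reliability"), while 0xB8 is the RFC 2474 view (6-bit DSCP 46 = EF shifted left two bits, ECN bits clear). The Python below is an added example (mine, not from the thread or from Fortinet) that converts between the two views and shows which ToS bytes a given pattern and mask pair selects. It assumes the policy compares only the bit positions set in the mask, which is the usual semantics of a pattern/mask pair and not something the thread confirms for FortiOS.

```python
# IPv4 ToS byte, bit 7 (MSB) down to bit 0, in the two standard views:
#   RFC 791/1349:  P P P | D T R C | 0   (3-bit precedence, 4 ToS flags, 1 reserved)
#   RFC 2474/3168: D D D D D D | E E     (6-bit DSCP, 2 ECN bits)
# Both describe the same byte; that is why 0x14 and 0xB8 look unrelated.
LEGACY_FLAGS = {
    "min-delay": 0x10,
    "max-throughput": 0x08,
    "max-reliability": 0x04,
    "min-cost": 0x02,   # RFC 1349 bit, later reclaimed by ECN (RFC 3168)
}
PRECEDENCE_MASK = 0xE0
DSCP_MASK = 0xFC
ECN_MASK = 0x03


def dscp_to_tos(dscp):
    """ToS byte carrying the given DSCP with ECN bits clear (EF=46 -> 0xB8)."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is a 6-bit value")
    return dscp << 2


def tos_to_dscp(tos):
    """DSCP encoded in a ToS byte, ignoring the two ECN bits."""
    return (tos & DSCP_MASK) >> 2


def legacy_tos(precedence=0, *flags):
    """ToS byte built the RFC 1349 way: precedence 0-7 plus named flags."""
    if not 0 <= precedence <= 7:
        raise ValueError("precedence is a 3-bit value")
    byte = precedence << 5
    for name in flags:
        byte |= LEGACY_FLAGS[name]
    return byte


def describe(tos):
    """Decode one ToS byte in both views."""
    return {
        "tos": tos,
        "dscp": tos_to_dscp(tos),
        "ecn": tos & ECN_MASK,
        "precedence": (tos & PRECEDENCE_MASK) >> 5,
        "flags": [name for name, bit in LEGACY_FLAGS.items() if tos & bit],
    }


def matches(tos, pattern, mask):
    """Assumed match rule for a bit pattern / bit mask pair: only the bit
    positions set in the mask are compared."""
    return (tos & mask) == (pattern & mask)


def matching_tos_bytes(pattern, mask):
    """Every ToS byte value the pattern/mask pair would select."""
    return [t for t in range(256) if matches(t, pattern, mask)]


if __name__ == "__main__":
    ef = dscp_to_tos(46)
    print(f"EF as a ToS byte: {ef:#04x}", describe(ef))
    print("0x14 decoded:", describe(0x14))
    # Masking only the DSCP bits keeps matching EF packets that a sender has
    # also marked ECN-capable; a full-byte mask silently drops those.
    print("pattern 0xB8 mask 0xFC ->", [f"{t:#04x}" for t in matching_tos_bytes(ef, DSCP_MASK)])
    print("pattern 0xB8 mask 0xFF ->", [f"{t:#04x}" for t in matching_tos_bytes(ef, 0xFF)])
```

The decode of 0x14 gives DSCP 5 with precedence 0, so a rule written with the legacy "minimum delay, maximum reliability" value will not select voice that the phones or switches mark as EF; whichever view you pick, pattern and mask must be written in the same one.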
Copyright 2024 Fortinet, Inc. All Rights Reserved.