Hello,
I need a working example of setting two firewall shaping-policies to match DSCP EF and AF43 respectively. I don't understand how to use the commands set tos-mask and set tos as explained in the CLI ref. for 6.2 (the examples and the documentation are pure crap IMHO). I'm thinking of using set tos-mask 0xc0 and set tos 0xb8 for EF and set tos 0x98. Do you think this is correct or should I use different values?
Thanks
Andreas
That setting is for DSCP-based priority queuing, which you can see under
diag sys traffic-priority list
However, if you didn't change the global setting to DSCP, it's setting priority based on TOS values.
xxx-fg1 # diag sys traffic-priority list
Traffic priority type is set to TOS.
00:medium 01:medium 02:medium 03:medium 04:medium 05:medium 06:medium 07:medium 08:medium 09:medium 10:medium 11:medium 12:medium 13:medium 14:medium 15:medium
And if incoming packets are marked with DSCP, not TOS, I'm not sure how they would be queued. To avoid the confusion/complexity, I would recommend you change the setting to use DSCP. Probably it wouldn't change the problem you're concerned about now, though.
Toshi
Created on 03-28-2022 11:14 AM Edited on 03-28-2022 12:20 PM
I am using shaping profiles (type queueing) with max, guaranteed bw and priorities. Profiles consist of shaping policies that should match DSCP-marked packets using tos/tos-mask. I'm not using any other criteria here. Profiles are applied on interfaces using "set egress-shaping-profile".
While using the command "diagnose netlink intf-class list" I can see some classes matching while others don't. So, packets marked AF31 match the policy with a tos of 0x68 and mask 0xfc, which increments the "Sent packets" counter in the above command. Packets marked EF with tos 0xb8 and mask 0xfc do not increment the above counter.
I'm thinking of reverting this from DSCP matching to plain source/destination port matching, which seems to work, although the tests have not been conducted in a congested state.
PS. Global setting is on DSCP values
I wouldn't be able to speak to anything with shaping profiles. When we examined traffic shaping with FortiOS 5.4, probably about 5-6 years ago, the profiles didn't work with VPN (site-to-site) w/ or w/o split-tunneling. So we exclusively use shaping-policies.
I heard interface-based shaping works more reliably now, but I don't know if any limitations still exist.
Toshi
You are right. I am on 6.4 and by the looks of it, and according to the TAC person, this may be a bug that seems to be triggered when the traffic matching the shaping profile is passed through a policy that has hardware acceleration on. When you disable acceleration, traffic matches on the shaping profile.
I saw you mentioned you used queuing for your per-interface shaping. I'm rather new to FortiGate, but is NPU offloading the same as hardware acceleration? If that is the case, it appears NPU offloading is not possible with WRED/queuing enabled:
Traffic shaping with queuing using a traffic shaping profile
This is working for me. Critical High Medium

set tos-mask 0xe0 # 111 mask first 3 bits (IP precedence)
set tos 0xa0 # 101 CS5 and EF
set tos-mask 0xe0 # mask first 3 bits
set tos 0x80 # 100 CS4 AF41 AF42 AF43
set tos-mask 0xe0 # mask first 3 bits
set tos 0x60 # 011 CS3 AF31 AF32 AF33
set tos-mask 0xe0 # mask first 3 bits
set tos 0x40 # 010 CS2 AF21 AF22 AF23
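The arithmetic behind both the original question (tos 0xb8 / 0x98 for EF and AF43) and the precedence-based config in the last post comes down to one fact: DSCP is the upper 6 bits of the IP TOS/DS byte, so a DSCP value becomes a tos byte by shifting left 2, and the tos-mask decides how many of those bits the policy compares. The following is an added example, not code from the thread or from Fortinet; it models FortiOS-style "set tos" / "set tos-mask" matching in plain Python (the function names and the DSCP table are the example's own) so you can check what a given tos/tos-mask pair will actually match before committing it to a shaping policy.

```python
# Added example: DSCP <-> tos byte arithmetic and tos/tos-mask matching,
# modelled after FortiOS "set tos" / "set tos-mask" (not Fortinet's code).

# Standard DSCP code point names -> 6-bit values (RFC 2474, RFC 2597, RFC 3246).
DSCP = {
    "CS0": 0, "CS1": 8, "CS2": 16, "CS3": 24,
    "CS4": 32, "CS5": 40, "CS6": 48, "CS7": 56,
    "AF11": 10, "AF12": 12, "AF13": 14,
    "AF21": 18, "AF22": 20, "AF23": 22,
    "AF31": 26, "AF32": 28, "AF33": 30,
    "AF41": 34, "AF42": 36, "AF43": 38,
    "EF": 46,
}

def dscp_to_tos(dscp):
    """DSCP occupies the upper 6 bits of the TOS/DS byte; the low 2 bits are ECN."""
    return (dscp & 0x3F) << 2

def matches(tos_byte, policy_tos, policy_mask):
    """A policy matches when the masked bits of the packet's TOS byte equal the masked policy tos."""
    return (tos_byte & policy_mask) == (policy_tos & policy_mask)

def matching_dscps(policy_tos, policy_mask):
    """Names of all standard DSCP code points a tos/tos-mask pair would match."""
    return sorted(
        name for name, value in DSCP.items()
        if matches(dscp_to_tos(value), policy_tos, policy_mask)
    )

def exact_policy(name):
    """tos/tos-mask matching exactly one DSCP: compare all 6 DSCP bits, ignore the 2 ECN bits."""
    return dscp_to_tos(DSCP[name]), 0xFC

def precedence_policy(precedence):
    """tos/tos-mask matching a whole IP precedence class (top 3 bits only),
    the scheme used in the last post of the thread (mask 0xe0)."""
    return (precedence & 0x7) << 5, 0xE0

if __name__ == "__main__":
    # Exact matches for the two code points asked about in the original question.
    for name in ("EF", "AF43"):
        tos, mask = exact_policy(name)
        print(f"{name}: set tos 0x{tos:02x} / set tos-mask 0x{mask:02x} -> {matching_dscps(tos, mask)}")
    # What a 2-bit mask (0xc0) would match instead of just EF.
    print("tos 0xb8 with mask 0xc0 matches:", matching_dscps(0xB8, 0xC0))
    # The precedence-class policies from the last post.
    for prec in (5, 4, 3, 2):
        tos, mask = precedence_policy(prec)
        print(f"precedence {prec}: tos 0x{tos:02x} mask 0x{mask:02x} -> {matching_dscps(tos, mask)}")
```

Running it shows why the mask matters as much as the tos value: with mask 0xfc, tos 0xb8 matches only EF and tos 0x98 matches only AF43, and packets with ECN bits set still match; with mask 0xc0 the same tos 0xb8 also matches CS4, CS5 and all of AF4x; with mask 0xe0 and tos 0xa0 it matches the precedence-5 class (CS5 and EF), which is exactly what the last post's config relies on.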