Hello,
I need a working example of setting two firewall shaping-policies to match DSCP EF and AF43 respectively. I don't understand how to use the commands set tos-mask and set tos as explained in the CLI ref. for 6.2 (the examples and the documentation are pure crap IMHO). I'm thinking of using set tos-mask 0xc0 and set tos 0xb8 for EF and set tos 0x98. Do you think this is correct or should I use different values?
Thanks
Andreas
Looks like they changed QoS again with 6.2 (last time was 5.4). I need to read the documentation through again and, more importantly, test it before upgrading our entire FGT fleet and new deployment to 6.2. Thank you for the wake-up call.
At this moment, my guess is similar to yours, but if I want to match all those 6 bits in the TOS byte, like 0xb8 (101110xx), I would use tos-mask 0xfc (11111100). But I might be completely wrong.
I strongly recommend you open a ticket with TAC to get the right answer, including other parts of QoS operation w/ 6.2.
We probably wouldn't need to use this DSCP matching unless they eliminated the system level DSCP mapping. But who knows. We'll likely open multiple tickets ourselves to figure them out.
Based on my research so far, it looks like they're trying to consolidate/unify the terminology/syntax related to TOS/DSCP to TOS only. E.g., they changed the syntax for firewall policy/SD-WAN rule from dscp-match/dscp-value/dscp-negate to tos-mask/tos/tos-negate with 6.2. There is no explanation in the Traffic Shaping section of the 6.2 cookbook (no handbook available yet), but there is one in the SD-WAN/DSCP matching section:
https://docs.fortinet.com/document/fortigate/6.2.0/new-features/159007/dscp-matching-shaping
So my assumption in the previous post seems to be correct, and when you need to match/handle DSCP bits (upper 6 bits), you need to mask the TOS byte (8 bits) and use [DSCP value x 4] to match what you're looking for. I have a ticket opened related to this at TAC. So I'll verify this and update this thread.
Hi Toshi,
Yes, I know this document. It confused me more than it clarified things to me... Let me know how it goes with the ticket you opened.
Thanks
Andreas
It totally depends on what exactly you need to do for your specific situation (almost every QoS-needing situation is unique), but to me below is the most important page in the traffic shaping section of the Cookbook.
The architecture has two classification/prioritization points in a FGT: the ingress point, and afterwards when shaping-policies are examined. Both classification points affect which one of the 6 queues each packet is queued at on the egress interface. This was never explained anywhere before the 6.0 handbook, which I found out after I read your original post (again, thanks).
You might just need to do ingress classification only and skip the whole shaping-policy part if your QoS requirements aren't so specific, unless it's in a multi-vdom environment. This part is a system global setting.
All I want to do is to simply match DSCP EF and AF43. I'm not sure how the set tos-mask works and the original documentation did not help me at all to understand this either. The examples were confusing too...
The documentation says: "tos-mask <mask_value> Non-zero bit positions are used for comparison. Zero bit positions are ignored (default = 0x00)."
What do I understand with that? NOTHING...
It's simply reiterating how a bitwise operation works. Exactly the same way a subnet mask works. For DSCP, you need to match the top 6 bits. So in binary the mask needs to be "11111100" (=0xfc).
The main question is what you want to do (how you want to queue) with the matching. EF and AF43 packets into Queue0? The rest to be in Queue 2? Without setting any guaranteed bandwidth to other types of traffic? Then I wouldn't use shaping-policy, but do everything at ingress point. I'm assuming you don't have multiple vdoms.
config sys global
    set traffic-priority dscp
    set traffic-priority-level low    (=2) <- default is high (=0). you need to change it.
end
config sys dscp-based-priority
    edit 46
        set ds 46
        set priority high    (=0) <- default value
    next
    edit 38
        set ds 38
        set priority high    (=0)
    next
end
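To make the bitwise point above concrete, here is an added example (my own Python, not FortiOS code or anything from the thread) that models how a tos / tos-mask pair in a shaping-policy compares against a packet's 8-bit TOS byte. It takes the mask 0xfc and the "DSCP x 4" rule from the replies above and uses them to check the values proposed in the first post; the DSCP numbers for EF, AF43 and AF31 are the standard code points.

```python
# Added example (not from the thread or from Fortinet): a model of how a
# tos / tos-mask pair in a FortiOS shaping-policy compares against the
# 8-bit TOS byte of a packet, used to check the values proposed in the thread.

# Standard DSCP code points used in the thread.
DSCP_EF = 46      # Expedited Forwarding (RTP)
DSCP_AF43 = 38
DSCP_AF31 = 26    # SIP in the later reply
DSCP_MASK = 0xFC  # 11111100: compare the six DSCP bits, ignore the two ECN bits


def dscp_to_tos(dscp: int) -> int:
    """TOS byte carrying this DSCP with the ECN bits clear.

    DSCP occupies the top 6 bits of the byte, so the value is DSCP x 4 (<< 2).
    """
    if not 0 <= dscp <= 63:
        raise ValueError(f"DSCP must be 0..63, got {dscp}")
    return dscp << 2


def tos_matches(tos_byte: int, tos: int, tos_mask: int) -> bool:
    """Non-zero mask bits are compared, zero mask bits are ignored."""
    return (tos_byte & tos_mask) == (tos & tos_mask)


def matching_dscps(tos: int, tos_mask: int) -> list:
    """All DSCP code points whose packets would hit a policy with this tos/tos-mask."""
    return [d for d in range(64) if tos_matches(dscp_to_tos(d), tos, tos_mask)]


def report(tos: int, tos_mask: int) -> str:
    hits = matching_dscps(tos, tos_mask)
    return f"tos=0x{tos:02x} tos-mask=0x{tos_mask:02x} -> {len(hits)} DSCP(s): {hits}"


if __name__ == "__main__":
    print("EF   -> tos 0x%02x" % dscp_to_tos(DSCP_EF))    # 0xb8
    print("AF43 -> tos 0x%02x" % dscp_to_tos(DSCP_AF43))  # 0x98
    # The mask from the first post (0xc0) only compares the top two bits,
    # so the EF and AF43 policies both match the same 16 code points.
    print(report(0xB8, 0xC0))
    print(report(0x98, 0xC0))
    # With 0xfc each policy matches exactly one code point, whatever the ECN bits are.
    print(report(0xB8, DSCP_MASK))
    print(report(0x98, DSCP_MASK))
    for ecn in range(4):
        byte = 0xB8 | ecn
        print("TOS 0x%02x matches the EF policy: %s" % (byte, tos_matches(byte, 0xB8, DSCP_MASK)))
```

Running it shows why 0xc0 is too loose: it compares only the class-selector bits, so both policies match DSCP 32 through 47 and EF is not distinguished from AF43. With 0xfc the EF policy matches TOS bytes 0xb8 through 0xbb (the ECN bits vary, the DSCP bits do not) and nothing else.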
an update: I'm still working with Level3 TAC person and testing FGT's behavior with tos/tos-mask in shaping-policies. So far it's not working as either of us expects.
My problem with tos/tos-mask not working as expected was because I didn't disable the SIP session-helper/ALG. Now it's working as configured (it gave us another reason not to use the session-helper/ALG).
My original config was confirmed. The tos/tos-mask in shaping-policy is the 8-bit TOS byte, not the 4-bit TOS field. So if you're matching with DSCP codes, tos-mask needs to be 0xfc (11111100). Then tos can be 0xb8 (EF for RTP), 0x68 (AF31 for SIP), or other values.
However, you need to be aware of the FGT's QoS operation: initial prioritization at ingress, 0 - 2, 0 (high) is the default, which you can change per incoming DSCP code under "config sys dscp-based-priority" after specifying "config sys global/set traffic-priority dscp"; and policy-based (with shaping-policy+shaper) priority adjustment, +1 - +2.
So if you just want to put specific traffic like EF and AF31 to the highest priority queue (0) only based on incoming DSCP codes while putting the rest into a lower queue, you should do it at the global dscp-based-priority. Because that's the only way to put them in queue0. If you use shaping-policies instead, the highest is queue1 (initial '0' +1). But that method is still valid because you can keep the relative priorities between traffic types (DSCP codes) if you match 'tos' and set priorities properly.
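The two approaches in the last reply (global dscp-based-priority versus shaping-policies) can be compared with a small model. This is an added example written for this thread, not Fortinet's code: it encodes only what the reply states (ingress priority 0-2 with high = 0 as the default, overridable per DSCP once traffic-priority is set to dscp; a shaping-policy adjusts by +1 or +2). How unmatched traffic is handled in the shaping-policy approach (a catch-all policy with +2) is an assumption of the model, as is the exact meaning of the queue index beyond "lower is higher priority".

```python
# Added example (not Fortinet's code): a model of the queue placement described
# in the thread, to check where EF / AF31 / best-effort traffic lands with each
# of the two approaches. Only the rules stated in the thread are encoded; the
# catch-all +2 policy for unmatched traffic is an assumption of this model.

HIGH, MEDIUM, LOW = 0, 1, 2   # ingress priority levels as named in the CLI
DSCP_EF, DSCP_AF31, DSCP_BE = 46, 26, 0


def ingress_priority(dscp, traffic_priority_dscp, traffic_priority_level, dscp_based_priority):
    """Initial queue index (0..2) assigned at ingress.

    traffic_priority_dscp  -> 'set traffic-priority dscp' is configured
    traffic_priority_level -> 'set traffic-priority-level' (default high = 0)
    dscp_based_priority    -> {dscp: level} entries from 'config sys dscp-based-priority'
    """
    if traffic_priority_dscp and dscp in dscp_based_priority:
        return dscp_based_priority[dscp]
    return traffic_priority_level


def shaped_queue(ingress_level, policy_offset):
    """Queue after a matching shaping-policy/shaper adjusts priority by +1 or +2."""
    if policy_offset not in (1, 2):
        raise ValueError("shaping-policy adjustment is +1 or +2")
    return ingress_level + policy_offset


def plan_global_dscp_priority():
    """Approach 1: traffic-priority dscp, default level low, EF and AF31 mapped to high."""
    dscp_map = {DSCP_EF: HIGH, DSCP_AF31: HIGH}
    return {
        d: ingress_priority(d, True, LOW, dscp_map)
        for d in (DSCP_EF, DSCP_AF31, DSCP_BE)
    }


def plan_shaping_policy_only(policy_offset=None):
    """Approach 2: global defaults (everything enters at high = 0), then
    shaping-policies add +1 for EF/AF31 and (assumed) +2 for the rest."""
    offsets = policy_offset or {DSCP_EF: 1, DSCP_AF31: 1, DSCP_BE: 2}
    return {
        d: shaped_queue(ingress_priority(d, False, HIGH, {}), offsets[d])
        for d in (DSCP_EF, DSCP_AF31, DSCP_BE)
    }


if __name__ == "__main__":
    print("global dscp-based-priority:", plan_global_dscp_priority())   # EF/AF31 in queue 0
    print("shaping-policy only:       ", plan_shaping_policy_only())    # best case is queue 1
```

The model reproduces the reply's conclusion: only the global dscp-based-priority path can place EF and AF31 in queue 0; with shaping-policies alone the best reachable queue is 1, although the relative ordering between traffic types is preserved.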
Hello there.
I have a wan link and my packets are already marked with DSCP earlier, closer to the source.
By implementing shaping profiles with shaping policies that match DSCP values with tos and tos-mask (0xfc), I try to give maximum and guaranteed bw to certain flows crossing the WAN link.
The problem is that it seems tos and tos-mask do not always match my marked packets. Is it possible that I have to enable "config sys global/set traffic-priority dscp"? I do not want to do global prioritisation, just make the profiles work.
Thank you