Differentiated Services
Differentiated Services describes a set of end-to-end Quality of Service (QoS) capabilities. End-to-end QoS is the ability of a network to deliver service required by specific network traffic from one end of the network to another. By configuring differentiated services, you configure your network to deliver particular levels of service for different packets based on the QoS specified by each packet.
Differentiated Services (also called DiffServ) is defined by RFC 2474 and 2475 as enhancements to IP networking to enable scalable service discrimination in the IP network without the need for per-flow state and signaling at every hop. Routers that can understand differentiated services sort IP traffic into classes by inspecting the DS field in IPv4 header or the Traffic Class field in the IPv6 header.
You can use the FortiGate Differentiated Services feature to change the DSCP (Differentiated Services Code Point) value for all packets accepted by a policy. The network can use these DSCP values to classify, mark, shape, and police traffic, and to perform intelligent queuing. DSCP features are applied to traffic by configuring the routers on your network to apply different service levels to packets depending on the DSCP value of the packet.
If the differentiated services feature is not enabled, the FortiGate unit treats traffic as if the DSCP value is set to the default (00), and will not change IP packets’ DSCP field. DSCP values are also not applied to traffic if the traffic originates from a FortiGate unit itself.
The FortiGate unit applies the DSCP value and IPsec encryption to the differentiated services (formerly ToS) field in the first word of the IP header. The typical first word of an IP header, with the default DSCP value, is 4500:
- 4 for IPv4
- 5 for a length of five words
- 00 for the default DSCP value
You can change the packet’s DSCP field for traffic initiating a session (forward) or for reply traffic (reverse); each direction is enabled and configured separately in the security policy.
Changes to DSCP values in a security policy affect only new sessions. If traffic must use the new DSCP values immediately, clear all existing sessions.
DSCP is enabled using the CLI command:
config firewall policy
    edit <policy_number>
        …
        set diffserv-forward enable
        set diffservcode-forward <binary_integer>
        set diffserv-reverse enable
        set diffservcode-rev <binary_integer>
end
For more information on the different DSCP commands, see the examples below and the CLI Reference. If you enable only diffserv-forward or diffserv-reverse without setting the corresponding diffservcode value, the FortiGate unit resets the DSCP bits to zero.
For a list of DSCP values and their ToS equivalents, see the table Mapping of DSCP and ToS hexadecimal values for QoS later in this section. DSCP values can also be defined within a shared shaper as a single value, and within a per-IP shaper for the forward and reverse directions separately.
DSCP examples
All of the following DSCP examples use the network shown in the following diagram, with the FortiGate units and client PCs configured as described, and apply DSCP marking through firewall policies.
[Figure: network diagram for the DSCP examples: User 1, FortiGate A (port6 and port3), FortiGate B (wan2 and internal), User 2]
Example
In this example, an ICMP ping is executed between User 1 and FortiGate B, through a FortiGate unit. DSCP is disabled on FortiGate B, and FortiGate A contains the following configuration:
config firewall policy
    edit 2
        set srcintf port6
        set dstintf port3
        set srcaddr all
        set dstaddr all
        set action accept
        set schedule always
        set service ANY
        set diffserv-forward enable
        set diffservcode-forward 101110
end
As a result, FortiGate A changes the DSCP field for outgoing traffic, but not for its reply traffic. The binary DSCP values used map to the following hexadecimal ToS field values, which are observable by a sniffer (also known as a packet tracer):
- DSCP 000000 is TOS field 0x00
- DSCP 101110 is TOS field 0xb8, the recommended DSCP value for expedited forwarding (EF)
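The arithmetic behind the 4500 first word and the 101110 to 0xb8 mapping above can be checked directly. The following Python is an added example, not FortiGate code: it decodes the 16-bit first word of an IPv4 header, converts a 6-bit DSCP string to the ToS byte, and parses a full 20-byte header. The header bytes are constructed for the example (the checksum is left at zero) and are not a capture from the page.

```python
import struct

# Constructed sample: the first 20 bytes of an IPv4 header as a sniffer would show
# the EF-marked ping request (version 4, IHL 5, ToS 0xb8, total length 84,
# TTL 64, protocol 1 = ICMP, checksum deliberately left as zero).
SAMPLE_HEADER = bytes.fromhex(
    "45b8 0054 1c46 4000 4001 0000 c0a8 0101 c0a8 0201".replace(" ", "")
)


def tos_from_dscp_bits(bits):
    """Map a 6-bit DSCP string such as "101110" to the ToS byte (DSCP << 2, ECN 0)."""
    if len(bits) != 6 or set(bits) - {"0", "1"}:
        raise ValueError("DSCP must be six binary digits")
    return int(bits, 2) << 2


def parse_first_word(word):
    """Decode the first 16-bit word of an IPv4 header given as hex, e.g. "45b8":
    version (4 bits), header length in words (4 bits), then the ToS byte."""
    value = int(word, 16)
    tos = value & 0xFF
    return {
        "version": value >> 12,
        "ihl_words": (value >> 8) & 0xF,
        "tos": tos,
        "dscp": tos >> 2,        # the high six bits of the ToS byte
        "ecn": tos & 0x3,        # the low two bits
    }


def parse_ipv4_header(raw):
    """Parse the fixed 20-byte IPv4 header and return the DS-related fields."""
    if len(raw) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, tos, total_len, ident, flags_frag, ttl,
     proto, csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    version, ihl = ver_ihl >> 4, ver_ihl & 0xF
    if version != 4 or ihl < 5:
        raise ValueError("not an IPv4 header")
    return {
        "version": version,
        "ihl_words": ihl,
        "total_length": total_len,
        "tos": tos,
        "dscp": tos >> 2,
        "dscp_bits": format(tos >> 2, "06b"),
        "ecn": tos & 0x3,
        "ttl": ttl,
        "protocol": proto,
    }


if __name__ == "__main__":
    print(hex(tos_from_dscp_bits("101110")))      # 0xb8, the EF code point
    print(parse_first_word("4500"))
    print(parse_ipv4_header(SAMPLE_HEADER))
```

When reading sniffer output, only the high six bits of the ToS byte are the DSCP; the low two bits are ECN and may be non-zero on hosts that negotiate ECN, so 0xba and 0xb8 carry the same DSCP.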
If you performed an ICMP ping between User 1 and User 2, the following output illustrates the IP headers for the request and the reply by sniffers on each of FortiGate unit’s network interfaces. The right-most two digits of each IP header are the ToS field, which contains the DSCP value.
Direction | User 1 | FortiGate A port6 | FortiGate A port3 | FortiGate B wan2 | FortiGate B internal | User 2
Request | 4500 | 4500 | 45b8 | 45b8 | 45b8 | 45b8
Reply | 4500 | 4500 | 4500 | 4500 | 4500 | 4500
Example
In this example, an ICMP ping is executed between User 1 and FortiGate B, through FortiGate A. DSCP is disabled on FortiGate B, and FortiGate A contains the following configuration:
config firewall policy
    edit 2
        set srcintf port6
        set dstintf port3
        set srcaddr all
        set dstaddr all
        set action accept
        set schedule always
        set service ANY
        set diffserv-forward enable
        set diffserv-reverse enable
        set diffservcode-forward 101110
        set diffservcode-rev 101111
end
As a result, FortiGate A changes the DSCP field for both outgoing traffic and its reply traffic. The binary DSCP values map to the following hexadecimal ToS field values, which are observable by a sniffer (also known as a packet tracer):
- DSCP 000000 is TOS field 0x00
- DSCP 101110 is TOS field 0xb8, the recommended DSCP value for expedited forwarding (EF)
- DSCP 101111 is TOS field 0xbc
If you performed an ICMP ping between User 1 and User 2, the table below illustrates the IP headers observed for the request and the reply by sniffers on each of FortiGate A’s and FortiGate B’s network interfaces. The right-most two digits of each IP header are the ToS field, which contains the DSCP value.
Direction | User 1 | FortiGate A port6 | FortiGate A port3 | FortiGate B wan2 | FortiGate B internal | User 2
Request | 4500 | 4500 | 45b8 | 45b8 | 45b8 | 45b8
Reply | 45bc | 45bc | 4500 | 4500 | 4500 | 4500
Example
In this example, an ICMP ping is executed between User 1 and FortiGate B, through FortiGate A. DSCP is enabled for both traffic directions on FortiGate A, and enabled only for reply traffic on FortiGate B. FortiGate A contains the following configuration:
config firewall policy
    edit 2
        set srcintf port6
        set dstintf port3
        set srcaddr all
        set dstaddr all
        set action accept
        set schedule always
        set service ANY
        set diffserv-forward enable
        set diffserv-reverse enable
        set diffservcode-forward 101110
        set diffservcode-rev 101111
end
FortiGate B contains the following configuration:
config firewall policy
    edit 2
        set srcintf wan2
        set dstintf internal
        set srcaddr all
        set dstaddr all
        set action accept
        set schedule always
        set service ANY
        set diffserv-reverse enable
        set diffservcode-rev 101101
end
As a result, FortiGate A changes the DSCP field for both outgoing traffic and its reply traffic, and FortiGate B changes the DSCP field only for reply traffic. The binary DSCP values in this configuration map to the following hexadecimal ToS field values:
- DSCP 000000 is TOS field 0x00
- DSCP 101101 is TOS field 0xb4
- DSCP 101110 is TOS field 0xb8, the recommended DSCP value for expedited forwarding (EF)
- DSCP 101111 is TOS field 0xbc
If you performed an ICMP ping between User 1 and User 2, the table below illustrates the IP headers observed for the request and the reply by sniffers on each of FortiGate A’s and FortiGate B’s network interfaces. The right-most two digits of each IP header are the ToS field, which contains the DSCP value.
Direction | User 1 | FortiGate A port6 | FortiGate A port3 | FortiGate B wan2 | FortiGate B internal | User 2
Request | 4500 | 4500 | 45b8 | 45b8 | 45b8 | 45b8
Reply | 45bc | 45bc | 45b4 | 45b4 | 4500 | 4500
Example
In this example, HTTPS and DNS traffic is sent from User 1 to FortiGate B, through FortiGate A. DSCP is enabled for both traffic directions on FortiGate A, and enabled only for reply traffic on FortiGate B. FortiGate A contains the following configuration:
config firewall policy
    edit 2
        set srcintf port6
        set dstintf port3
        set srcaddr all
        set dstaddr all
        set action accept
        set schedule always
        set service ANY
        set diffserv-forward enable
        set diffserv-reverse enable
        set diffservcode-forward 101110
        set diffservcode-rev 101111
end
FortiGate B contains the following configuration:
config firewall policy
    edit 2
        set srcintf wan2
        set dstintf internal
        set srcaddr all
        set dstaddr all
        set action accept
        set schedule always
        set service ANY
        set diffserv-reverse enable
        set diffservcode-rev 101101
end
As a result, FortiGate A changes the DSCP field for both outgoing traffic and its reply traffic, but FortiGate B changes the DSCP field only for reply traffic which passes through its internal interface. Since the example traffic does not pass through the internal interface, FortiGate B does not mark the packets. The binary DSCP values in this configuration map to the following hexadecimal ToS field values:
- DSCP 000000 is TOS field 0x00
- DSCP 101101 is TOS field 0xb4, which is configured on FortiGate B but not observed by the sniffer because the example traffic originates from the FortiGate unit itself, and therefore does not match that security policy.
- DSCP 101110 is TOS field 0xb8, the recommended DSCP value for expedited forwarding (EF)
- DSCP 101111 is TOS field 0xbc
If you sent HTTPS or DNS traffic from User 1 to FortiGate B, the table below illustrates the IP headers observed for the request and the reply by sniffers on each of FortiGate A’s and FortiGate B’s network interfaces. Because the traffic terminates on FortiGate B, nothing is observed on FortiGate B’s internal interface or at User 2. The right-most two digits of each IP header are the ToS field, which contains the DSCP value.
Direction | User 1 | FortiGate A port6 | FortiGate A port3 | FortiGate B wan2
Request | 4500 | 4500 | 45b8 | 45b8
Reply | 45bc | 45bc | 4500 | 4500
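The four examples differ only in which direction is enabled on which unit and in whether the traffic terminates on a FortiGate. The following Python is an added model of that behaviour, not FortiGate code: it walks a request and its reply through a chain of units and reports the ToS byte a sniffer would see at each interface, using the rules stated in this section (forward marking on session-initiating traffic as it leaves a unit, reverse marking on reply traffic, no marking of traffic a unit originates itself, and a direction enabled without a diffservcode value resetting the DSCP bits to zero). The unit and interface names are the ones from the examples; leaving the two ECN bits untouched is an assumption of the model.

```python
# Model of the example topology: User 1 - FortiGate A - FortiGate B - User 2.

def fortigate(name, near_iface, far_iface, fwd_enable=False, fwd_code=None,
              rev_enable=False, rev_code=None):
    """Describe one unit: its interface facing User 1, its interface facing User 2,
    and the diffserv settings of the policy that the session matches (6-bit strings)."""
    return {"name": name, "near": near_iface, "far": far_iface,
            "fwd_enable": fwd_enable, "fwd_code": fwd_code,
            "rev_enable": rev_enable, "rev_code": rev_code}


def mark(tos, enabled, code):
    """Apply one policy direction to a packet as it leaves the unit."""
    if not enabled:
        return tos                               # disabled: packet passes unchanged
    dscp = int(code, 2) if code else 0           # enabled without a code: bits reset to zero
    return (dscp << 2) | (tos & 0x3)             # assumption: ECN bits are left alone


def sniffer_points(units, terminate_at=None):
    """Observation points from left to right. If the request is addressed to one of
    the units (terminate_at), the path ends at that unit's User 1-facing interface."""
    points = [("User 1", None, None)]
    for unit in units:
        points.append((f"{unit['name']} {unit['near']}", unit, "near"))
        if unit["name"] == terminate_at:
            return points
        points.append((f"{unit['name']} {unit['far']}", unit, "far"))
    points.append(("User 2", None, None))
    return points


def observed_tos(units, terminate_at=None, initial_tos=0x00):
    """Return (point names, request ToS bytes, reply ToS bytes) as a sniffer at each
    point would see them, in the same left-to-right order as the tables above."""
    points = sniffer_points(units, terminate_at)
    request, tos = [], initial_tos
    for _, unit, side in points:
        if side == "far":                        # leaving toward User 2: forward marking
            tos = mark(tos, unit["fwd_enable"], unit["fwd_code"])
        request.append(tos)
    reply, tos = [], 0x00                        # the reply starts unmarked at its origin
    last = len(points) - 1
    for idx in range(last, -1, -1):
        _, unit, side = points[idx]
        if side == "near" and idx != last:       # leaving toward User 1: reverse marking,
            tos = mark(tos, unit["rev_enable"], unit["rev_code"])  # never at the origin
        reply.append(tos)
    reply.reverse()
    return [name for name, _, _ in points], request, reply


def first_words(tos_row):
    """Render ToS bytes as the IPv4 first word shown in the tables (version 4, IHL 5)."""
    return [f"45{tos:02x}" for tos in tos_row]


# The third example above: both directions on FortiGate A, reply only on FortiGate B.
FGT_A = fortigate("FortiGate A", "port6", "port3", fwd_enable=True, fwd_code="101110",
                  rev_enable=True, rev_code="101111")
FGT_B = fortigate("FortiGate B", "wan2", "internal", rev_enable=True, rev_code="101101")

if __name__ == "__main__":
    names, req, rep = observed_tos([FGT_A, FGT_B])
    print(" | ".join(names))
    print("Request:", " | ".join(first_words(req)))
    print("Reply:  ", " | ".join(first_words(rep)))
    # The fourth example: the same policies, but the traffic is addressed to FortiGate B.
    names, req, rep = observed_tos([FGT_A, FGT_B], terminate_at="FortiGate B")
    print("Request:", " | ".join(first_words(req)))
    print("Reply:  ", " | ".join(first_words(rep)))
```

Running the model with the first and second examples' policies (reverse marking disabled on one or both units) reproduces their tables as well; passing a non-zero initial_tos with a direction enabled but no code set shows the reset-to-zero behaviour described earlier in this section.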
ToS and DSCP traffic mapping
There are two types of traffic mapping: Type of Service (ToS) or DSCP (Differentiated Services Code Point). Only one method can be used at a time, with ToS set as the default method. You can set the type used and attributes in the CLI.
To set ToS or DSCP traffic mapping:
config system global
    set traffic-priority {tos | dscp}
    set traffic-priority-level {low | medium | high}
end
Mapping of DSCP and ToS hexadecimal values for QoS
Service Class | DSCP Bits | DSCP Value | ToS Value | ToS Hexadecimal
Network Control | 111000 | 56-63 | 224 | 0xE0
Internetwork Control | 110000 | 48-55 | 192 | 0xC0
Critical – Voice Data (RTP) | 101110 | 46 | 184 | 0xB8
Critical – Voice Data (RTP) | 101000 | 40 | 160 | 0xA0
Flash Override – Video Data | 100010 | 34 | 136 | 0x88
Flash Override – Video Data | 100100 | 36 | 144 | 0x90
Flash Override – Video Data | 100110 | 38 | 152 | 0x98
Flash Override – Video Data | 100000 | 32 | 128 | 0x80
Flash – Voice Control | 011010 | 26 | 104 | 0x68
Flash – Voice Control | 011100 | 28 | 112 | 0x70
Flash – Voice Control | 011110 | 30 | 120 | 0x78
Flash – Voice Control | 011000 | 24 | 96 | 0x60
Immediate – Deterministic (SNA) | 010010 | 18 | 72 | 0x48
Immediate – Deterministic (SNA) | 010100 | 20 | 80 | 0x50
Immediate – Deterministic (SNA) | 010110 | 22 | 88 | 0x58
Immediate – Deterministic (SNA) | 010000 | 16 | 64 | 0x40
Priority – Controlled Load | 001010 | 10 | 40 | 0x28
Priority – Controlled Load | 001100 | 12 | 48 | 0x30
Priority – Controlled Load | 001110 | 14 | 56 | 0x38
Priority – Controlled Load | 001000 | 8 | 32 | 0x20
Routine – Best Effort | 000000 | 0 | 0 | 0x00
Routine – Penalty Box | 000010 | 2 | 8 | 0x08
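Every row of the table above follows from the DSCP value alone: the three high bits are the legacy IP precedence (which gives the service class name), the ToS value is the DSCP shifted left by two, and the standard per-hop-behaviour names from RFC 2474, RFC 2597 and RFC 3246 (CSx, AFxy, EF) identify the code point. The following Python is an added example, not FortiGate code, that computes those columns and checks the table's rows against them; the row data is a constructed copy of the table.

```python
# Classic IP precedence names (RFC 791) for the three high DSCP bits.
PRECEDENCE_NAMES = {
    7: "Network Control", 6: "Internetwork Control", 5: "Critical",
    4: "Flash Override", 3: "Flash", 2: "Immediate", 1: "Priority", 0: "Routine",
}


def phb_name(dscp):
    """Standard code point names: EF (46), the default PHB (0), class selectors
    CSx (xxx000), and assured forwarding AFxy for classes 1-4 with drop
    precedence y in 1..3 (low three bits 010, 100, 110)."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is a 6-bit value")
    if dscp == 46:
        return "EF"
    if dscp == 0:
        return "CS0 (default)"
    cls, low = dscp >> 3, dscp & 0x7
    if low == 0:
        return f"CS{cls}"
    if 1 <= cls <= 4 and low in (2, 4, 6):
        return f"AF{cls}{low // 2}"
    return "unassigned"


def describe_dscp(dscp):
    """One table row computed from the DSCP value alone."""
    tos = dscp << 2                              # DSCP occupies the high six bits of ToS
    return {"dscp_bits": format(dscp, "06b"), "dscp": dscp, "tos": tos,
            "tos_hex": f"0x{tos:02X}", "precedence": PRECEDENCE_NAMES[dscp >> 3],
            "phb": phb_name(dscp)}


# Service class rows from the table above (constructed copy: precedence name, DSCP values).
TABLE_ROWS = [
    ("Network Control", [56]), ("Internetwork Control", [48]),
    ("Critical", [46, 40]), ("Flash Override", [34, 36, 38, 32]),
    ("Flash", [26, 28, 30, 24]), ("Immediate", [18, 20, 22, 16]),
    ("Priority", [10, 12, 14, 8]), ("Routine", [0, 2]),
]


def check_table(rows=TABLE_ROWS):
    """Return (mismatches, hex_values): rows whose DSCP bits do not carry the stated
    precedence, and the ToS hex string for every DSCP value in table order."""
    mismatches, hex_values = [], []
    for precedence, dscps in rows:
        for dscp in dscps:
            info = describe_dscp(dscp)
            if info["precedence"] != precedence:
                mismatches.append((precedence, dscp, info["precedence"]))
            hex_values.append(info["tos_hex"])
    return mismatches, hex_values


if __name__ == "__main__":
    for precedence, dscps in TABLE_ROWS:
        for dscp in dscps:
            row = describe_dscp(dscp)
            print(f"{precedence:21} {row['dscp_bits']} {row['dscp']:2d} "
                  f"{row['tos']:3d} {row['tos_hex']} {row['phb']}")
    print("mismatches:", check_table()[0])
```

The phb column is useful when reading a sniffer: a ToS byte of 0x88 decodes to DSCP 34, which is AF41 (Flash Override class, lowest drop precedence), while 0x80 is CS4 in the same class.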