QoS configuration (advanced)

Author
eric
New Member
  • Total Posts : 1
  • Scores: 0
  • Reward points: 0
  • Joined: 2015/06/23 00:46:26
  • Status: offline
2015/06/23 04:25:54 (permalink)
0

QoS configuration (advanced)

Hello,

I currently use a QoS configuration on a Cisco device and I wish to move this function to a FortiGate firewall (FortiGate 200B v5.2.0).

On the Cisco device, QoS is defined as follows:
- service classes are defined: GOLD (traffic to prioritize) / OTHER (traffic to deprioritize) / SILVER (all other traffic) (policy-map)
- the network traffic is selected by ACL (access-list).
- each ACL is associated with a service class (class-map)
- dedicated ACLs are applied on interfaces

On the FortiGate firewall,
I would like to know how to define the same QoS policy with the following requirements:
- for simple management, I would not like to manage several QoS profiles on the rules.
- Is it possible to configure a global QoS policy somewhere other than in the rule filter configuration?
- on each rule, I would like to manage only a global QoS policy.
- this feature does not seem to be described in the documentation; is it possible to do that? Maybe in CLI configuration mode with dedicated commands?

Thank you for your advice and your help.

Regards,

Eric
#1
ewaizel
Bronze Member
  • Total Posts : 6
  • Scores: 6
  • Reward points: 0
  • Joined: 2015/11/30 14:21:39
  • Status: offline
Re: QoS configuration (advanced) 2015/12/03 10:44:16 (permalink)
0
Eric
Did you find a solution to your request? I'm having a similar requirement.
#2
emnoc
Expert Member
  • Total Posts : 5020
  • Scores: 308
  • Reward points: 0
  • Joined: 2008/03/20 13:30:33
  • Location: AUSTIN TX AREA
  • Status: offline
Re: QoS configuration (advanced) 2015/12/03 12:45:19 (permalink)
0

I would like to know how to define the same QoS policy with the following requirements:
- for simple management, I would not like to manage several QoS profiles on the rules.
- Is it possible to configure a global QoS policy somewhere other than in the rule filter configuration?
- on each rule, I would like to manage only a global QoS policy.
- this feature does not seem to be described in the documentation; is it possible to do that? Maybe in CLI configuration mode with dedicated commands?

 
I know of no way to manage QoS in a global context. You need to apply the QoS per rule and order the firewall policies to ensure the classification takes place.
 
Questions:
 
  1: do you need ONLY classification
  2: do you need a shaping policy
  3: can you do #1 at your hand-off if a switch is in place
 
Since the firewall is a firewall, you will have to apply something to a policy regardless. So I don't know of anything outside of Cisco ASA and Juniper SRX that has a global or interface QoS in a scheduler (shaper) or classifier.
 
Maybe you should ask your FTNT sales team for a feature request.
 

PCNSE,  NSE , Forcepoint ,  StrongSwan Specialist
#3
ewaizel
Bronze Member
  • Total Posts : 6
  • Scores: 6
  • Reward points: 0
  • Joined: 2015/11/30 14:21:39
  • Status: offline
Re: QoS configuration (advanced) 2015/12/03 14:05:39 (permalink)
0
I just published another post related to what I can read between the lines.
 
From the Fortinet documentation I can read:
"If Traffic Shaping is not enabled in the security policy, the FortiGate unit neither limits nor guarantees bandwidth,
and traffic for that session uses the priority queue determined directly by matching the ToS bit in its header with
your configured values".


If this is the case, I understand we can define different global values for ToS or DSCP and an associated priority for each, and as a consequence affect globally which queue is used. Why is this not considered an option?
#4
emnoc
Expert Member
  • Total Posts : 5020
  • Scores: 308
  • Reward points: 0
  • Joined: 2008/03/20 13:30:33
  • Location: AUSTIN TX AREA
  • Status: offline
Re: QoS configuration (advanced) 2015/12/03 14:19:03 (permalink)
0
Yes, if you set "set traffic-priority tos" then you can use ToS, BUT you need to set the ToS values. Everything by default is set as value 0 and high.
 
 

config system tos-based-priority
    edit 1
        set tos 0
        set priority low
    next
    edit 2
        set tos 5
        set priority high
    next
end

 
But this might not be a good approach: if your end-users' ToS value were trusted, they could all set the value to tos 5 in the above example and hit the high PQ.
 
 

PCNSE,  NSE , Forcepoint ,  StrongSwan Specialist
#5
ewaizel
Bronze Member
  • Total Posts : 6
  • Scores: 6
  • Reward points: 0
  • Joined: 2015/11/30 14:21:39
  • Status: offline
Re: QoS configuration (advanced) 2015/12/03 17:17:50 (permalink)
5 (1)
Emnoc, I appreciate your feedback.
I can tell you that in my case I already have a clearly defined QoS trust boundary. My switches and routers are in charge of doing all the trusting or re-marking of DSCP values. I just need the FW to trust these and queue according to the DSCP values; as simple as that.
 
So you acknowledge this approach can fly. The only problem I'm finding is the lack of commands to monitor the egress queues.
 
FYI, I'm following a DSCP approach present in ver 5.2.
By default I find all flows are considered medium priority. I changed this to low. A few flows are then classified with a higher priority, for example DSCP=EF.
These are my commands, in case you have comments.
 
config system global
    set traffic-priority dscp
    set traffic-priority-level low
end
 
config system dscp-based-priority
    edit 46
        set ds 46
        set priority high
    next
end
#6
emnoc
Expert Member
  • Total Posts : 5020
  • Scores: 308
  • Reward points: 0
  • Joined: 2008/03/20 13:30:33
  • Location: AUSTIN TX AREA
  • Status: offline
Re: QoS configuration (advanced) 2015/12/03 20:48:00 (permalink)
0

By default I find all flows are considered medium priority. I changed this to low. A few flows are then classified with a higher priority, for example DSCP=EF.

 
Just curious, how are you determining the above? (a diag or get cmd)
 
One problem with FGT: they have no show commands that let you see the servicing of a low, medium or high queue, and piss-poor documentation on a PQ if it even exists.
 
Ken

PCNSE,  NSE , Forcepoint ,  StrongSwan Specialist
#7
ewaizel
Bronze Member
  • Total Posts : 6
  • Scores: 6
  • Reward points: 0
  • Joined: 2015/11/30 14:21:39
  • Status: offline
Re: QoS configuration (advanced) 2015/12/04 09:40:40 (permalink) (marked Helpful by emnoc 2015/12/04 10:49:39)
5 (1)
To check the active priorities in ver 5.2 you can use:
 
diagnose sys traffic-priority list
 
Here is the output produced by this (after setting everything to low, with some specific cases set to medium or high).
 
Traffic priority type is set to DSCP (DiffServ).
00:low    01:low    02:low    03:low    04:low    05:low    06:low    07:low
08:low    09:low    10:low    11:low    12:low    13:low    14:low    15:low
16:low    17:low    18:low    19:low    20:low    21:low    22:low    23:low
24:low    25:low    26:low    27:low    28:low    29:low    30:low    31:low
32:low    33:low    34:medium 35:low    36:low    37:low    38:low    39:low
40:high   41:low    42:low    43:low    44:low    45:low    46:high   47:low
48:low    49:low    50:low    51:low    52:low    53:low    54:low    55:low
56:high   57:low    58:low    59:low    60:low    61:low    62:low    63:low
 
Note: in version 5.0 the equivalent command is the following. By default queue 1 (medium priority) is used.
diagnose sys tos-based-priority list
1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1
#8
emnoc
Expert Member
  • Total Posts : 5020
  • Scores: 308
  • Reward points: 0
  • Joined: 2008/03/20 13:30:33
  • Location: AUSTIN TX AREA
  • Status: offline
Re: QoS configuration (advanced) 2015/12/04 10:49:25 (permalink)
0
Thanks, that was helpful info. Here's a 5.2.3 firewall with TOS set.
 
FIERDALTX01 (global) # diagnose sys traffic-priority list
Traffic priority type is set to TOS.
00:medium 01:medium 02:medium 03:medium 04:medium 05:medium 06:medium 07:medium
08:medium 09:medium 10:medium 11:medium 12:medium 13:medium 14:medium 15:medium
  
Thanks

PCNSE,  NSE , Forcepoint ,  StrongSwan Specialist
#9
Dustin
New Member
  • Total Posts : 19
  • Scores: 0
  • Reward points: 0
  • Joined: 2015/12/22 17:04:17
  • Status: offline
Re: QoS configuration (advanced) 2016/01/15 21:57:22 (permalink)
0
I have a related question in OS 5.4.
 
In Policy Rules > ToS you can set Bit pattern and Bit mask. They look like hex values but I'm not sure what to set.
 
I'm looking to prioritize traffic for VoIP, so I would want Minimum Delay and Maximum Reliability, but would I set that value as a pattern or as a mask? Would I use traditional ToS manipulation (like 0x14) or CoS/DSCP (like 0xB8)?
 
Thanks
#10
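Added example (editor's Python, not code from any post in this thread and not Fortinet's): the bit arithmetic that ties the thread together. It parses the `diagnose sys traffic-priority list` output that ewaizel and emnoc pasted above into a lookup table, converts between DSCP codepoints and the ToS byte behind Dustin's 0x14-versus-0xB8 question (EF is DSCP 46, and 46 << 2 = 0xB8; 0x14 is the RFC 1349 "minimize delay" bit 0x10 plus "maximize reliability" bit 0x04), builds a pattern/mask pair for each style of match, and applies the trust-boundary step emnoc raised: marks arriving on an untrusted interface are re-marked before the queue lookup, so an end user cannot self-promote into the high queue. Assumptions, labelled in the code: that the policy ToS match compares only the bits selected by the mask, that a TOS-mode table is indexed by the 4-bit RFC 1349 ToS field, and hypothetical interface names; the two diagnose outputs are copied from the posts above, the packets are constructed.

```python
"""DSCP/ToS arithmetic and priority-table parsing for FortiGate-style
priority queuing. Added example for this thread, not code from any post
or from Fortinet; inputs are constructed except where noted."""
import re

# RFC 1349 flag bits of the IPv4 ToS byte. DSCP now occupies the top six
# bits of the same byte and ECN the bottom two.
MIN_DELAY = 0x10
MAX_RELIABILITY = 0x04
LEGACY_TOS_MASK = 0x1E  # delay | throughput | reliability | cost bits
DSCP_MASK = 0xFC        # selects the DSCP bits, ignores ECN

def dscp_to_tos(dscp):
    """ToS byte carrying this DSCP with ECN clear (EF = 46 -> 0xB8)."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP must be 0..63")
    return dscp << 2

def tos_to_dscp(tos):
    """DSCP codepoint carried in a ToS byte (0xB8 -> 46)."""
    return (tos >> 2) & 0x3F

def dscp_match(dscp):
    """(pattern, mask) that matches one DSCP whatever the ECN bits are."""
    return dscp_to_tos(dscp), DSCP_MASK

def legacy_tos_match(flags):
    """(pattern, mask) that requires exactly these RFC 1349 flag bits."""
    return flags & LEGACY_TOS_MASK, LEGACY_TOS_MASK

def matches(tos, pattern, mask):
    """Assumed policy semantics: compare only the bits selected by mask."""
    return (tos & mask) == (pattern & mask)

_ENTRY = re.compile(r"\b(\d{2}):(low|medium|high)\b")

def parse_priority_list(text):
    """Parse 'diagnose sys traffic-priority list' output into (mode, table);
    mode is 'DSCP' (64 entries) or 'TOS' (16), table maps index -> queue."""
    hdr = re.search(r"type is set to (DSCP|TOS)", text)
    if not hdr:
        raise ValueError("no 'Traffic priority type' header found")
    table = {int(i): q for i, q in _ENTRY.findall(text)}
    expected = 64 if hdr.group(1) == "DSCP" else 16
    if len(table) != expected:
        raise ValueError(f"expected {expected} entries, parsed {len(table)}")
    return hdr.group(1), table

def queue_for(tos, mode, table):
    """Queue a ToS byte lands in. For TOS mode the table index is assumed
    to be the 4-bit RFC 1349 ToS field (bits 3..6 of the byte)."""
    idx = tos_to_dscp(tos) if mode == "DSCP" else (tos >> 1) & 0x0F
    return table[idx]

def classify(packets, mode, table, trusted_ifaces, remark_dscp=0):
    """Enforce a trust boundary before the queue lookup: marks arriving on
    an untrusted interface are rewritten to remark_dscp, so a host cannot
    promote itself into the high queue by setting EF on its own packets."""
    out = []
    for name, iface, tos in packets:
        if iface not in trusted_ifaces:
            tos = dscp_to_tos(remark_dscp) | (tos & 0x03)  # keep ECN bits
        out.append((name, tos_to_dscp(tos), queue_for(tos, mode, table)))
    return out

# Output copied from ewaizel's post in this thread (DSCP mode).
DIAG_OUTPUT = """Traffic priority type is set to DSCP (DiffServ).
00:low    01:low    02:low    03:low    04:low    05:low    06:low    07:low
08:low    09:low    10:low    11:low    12:low    13:low    14:low    15:low
16:low    17:low    18:low    19:low    20:low    21:low    22:low    23:low
24:low    25:low    26:low    27:low    28:low    29:low    30:low    31:low
32:low    33:low    34:medium 35:low    36:low    37:low    38:low    39:low
40:high   41:low    42:low    43:low    44:low    45:low    46:high   47:low
48:low    49:low    50:low    51:low    52:low    53:low    54:low    55:low
56:high   57:low    58:low    59:low    60:low    61:low    62:low    63:low"""

# Output copied from emnoc's post (TOS mode, 16 entries, all default).
TOS_OUTPUT = """Traffic priority type is set to TOS.
00:medium 01:medium 02:medium 03:medium 04:medium 05:medium 06:medium 07:medium
08:medium 09:medium 10:medium 11:medium 12:medium 13:medium 14:medium 15:medium"""

# Constructed packets: (name, ingress interface, ToS byte); interface
# names are hypothetical.
SAMPLE_PACKETS = [
    ("voice-from-switch", "port1", dscp_to_tos(46)),      # EF from the trusted switch
    ("voice-from-guest", "port5", dscp_to_tos(46)),       # EF self-marked on an untrusted segment
    ("web-from-switch", "port1", dscp_to_tos(0) | 0x02),  # best effort with an ECN bit set
]

def demo():
    """Run the constructed packets through the DSCP table with port1 trusted."""
    mode, table = parse_priority_list(DIAG_OUTPUT)
    return classify(SAMPLE_PACKETS, mode, table, trusted_ifaces={"port1"})

if __name__ == "__main__":
    print("EF match: pattern=0x%02X mask=0x%02X" % dscp_match(46))
    print("min-delay+max-reliability: pattern=0x%02X mask=0x%02X"
          % legacy_tos_match(MIN_DELAY | MAX_RELIABILITY))
    for name, dscp, queue in demo():
        print(f"{name:18} dscp={dscp:2d} queue={queue}")
```

Running it shows the guest-segment "EF" packet landing in the low queue after re-marking while the same mark from the trusted switch reaches the high queue, and prints the two pattern/mask pairs: 0xB8/0xFC to match EF on the DSCP bits only, 0x14/0x1E to match the two legacy flag bits.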