I would like to know how to define the same QoS policy with following requirements: - for a simple managing, I wouldn't like manage several QoS profile on the rules. - Is it possible to configure a global QoS policy in other place than rule filter configuration ? - on each rule, I would like to manage only a global QoS policy. - this feature seems not describe in the documentation, is it possible to do that ? May be in CLI configuration mode with dedicated commands ?

I know of no way to manager QoS in a global context. You need to apply the QoS per rules and order  the fw-policy to ensure the classification takes place.

Qs;

  1: do you need ONLY classification

  2: do you need shaping-policy

  3: can you do #1 at your hand-off if a switch is in place

Since the firewall is a firewall , you will have to apply something to a policy regardless. So I don't know of anything outside of cisco ASA & juniper SRX  that has a global or interface QoS in a scheduler ( shaper ) or classifier.

Maybe you should ask your FTNT-sales teams for a feature request.

I just published another post related to what I can read in between lines.

From the Fortinet documentation I can read:

"If Traffic Shaping is not enabled in the security policy, the FortiGate unit neither limits nor guarantees bandwidth, and traffic for that session uses the priority queue determined directly by matching the ToS bit in its header with your configured values".

If this is the case, I understand we can define different global values for ToS or DSCP and an associated priority for each and as a consequence affect globally which queue is used.  Why is this not considered an option?

yes if you set  "set traffic-priority tos" than you can use TOS,  BUT you need to set the  tos values. Everything by default is set as  value0 and high.

config system tos-based-priority edit 1   set tos 0   set priority low  next

edit 2 set tos 5 set priority high next end

But this might not be a good approach if your end-users TPOS value was  trusted they could all set the  value to   tos 5 in the above example and hit the high-PQ.

Emnoc, I appreciate your feedback.

I can tell you in my case I already have a clearly defined QoS trust boundary. My switches and routers are in charge of doing all the trusting or re-markings of DSCP values. I just need the FW to trust these and queue according to the DSCP values; as simple as that.

So you acknowledge this approach can fly. The only problem I'm finding is the lack of commands to monitor the egress queues.

FYI, I'm following a DSCP approach present in ver 5.2.

By default I find all flows are considered medium priority. I changed this to low. Few flows are then classified with a higher priority. For example DSCP=EF.

These are my commands and case you have comments.

end

By default I find all flows are considered medium priority. I changed this to low. Few flows are then classified with a higher priority. For example DSCP=EF.

Just curious how are determining the above?  ( a diag or get cmd )

One problem with FGT, they have no show commands that let you see the servicing of a low medium or high queue and piss-poor documentation on a PQ if it even exists.

Ken

Thanks that was helpful  info. Here'sa  5.2.3  firewall with TOS set.

FIERDALTX01 (global) # diagnose sys traffic-priority list

Traffic priority type is set to TOS. 00:medium 01:medium 02:medium 03:medium 04:medium 05:medium 06:medium 07:medium 08:medium 09:medium 10:medium 11:medium 12:medium 13:medium 14:medium 15:medium

Thanks

I have a related question in OS 5.4.

In Policy Rules > ToS you can set Bit pattern and Bit mask. It looks like Hex values but I'm not sure what to set. 

I'm looking to prioritize traffic for VoIP so I would want Minimum Delay and Maximum Reliability but would I set that value as a pattern or mask? Would I use traditional ToS manipulation (like 0x14) or as CoS/DSCP (like 0xB8)?

Thanks