- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Working example is set-tos needed
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Working example is set-tos needed
Hello,
I need a working example of setting two firewall shaping-policies to match DSCP EF and AF43 respectively. I don't understand how to use the commands set tos-mask and set tos as explained in CLI ref. for 6.2 (the examples and the documentation is pure crap IMHO). I'm thinking of using set tos-mask 0xc0 and set tos 0xb8 for EF and set tos 0x98. Do you think this is correct or should I use different values?
Thanks
Andreas
14 REPLIES 14
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Looks like they changed QoS again with 6.2 (last time was 5.4). I need to read the documentation through again and more importantly test it before upgrading our entire FGT fleet and new deployment to 6.2. Thank you for a wakeup call.
At this moment, my guess is similar to yours but if I want to match those all 6 bits in the tos byte, like 0xb8 (101110xx), I would use tos-mask 0xfc (11111100). But I might be completely wrong.
I strongly recommend you open a ticket with TAC to get the right answer, including other part of QoS operation w/ 6.2.
We probably wouldn't need to use this DSCP matching unless they eliminated the system level DSCP mapping. But who knows. We'll likely open multiple tickets ourselves to figure them out.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Based on my research so far, looks like they're trying to consolidate/unify terminology/syntax related to TOS/DSCP to TOS only. ex) They changed the syntax for firewall policy/SD-WAN rule from dscp-match/dscp-value/dscp-negate to tos-mask/tos/tos-negate with 6.2. There is no explanation at Traffic Shaping section of 6.2 cookbook (no handbook available yet) but at SD-WAN/DSCP matching section
https://docs.fortinet.com/document/fortigate/6.2.0/new-features/159007/dscp-matching-shaping
So my assumption in the previous post seems to be correct and when you need to match/handle DSCP bits (upper 6bits), you need to mask the TOS byte (8bits) and use [DSCP value x 4] to match what you're looking for. I have a ticket opened related to this at TAC. So I'll verify this and update this thread.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Toshi,
Yes, I know this document. It confused me more than it clarified things to me... Let me know how it goes with the ticket you opened.
Thanks
Andreas
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
it's totally depending on what exactly you need to do for your specific situation (almost every QoS needing situation is unique), but to me below is the most important page in the traffic shaping section of the Cookbook.
The architecture has two clasification/prioritization points in a FGT: ingress point and after when shaping-policies are examined. And both classification points affect to which one of 6 queues each packet is queued at the egress interface. This was never explained before anywhere until 6.0 handbook, which I found out after I read your original post (again, thanks).
You might just need to do ingress classification only and skip all shaping-policy part if your requirements of QoS isn't so specific unless it's in multi-vdom environment. This part is system global setting.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
All I want to do is to simply match DSCP EF and AF43. I'm not sure how the set tos-mask works and the original documentation did not help me at all to understand this either. The examples were confusing too...
The documentation says: "tos-mask <mask_value> Non-zero bit positions are used for comparison. Zero bit positions are ignored (default = 0x00)."
What do I understand with that? NOTHING...
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It's simply reiterating how bitwise operation would work. Exactly in the same way with subnet-mask works. For DSCP, you need to match the top 6 bits. So in binary the mask need to be "11111100" (=0xfc).
The main question is what you want to do (how you want to queue) with the matching. EF and AF43 packets into Queue0? The rest to be in Queue 2? Without setting any guaranteed bandwidth to other types of traffic? Then I wouldn't use shaping-policy, but do everything at ingress point. I'm assuming you don't have multiple vdoms.
config sys global set traffic-priority dscp set traffic-priority-level low (=2) <- default is high (=0). you need to change it. end config sys dscp-based-priority edit 46 set ds 46
set priority high (=0) <- default value next
edit 38
set ds 38
set priority high (=0)
next end
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
an update: I'm still working with Level3 TAC person and testing FGT's behavior with tos/tos-mask in shaping-policies. So far it's not working as either of us expects.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
My problem with tos/tos-mask not working as expected was because I didn't disable SIP session-helper/ALG. Now it's working as configured (It added us another reason not to use the session-helper/ALG).
My original config was confirmed. The tos/tos-mask in shaping-policy is 8 bit TOS Byte, not 4 bit TOS filed. So if you're matching with DSCP codes, tos-mask needs to be 0xfc(11111100). Then tos can be 0xb8 (EF for RTP), 0x68 (AF31 for SIP), or other values.
However, you need to be aware of FGT's QoS operation; initial prioritization at ingress, 0 - 2, 0(high) is the default, which you can change per incoming DSCP code under "config sys dscp-based-priority" after specifying "config sys global/set traffic-priority dscp", and policy-based (with shaping-policy+shaper) priority adjustment, +1 - +2.
So if you just want to put specific traffic like EF and AF31 to the highest priority queue (0) only based on incoming DSCP codes while putting the rest into a lower queue, you should do it at the global dscp-based-priority. Because that's the only way to put them in queue0. If you use shaping-policies instead, the highest is queue1 (initial '0' +1). But that method is still valid because you can keep the relative priorities between traffic types (DSCP codes) if you match 'tos' and set priorities properly.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello there.
I have a wan link and my packets are already marked with DSCP earlier, closer to the source.
By implementing shaping profiles with shaping policies that match dscp values with tos and tos mask (0xfc) i try to give maximum and guaranteed bw to certain flows crossing the wan link.
The problem is that it seems tos and tos mask do not always match to my marked packets. Is it possible that i have to enable "config sys global/set traffic-priority dscp" ? I do not want to do global prioritisation just make the profiles work.
Thank you
Related Posts
- ZTNA not working. Help please. 34 Views
- FortiClient EMS Server update port only... 63 Views
- Cisco Trunk port to Fortiswitch 286 Views
- Hub-Spoke With Redundant Tunnels 75 Views
- Fortinet Firewall shows 100Mbps (100%) bandwidth... 193 Views
Labels
-
FortiGate
6,457 -
FortiClient
1,290 -
5.2
801 -
5.4
639 -
FortiManager
562 -
6.0
416 -
FortiAnalyzer
411 -
5.6
362 -
FortiSwitch
331 -
FortiAP
327 -
FortiClient EMS
259 -
6.2
251 -
FortiMail
239 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
148 -
6.4
128 -
FortiNAC
103 -
FortiGuard
102 -
FortiGateCloud
86 -
FortiSIEM
85 -
FortiCloud Products
82 -
FortiToken
69 -
Customer Service
69 -
IPsec
68 -
4.0MR3
64 -
Wireless Controller
58 -
SSL-VPN
54 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
38 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
30 -
FortiSwitch v6.4
28 -
FortiConnect
23 -
SD-WAN
23 -
FortiWAN
22 -
FortiConverter
21 -
High Availability
20 -
Firewall policy
20 -
VLAN
18 -
FortiPortal
17 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
Certificate
14 -
FortiDDoS
13 -
Routing
12 -
FortiCASB
12 -
SAML
11 -
BGP
11 -
DNS
11 -
Interface
11 -
FortiGate v5.0
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
LDAP
9 -
FortiManager v5.0
9 -
4.0MR2
9 -
Logging
9 -
RADIUS
8 -
Traffic shaping
8 -
Virtual IP
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
NAT
7 -
FortiAuthenticator
7 -
Admin
7 -
FortiGate v4.0 MR3
7 -
4.0
7 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
SSID
5 -
Security profile
5 -
Traffic shaping policy
5 -
Authentication
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
Static route
5 -
FortiManager v4.0
5 -
FortiDirector
4 -
SSL SSH inspection
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
packet capture
3 -
FortiToken Cloud
3 -
Automation
3 -
Intrusion prevention
3 -
DoS policy
3 -
FortiTester
3 -
Port policy
3 -
FortiDB
3 -
IPS signature
3 -
FortiDeceptor
2 -
FortiInsight
2 -
Antivirus profile
2 -
VoIP profile
2 -
Traffic shaping profile
2 -
Web profile
2 -
FortiAP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
trunk
2 -
NAC policy
1 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
Application signature
1 -
Authentication rule and scheme
1 -
Multicast routing
1 -
Zone
1 -
FortiManager-VM
1 -
Fabric connector
1 -
Internet Service Database
1 -
Fortinet Engage Partner Program
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.