Re: Working example is set-tos needed
My problem with tos/tos-mask not working as expected was because I didn't disable SIP session-helper/ALG. Now it's working as configured (It added us another reason not to use the session-helper/ALG).
My original config was confirmed. The tos/tos-mask in shaping-policy is 8 bit TOS Byte, not 4 bit TOS filed. So if you're matching with DSCP codes, tos-mask needs to be 0xfc(11111100). Then tos can be 0xb8 (EF for RTP), 0x68 (AF31 for SIP), or other values.
However, you need to be aware of FGT's QoS operation; initial prioritization at ingress, 0 - 2, 0(high) is the default, which you can change per incoming DSCP code under "config sys dscp-based-priority" after specifying "config sys global/set traffic-priority dscp", and policy-based (with shaping-policy+shaper) priority adjustment, +1 - +2.
So if you just want to put specific traffic like EF and AF31 to the highest priority queue (0) only based on incoming DSCP codes while putting the rest into a lower queue, you should do it at the global dscp-based-priority. Because that's the only way to put them in queue0. If you use shaping-policies instead, the highest is queue1 (initial '0' +1). But that method is still valid because you can keep the relative priorities between traffic types (DSCP codes) if you match 'tos' and set priorities properly.