Example
In this example, an ICMP ping is executed between User 1and FortiGate B, through a FortiGate unit. DSCP is disabled on FortiGate B, and FortiGate A contains the following configuration:
config firewall policy
edit 2
set srcintf port6
set dstintf port3
set src addr all
set dstaddr all
set action accept
set schedule always
set service ANY
set diffserv-forward enable
set diffservcode-forward 101110
end
As a result, FortiGate A changes the DSCP field for outgoing traffic, but not to its reply traffic. The binary DSCP values used map to the following hexadecimal
TOS field values, which are observable by a sniffer (also known as a packet tracer):
• DSCP 000000 is TOS field 0x00
• DSCP 101110 is TOS field 0xb8, the recommended DSCP value for expedited forwarding (EF)
If you performed an ICMP ping between User 1 and User 2, the following output illustrates the IP headers for the request and the reply by sniffers on each of FortiGate unit’s network interfaces. The right-most two digits of each IP header are the TOS field, which contains the DSCP value.
