DSCP marking in firewall shaping policies
Use the diffserv-forward and diffserv-reverse fields in a firewall shaping policy to perform DSCP marking, which changes the Differentiated Services Code Point (DSCP) tag on egress traffic. Traffic is allowed or blocked according to the DSCP values in the incoming packets. When DSCP marking configured on both a firewall shaper traffic-shaper and a firewall shaping-policy applies to the same session, the shaper traffic-shaper setting overrides the shaping-policy setting.
The following CLI variables in config firewall shaping-policy are used to mark the packets:
| Variable | Description |
| --- | --- |
| diffserv-forward {enable \| disable} | Enable/disable changing a packet's DiffServ values to the value specified in |
| diffservcode-forward <dscp_value> | The value that the packet's DiffServ is set to (default = 000000). This variable is only available when |
| diffserv-reverse {enable \| disable} | Enable/disable changing a packet's reverse (reply) DiffServ values to the value specified in |
| diffservcode-rev <dscp_value> | The value that the packet's reverse (reply) DiffServ is set to (default = 000000). This variable is only available when |
Example
A FortiProxy has a traffic shaping policy that marks traffic from the QA team with a DSCP value of 100000 and marks the reverse (reply) traffic with 000011. To configure the FortiProxy:
config firewall shaping-policy
    edit 1
        set name "QA Team 50MB"
        set service "ALL"
        set dstintf "port3"
        set traffic-shaper "50MB/s"
        set traffic-shaper-reverse "50MB/s"
        set diffserv-forward enable
        set diffserv-reverse enable
        set srcaddr "QA"
        set dstaddr "all"
        set diffservcode-forward 100000
        set diffservcode-rev 000011
    next
end
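To confirm on a packet capture that egress traffic actually carries the marks set above, the following added Python helper (not part of the FortiProxy documentation) converts the six-bit DSCP strings the CLI accepts into the IPv4 TOS/DS byte and the standard per-hop-behaviour name, and checks the DSCP carried in a raw IPv4 header. The sample headers are constructed inline rather than captured.

```python
import ipaddress
import struct


def dscp_bits_to_int(bits: str) -> int:
    """Convert the six-digit binary DSCP string used by the CLI (e.g. "100000") to 0-63."""
    if len(bits) != 6 or any(c not in "01" for c in bits):
        raise ValueError(f"DSCP value must be six binary digits, got {bits!r}")
    return int(bits, 2)


def dscp_to_tos_byte(dscp: int) -> int:
    # DSCP occupies the upper six bits of the IPv4 TOS byte; the low two bits are ECN.
    return (dscp & 0x3F) << 2


def dscp_name(dscp: int) -> str:
    """Map a DSCP value to its PHB name (RFC 2474 class selectors, RFC 2597 AF, RFC 3246 EF)."""
    names = {0: "CS0/BE", 8: "CS1", 16: "CS2", 24: "CS3", 32: "CS4",
             40: "CS5", 48: "CS6", 56: "CS7", 46: "EF"}
    for cls in range(1, 5):          # AFxy = 8*x + 2*y, x = class, y = drop precedence
        for drop in range(1, 4):
            names[8 * cls + 2 * drop] = f"AF{cls}{drop}"
    return names.get(dscp, f"DSCP{dscp}")


def dscp_from_ipv4_header(hdr: bytes) -> int:
    """Extract the DSCP field from a raw IPv4 header (second byte is TOS/DS)."""
    if len(hdr) < 20 or hdr[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    return hdr[1] >> 2


def check_marking(hdr: bytes, expected_bits: str) -> bool:
    """True if the header carries the DSCP configured in the policy (CLI string form)."""
    return dscp_from_ipv4_header(hdr) == dscp_bits_to_int(expected_bits)


def build_ipv4_header(dscp_bits: str, src: str = "10.1.1.10", dst: str = "10.2.2.20") -> bytes:
    """Constructed minimal IPv4/TCP header with the given DSCP, standing in for a captured packet."""
    tos = dscp_to_tos_byte(dscp_bits_to_int(dscp_bits))
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20, 0, 0, 64, 6, 0,
                       ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)


if __name__ == "__main__":
    fwd = build_ipv4_header("100000")      # QA -> port3 direction from the policy above
    rev = build_ipv4_header("000011", "10.2.2.20", "10.1.1.10")
    print("forward:", dscp_name(dscp_from_ipv4_header(fwd)), check_marking(fwd, "100000"))
    print("reverse:", dscp_name(dscp_from_ipv4_header(rev)), check_marking(rev, "000011"))
```

The forward value 100000 is DSCP 32 (CS4, TOS byte 0x80); the reverse value 000011 is DSCP 3, which has no standard PHB name, so a mismatch in either direction on a capture points at the shaper traffic-shaper overriding the shaping policy.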