DSCP value

The firewall only marks outgoing IPv4 or IPv6 traffic with the Differentiated Services Code Point (DSCP) value configured in the firewall rule so upstream routers in the path can prioritize traffic. It doesn't classify the traffic for prioritization.

Behavior

The firewall's behavior regarding DSCP values is as follows:

  • The firewall doesn't mark the DSCP value of reply traffic.
  • The firewall doesn't mark traffic coming from the firewall itself.
  • When incoming traffic already has a DSCP value, the firewall overwrites it with the DSCP value configured in the firewall rule.

DSCP values

Decimal  DSCP     Description
0        Default  Best Effort
8        CS1      Class 1 (CS1)
10       AF11     Class 1, Gold (AF11)
12       AF12     Class 1, Silver (AF12)
14       AF13     Class 1, Bronze (AF13)
16       CS2      Class 2 (CS2)
18       AF21     Class 2, Gold (AF21)
20       AF22     Class 2, Silver (AF22)
22       AF23     Class 2, Bronze (AF23)
24       CS3      Class 3 (CS3)
26       AF31     Class 3, Gold (AF31)
28       AF32     Class 3, Silver (AF32)
30       AF33     Class 3, Bronze (AF33)
32       CS4      Class 4 (CS4)
34       AF41     Class 4, Gold (AF41)
36       AF42     Class 4, Silver (AF42)
38       AF43     Class 4, Bronze (AF43)
40       CS5      Class 5 (CS5)
46       EF       Expedited Forwarding (EF)
48       CS6      Control (CS6)
56       CS7      Control (CS7)

Example

An ICMP echo request is sent from a host to a public DNS server with an IP address of 8.8.8.8. A firewall rule with a DSCP value of 26-Class 3, Gold (AF31) is applied to the outgoing traffic for the ICMP service.

Network diagram.

The firewall rule configuration is as follows:

  • Source zones: LAN
  • Source networks and devices: Any
  • Destination zones: WAN
  • Destination networks: Any
  • Services: ICMP
  • DSCP marking: 26-Class 3, Gold (AF31)

Behavior

The firewall marks the DSCP field for the outgoing traffic. A packet capture on the firewall's WAN interface shows that the outgoing traffic is marked as DSCP: AF31. The upstream routers on the path then apply the DSCP value marked by the firewall.

Incoming traffic is marked as DSCP: CS0 (Default). This is expected behavior since the firewall rule marks the DSCP value only for outgoing traffic and not for reply traffic.

Traffic flow.
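
To confirm the marking from a packet capture, the DSCP value can be read directly from the IP header: it is the upper six bits of the IPv4 ToS byte or of the IPv6 Traffic Class. The following is an added example, not part of the original documentation; the function names are hypothetical, the packets are constructed samples, and 192.0.2.10 is an assumed placeholder for the firewall's WAN address.

```python
import socket
import struct

# Decimal DSCP value -> name, copied from the table on this page.
DSCP_NAMES = {
    0: "Default", 8: "CS1", 10: "AF11", 12: "AF12", 14: "AF13",
    16: "CS2", 18: "AF21", 20: "AF22", 22: "AF23",
    24: "CS3", 26: "AF31", 28: "AF32", 30: "AF33",
    32: "CS4", 34: "AF41", 36: "AF42", 38: "AF43",
    40: "CS5", 46: "EF", 48: "CS6", 56: "CS7",
}

def dscp_of(packet: bytes) -> int:
    """Return the 6-bit DSCP value from a raw IPv4 or IPv6 header."""
    if len(packet) < 2:
        raise ValueError("need at least the first two header bytes")
    version = packet[0] >> 4
    if version == 4:
        ds_byte = packet[1]                      # IPv4 ToS / DS field
    elif version == 6:
        # IPv6 Traffic Class straddles the first two bytes.
        ds_byte = ((packet[0] & 0x0F) << 4) | (packet[1] >> 4)
    else:
        raise ValueError(f"not an IP packet (version {version})")
    return ds_byte >> 2                          # low 2 bits are ECN

def dscp_name(packet: bytes) -> str:
    """Map a packet's DSCP value to the name used in the table."""
    value = dscp_of(packet)
    return DSCP_NAMES.get(value, f"unlisted ({value})")

def ipv4_header(src: str, dst: str, dscp: int) -> bytes:
    """Build a constructed 20-byte IPv4 header for ICMP (checksum left 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, dscp << 2, 28, 1, 0, 64, 1, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

# Constructed samples: 192.0.2.10 stands in for the firewall's WAN address.
ECHO_REQUEST = ipv4_header("192.0.2.10", "8.8.8.8", 26)  # marked by the rule
ECHO_REPLY = ipv4_header("8.8.8.8", "192.0.2.10", 0)     # reply, not marked
IPV6_MARKED = struct.pack("!I", (6 << 28) | ((26 << 2) << 20)) + bytes(36)

if __name__ == "__main__":
    for label, pkt in [("request", ECHO_REQUEST), ("reply", ECHO_REPLY),
                       ("ipv6", IPV6_MARKED)]:
        print(f"{label:8} DSCP {dscp_of(pkt):2} {dscp_name(pkt)}")
```

A DSCP of 26 appears on the wire as a ToS byte of 0x68, because the value is shifted left past the two ECN bits.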