Configure QoS

Previous

Next

Follow these steps to configure Quality of Service (QoS), which includes creating a
QoS profile, creating a QoS policy, and enabling QoS on an interface.

1. Identify the traffic you want to manage with QoS.

This example shows how to use QoS to limit web browsing.

Select

ACC

to view the

Application Command Center

page. Use the settings and charts on the

ACC

page to view trends and traffic related to Applications, URL filtering, Threat
Prevention, Data Filtering, and HIP Matches.

Click any application name to display detailed application information.

2. Identify the egress interface for applications that you want to receive QoS
treatment.

The egress interface for traffic depends on the traffic flow. If you are shaping
incoming traffic, the egress interface is the internal-facing interface. If you
are shaping outgoing traffic, the egress interface is the external-facing
interface.

Select

Monitor

Logs

Traffic
to view the Traffic logs.

To filter and only show logs for a specific application:

o If an entry is displayed for the application, click the underlined link in

the Application column then click the Submit icon.
o If an entry is not displayed for the application, click the Add Log icon
and search for the application.

The

Egress I/F

in the traffic logs displays each application’s egress interface. To display the

Egress I/F

column if it is not displayed by default:

o Click any column header to add a column to the log:

o Click the spyglass icon to the left of any entry to display a detailed log
that includes the application’s egress interface listed in the Destination
section:
3. Add a QoS policy rule.

A QoS policy rule defines the traffic to receive QoS treatment. The firewall
assigns a QoS class of service to the traffic matched to the policy rule.

Because QoS is enforced on traffic as it egresses the firewall, your QoS policy
rule is applied to traffic after the firewall has enforced all other security policy
rules, including Network Address Translation (NAT) rules. If you want to apply
QoS treatment to traffic based on source, you must specify the post-NAT
source address in a QoS policy rule (do not use the pre-NAT source address).

1. Select

Policies

QoS

and

Add

a new policy rule.

2. On the

General

tab, give the QoS Policy Rule a descriptive

Name

3. Specify traffic to receive QoS treatment based on

Source

Destination

Application

Service/URL Category
 , and

DSCP/ToS

values (the

DSCP/ToS

settings allow you to Enforce QoS Based on DSCP Classification).

For example, select the

Application

, click

Add

, and select

web-browsing

to apply QoS to web browsing traffic.

4. (

Optional

) Continue to define additional parameters. For example, select

Source

and

Add

Source User

to provide QoS for a specific user’s web traffic.

5. Select

Other Settings

and assign a

QoS Class
 to traffic matching the policy rule. For example, assign Class 2 to the
user1’s web traffic.

6. Click

OK

4. Add a QoS profile rule.

A QoS profile rule allows you to define the eight classes of service that traffic
can receive, including priority, and enables QoS Bandwidth Management.

You can edit any existing QoS profile, including the default, by clicking the
QoS profile name.

0. Select

Network

Network Profiles

QoS Profile

and

Add

a new profile.

1. Enter a descriptive

Profile Name

2. Set the overall bandwidth limits for the QoS profile rule:
▪ Enter an

Egress Max

value to set the overall bandwidth allocation for the QoS profile
rule.

▪ Enter an

Egress Guaranteed
 value to set the guaranteed bandwidth for the QoS Profile.

3. Any traffic that exceeds the Egress Guaranteed value is best effort and
not guaranteed. Bandwidth that is guaranteed but is unused continues
to remain available for all traffic.
4. In the Classes section, specify how to treat up to eight individual QoS
classes:
1. Add

a class to the QoS Profile.

2. Select the

Priority

for the class: real-time, high, medium, or low.

3. Enter the

Egress Max

and

Egress Guaranteed

bandwidth for traffic assigned to each QoS class.

5. Click

OK

In the following example, the QoS profile rule Limit Web Browsing limits Class
2 traffic to a maximum bandwidth of 50Mbps and a guaranteed bandwidth of
2Mbps.
5. Enable QoS on a physical interface.

Part of this step includes the option to select clear text and tunneled traffic
for unique QoS treatment.

Check if the firewall model you’re using supports enabling QoS on a

subinterface by reviewing a summary of the Product Specifications.

0. Select

Network

QoS

and

Add

a QoS interface.

1. Select
 Physical Interface

and choose the

Interface Name

of the interface on which to enable QoS.

In the example, Ethernet 1/1 is the egress interface for web-browsing

traffic (see Step 2).

2. Set the

Egress Max

bandwidth for all traffic exiting this interface.

It is a best practice to always define the Egress Max value for a QoS
interface. Ensure that the cumulative guaranteed bandwidth for the
QoS profile rules attached to the interface does not exceed the total
bandwidth allocated to the interface.

3. Select

Turn on QoS feature on this interface

4. In the Default Profile section, select a QoS profile rule to apply to all

Clear Text

traffic exiting the physical interface.

5. (

Optional

) Select a default QoS profile rule to apply to all tunneled traffic exiting
the interface.

For example, enable QoS on ethernet 1/1 and apply the bandwidth and
priority settings you defined for the QoS profile rule Limit Web Browsing (Step
4) to be used as the default settings for clear text egress traffic.
6. (

Optional

) Continue to define more granular settings to provide QoS for Clear

Text and Tunneled Traffic. Settings configured on the

Clear Text Traffic

tab and the

Tunneled Traffic

tab automatically override the default profile settings for clear text and
tunneled traffic on the Physical Interface tab.

▪ Select

Clear Text Traffic

and:

▪ Set the

Egress Guaranteed

and

Egress Max

bandwidths for clear text traffic.

 ▪ Click

Add

and apply a QoS profile rule to enforce clear text traffic

based on source interface and source subnet.

PA-3200 Series, PA-5200 Series, PA-7000 Series only

) You must also select a destination interface when

configuring a QoS policy rule if the rule is applied to a
specific subinterface.

▪ Select

Tunneled Traffic

and:

▪ Set the

Egress Guaranteed

and

Egress Max

bandwidths for tunneled traffic.

▪ Click

Add

and attach a QoS profile rule to a single tunnel interface.

7. Click

OK

6. Commit your changes.

Click

Commit
 .

7. Verify a QoS configuration.

Select

Network

QoS

and then

Statistics

to view QoS bandwidth, active sessions of a selected QoS class, and active
applications for the selected QoS class.

For example, see the statistics for ethernet 1/1 with QoS enabled:

Class 2 traffic limited to 2Mbps of guaranteed bandwidth and a maximum

bandwidth of 50Mbps.

Continue to click the tabs to display further information regarding

applications, source users, destination users, security rules and QoS rules.