
Policies > QoS

Add QoS policy rules to define the traffic that receives specific QoS treatment. Assign a QoS class to each QoS policy rule; the assigned class of service then applies to all traffic matched to that rule as it exits a QoS-enabled interface.
QoS policy rules pushed to a firewall from Panorama are shown in orange and cannot be edited at the firewall level.
Additionally, to fully enable the firewall to provide QoS:
Refer to Quality of Service for complete QoS workflows, concepts, and use cases.
Add a new rule or clone an existing rule and then define the following fields.
QoS Policy Rule Settings
General Tab
Name
Enter a name to identify the rule (up to 63 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
Description
Enter an optional description.
Tag
If you need to tag the policy, Add and specify the tag.
A policy tag is a keyword or phrase that allows you to sort or filter policies. This is useful when you have defined many policies and want to view those that are tagged with a particular keyword. For example, you may want to tag certain security policies with Inbound to DMZ, decryption policies with the words Decrypt and No-decrypt, or use the name of a specific data center for policies associated with that location.
Group Rules by Tag
Enter a tag with which to group similar policy rules. The group tag allows you to view your policy rule base based on these tags. You can group rules based on a Tag.
Audit Comment
Enter a comment to audit the creation or editing of the policy rule. The audit comment is case-sensitive and can have up to 256 characters, which can be letters, numbers, spaces, hyphens, and underscores.
Audit Comment Archive
View previous Audit Comments for the policy rule. You can export the Audit Comment Archive in CSV format.
Source Tab
Source Zone
Select one or more source zones (default is any). Zones must be of the same type (Layer 2, Layer 3, or virtual wire).
Source Address
Specify a combination of source IPv4 or IPv6 addresses for which the identified application can be overridden. To select specific addresses, choose select from the drop-down and do any of the following:
  • Select this option next to the appropriate addresses and/or address groups in the Available column, and click Add to add your selections to the Selected column.
  • Enter the first few characters of a name in the search field to list all addresses and address groups that start with those characters. Selecting an item in the list enables this option in the Available column. Repeat this process as often as needed, and then click Add.
  • Enter one or more IP addresses (one per line), with or without a network mask. The general format is: <ip_address>/<mask>
  • To remove addresses, select them (Selected column) and click Delete or select any to clear all addresses and address groups.
To add new addresses that can be used in this or other policies, click New Address. To define new address groups, select Objects > Address Groups.
Source User
Specify the source users and groups to which the QoS policy will apply.
Negate
Select this option to have the policy apply if the specified information on this tab does NOT match.
Destination Tab
Destination Zone
Select one or more destination zones (default is any). Zones must be of the same type (Layer 2, Layer 3, or virtual wire).
Destination Address
Specify a combination of source IPv4 or IPv6 addresses for which the identified application can be overridden. To select specific addresses, choose select from the drop-down and do any of the following:
  • Select this option next to the appropriate addresses and/or address groups in the Available column, and Add your selections to the Selected column.
  • Enter the first few characters of a name in the search field to list all addresses and address groups that start with those characters. Selecting an item in the list enables this option in the Available column. Repeat this process as often as needed, and then click Add.
  • Enter one or more IP addresses (one per line), with or without a network mask. The general format is: <ip_address>/<mask>
  • To remove addresses, select them (Selected column) and click Delete or select any to clear all addresses and address groups.
To add new addresses that can be used in this or other policies, click New Address.
Negate
Select this option to have the policy apply if the specified information on this tab does not match.
Application Tab
Application
Select specific applications for the QoS rule. To define new applications or application groups, select Objects > Applications.
If an application has multiple functions, you can select the overall application or individual functions. If you select the overall application, all functions are included, and the application definition is automatically updated as future functions are added.
If you are using application groups, filters, or containers in the QoS rule, you can view details on these objects by holding your mouse over the object in the Application column, clicking the down arrow, and selecting Value. This enables you to easily view application members directly from the policy without having to go to the Objects tab.
Service/URL Category Tab
Service
Select services to limit to specific TCP and/or UDP port numbers. Choose one of the following from the drop-down:
  • any—The selected applications are allowed or denied on any protocol or port.
  • application-default—The selected applications are allowed or denied only on their default ports defined by Palo Alto Networks. This option is recommended for allow policies.
  • Select—Click Add. Choose an existing service or choose Service or Service Group to specify a new entry.
URL Category
Select URL categories for the QoS rule.
  • Select Any to ensure that a session can match this QoS rule regardless of the URL category.
  • To specify a category, click Add and select a specific category (including a custom category) from the drop-down. You can add multiple categories. Refer to Objects > External Dynamic Lists for information on defining custom categories.
DSCP/TOS Tab
Any
Select Any (default) to allow the policy to match to traffic regardless of the Differentiated Services Code Point (DSCP) value or the IP Precedence/Type of Service (ToS) defined for the traffic.
Codepoints
Select Codepoints to enable traffic to receive QoS treatment based on the DSCP or ToS value defined in a packet’s IP header. The DSCP and ToS values are used to indicate the level of service requested for traffic, such as high priority or best effort delivery. Using codepoints as matching criteria in a QoS policy allows a session to receive QoS treatment based on the codepoint detected at the beginning of the session.
Continue to Add codepoints to match traffic to the QoS policy:
  • Give codepoint entries a descriptive Name.
  • Select the Type of codepoint you want to use as matching criteria for the QoS policy and then select a specific Codepoint value. You can also create a Custom Codepoint by entering a Codepoint Name and Binary Value.
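The header fields that a codepoint match refers to can be decoded as follows. This is an added example, not part of the original documentation or of any Palo Alto Networks tooling; the function names and the sample bytes are constructed for illustration, and the names assigned to codepoints are the standard class selector (CS), assured forwarding (AF) and expedited forwarding (EF) values.

```python
# Added example: decode the IPv4 ToS / IPv6 Traffic Class byte into the
# DSCP, ECN and IP Precedence fields. Function names are illustrative.

def dscp_name(dscp: int) -> str:
    """Return the CS/AF/EF name for a 6-bit DSCP value, else 'unnamed'."""
    if dscp == 46:                        # 101110
        return "EF"
    cls = dscp >> 3                       # top three bits: class
    drop = (dscp >> 1) & 0b11             # next two bits: drop precedence
    if dscp & 1 == 0:
        if drop == 0:
            return f"CS{cls}"             # class selector: ccc000
        if 1 <= cls <= 4:
            return f"AF{cls}{drop}"       # assured forwarding: cccdd0
    return "unnamed"                      # not a CS/AF/EF codepoint


def decode_tos(tos_byte: int) -> dict:
    """Split one ToS/Traffic Class byte into its component fields."""
    if not 0 <= tos_byte <= 0xFF:
        raise ValueError("ToS/Traffic Class is a single byte (0-255)")
    dscp = tos_byte >> 2                  # upper six bits
    return {
        "dscp": dscp,
        "dscp_binary": format(dscp, "06b"),   # six-bit binary form
        "dscp_name": dscp_name(dscp),
        "ecn": tos_byte & 0b11,           # lower two bits
        "ip_precedence": tos_byte >> 5,   # legacy ToS: upper three bits
    }


# Constructed sample bytes, as they would appear in captured IP headers.
SAMPLE_TOS_BYTES = [0xB8, 0x28, 0x89, 0x00, 0x0C]

if __name__ == "__main__":
    for b in SAMPLE_TOS_BYTES:
        f = decode_tos(b)
        print(f"0x{b:02X}: DSCP {f['dscp']:>2} ({f['dscp_binary']}) "
              f"{f['dscp_name']:<8} ECN {f['ecn']} precedence {f['ip_precedence']}")
```

The last sample (0x0C, DSCP 000011) falls outside the CS/AF/EF values and is reported as unnamed.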
Other Settings Tab
Class
Choose the QoS class to assign to the rule, and click OK. Class characteristics are defined in the QoS profile. Refer to Network > Network Profiles > QoS for information on configuring settings for QoS classes.
Schedule
  • Select None for the policy rule to remain active at all times.
  • From the drop-down, select Schedule (calendar icon) to set a single time range or a recurring time range during which the rule is active.
Target Tab (Panorama only)
Any (target all devices)
Enable (check) to push the policy rule to all managed firewalls in the device group.
Devices
Select one or more managed firewalls associated with the device group to push the policy rule to.
Tags
Add one or more tags to push the policy rule to managed firewalls in the device group with the specified tag.
Target to all but these specified devices and tags
Enable (check) to push the policy rule to all managed firewalls associated with the device group except for the selected device(s) and tag(s).
