Enabling a QoS profile on the egress interface of the
traffic identified for QoS treatment completes a QoS configuration.
The ingress interface for QoS traffic is the interface on which
the traffic enters the firewall. The egress interface for QoS traffic
is the interface that traffic leaves the firewall from. QoS is always
enabled and enforced on the egress interface for a traffic flow.
The egress interface in a QoS configuration can either be the external-
or internal-facing interface of the firewall, depending on the flow
of the traffic receiving QoS treatment.
For example, in an enterprise network, if you are limiting employees’
download traffic from a specific website, the egress interface in
the QoS configuration is the firewall’s internal interface, as the
traffic flow is from the Internet, through the firewall, and to
your company network. Alternatively, when limiting employees’ upload
traffic to the same website, the egress interface in the QoS configuration
is the firewall’s external interface, as the traffic you are limiting
flows from your company network, through the firewall, and then
to the Internet.
Because QoS is enforced on traffic as it egresses the firewall, the QoS policy rule is applied to
traffic after the firewall has enforced all other security policy rules, including
Network Address Translation (NAT) rules. However, the firewall evaluates QoS rules based
on the contents of the original packet, such as pre-NAT source IP, pre-NAT source zone,
pre-NAT destination IP, and post-NAT destination zone. Therefore, do not configure the
QoS policy with the post-NAT addresses.