Enabling a QoS profile on the egress interface of the traffic identified for QoS treatment completes a QoS configuration. The ingress interface for QoS traffic is the interface on which the traffic enters the firewall. The egress interface for QoS traffic is the interface that traffic leaves the firewall from. QoS is always enabled and enforced on the egress interface for a traffic flow. The egress interface in a QoS configuration can either be the external- or internal-facing interface of the firewall, depending on the flow of the traffic receiving QoS treatment.

For example, in an enterprise network, if you are limiting employees’ download traffic from a specific website, the egress interface in the QoS configuration is the firewall’s internal interface, as the traffic flow is from the Internet, through the firewall, and to your company network. Alternatively, when limiting employees’ upload traffic to the same website, the egress interface in the QoS configuration is the firewall’s external interface, as the traffic you are limiting flows from your company network, through the firewall, and then to the Internet.

Because QoS is enforced on traffic as it egresses the firewall, the QoS policy rule is applied to traffic after the firewall has enforced all other security policy rules, including Network Address Translation (NAT) rules. However, the firewall evaluates QoS rules based on the contents of the original packet, such as pre-NAT source IP, pre-NAT source zone, pre-NAT destination IP, and post-NAT destination zone. Therefore, do not configure the QoS policy with the post-NAT addresses.

Learn more about how to Identify the egress interface for applications that you want to receive QoS treatment.