Configure QoS

Follow these steps to configure Quality of Service (QoS), which includes creating a QoS profile, creating a QoS policy, and enabling QoS on an interface.
  1. Identify the traffic you want to manage with QoS.
    This example shows how to use QoS to limit web browsing.
    Select
    ACC
    to view the
    Application Command Center
    page. Use the settings and charts on the
    ACC
    page to view trends and traffic related to Applications, URL filtering, Threat Prevention, Data Filtering, and HIP Matches.
    Click any application name to display detailed application information.
  2. Identify the egress interface for applications that you want to receive QoS treatment.
    The egress interface for traffic depends on the traffic flow. If you are shaping incoming traffic, the egress interface is the internal-facing interface. If you are shaping outgoing traffic, the egress interface is the external-facing interface.
    Select
    Monitor
    Logs
    Traffic
    to view the Traffic logs.
    To filter and only show logs for a specific application:
    • If an entry is displayed for the application, click the underlined link in the Application column then click the Submit icon.
    • If an entry is not displayed for the application, click the Add Log icon and search for the application.
    The
    Egress I/F
    in the traffic logs displays each application’s egress interface. To display the
    Egress I/F
    column if it is not displayed by default:
    • Click any column header to add a column to the log:
      ConfigureQoS-Step2-SN1-AddEgressColumn.png
    • Click the spyglass icon to the left of any entry to display a detailed log that includes the application’s egress interface listed in the Destination section:
    ConfigureQoS-Step2-DetailLog.png
  3. Add a QoS policy rule.
    A QoS policy rule defines the traffic to receive QoS treatment. The firewall assigns a QoS class of service to the traffic matched to the policy rule.
    Because QoS is enforced on traffic as it egresses the firewall, your QoS policy rule is applied to traffic after the firewall has enforced all other security policy rules, including Network Address Translation (NAT) rules. If you want to apply QoS treatment to traffic based on source, you must specify the post-NAT source address in a QoS policy rule (do not use the pre-NAT source address).
    1. Select
      Policies
      QoS
      and
      Add
      a new policy rule.
    2. On the
      General
      tab, give the QoS Policy Rule a descriptive
      Name
      .
    3. Specify traffic to receive QoS treatment based on
      Source
      ,
      Destination
      ,
      Application
      ,
      Service/URL Category
      , and
      DSCP/ToS
      values (the
      DSCP/ToS
      settings allow you to Enforce QoS Based on DSCP Classification).
      For example, select the
      Application
      , click
      Add
      , and select
      web-browsing
      to apply QoS to web browsing traffic.
    4. (
      Optional
      ) Continue to define additional parameters. For example, select
      Source
      and
      Add
      a
      Source User
      to provide QoS for a specific user’s web traffic.
    5. Select
      Other Settings
      and assign a
      QoS Class
      to traffic matching the policy rule. For example, assign Class 2 to the user1’s web traffic.
    6. Click
      OK
      .
  4. Add a QoS profile rule.
    A QoS profile rule allows you to define the eight classes of service that traffic can receive, including priority, and enables QoS Bandwidth Management.
    You can edit any existing QoS profile, including the default, by clicking the QoS profile name.
    1. Select
      Network
      Network Profiles
      QoS Profile
      and
      Add
      a new profile.
    2. Enter a descriptive
      Profile Name
      .
    3. Set the overall bandwidth limits for the QoS profile rule:
      • Enter an
        Egress Max
        value to set the overall bandwidth allocation for the QoS profile rule.
      • Enter an
        Egress Guaranteed
        value to set the guaranteed bandwidth for the QoS Profile.
      Any traffic that exceeds the Egress Guaranteed value is best effort and not guaranteed. Bandwidth that is guaranteed but is unused continues to remain available for all traffic.
    4. In the Classes section, specify how to treat up to eight individual QoS classes:
      1. Add
        a class to the QoS Profile.
      2. Select the
        Priority
        for the class: real-time, high, medium, or low.
      3. Enter the
        Egress Max
        and
        Egress Guaranteed
        bandwidth for traffic assigned to each QoS class.
    5. Click
      OK
      .
    In the following example, the QoS profile rule Limit Web Browsing limits Class 2 traffic to a maximum bandwidth of 50Mbps and a guaranteed bandwidth of 2Mbps.
    ConfigureQoS-Step4-SN1-QoSProfile.png
  5. Enable QoS on a physical interface.
    Part of this step includes the option to select clear text and tunneled traffic for unique QoS treatment.
    Check if the firewall model you’re using supports enabling QoS on a subinterface by reviewing a summary of the Product Specifications.
    1. Select
      Network
      QoS
      and
      Add
      a QoS interface.
    2. Select
      Physical Interface
      and choose the
      Interface Name
      of the interface on which to enable QoS.
      In the example, Ethernet 1/1 is the egress interface for web-browsing traffic (see Step 2).
    3. Set the
      Egress Max
      bandwidth for all traffic exiting this interface.
      It is a best practice to always define the Egress Max value for a QoS interface. Ensure that the cumulative guaranteed bandwidth for the QoS profile rules attached to the interface does not exceed the total bandwidth allocated to the interface.
    4. Select
      Turn on QoS feature on this interface
      .
    5. In the Default Profile section, select a QoS profile rule to apply to all
      Clear Text
      traffic exiting the physical interface.
    6. (
      Optional
      ) Select a default QoS profile rule to apply to all tunneled traffic exiting the interface.
    For example, enable QoS on ethernet 1/1 and apply the bandwidth and priority settings you defined for the QoS profile rule Limit Web Browsing (Step 4) to be used as the default settings for clear text egress traffic.
    ConfigureQoS-Step5-SN1.png
    1. (
      Optional
      ) Continue to define more granular settings to provide QoS for Clear Text and Tunneled Traffic. Settings configured on the
      Clear Text Traffic
      tab and the
      Tunneled Traffic
      tab automatically override the default profile settings for clear text and tunneled traffic on the Physical Interface tab.
      • Select
        Clear Text Traffic
        and:
        • Set the
          Egress Guaranteed
          and
          Egress Max
          bandwidths for clear text traffic.
        • Click
          Add
          and apply a QoS profile rule to enforce clear text traffic based on source interface and source subnet.
      • Select
        Tunneled Traffic
        and:
        • Set the
          Egress Guaranteed
          and
          Egress Max
          bandwidths for tunneled traffic.
        • Click
          Add
          and attach a QoS profile rule to a single tunnel interface.
    2. Click
      OK
      .
  6. Commit your changes.
    Click
    Commit
    .
  7. Verify a QoS configuration.
    Select
    Network
    QoS
    and then
    Statistics
    to view QoS bandwidth, active sessions of a selected QoS class, and active applications for the selected QoS class.
    For example, see the statistics for ethernet 1/1 with QoS enabled:
    ConfigureQoS-Step6-SN2.png
    Class 2 traffic limited to 2Mbps of guaranteed bandwidth and a maximum bandwidth of 50Mbps.
    Continue to click the tabs to display further information regarding applications, source users, destination users, security rules and QoS rules.
    Bandwidth limits shown on the
    QoS Statistics
    window include a hardware adjustment factor.

Related Documentation