A QoS configuration is complete once you enable a QoS profile rule
on the egress interface of the traffic identified for QoS treatment.
The ingress interface for QoS traffic is the interface on which
the traffic enters the firewall. The egress interface for QoS traffic
is the interface from which the traffic leaves the firewall. QoS is always enabled
and enforced on the egress interface for a traffic flow. The egress
interface in a QoS configuration can either be the external- or
internal-facing interface of the firewall, depending on the flow
of the traffic receiving QoS treatment.
For example, in an enterprise network, if you are limiting employees’
download traffic from a specific website, the egress interface in
the QoS configuration is the firewall’s internal interface, as the
traffic flow is from the Internet, through the firewall, and to
your company network. Alternatively, when limiting employees’ upload traffic
to the same website, the egress interface in the QoS configuration
is the firewall’s external interface, as the traffic you are limiting
flows from your company network, through the firewall, and then
to the Internet.
Because QoS is enforced on traffic as it egresses the firewall,
your QoS policy rule is applied to traffic after the firewall has
enforced all other security policy rules, including Network Address
Translation (NAT) rules. If you want to apply QoS treatment to traffic
based on source, you must specify the post-NAT source address in
a QoS policy rule (do not use the pre-NAT source address).
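
The post-NAT requirement stated above, worked through as an added example (not vendor code or firewall configuration): a simplified Python model that evaluates QoS rules after source NAT and flags rules written against a pre-NAT source. The class names, rule names and addresses are hypothetical and constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class SourceNat:            # hypothetical model of a source NAT rule
    name: str
    original: str           # pre-NAT source network
    translated: str         # single post-NAT source address

@dataclass
class QosRule:              # hypothetical model of a QoS policy rule
    name: str
    source: str             # source network the rule matches on
    qos_class: int

def post_nat_source(src_ip, nat_rules):
    """Source address the packet carries after NAT (first matching rule wins)."""
    ip = ipaddress.ip_address(src_ip)
    for nat in nat_rules:
        if ip in ipaddress.ip_network(nat.original):
            return ipaddress.ip_address(nat.translated)
    return ip

def egress_class(src_ip, qos_rules, nat_rules):
    """QoS class assigned at egress, or None if no QoS rule matches."""
    seen = post_nat_source(src_ip, nat_rules)   # QoS is evaluated after NAT
    for rule in qos_rules:
        if seen in ipaddress.ip_network(rule.source):
            return rule.qos_class
    return None

def lint_qos_sources(qos_rules, nat_rules):
    """Flag QoS rules whose source covers pre-NAT space but not the post-NAT address."""
    findings = []
    for rule in qos_rules:
        src = ipaddress.ip_network(rule.source)
        for nat in nat_rules:
            pre = ipaddress.ip_network(nat.original)
            post = ipaddress.ip_address(nat.translated)
            if src.overlaps(pre) and post not in src:
                findings.append((rule.name, nat.name, str(post)))
    return findings

# Constructed sample configuration (addresses are illustrative only).
NAT_RULES = [SourceNat("outbound-snat", "10.1.0.0/16", "203.0.113.10")]
QOS_RULES = [
    QosRule("uploads-pre-nat", "10.1.20.0/24", 6),      # never matches at egress
    QosRule("uploads-post-nat", "203.0.113.10/32", 6),  # matches translated source
]
```

In this model, `lint_qos_sources(QOS_RULES, NAT_RULES)` reports the rule that would silently never apply, together with the translated address it should reference instead.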