Network Security
QoS Concepts for Traffic Control
QoS uses policies, profiles, and classes to prioritize and manage bandwidth for
different types of network traffic as it exits interfaces.
Learn about the different components and mechanisms of a QoS configuration on a Palo Alto
Networks firewall.
QoS for Applications and Users
A Palo Alto Networks firewall provides basic QoS, controlling traffic leaving the
firewall according to network or subnet, and extends the power of QoS to also
classify and shape traffic according to application and user. The Palo Alto Networks
firewall provides this capability by integrating the features App-ID and User-ID with the QoS configuration. App-ID
and User-ID entries that exist to identify specific applications and users in your
network are available in the QoS configuration so that you can easily specify
applications and users for which you want to manage and/or guarantee bandwidth.
QoS Policy
Use a QoS policy rule to define traffic to receive QoS treatment (either preferential
treatment or bandwidth-limiting) and assign such traffic a QoS class of service.
Define a QoS policy rule to match to traffic based on:
- Applications and application groups.
- Source zones, source addresses, and source users.
- Destination zones and destination addresses.
- Services and service groups limited to specific TCP and/or UDP port numbers.
- URL categories, including custom URL categories.
- Differentiated Services Code Point (DSCP) and Type of Service (ToS) values, which are used to indicate the level of service requested for traffic, such as high priority or best effort delivery.
You cannot apply DSCP code points or QoS to SSL Forward Proxy, SSL Inbound
Inspection, and SSH Proxy traffic.
Set up multiple QoS policy rules (Policies > QoS) to associate different types of traffic with different QoS classes of service.
Because QoS is enforced on traffic as it egresses the firewall, the QoS policy rule
is applied to traffic after the firewall has enforced all other security policy
rules, including Network Address Translation (NAT) rules. However, the firewall
evaluates QoS rules based on the contents of the original packet, such as pre-NAT
source IP, pre-NAT source zone, pre-NAT destination IP, and post-NAT destination
zone. Therefore, do not configure the QoS policy with the post-NAT addresses.
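The pre-NAT versus post-NAT distinction above is easy to get wrong in a rule. The following added example (not Palo Alto Networks code; a hypothetical, simplified model of the match logic) evaluates a QoS rule against a session that destination NAT has translated, comparing source zone, source IP and destination IP from the original packet but the destination zone from the post-NAT packet, and falls back to the default class 4 when no rule matches.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Session:
    """Fields of one session as the firewall sees them (hypothetical model)."""
    pre_nat_src_ip: str
    pre_nat_src_zone: str
    pre_nat_dst_ip: str
    post_nat_dst_zone: str
    app: str


@dataclass
class QosRule:
    name: str
    src_zones: set        # compared against the pre-NAT source zone
    src_nets: list        # CIDRs compared against the pre-NAT source IP
    dst_zones: set        # compared against the post-NAT destination zone
    dst_nets: list        # CIDRs compared against the pre-NAT destination IP
    apps: set
    qos_class: int


def _in_nets(ip: str, nets: list) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in nets)


def qos_rule_matches(rule: QosRule, sess: Session) -> bool:
    return (sess.pre_nat_src_zone in rule.src_zones
            and _in_nets(sess.pre_nat_src_ip, rule.src_nets)
            and sess.post_nat_dst_zone in rule.dst_zones
            and _in_nets(sess.pre_nat_dst_ip, rule.dst_nets)
            and sess.app in rule.apps)


def assign_class(rules: list, sess: Session, default: int = 4) -> int:
    """First matching rule wins; unmatched traffic gets class 4 (the documented default)."""
    for rule in rules:
        if qos_rule_matches(rule, sess):
            return rule.qos_class
    return default


# Constructed sample: inbound web session to public IP 198.51.100.5, which a
# destination NAT rule translates to internal server 10.0.0.5 in zone "trust".
SESSION = Session("203.0.113.10", "untrust", "198.51.100.5", "trust", "web-browsing")
RULE_PRE_NAT = QosRule("web-inbound", {"untrust"}, ["0.0.0.0/0"], {"trust"},
                       ["198.51.100.5/32"], {"web-browsing"}, 2)
# Same intent written with the post-NAT address: never matches.
RULE_POST_NAT = QosRule("web-inbound-wrong", {"untrust"}, ["0.0.0.0/0"], {"trust"},
                        ["10.0.0.5/32"], {"web-browsing"}, 2)
```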
QoS Profile
Use a QoS profile to define values of up to eight QoS classes contained within
that single profile.
With a QoS profile, you can define QoS priority queuing and QoS bandwidth management for
QoS classes. Each QoS profile allows you to configure individual bandwidth and
priority settings for up to eight QoS classes, as well as the total bandwidth allotted
for the eight classes combined. Attach the QoS profile (or multiple QoS profiles) to
a physical interface to apply the defined priority and bandwidth settings to the
traffic exiting that interface.
A default QoS profile is available on the firewall. The default profile and the
classes defined in the profile do not have predefined maximum or guaranteed
bandwidth limits.
To define priority and bandwidth settings for QoS classes, see the step Add a QoS
profile.
QoS Classes
A QoS class determines the priority and bandwidth for traffic matching a QoS policy rule. You can use a
QoS profile to define QoS
classes. There are up to eight definable QoS classes in a single QoS profile. Unless
otherwise configured, traffic that does not match a QoS class is assigned a class of
4.
QoS priority queuing and QoS bandwidth management, the
fundamental mechanisms of a QoS configuration, are configured within the QoS class
definition (see Step 4). For each QoS class, you can set a
priority (real-time, high, medium, and low) and the maximum and guaranteed bandwidth
for matching traffic. QoS priority queuing and bandwidth management determine the
order of traffic and how traffic is handled upon entering or leaving a network.

QoS Priority Queuing
One of four priorities can be enforced for a QoS class: real-time, high, medium, and
low. Traffic matching a QoS policy rule is assigned the QoS class associated with
that rule, and the firewall treats the matching traffic based on the QoS class
priority. Packets in the outgoing traffic flow are queued based on their priority
until the network is ready to process the packets. Priority queuing allows you to
ensure that important traffic, applications, and users take precedence. Real-time
priority is typically used for applications that are particularly sensitive to
latency, such as voice and video applications.
QoS Bandwidth Management
QoS bandwidth management allows you to control traffic flows on a network so that
traffic does not exceed network capacity (resulting in network congestion) and also
allows you to allocate bandwidth for certain types of traffic and for applications
and users. With QoS, you can enforce bandwidth for traffic on a narrow or a broad
scale. A QoS profile allows you to set bandwidth limits for individual QoS classes
and the total combined bandwidth for all eight QoS classes. As part of the steps to
Configure QoS,
you can attach the QoS profile to a physical interface to enforce bandwidth settings
on the traffic exiting that interface—the individual QoS class settings are enforced
for traffic matching that QoS class (QoS classes are assigned to traffic matching
QoS policy rules) and the
overall bandwidth limit for the profile can be applied to all clear text traffic,
specific clear text traffic originating from source interfaces and source subnets,
all tunneled traffic, and individual tunnel interfaces. You can add multiple profile
rules to a single QoS interface to apply varying bandwidth settings to the traffic
exiting that interface.
The following fields support QoS bandwidth settings:
- Egress Guaranteed—The amount of bandwidth guaranteed for matching traffic. When the egress guaranteed bandwidth is exceeded, the firewall passes traffic on a best-effort basis. Bandwidth that is guaranteed but is unused continues to remain available for all traffic. Depending on your QoS configuration, you can guarantee bandwidth for a single QoS class, for all or some clear text traffic, and for all or some tunneled traffic. Example: Class 1 traffic has 5 Gbps of egress guaranteed bandwidth, which means that 5 Gbps is available but is not reserved for class 1 traffic. If Class 1 traffic does not use or only partially uses the guaranteed bandwidth, the remaining bandwidth can be used by other classes of traffic. However, during high traffic periods, 5 Gbps of bandwidth is absolutely available for class 1 traffic. During these periods of congestion, any Class 1 traffic that exceeds 5 Gbps is best effort.
- Egress Max—The overall bandwidth allocation for matching traffic. The firewall drops traffic that exceeds the egress max limit that you set. Depending on your QoS configuration, you can set a maximum bandwidth limit for a QoS class, for all or some clear text traffic, for all or some tunneled traffic, and for all traffic exiting the QoS interface. The cumulative guaranteed bandwidth for the QoS profile attached to the interface must not exceed the total bandwidth allocated to the interface.
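To make the interaction of priority queuing (QoS Priority Queuing above) and the Egress Guaranteed / Egress Max settings concrete, here is an added example that is not the firewall's own scheduler: a simplified, assumed model in which every class first receives its guaranteed share, leftover capacity (including unused guarantees) is handed out best-effort in priority order, nothing exceeds a class's Egress Max, and a profile whose guarantees add up to more than the interface total is rejected.

```python
from dataclasses import dataclass

PRIORITY_ORDER = {"real-time": 0, "high": 1, "medium": 2, "low": 3}


@dataclass
class QosClass:
    number: int
    priority: str
    guaranteed: float   # Egress Guaranteed in Mbps (0 = none)
    maximum: float      # Egress Max in Mbps (0 = unlimited)
    demand: float       # offered load in Mbps (constructed input, not a firewall field)


def _cap(c: QosClass) -> float:
    """Most a class may ever send: its demand, clipped to Egress Max if one is set."""
    return c.demand if c.maximum == 0 else min(c.demand, c.maximum)


def check_profile(classes: list, interface_max: float) -> bool:
    """The documented constraint: cumulative guaranteed bandwidth <= interface total."""
    return sum(c.guaranteed for c in classes) <= interface_max


def allocate(classes: list, interface_max: float) -> dict:
    """Return {class_number: (forwarded_mbps, not_forwarded_mbps)} under the simplified model."""
    if not check_profile(classes, interface_max):
        raise ValueError("cumulative guaranteed bandwidth exceeds the interface egress max")
    sent = {}
    # Pass 1: every class gets its guarantee, but only as much as it actually offers.
    for c in classes:
        sent[c.number] = min(_cap(c), c.guaranteed)
    remaining = interface_max - sum(sent.values())
    # Pass 2: unused capacity goes out best-effort, real-time first, low last.
    for c in sorted(classes, key=lambda k: PRIORITY_ORDER[k.priority]):
        extra = min(_cap(c) - sent[c.number], remaining)
        sent[c.number] += extra
        remaining -= extra
    # Whatever was not forwarded exceeded Egress Max or lost the best-effort contest.
    return {c.number: (sent[c.number], c.demand - sent[c.number]) for c in classes}


# Constructed scenario on a 1 Gbps egress interface during congestion.
INTERFACE_MAX = 1000.0
PROFILE = [
    QosClass(1, "real-time", guaranteed=300, maximum=400, demand=500),
    QosClass(2, "high", guaranteed=200, maximum=0, demand=600),
    QosClass(4, "low", guaranteed=0, maximum=0, demand=400),
]
```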
To define bandwidth settings for QoS classes, see the step Add a QoS
profile. To then apply those bandwidth settings to clear text and
tunneled traffic, and to set the overall bandwidth limit for a QoS interface, see
the step Enable QoS on a physical interface.
QoS Egress Interface
Enabling a QoS profile on the egress interface of the traffic identified for QoS
treatment completes a QoS configuration. The ingress interface for QoS traffic is
the interface on which the traffic enters the firewall. The egress interface for QoS
traffic is the interface that traffic leaves the firewall from. QoS is always
enabled and enforced on the egress interface for a traffic flow. The egress
interface in a QoS configuration can either be the external- or internal-facing
interface of the firewall, depending on the flow of the traffic receiving QoS
treatment.
For example, in an enterprise network, if you are limiting employees’ download
traffic from a specific website, the egress interface in the QoS configuration is
the firewall’s internal interface, as the traffic flow is from the Internet, through
the firewall, and to your company network. Alternatively, when limiting employees’
upload traffic to the same website, the egress interface in the QoS configuration is
the firewall’s external interface, as the traffic you are limiting flows from your
company network, through the firewall, and then to the Internet.

Learn more about how to Identify the egress
interface for applications that you want to receive QoS treatment.
QoS for Clear Text and Tunneled Traffic
At a minimum, enabling a QoS interface requires you to select a default QoS
profile that defines bandwidth and priority settings for clear text traffic
egressing the interface. However, when setting up or modifying a QoS interface, you
can apply granular QoS settings to outgoing clear text traffic and tunneled traffic.
QoS preferential treatment and bandwidth limiting can be enforced for tunneled
traffic, for individual tunnel interfaces, and/or for clear text traffic originating
from different source interfaces and source subnets. On Palo Alto Networks
firewalls, tunneled traffic refers to tunnel interface traffic,
specifically IPSec traffic in tunnel mode.