Policies > QoS
Table of Contents
Policies > QoS
Add QoS policy
![]()
rules
to define the traffic that receives specific QoS treatment and assign
a QoS class
![]()
for
each QoS policy rule to specify that the assigned class of service
applies to all traffic matched to the associated rule as it exits
a QoS-enabled interface.
QoS policy rules pushed to a firewall from Panorama are shown
in orange and cannot be edited at the firewall level.
Additionally, to fully enable the firewall to provide QoS:
- Set bandwidth limits for each QoS class of service (select Network > Network Profiles > QoS to add or modify a QoS profile).
- Enable QoS on an interface (select Network > QoS).
Refer to Quality of Service
![]()
for complete QoS
workflows, concepts, and use cases.
Add a new rule or clone an existing rule
and then define the following fields.
QoS
Policy Rule Settings | |
|---|---|
General Tab | |
Name | Enter a name to identify the rule (up to
63 characters). The name is case-sensitive and must be unique. Use
only letters, numbers, spaces, hyphens, and underscores. |
Description | Enter an optional description. |
Tag | If you need to tag the policy, Add and
specify the tag. A policy tag is a keyword or phrase that
allows you to sort or filter policies. This is useful when you have
defined many policies and want to view those that are tagged with
a particular keyword. For example, you may want to tag certain security
policies with Inbound to DMZ, decryption policies with the words
Decrypt and No-decrypt, or use the name of a specific data center
for policies associated with that location. |
Group Rules by Tag | Enter a tag with which to group
similar policy rules. The group tag allows you to view your policy
rule base based on these tags. You can group rules based on a Tag. |
Audit Comment | Enter a comment to audit the
creation or editing of the policy rule. The audit comment is case-sensitive
and can have up to 256 characters, which can be letters, numbers,
spaces, hyphens, and underscores. |
Audit Comment Archive | View previous Audit Comments for
the policy rule. You can export the Audit Comment Archive in CSV
format. |
Source Tab | |
Source Zone | Select one or more source zones (default
is any). Zones must be of the same type (Layer
2, Layer 3, or virtual wire). |
Source Address | Specify a combination of source IPv4 or
IPv6 addresses for which the identified application can be overridden.
To select specific addresses, choose select from
the drop-down and do any of the following:
To add new addresses that can be used in
this or other policies, click New Address.
To define new address groups, select Objects
> Address Groups. |
Source User | Specify the source users and groups to which
the QoS policy will apply. |
Negate | Select this option to have the policy apply
if the specified information on this tab does NOT match. |
Destination Tab | |
Destination Zone | Select one or more destination zones (default
is any). Zones must be of the same type (Layer
2, Layer 3, or virtual wire). |
Destination Address | Specify a combination of source IPv4 or
IPv6 addresses for which the identified application can be overridden.
To select specific addresses, choose select from
the drop-down and do any of the following:
To add new addresses that can be used in
this or other policies, click New Address. |
Negate | Select this option to have the policy apply
if the specified information on this tab does not match. |
Application Tab | |
Application | Select specific applications for the QoS
rule. To define new applications or application groups, select . If
an application has multiple functions, you can select the overall application
or individual functions. If you select the overall application, all
functions are included, and the application definition is automatically
updated as future functions are added. If you are using application
groups, filters, or container in the QoS rule, you can view details
on these objects by holding your mouse over the object in the Application
column, click the down arrow and select Value.
This enables you to easily view application members directly from
the policy without having to go to the Objects tab. |
Service/URL Category Tab | |
Service | Select services to limit to specific TCP
and/or UDP port numbers. Choose one of the following from the drop-down:
|
URL Category | Select URL categories for the QoS rule.
|
DSCP/TOS Tab | |
Any | Select Any (default)
to allow the policy to match to traffic regardless of the Differentiated
Services Code Point (DSCP) value or the IP Precedence/Type of Service
(ToS) defined for the traffic. |
Codepoints | Select Codepoints to
enable traffic to receive QoS treatment based on the DSCP or ToS
value defined a packet’s IP header. The DSCP and ToS values are
used to indicate the level of service requested for traffic, such
as high priority or best effort delivery. Using codepoints as matching
criteria in a QoS policy allows a session to receive QoS treatment
based on the codepoint detected at the beginning of the session. Continue
to Add codepoints to match traffic to the
QoS policy:
|
Other Settings Tab | |
Class | Choose the QoS class to assign to the rule,
and click OK. Class characteristics are defined
in the QoS profile. Refer to Network
> Network Profiles > QoS for information on configuring settings
for QoS classes. |
Schedule |
|
Target Tab (Panorama only) | |
Any (target all devices) | Enable (check) to push the policy rule to
all managed firewalls in the device group. |
Devices | Select one or more managed firewalls associated
with the device group to push the policy rule to. |
Tags | Add one or more tags
to push the policy rule to managed firewalls in the device group
with the specified tag. |
Target to all but these specified devices
and tags | Enable (check) to push the policy rule to
all managed firewalls associated with the device group except for
the selected device(s) and tag(s). |
