Policies > QoS
Add QoS policy rules to define the traffic that receives specific QoS treatment and assign a QoS class for each QoS policy rule to specify that the assigned class of service applies to all traffic matched to the associated rule as it exits a QoS-enabled interface.

QoS policy rules pushed to a firewall from Panorama are shown in orange and cannot be edited at the firewall level.

Additionally, to fully enable the firewall to provide QoS:
- Set bandwidth limits for each QoS class of service (select Network > Network Profiles > QoS to add or modify a QoS profile).
- Enable QoS on an interface (select Network > QoS).

Refer to Quality of Service for complete QoS workflows, concepts, and use cases.

Add a new rule or clone an existing rule and then define the following fields.

QoS Policy Rule Settings | |
---|---|
General Tab | |
Name | Enter a name to identify the rule (up to 63 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores. |
Description | Enter an optional description. |
Tag | If you need to tag the policy, Add and specify the tag. A policy tag is a keyword or phrase that allows you to sort or filter policies. This is useful when you have defined many policies and want to view those that are tagged with a particular keyword. For example, you may want to tag certain security policies with Inbound to DMZ, decryption policies with the words Decrypt and No-decrypt, or use the name of a specific data center for policies associated with that location. |
Group Rules by Tag | Enter a tag with which to group similar policy rules. The group tag allows you to view your policy rule base based on these tags. You can group rules based on a Tag. |
Audit Comment | Enter a comment to audit the creation or editing of the policy rule. The audit comment is case-sensitive and can have up to 256 characters, which can be letters, numbers, spaces, hyphens, and underscores. |
Audit Comment Archive | View previous Audit Comments for the policy rule. You can export the Audit Comment Archive in CSV format. |
Source Tab | |
Source Zone | Select one or more source zones (default is any). Zones must be of the same type (Layer 2, Layer 3, or virtual wire). |
Source Address | Specify a combination of source IPv4 or IPv6 addresses for which the identified application can be overridden. To select specific addresses, choose select from the drop-down and do any of the following: To add new addresses that can be used in this or other policies, click New Address. To define new address groups, select Objects > Address Groups. |
Source User | Specify the source users and groups to which the QoS policy will apply. |
Negate | Select this option to have the policy apply if the specified information on this tab does NOT match. |
Destination Tab | |
Destination Zone | Select one or more destination zones (default is any). Zones must be of the same type (Layer 2, Layer 3, or virtual wire). |
Destination Address | Specify a combination of source IPv4 or IPv6 addresses for which the identified application can be overridden. To select specific addresses, choose select from the drop-down and do any of the following: To add new addresses that can be used in this or other policies, click New Address. |
Negate | Select this option to have the policy apply if the specified information on this tab does not match. |
Application Tab | |
Application | Select specific applications for the QoS rule. To define new applications or application groups, select Objects > Applications. If an application has multiple functions, you can select the overall application or individual functions. If you select the overall application, all functions are included, and the application definition is automatically updated as future functions are added. If you are using application groups, filters, or containers in the QoS rule, you can view details on these objects by holding your mouse over the object in the Application column, clicking the down arrow, and selecting Value. This enables you to easily view application members directly from the policy without having to go to the Objects tab. |
Service/URL Category Tab | |
Service | Select services to limit to specific TCP and/or UDP port numbers. Choose one of the following from the drop-down: |
URL Category | Select URL categories for the QoS rule. |
DSCP/TOS Tab | |
Any | Select Any (default) to allow the policy to match to traffic regardless of the Differentiated Services Code Point (DSCP) value or the IP Precedence/Type of Service (ToS) defined for the traffic. |
Codepoints | Select Codepoints to enable traffic to receive QoS treatment based on the DSCP or ToS value defined in a packet’s IP header. The DSCP and ToS values are used to indicate the level of service requested for traffic, such as high priority or best effort delivery. Using codepoints as matching criteria in a QoS policy allows a session to receive QoS treatment based on the codepoint detected at the beginning of the session. Continue to Add codepoints to match traffic to the QoS policy: |
Other Settings Tab | |
Class | Choose the QoS class to assign to the rule, and click OK. Class characteristics are defined in the QoS profile. Refer to Network > Network Profiles > QoS for information on configuring settings for QoS classes. |
Schedule | |
Target Tab (Panorama only) | |
Any (target all devices) | Enable (check) to push the policy rule to all managed firewalls in the device group. |
Devices | Select one or more managed firewalls associated with the device group to push the policy rule to. |
Tags | Add one or more tags to push the policy rule to managed firewalls in the device group with the specified tag. |
Target to all but these specified devices and tags | Enable (check) to push the policy rule to all managed firewalls associated with the device group except for the selected device(s) and tag(s). |
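
The Codepoints setting above matches on the DSCP or ToS value in the IP header, using the codepoint seen at the beginning of the session. The following Python sketch is an added example, not Palo Alto Networks code: it decodes the DS/ToS byte into its standard codepoint name (EF, AF, CS) and pins each session to the class selected by its first packet. The rule list, class labels, flow keys, and in-order rule evaluation are constructed assumptions for illustration.

```python
import struct

def make_ipv4_header(tos: int) -> bytes:
    """Constructed 20-byte IPv4 header (checksum left at 0) with the given DS/ToS byte."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20, 0, 0, 64, 6, 0,
                       bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]))

def ds_byte(header: bytes) -> int:
    """Return the DS/ToS byte, which is the second byte of an IPv4 header."""
    if len(header) < 20 or header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    return header[1]

def dscp_name(dscp: int) -> str:
    """Name a 6-bit DSCP value: EF, CSn, AFxy, or DSCP<n> when it has no standard name."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is a 6-bit value")
    if dscp == 46:
        return "EF"
    cls, low = dscp >> 3, dscp & 0b111
    if low == 0:
        return f"CS{cls}"
    if 1 <= cls <= 4 and low in (2, 4, 6):
        return f"AF{cls}{low >> 1}"
    return f"DSCP{dscp}"

def decode(tos: int) -> dict:
    """Split the DS/ToS byte into DSCP (upper 6 bits), IP precedence (upper 3) and ECN (lower 2)."""
    dscp = tos >> 2
    return {"dscp": dscp, "name": dscp_name(dscp), "ip_precedence": tos >> 5, "ecn": tos & 0b11}

class SessionClassifier:
    """Pins each flow to the class chosen from the codepoint of its first packet."""
    def __init__(self, rules, default_class):
        self.rules = rules              # [(set of codepoint names, class label)], checked in order
        self.default_class = default_class
        self.sessions = {}              # flow key -> class label

    def classify(self, flow, header: bytes) -> str:
        if flow not in self.sessions:   # only the first packet of a session is inspected
            name = decode(ds_byte(header))["name"]
            self.sessions[flow] = next(
                (cls for names, cls in self.rules if name in names), self.default_class)
        return self.sessions[flow]

# Constructed rule set and class labels, for illustration only.
RULES = [({"EF", "CS5"}, "class-1"), ({"AF41", "AF42", "AF43"}, "class-2")]
```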