Apply QoS to traffic

You can apply QoS to traffic by selecting a QoS Class for an Access rule. The same QoS Class can appear in several Access rules.

You can insert a QoS Class in an Access rule that allows traffic or in an Access rule that uses the Continue action to set the same QoS Class for several rules. This way, you can assign a specific QoS Class to any traffic that you can match with a single Access rule. If you only want to collect QoS statistics about traffic, define Access rules to assign a QoS Class to the traffic.

The rules on the QoS tab of the QoS Policy are linked to different types of traffic using the QoS Classes. QoS Classes are matched to traffic in the Access rules with the following actions:
  • Access rules with the Allow action set a QoS Class for traffic that matches the rules.
  • Access rules with the Continue action set a QoS Class for all subsequent matching rules that have no specific QoS Class defined.
  • Access rules with the Use VPN action (Firewall only) set a QoS Class for VPN traffic. Incoming VPN traffic can also match a normal Allow rule after decryption. Otherwise, for outgoing traffic, encryption is done after the QoS Policy is checked. For incoming traffic, decryption is done before the QoS Policy is checked.

If you want to read and use DSCP markers set by other devices, the QoS Class is assigned according to rules on the DSCP Match/Mark tab of the QoS Policy.

Note: If traffic is assigned a QoS Class using a DSCP Match rule, the same traffic must not match Access rules that assign a different QoS Class to the same traffic. Such Access rules override the QoS Class that has been set with a DSCP Match rule.

  For more details about the product and how to configure features, click Help or press F1.


  1. Open the Firewall, IPS, Layer 2 Firewall, or Layer 2 Interface Policy for editing.
  2. Click the QoS Class cell of a rule that allows traffic or a Continue rule, then drag and drop a QoS Class element into the cell.
    • The QoS Class links connections to a rule on the QoS tab of the QoS Policy. There can be different rules in different QoS Policies for the same QoS Class.
    • Packets in both directions of a connection are assigned the same QoS Class (when connection tracking is active for the rule).
    • The applied QoS Class is shown in the logs. You can also generate reports based on this information.
  3. Refresh the engine’s policy to transfer the changes.