Quality of Service (QoS) and how it works

QoS (Quality of Service) allows you to manage the available network bandwidth and make sure that important network services are given priority over less important traffic.

There are two Quality of Service (QoS) features: bandwidth management and traffic prioritization. Both features are configured using the same tools. You can use both bandwidth management and traffic prioritization together or bandwidth management or traffic prioritization individually for any given type of traffic. Bandwidth management and traffic prioritization are not supported on Modem interfaces of Single Firewalls.

The Firewall can also read and write DiffServ Code Point (DSCP) markers in type of service (ToS) fields. The markers allow you to integrate the Firewall with other network equipment that implements QoS management in your own or your ISP’s network.

What QoS does

The QoS features help you in the following ways:
  • You can set up a Guarantee for a type of traffic that must always be given a certain minimum share of the available bandwidth.
  • You can set up a Limit for maximum bandwidth for a type of traffic that must never use more than a certain share of the available bandwidth.
  • You can set a Priority value for the traffic. Higher priority traffic is sent forward to its destination before lower priority traffic if the engine queues packets due to congestion.
  • Active Queue Management (AQM) reduces the volume of dropped or retransmitted packets when there is network congestion. AQM monitors the average queue size and uses a scheduling algorithm to determine the statistical probability for dropping incoming packets.
  • The engine can read or write DiffServ Code Point (DSCP) type of service (ToS) field markers. The markers allow the engine to be aware of the priorities set by other network equipment. Other equipment is also aware of the priorities set in the QoS Policy.
  • The engine can collect statistics about traffic that matches Access rules that apply a QoS Class to the traffic. QoS Class-based statistics items are used in Overviews and Reports.


  • QoS is only available on some interface types:
    NGFW Engine role Interface types
    • Layer 3 physical interfaces
    • Layer 2 physical interfaces of the Inline IPS Interface and Inline Layer 2 Firewall type
    • VLAN interfaces
    • Tunnel interfaces
    • ADSL interfaces
    • SSID interfaces
    • Port group interfaces of an integrated switch
    Note: QoS is also available in the properties of policy-based VPNs
    IPS, Layer 2 Firewall Physical interfaces of the Inline Interface type
  • It is not possible to apply a bandwidth guarantee to incoming Internet traffic on your Internet link. By the time the engine sees the traffic, the bandwidth has already been used. If you want guaranteed bandwidth for a specific portion of your incoming Internet traffic, contact your ISP and ask if they can enforce this guarantee for you.
  • If you want to create QoS rules for both incoming and outgoing traffic, you must assign a QoS Policy to at least two interfaces. Incoming traffic is processed according to the Firewall, IPS, or Layer 2 Firewall policy, and then the QoS Policy is applied to the allowed traffic on the outgoing interface.

What do I need to know before I begin?

  • There are three default QoS Classes: High Priority, Normal Priority, and Low Priority. These are used in the default QoS Policy, Prioritize. The Prioritize QoS Policy is a sample policy that contains simple rules for prioritizing traffic according to the three default QoS Classes. High Priority traffic is assigned the highest possible priority value of 1. The Normal Priority value is 8, and Low Priority is assigned the lowest possible value of 16. The default Prioritize policy does not provide any bandwidth guarantees or limits. If the default Prioritize policy is sufficient for you, you can use the default QoS Classes and the Prioritize policy as they are.
  • By default, the DSCP mark for the encrypted ESP packet in VPN traffic is inherited from the plaintext packet. Selecting a QoS Policy in the properties of the policy-based VPN makes it possible to mark the ESP packet after encryption.
  • Priorities, limits, and guarantees are applied. DSCP codes are written to outgoing packets on the interface that the traffic uses to exit the engine according to the QoS Policy and interface speed defined for that interface.
  • For packets entering the engine, the QoS Policy on that interface is only used for reading DSCP codes and matching them to QoS Classes for further use. It is the only QoS operation that is done on the interface that the traffic uses to enter the engine.

    Example: A new packet enters a Firewall through interface A and leaves the Firewall through interface B. The priorities, guarantees, and limits configured on interface A are ignored for packets in this direction. Any priorities, guarantees, and limits are configured and applied on interface B. If the packet contains a DSCP code when entering the Firewall, the DSCP code is read and matched to a QoS Class on interface A. If a new DSCP code is (over)written in the packet, the new code is written on interface B.

  • The QoS Mode for each interface defines how QoS is applied to the interface. Depending on the QoS Mode, you might also have to define the QoS Policy the interface uses and the speed of the interface.