Define QoS Policy elements
QoS policies determine the rules that the NGFW Engine follows when it decides which traffic is given priority and how the available bandwidth is allocated.
- One QoS Policy can be assigned for each Physical Interface, VLAN Interface, Tunnel Interface, ADSL Interface, SSID Interface, Port Group Interface of an integrated Switch, and policy-based VPN. You can assign the same QoS Policy to several interfaces.
- QoS Policies are tables of QoS rules and DSCP Match/Mark rules. If you only want to collect QoS statistics about traffic, you do not need to define a QoS Policy.
- Because the QoS rules are separate from the Access rules, you can flexibly design the rules. For example, you can create different QoS Policies for different interfaces of the same NGFW Engine.
- All cells in the QoS rules are applied to outgoing packets. When using Full QoS, packets that do not match a QoS rule are handled with priority 8 (middle of the scale) without bandwidth guarantees or limits.
- All cells in the DSCP Match/Mark rules except the DSCP Match cell are applied to outgoing packets. If packets do not match a DSCP Match/Mark rule, DSCP markers in the traffic are preserved, but do not affect how the NGFW Engine handles traffic.
The QoS Mode for each interface defines how QoS is applied to the interface. By default, No QoS is selected. You can select a QoS Mode and define a bandwidth for traffic in the properties of a Physical, VLAN, ADSL, Tunnel, SSID, or Port Group Interface. You can select different QoS Modes for each interface. It is not mandatory to use QoS on all interfaces of the same NGFW Engine.
When using Full QoS, define the available throughput in the properties for each Physical, VLAN, ADSL, Tunnel, SSID, or Port Group Interface whose throughput you want to manage. There is no way to automatically find out how much bandwidth each interface has. The throughput must correspond to the actual throughput that interface offers to clients, that is, the outbound bandwidth of an Internet link that is connected to the interface. If there are VLANs on a Physical Interface, the settings are only available in the properties of each VLAN.
- If you are using load-balancing Multi-Link, set the throughput to the combined outbound bandwidth of all Internet links behind the Physical Interface.
- If you are using standby NetLinks, set the throughput to the outbound bandwidth of the primary (active) NetLink. When the bandwidth of the backup NetLink is lower, set the throughput to the speed of the primary NetLink, as it is the most used link.
Policy-based VPNs can optionally use a QoS Policy to define how DSCP matching or marking is done for VPN traffic. In policy-based VPN traffic, the DSCP mark for the encrypted ESP packet is normally inherited from the plaintext packet. Selecting a QoS Policy for the policy-based VPN makes it possible to mark the ESP packet after encryption. Because the total throughput is undefined, Guarantees and Priorities cannot be used for policy-based VPN traffic.