QoS Overview
QoS Traffic Flow Diagram
QoS Configuration Components
QoS for Applications and Users
QoS Policy
QoS Profile
QoS Classes
QoS Priority Queuing
QoS Bandwidth Management
QoS Egress Interface
QoS for Clear Text and Tunneled Traffic
Configure QoS (Step-by-Step)
Configure Lockless QoS (PAN-OS 11.0.3+)
Configure QoS for a Virtual System
Enforce QoS Based on DSCP Classification
Use Case: QoS for a Single User
Use Case: QoS for Voice and Video Applications
QoS Interactive Quiz

QoS Overview

Quality of Service (QoS) is used to prioritize and adjust quality aspects of network traffic. It allows administrators to assign the order in which packets are handled and allocate bandwidth, ensuring preferred treatment and optimal performance levels for selected traffic, applications, and users.

Key network measurements managed by QoS include:

Bandwidth (maximum transfer rate)
Throughput (actual transfer rate)
Latency (delay)
Jitter (variance in latency)

QoS is particularly important for real-time traffic like Voice over IP (VoIP), video conferencing, and video-on-demand, which are sensitive to latency and jitter. Common QoS goals include:

Prioritizing critical business traffic or limiting non-essential traffic.
Ensuring fair bandwidth sharing among subnets, classes, or users.
Allocating bandwidth differently for upload and download traffic.
Guaranteeing low latency for customer-facing or revenue-generating applications.
Profiling application bandwidth usage.

Each firewall model supports QoS on a maximum number of ports; refer to firewall datasheets for specific limits.

QoS Traffic Flow Diagram

graph TD A[Incoming Traffic] --> B[Firewall Processing - Security Policy, NAT, etc.]; B --> C[QoS Policy Match?]; C -- Yes --> D[Assign QoS Class]; C -- No --> E[Default QoS Class - Class 4]; D --> F[QoS Egress Interface]; E --> F; subgraph "QoS Shaping on Egress" F -- Applies Settings From --> G[QoS Profile - Attached to Interface]; G -- Defines Bandwidth/Priority For --> H[QoS Classes 1-8]; F -- Shapes Traffic Based On --> H; end F --> I[Queuing & Scheduling - Priority, WRED]; I --> J[Outgoing Traffic]; style F fill:#f9f,stroke:#333,stroke-width:2px style G fill:#ccf,stroke:#333,stroke-width:2px

This diagram shows how traffic flows through the firewall, gets classified by a QoS Policy, and is then shaped (prioritized and bandwidth-managed) by the QoS Profile settings applied to the egress interface.

QoS Configuration Components

A complete QoS solution on a Palo Alto Networks firewall primarily involves three components:

QoS Policy: Defines the traffic to receive QoS treatment (based on App-ID, User-ID, zones, addresses, services, URL categories, DSCP/ToS values) and assigns it to a specific QoS Class.
QoS Profile: Defines the bandwidth limits (guaranteed and maximum) and priority level for each of the eight available QoS Classes. A profile can set an overall bandwidth limit for all classes combined.
QoS Egress Interface: A physical interface where QoS is enabled. A QoS Profile is attached to this interface to apply the defined class settings to traffic exiting the interface. You can apply different profiles for clear text vs. tunneled traffic and even define specific rules based on source/destination subnets or specific tunnel interfaces.

The firewall uses a Weighted Random Early Drop (WRED) algorithm to manage queue congestion proactively.

QoS for Applications and Users

Palo Alto Networks firewalls extend basic QoS (based on network/subnet) by integrating App-ID and User-ID. This allows administrators to classify and shape traffic specifically based on the application being used or the user initiating the traffic, providing much more granular control.

QoS Policy

Use a QoS policy rule ( Policies > QoS ) to define traffic that should receive specific QoS treatment and assign that traffic to one of the eight QoS classes.

Traffic matching criteria can include:

Applications and application groups (App-ID).
Source zones, source addresses, and source users (User-ID).
Destination zones and destination addresses.
Services (TCP/UDP ports) and service groups.
URL categories (including custom categories).
Differentiated Services Code Point (DSCP) and Type of Service (ToS) values.

Note: QoS cannot be applied to SSL Forward Proxy, SSL Inbound Inspection, or SSH Proxy traffic.

QoS policy rules are evaluated after Security and NAT policies but are based on the original packet information (e.g., pre-NAT source IP/zone, pre-NAT destination IP, but post-NAT destination zone). Therefore, QoS policies should generally use pre-NAT addresses for matching.

QoS Profile

A QoS Profile ( Network > Network Profiles > QoS Profile ) defines the bandwidth limits and priorities for up to eight QoS Classes.

Key settings within a profile include:

Overall Egress Max and Egress Guaranteed bandwidth for the entire profile.
Individual Egress Max, Egress Guaranteed, and Priority settings for each of the eight classes.

A default QoS profile exists but has no predefined limits. QoS Profiles are attached to physical interfaces (QoS Egress Interfaces) to apply the defined settings.

QoS Classes

There are eight QoS classes (1 through 8) available for classifying traffic. Traffic matched by a QoS Policy rule is assigned the specified class. Traffic that doesn't match any QoS policy rule is assigned the default Class 4.

Each class within a QoS Profile can be configured with:

Priority: real-time, high, medium, low.
Bandwidth Management: Egress Max and Egress Guaranteed limits.

QoS Priority Queuing

Defines the priority for a QoS class (real-time, high, medium, low). Packets in the outgoing queue are processed based on their assigned priority, ensuring that higher-priority traffic is handled before lower-priority traffic during periods of congestion. Real-time is typically reserved for latency-sensitive applications like VoIP and video.

QoS Bandwidth Management

Controls traffic flow to prevent congestion and allocate bandwidth. Key parameters set per class and/or overall profile/interface are:

Egress Guaranteed: The minimum amount of bandwidth guaranteed for matching traffic during congestion. Unused guaranteed bandwidth is available for other traffic.
Egress Max: The absolute maximum bandwidth allocation for matching traffic. Traffic exceeding this limit is dropped.

These limits can be set in Mbps or percentages. Percentage calculations for class guarantees are based on the interface's or profile's Egress Max value. The sum of guaranteed bandwidths across all classes in a profile applied to an interface should not exceed the interface's total configured bandwidth (Egress Max on the QoS Interface settings).

QoS Egress Interface

QoS is always enabled and enforced on the egress interface for a specific traffic flow (the interface the traffic leaves the firewall from).

For traffic going from the internal network to the internet (upload), the egress interface is typically the external-facing (untrust) interface.
For traffic coming from the internet to the internal network (download), the egress interface is typically the internal-facing (trust) interface.

Diagram showing upload traffic egressing the external interface and download traffic egressing the internal interface.

Remember, QoS policy matching uses pre-NAT details, but enforcement happens on the egress interface.

QoS for Clear Text and Tunneled Traffic

When configuring QoS on an interface ( Network > QoS ), you can apply different QoS profiles and bandwidth limits specifically for:

Clear Text Traffic: Unencrypted traffic. You can apply a default profile and optionally create rules to apply different profiles based on source interface/subnet.
Tunneled Traffic: Refers primarily to IPsec VPN traffic in tunnel mode. You can apply a default profile for all tunneled traffic and optionally create rules to apply specific profiles to individual tunnel interfaces.

Configure QoS (Step-by-Step)

Follow these general steps to configure QoS:

Identify Traffic & Egress Interface: Use the ACC ( ACC tab) and Traffic logs ( Monitor > Logs > Traffic ) to identify the application/user traffic you want to manage and determine its egress interface ( Egress I/F column or detailed log view).
Add QoS Policy Rule: ( Policies > QoS > Add )
- Give it a Name.
- Define matching criteria (Source, Destination, Application, Service/URL Category, DSCP/ToS). Remember to use pre-NAT info for source matching.
- On the 'Other Settings' tab, assign a QoS Class (1-8).
- Click OK.
Add/Modify QoS Profile: ( Network > Network Profiles > QoS Profile > Add )
- Give it a Name.
- Set overall Egress Max and Egress Guaranteed bandwidth (optional but recommended).
- Add/Modify classes (1-8): Set Priority, Egress Max, Egress Guaranteed for each class used in your QoS policies.
- Click OK.
Enable QoS on Egress Interface: ( Network > QoS > Add )
- Select the Physical Interface Name identified in step 1.
- Set the overall Egress Max bandwidth for this physical interface.
- Check "Turn on QoS feature on this interface".
- Select a Default Profile for Clear Text traffic (often the one created in step 3).
- (Optional) Select a Default Profile for Tunneled Traffic.
- (Optional) Add more granular rules on the 'Clear Text Traffic' and 'Tunneled Traffic' tabs to apply specific profiles based on source subnet/interface or tunnel interface.
- Click OK.
Commit your changes.
Verify QoS Configuration: ( Network > QoS > Statistics ) View bandwidth usage, active sessions, and applications per QoS class for the configured interface. ( Monitor > Session Browser ) can also show applied QoS rules/classes per session.

Configure Lockless QoS (PAN-OS 11.0.3+)

Lockless QoS is an alternative QoS processing mode available on specific newer platforms (PA-34xx, PA-54xx series as listed in the original text) designed to improve performance, especially for higher bandwidth requirements, by dedicating CPU cores to QoS functions for specific interfaces.

Legacy QoS (default): Shares CPU resources.
Lockless QoS: Dedicates cores per interface, potentially improving throughput/latency but limiting LAG QoS throughput to a single core's capacity. Maximum allocatable bandwidth per port/profile remains 10G on supported platforms mentioned.

Use CLI commands to manage Lockless QoS:

Enable: set lockless-qos yes (requires commit and reboot)
Disable: set lockless-qos no (requires commit and reboot, falls back to legacy QoS if previously configured)
Show Status: show lockless-qos enable
Show Interface-Core Mapping: show lockless-qos if-core-mapping

Configure QoS for a Virtual System

QoS can be configured independently for each virtual system (vsys) on a firewall.

The process is similar to configuring QoS on a physical firewall, but requires careful consideration of source and destination zones within the QoS Policy rule to ensure traffic is shaped correctly for the intended vsys, as traffic might traverse multiple virtual systems.

Identify the traffic, egress interface (which might be physical or associated with another vsys), source zone, and destination zone specific to the vsys you are configuring QoS for, using tools like the ACC (filtered by vsys) and Traffic logs.

Diagram showing two virtual systems (VSYS 1 and VSYS 2) on a firewall, with separate QoS policies and shaping applied to traffic flows within each vsys.

Screenshot showing the Virtual System dropdown filter in the ACC.

Follow the standard steps (Create QoS Profile, Create QoS Policy specifying vsys-specific zones, Enable QoS on the appropriate physical egress interface) while ensuring the QoS Policy specifically targets the desired vsys traffic using zone matching.

Verify using QoS Statistics and Session Browser (filtered by vsys if applicable).

Enforce QoS Based on DSCP Classification

You can use Differentiated Services Code Point (DSCP) values in packet headers to classify traffic for QoS. The firewall can honor incoming DSCP values and/or mark outgoing traffic.

DSCP Markings:

Expedited Forwarding (EF): Highest priority, low loss/latency (e.g., VoIP).
Assured Forwarding (AF): Higher priority than best-effort, provides more reliable delivery. Multiple AF levels exist (e.g., AF11, AF21, etc.).
Class Selector (CS): Backward compatibility with IP Precedence.
IP Precedence (ToS): Legacy priority marking.
Custom Codepoint: Define custom binary values.

Note: QoS/DSCP cannot be applied to SSL Forward Proxy, SSL Inbound Inspection, or SSH Proxy traffic.

To configure DSCP-based QoS:

Perform preliminary QoS steps (Profile, Interface).
In the QoS Policy rule ( Policies > QoS ), go to the DSCP/ToS tab.
Click Add under Codepoints.
Select the DSCP Type (e.g., Assured Forwarding).
Select the specific Codepoint (e.g., AF11).
Assign the appropriate QoS Class on the 'Other Settings' tab.
(Optional) To mark return traffic with the same DSCP value, go to the corresponding Security Policy rule ( Policies > Security ), select the Actions tab, and in the QoS Marking dropdown, choose Follow Client-to-Server Flow .
Commit changes.

Use Case: QoS for a Single User

Scenario: A CEO needs guaranteed network performance for critical applications, even during peak usage.

Create a QoS Profile (e.g., "CEO_traffic") assigning a high Egress Guaranteed bandwidth (e.g., 50 Mbps) and high priority (e.g., Class 1 set to 'high' or 'real-time'). The Egress Max can be set high if no strict upper limit is desired.
Create a QoS Policy rule identifying the CEO's traffic. Use User-ID (Source User = CEO's username) if available, or Source Address (CEO's static IP). Set Source/Destination Zone/Address/Application to 'Any' or be more specific if needed. Assign this traffic to the high-priority class (e.g., Class 1) defined in the profile.
Enable QoS on the Egress Interface (e.g., external interface ethernet1/2 for outbound traffic). Attach the "CEO_traffic" QoS Profile as the default for Clear Text traffic.
Commit the changes.
Verify using QoS Statistics ( Network > QoS > Statistics ).

A similar process can be used to prioritize traffic *to* a specific user/destination by matching on Destination User/Address and enabling QoS on the internal egress interface.

Use Case: QoS for Voice and Video Applications

Scenario: Employees experience poor quality VoIP calls and video conferences.

Create a QoS Profile (e.g., "ensure voip-video traffic") defining a high-priority class (e.g., Class 2 set to 'real-time') with sufficient Egress Guaranteed bandwidth (e.g., 250 Mbps).
Create a QoS Policy rule identifying VoIP and video applications. Use an Application Filter (Subcategory = voip-video, Risk = low, Widely Used = yes) or add specific App-IDs (e.g., sip, rtp, skype, webex). Assign this traffic to the real-time class (e.g., Class 2). Set Source/Destination Zone/Address to 'Any' if applying globally.
Enable QoS on *both* the internal-facing egress interface (e.g., ethernet1/1 for incoming traffic) and the external-facing egress interface (e.g., ethernet1/2 for outgoing traffic). Attach the "ensure voip-video traffic" QoS Profile as the default for Clear Text traffic on both interfaces.
Commit the changes.
Verify using QoS Statistics ( Network > QoS > Statistics ) for both interfaces.

📝 QoS Interactive Quiz

1. What are the three primary components configured for QoS on a Palo Alto Networks firewall?

Security Policy, NAT Policy, QoS Interface QoS Policy, QoS Profile, QoS Egress Interface QoS Profile, QoS Class, QoS Monitor QoS Policy, Service Route, QoS Zone

2. On which interface is QoS always enabled and enforced for a traffic flow?

Ingress interface Management interface Egress interface Loopback interface

3. How many QoS classes can be defined within a single QoS Profile?

4 6 8 16

4. What does the "Egress Guaranteed" bandwidth setting in a QoS Profile signify?

The absolute maximum bandwidth allowed for the class. The bandwidth strictly reserved only for that class, even if unused. The minimum bandwidth assured for the class during congestion, available to others if unused. The average bandwidth consumed by the class.

5. Which firewall feature allows QoS policies to match traffic based on specific applications like 'web-browsing' or 'sip'?

User-ID Content-ID App-ID Device-ID

6. What is the default QoS class assigned to traffic that does not match any QoS policy rule?

Class 1 Class 4 Class 8 No class is assigned

7. Which priority level is typically recommended for latency-sensitive traffic like VoIP and video within a QoS Profile?

low medium high real-time

8. If a QoS policy needs to match traffic based on the original source IP before NAT, what address should be used in the QoS policy rule?

Post-NAT source IP Pre-NAT source IP Post-NAT destination IP Pre-NAT destination IP

9. What feature allows the firewall to honor incoming DSCP values and mark outgoing session traffic with the same value for consistent QoS treatment across the network?

Lockless QoS QoS Bandwidth Management Session-Based DSCP Classification (using QoS Marking in Security Policy) QoS Priority Queuing

10. When configuring QoS for tunneled (IPsec VPN) traffic specifically, where are the profiles and bandwidth limits applied?

On the Tunnel Interface settings itself. Within the QoS Policy rule definition. On the QoS Egress Interface configuration page, under the 'Tunneled Traffic' tab. Within the IKE/IPsec Crypto Profile.

Table of Contents