Consolidated Guide to PAN-OS Quality of Service (QoS)

What is Quality of Service (QoS)?

Quality of Service (QoS) on Palo Alto Networks firewalls allows administrators to manage network bandwidth and prioritize critical applications during periods of congestion. By classifying traffic and assigning different levels of service (bandwidth guarantees, priority), QoS ensures that essential applications receive the necessary resources, while less critical traffic can be rate-limited or handled on a best-effort basis.

The primary goal is to improve the performance and reliability of key applications by controlling how bandwidth is allocated on egress interfaces.

Note: PAN-OS QoS is primarily applied on egress to control traffic *leaving* an interface. While QoS Policy rules can match ingress traffic, the actual queuing and bandwidth management occur on the egress interface.

Core QoS Components in PAN-OS

PAN-OS QoS relies on several interconnected components working together:

  1. QoS Interface Settings: Configured directly on the physical or aggregate egress interface. This is where you define the total available egress bandwidth and allocate guaranteed/maximum bandwidth to each of the 8 QoS classes.
  2. QoS Classes: There are 8 predefined, fixed classes (class 1 to class 8). These represent distinct priority queues. Class 1 has the highest priority, and Class 8 has the lowest (best-effort).
  3. QoS Profile: An object that primarily maps traffic to a specific QoS Class (1-8). Optionally, it can also define DSCP/ToS remarking actions.
  4. QoS Policy Rule: Similar to a Security Policy rule, it matches traffic based on criteria (zone, address, user, application, service, DSCP). Instead of Allow/Deny, its action is to apply a specific QoS Profile to the matched traffic.

Fundamental Order: You MUST configure QoS on the egress interface (defining total bandwidth and class bandwidths) *before* QoS Policy rules referencing that interface can effectively manage traffic.

1. QoS Interface Settings & Bandwidth Management

Enabling QoS and Defining Bandwidth

QoS functionality is enabled and configured on a per-interface basis, typically the external-facing or congested egress interface.

Allocating Bandwidth to Classes

Once QoS is enabled on an interface, you allocate bandwidth to each of the 8 fixed classes by setting a guaranteed (minimum) rate and a maximum (cap) rate per class, both bounded by the interface's total egress bandwidth:

Example: On a 100 Mbps interface, you might guarantee 20 Mbps for Class 2 (VoIP) and set its maximum to 30 Mbps. You might guarantee 5 Mbps for Class 6 (Bulk Transfers) and set its maximum to 50 Mbps.

2. QoS Classes & Priority Queuing

The 8 Fixed Classes

PAN-OS uses 8 fixed priority queues (Classes 1-8). You cannot add or remove classes.

Strict Priority Queuing

PAN-OS employs a Strict Priority Queuing mechanism for Classes 1 through 7. This means the scheduler always serves the highest-priority queue that has packets waiting (Class 1, then Class 2, and so on), and a lower-priority class only transmits what the higher-priority classes leave unused, up to its own configured maximum.

Implication: If higher-priority classes consistently consume all available bandwidth up to their maximums, lower-priority classes might experience packet loss or significant delays, even if they have guaranteed bandwidth configured (as the guarantee only applies during congestion when higher classes aren't demanding *all* the bandwidth).

3. QoS Profile

Mapping Traffic to a Class

A QoS Profile object is simple but essential. Its primary function is to link traffic identified by a QoS Policy rule to one of the 8 QoS classes.

Optional: DSCP/ToS Remarking

QoS Profiles can optionally be used to modify the Differentiated Services Code Point (DSCP) or Type of Service (ToS) value in the IP header of packets matching the associated QoS Policy rule.
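The remark action above changes only the 6 DSCP bits of the IPv4 ToS byte, leaves the 2 ECN bits alone, and forces a header checksum update. The following Python is an added illustration of that operation on a constructed packet, not code from the guide or from PAN-OS; the sample addresses and payload are made up.

```python
import socket
import struct

# Well-known DSCP code points (RFC 2474 / RFC 4594). DSCP occupies the top 6 bits
# of the IPv4 ToS byte; the low 2 bits are ECN and must not be touched by a remark.
DSCP = {"BE": 0, "AF11": 10, "AF21": 18, "AF31": 26, "AF41": 34, "EF": 46, "CS6": 48}

def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words; verifies to 0 over a correct header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_ipv4(src: str, dst: str, payload: bytes = b"", tos: int = 0) -> bytes:
    """Constructed 20-byte IPv4/UDP header (no options) used as sample input."""
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + len(payload),
                                0x1234, 0x4000, 64, 17, 0,
                                socket.inet_aton(src), socket.inet_aton(dst)))
    struct.pack_into("!H", hdr, 10, ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + payload

def dscp_of(packet: bytes) -> int:
    return packet[1] >> 2

def remark_dscp(packet: bytes, dscp: int) -> bytes:
    """Rewrite the DSCP bits, keep ECN, and recompute the header checksum, which
    is what a remark action must do for the packet to stay valid on the wire."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is a 6-bit value")
    ihl = (packet[0] & 0x0F) * 4
    hdr = bytearray(packet[:ihl])
    hdr[1] = (dscp << 2) | (hdr[1] & 0x03)
    hdr[10:12] = b"\x00\x00"
    struct.pack_into("!H", hdr, 10, ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + packet[ihl:]

if __name__ == "__main__":
    pkt = build_ipv4("10.0.0.1", "10.0.0.2", b"voice", tos=0x01)  # ECN ECT(1) set
    marked = remark_dscp(pkt, DSCP["EF"])
    print(hex(marked[1]), ipv4_checksum(marked[:20]))  # 0xb9 0
```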

4. QoS Policy Rule

Matching Traffic for QoS Treatment

QoS Policy rules determine *which* traffic sessions receive specific QoS treatment.

Interaction with Security Policy: QoS Policy evaluation occurs *after* a session has been allowed by Security Policy. You only apply QoS to traffic that is permitted to pass through the firewall.

How QoS Components Work Together (Workflow)

  1. Interface Configuration: Administrator enables QoS on the egress interface (e.g., ethernet1/1), defines its total Egress Max bandwidth, and allocates Guaranteed and Maximum bandwidth limits for each of the 8 QoS classes.
  2. Profile Creation: Administrator creates QoS Profile objects (e.g., Profile-VoIP maps to Class 2, Profile-Web maps to Class 4, Profile-Bulk maps to Class 6).
  3. Policy Creation: Administrator creates QoS Policy rules.
    • Rule 1: Matches VoIP application traffic, applies Profile-VoIP.
    • Rule 2: Matches web-browsing application traffic, applies Profile-Web.
    • Rule 3: Matches file-transfer application traffic, applies Profile-Bulk.
    • (Default): Traffic not matching Rules 1-3 uses the interface's default profile (e.g., mapping to Class 4).
  4. Traffic Processing:
    • A packet arrives at the firewall.
    • Security Policy allows the packet.
    • QoS Policy lookup occurs (top-down). A matching rule is found (e.g., Rule 1 for a VoIP packet).
    • The associated QoS Profile (Profile-VoIP) is applied, marking the packet internally for Class 2 treatment.
    • If the profile includes DSCP remarking, the IP header is modified.
    • As the packet prepares to leave the egress interface (ethernet1/1), it's placed into the queue for Class 2.
    • The interface's QoS scheduler dequeues packets based on strict priority (Class 1 first, then Class 2, etc.), respecting the configured guaranteed/maximum bandwidth limits for each class during periods of congestion.

```mermaid
flowchart TD
    A[Packet Ingress] --> B[Security Policy Lookup]
    B -- Allowed --> C[QoS Policy Lookup]
    C -- Match Rule --> D[Apply QoS Profile]
    D --> E[Assign QoS Class e.g., Class 2]
    E --> F[Optional: Remark DSCP]
    F --> G[Place in Egress Queue for assigned Class]
    subgraph "Egress Interface (e.g., eth1/1)"
        direction TB
        G --> H[QoS Scheduler]
        subgraph Queues
            direction TB
            Q1[Class 1 Queue]
            Q2[Class 2 Queue]
            Q3[...]
            Q8[Class 8 Queue]
        end
        H --> Q1
        H --> Q2
        H --> Q3
        H --> Q8
        style H fill:#f9f,stroke:#333,stroke-width:2px
    end
    H --> I[Transmit Packet]
    B -- Denied --> J[Drop/Reject]
    C -- No Match --> K[Apply Interface Default QoS Profile/Class]
    K --> E

    %% Link 12 is the "Denied" edge from Security Policy Lookup to Drop/Reject
    %% (links are numbered in order of definition, subgraph edges included).
    linkStyle 12 stroke:#f00,stroke-width:2px,color:red
```

Simplified QoS processing flow.
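The workflow above and the Strict Priority Queuing implication in section 2 (a lower class can fall below its guarantee when higher classes consume the link up to their maximums) are illustrated by the following Python model. It is an added example, not code from the guide or from PAN-OS: the rule table, the application names and the Class 4 figures are constructed, while the 100 Mbps egress max and the Class 2 (20/30) and Class 6 (5/50) figures come from the guide's own example. The pre-commit check at the end is the one a practitioner would run to see which classes can be starved.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ClassBw:
    guaranteed: float   # Mbps reserved for the class during congestion
    maximum: float      # Mbps hard cap for the class

# Constructed sample config. Egress max, Class 2 (20/30) and Class 6 (5/50) use
# the guide's numbers; Class 4 (the assumed default class) is an assumed 10/100.
EGRESS_MAX = 100.0
CLASS_BW = {2: ClassBw(20, 30), 4: ClassBw(10, 100), 6: ClassBw(5, 50)}

# QoS profiles map to a class; rules are evaluated top-down on the application.
PROFILES = {"Profile-VoIP": 2, "Profile-Web": 4, "Profile-Bulk": 6}
RULES = [("sip", "Profile-VoIP"), ("web-browsing", "Profile-Web"),
         ("ftp", "Profile-Bulk")]
DEFAULT_CLASS = 4   # interface default profile when no rule matches

def classify(app):
    """QoS Policy lookup: first matching rule wins, else the interface default."""
    for rule_app, profile in RULES:
        if rule_app == app:
            return PROFILES[profile]
    return DEFAULT_CLASS

def schedule(demand, egress_max=EGRESS_MAX, class_bw=CLASS_BW):
    """Strict priority as the guide describes it: Class 1 drains first, then Class 2,
    and so on; each class gets what higher classes left, capped by its own maximum."""
    alloc, left = {}, egress_max
    for n in sorted(demand):          # demand maps class -> offered Mbps
        got = min(demand[n], class_bw[n].maximum, left)
        alloc[n] = got
        left -= got
    return alloc

def starvable_classes(egress_max=EGRESS_MAX, class_bw=CLASS_BW):
    """Pre-commit check: a class can be starved below its guarantee whenever the
    maximums of all higher-priority classes plus its own guarantee exceed the
    interface egress max. Returns the classes for which that is true."""
    out = []
    for n in sorted(class_bw):
        higher_max = sum(c.maximum for m, c in class_bw.items() if m < n)
        if higher_max + class_bw[n].guaranteed > egress_max:
            out.append(n)
    return out

if __name__ == "__main__":
    demand = {classify("sip"): 25, classify("web-browsing"): 90, classify("ftp"): 40}
    print(schedule(demand))     # class 6 gets 0 Mbps despite its 5 Mbps guarantee
    print(starvable_classes())  # [6]
```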

PCNSE Exam Relevance

Understanding QoS is important for the PCNSE exam. Key areas include:
