Consolidated Guide to PAN-OS Quality of Service (QoS)

What is Quality of Service (QoS)?

Quality of Service (QoS) on Palo Alto Networks firewalls allows administrators to manage network bandwidth and prioritize critical applications during periods of congestion. By classifying traffic and assigning different levels of service (bandwidth guarantees, priority), QoS ensures that essential applications receive the necessary resources, while less critical traffic can be rate-limited or handled on a best-effort basis.

The primary goal is to improve the performance and reliability of key applications by controlling how bandwidth is allocated on egress interfaces.

Note: PAN-OS QoS is primarily applied on egress to control traffic *leaving* an interface. While QoS Policy rules can match ingress traffic, the actual queuing and bandwidth management occur on the egress interface.

Core QoS Components in PAN-OS

PAN-OS QoS relies on several interconnected components working together:

  1. QoS Interface Settings: Configured directly on the physical or aggregate egress interface. This is where you define the total available egress bandwidth and allocate guaranteed/maximum bandwidth to each of the 8 QoS classes.
  2. QoS Classes: There are 8 predefined, fixed classes (class 1 to class 8). These represent distinct priority queues. Class 1 has the highest priority, and Class 8 has the lowest (best-effort).
  3. QoS Profile: An object that primarily maps traffic to a specific QoS Class (1-8). Optionally, it can also define DSCP/ToS remarking actions.
  4. QoS Policy Rule: Similar to a Security Policy rule, it matches traffic based on criteria (zone, address, user, application, service, DSCP). Instead of Allow/Deny, its action is to apply a specific QoS Profile to the matched traffic.

Fundamental Order: You MUST configure QoS on the egress interface (defining total bandwidth and class bandwidths) *before* QoS Policy rules referencing that interface can effectively manage traffic.

1. QoS Interface Settings & Bandwidth Management

Enabling QoS and Defining Bandwidth

QoS functionality is enabled and configured on a per-interface basis, typically the external-facing or congested egress interface.

Allocating Bandwidth to Classes

Once QoS is enabled on an interface, you allocate bandwidth to the 8 fixed classes:

Example: On a 100 Mbps interface, you might guarantee 20 Mbps for Class 2 (VoIP) and set its maximum to 30 Mbps. You might guarantee 5 Mbps for Class 6 (Bulk Transfers) and set its maximum to 50 Mbps.

2. QoS Classes & Priority Queuing

The 8 Fixed Classes

PAN-OS uses 8 fixed priority queues (Classes 1-8). You cannot add or remove classes.

Strict Priority Queuing

PAN-OS employs a Strict Priority Queuing mechanism for Classes 1 through 7. This means:

Implication: If higher-priority classes consistently consume all available bandwidth up to their maximums, lower-priority classes might experience packet loss or significant delays, even if they have guaranteed bandwidth configured (as the guarantee only applies during congestion when higher classes aren't demanding *all* the bandwidth).

3. QoS Profile

Mapping Traffic to a Class

A QoS Profile object is simple but essential. Its primary function is to link traffic identified by a QoS Policy rule to one of the 8 QoS classes.

Optional: DSCP/ToS Remarking

QoS Profiles can optionally be used to modify the Differentiated Services Code Point (DSCP) or Type of Service (ToS) value in the IP header of packets matching the associated QoS Policy rule.
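To make concrete what a DSCP/ToS remark actually changes in a packet, here is an added example (not PAN-OS code and not from the original page) that rewrites the 6 DSCP bits of the IPv4 ToS byte, leaves the 2 ECN bits untouched, and recomputes the header checksum. The header built by `build_ipv4_header` is constructed input; the DSCP name table and the addresses used are assumptions for illustration.

```python
"""What DSCP/ToS remarking does on the wire: rewrite the 6 DSCP bits of the IPv4
ToS byte (leaving the 2 ECN bits alone) and recompute the header checksum.
Constructed example for illustration, not PAN-OS code."""
import socket
import struct

# Common DSCP names -> 6-bit code points (RFC 2474 / RFC 2597 / RFC 3246)
DSCP = {"be": 0, "cs1": 8, "af11": 10, "cs2": 16, "af21": 18, "cs3": 24, "af31": 26,
        "cs4": 32, "af41": 34, "cs5": 40, "ef": 46, "cs6": 48, "cs7": 56}


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 ones'-complement sum over 16-bit words; returns 0 for a valid header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, dscp: int = 0, ecn: int = 0,
                      proto: int = 17, total_len: int = 40, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid checksum; constructed input."""
    tos = (dscp << 2) | (ecn & 0x3)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, total_len, 0x1234, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def remark_dscp(packet: bytes, dscp) -> bytes:
    """Return a copy of packet with the DSCP field rewritten and the checksum fixed.
    ECN bits are preserved: a DSCP remark must not touch congestion signalling."""
    if isinstance(dscp, str):
        dscp = DSCP[dscp.lower()]
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is a 6-bit field")
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (packet[0] & 0x0F) * 4
    hdr = bytearray(packet[:ihl])
    hdr[1] = (dscp << 2) | (hdr[1] & 0x03)          # new DSCP, same ECN
    hdr[10:12] = b"\x00\x00"                        # zero before recomputing
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + packet[ihl:]


def dscp_of(packet: bytes) -> int:
    return packet[1] >> 2


def ecn_of(packet: bytes) -> int:
    return packet[1] & 0x03


def checksum_ok(packet: bytes) -> bool:
    ihl = (packet[0] & 0x0F) * 4
    return ipv4_checksum(packet[:ihl]) == 0
```

Remarking to EF on a packet whose ECN bits are set yields a ToS byte of 0xBA (46 << 2 | 2); only byte 1 and the checksum bytes change, which is what you should expect to see when comparing captures taken on either side of the firewall.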

4. QoS Policy Rule

Matching Traffic for QoS Treatment

QoS Policy rules determine *which* traffic sessions receive specific QoS treatment.

Interaction with Security Policy: QoS Policy evaluation occurs *after* a session has been allowed by Security Policy. You only apply QoS to traffic that is permitted to pass through the firewall.

How QoS Components Work Together (Workflow)

  1. Interface Configuration: Administrator enables QoS on the egress interface (e.g., ethernet1/1), defines its total Egress Max bandwidth, and allocates Guaranteed and Maximum bandwidth limits for each of the 8 QoS classes.
  2. Profile Creation: Administrator creates QoS Profile objects (e.g., Profile-VoIP maps to Class 2, Profile-Web maps to Class 4, Profile-Bulk maps to Class 6).
  3. Policy Creation: Administrator creates QoS Policy rules.
    • Rule 1: Matches VoIP application traffic, applies Profile-VoIP.
    • Rule 2: Matches web-browsing application traffic, applies Profile-Web.
    • Rule 3: Matches file-transfer application traffic, applies Profile-Bulk.
    • (Default): Traffic not matching Rules 1-3 uses the interface's default profile (e.g., mapping to Class 4).
  4. Traffic Processing:
    • A packet arrives at the firewall.
    • Security Policy allows the packet.
    • QoS Policy lookup occurs (top-down). A matching rule is found (e.g., Rule 1 for a VoIP packet).
    • The associated QoS Profile (Profile-VoIP) is applied, marking the packet internally for Class 2 treatment.
    • If the profile includes DSCP remarking, the IP header is modified.
    • As the packet prepares to leave the egress interface (ethernet1/1), it's placed into the queue for Class 2.
    • The interface's QoS scheduler dequeues packets based on strict priority (Class 1 first, then Class 2, etc.), respecting the configured guaranteed/maximum bandwidth limits for each class during periods of congestion.
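The workflow above, and the strict-priority implication described in section 2, as an added example that is not part of the original page and not Palo Alto Networks code. It models a top-down QoS policy lookup (run only for sessions Security Policy allowed), the profile-to-class mapping, and an egress scheduler that hands out bandwidth per class on a 100 Mbps link. The profile names, rule names, applications, zones and bandwidth figures are constructed; the scheduler's order of operations (guarantees first, then leftover capacity in strict class order up to each class maximum) is a simplifying assumption, not a description of the PAN-OS implementation.

```python
"""Toy model of the PAN-OS QoS workflow: top-down QoS policy lookup -> QoS Profile
-> class (and optional DSCP), then per-class egress scheduling on the interface.
Constructed example, not Palo Alto Networks code; names and numbers are made up."""
from dataclasses import dataclass, field
from typing import Optional

@dataclass(frozen=True)
class QoSProfile:
    name: str
    qos_class: int              # 1 = highest priority, 8 = best effort
    dscp: Optional[str] = None  # optional remarking, e.g. "ef"

@dataclass(frozen=True)
class QoSRule:
    name: str
    applications: frozenset     # {"any"} matches every application
    profile: QoSProfile         # the rule's action: apply this profile
    from_zone: str = "any"
    to_zone: str = "any"

@dataclass
class ClassBandwidth:
    guaranteed: int = 0         # kbps reserved for the class under congestion
    maximum: int = 0            # kbps ceiling; 0 = up to the interface egress max

@dataclass
class QoSInterface:
    name: str
    egress_max: int             # total egress bandwidth, kbps
    default_profile: QoSProfile # used when no QoS policy rule matches
    classes: dict = field(default_factory=dict)  # class number -> ClassBandwidth

def rule_matches(rule: QoSRule, session: dict) -> bool:
    # Simplified matcher: application and zones only (PAN-OS also matches
    # address, user, service and DSCP).
    return (("any" in rule.applications or session["app"] in rule.applications)
            and rule.from_zone in ("any", session["from_zone"])
            and rule.to_zone in ("any", session["to_zone"]))

def classify(rules: list, session: dict, iface: QoSInterface) -> Optional[dict]:
    """QoS lookup for one session already evaluated by Security Policy."""
    if not session.get("allowed", True):
        return None                     # denied sessions never reach QoS
    for rule in rules:                  # top-down, first match wins
        if rule_matches(rule, session):
            profile, rule_name = rule.profile, rule.name
            break
    else:
        profile, rule_name = iface.default_profile, None
    return {"rule": rule_name, "profile": profile.name, "class": profile.qos_class,
            # remark only when the profile says so; otherwise keep the packet's DSCP
            "dscp": profile.dscp or session.get("dscp")}

def schedule(iface: QoSInterface, demand: dict) -> dict:
    """Egress scheduler model; demand maps class number -> kbps offered.
    Assumption made here: guarantees are honoured first (in class order), then
    leftover capacity goes out in strict priority order up to each class maximum."""
    granted = {c: 0 for c in demand}
    remaining = iface.egress_max
    for c in sorted(demand):                       # phase 1: guarantees
        cfg = iface.classes.get(c, ClassBandwidth())
        g = min(demand[c], cfg.guaranteed, remaining)
        granted[c] += g
        remaining -= g
    for c in sorted(demand):                       # phase 2: strict priority
        cfg = iface.classes.get(c, ClassBandwidth())
        ceiling = cfg.maximum or iface.egress_max
        extra = max(0, min(demand[c] - granted[c], ceiling - granted[c], remaining))
        granted[c] += extra
        remaining -= extra
    return granted

# Constructed configuration mirroring the workflow in the text.
PROFILE_VOIP = QoSProfile("Profile-VoIP", 2, dscp="ef")
PROFILE_WEB = QoSProfile("Profile-Web", 4)
PROFILE_BULK = QoSProfile("Profile-Bulk", 6)
PROFILE_DEFAULT = QoSProfile("Profile-Default", 4)
RULES = [
    QoSRule("Rule-VoIP", frozenset({"sip", "rtp"}), PROFILE_VOIP, "trust", "untrust"),
    QoSRule("Rule-Web", frozenset({"web-browsing", "ssl"}), PROFILE_WEB),
    QoSRule("Rule-Bulk", frozenset({"ftp", "smb"}), PROFILE_BULK),
]
ETH1_1 = QoSInterface("ethernet1/1", egress_max=100_000, default_profile=PROFILE_DEFAULT,
                      classes={2: ClassBandwidth(20_000, 30_000),   # VoIP
                               4: ClassBandwidth(10_000),           # web, no ceiling
                               6: ClassBandwidth(5_000, 50_000)})   # bulk

def demo() -> tuple:
    """Classify constructed sessions, then schedule one congested second."""
    sessions = [
        {"app": "sip", "from_zone": "trust", "to_zone": "untrust"},
        {"app": "ftp", "from_zone": "trust", "to_zone": "untrust", "dscp": "cs1"},
        {"app": "dns", "from_zone": "trust", "to_zone": "untrust"},            # no rule
        {"app": "ssl", "from_zone": "trust", "to_zone": "untrust", "allowed": False},
    ]
    decisions = [classify(RULES, s, ETH1_1) for s in sessions]
    # 160 Mbps offered on a 100 Mbps link: class 6 gets guarantee plus leftovers only
    return decisions, schedule(ETH1_1, {2: 40_000, 4: 60_000, 6: 60_000})
```

Running `demo()` shows the two halves of the picture: the policy lookup only decides which class a session belongs to, while the congested run of `schedule` is where the bandwidth numbers on the interface matter. With 160 Mbps offered on the 100 Mbps link, Class 2 is capped at its 30 Mbps maximum, Class 4 takes what it asked for, and Class 6 ends up with 10 Mbps of the 60 Mbps it offered, which is the starvation effect the "Implication" note warns about.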

QoS Policy vs. QoS Profile: Understanding the Difference

It's crucial to understand the distinct roles of QoS Policy rules and QoS Profile objects, as they work together but serve different functions:

In summary: The QoS Policy rule asks "*Which* traffic gets QoS?", while the associated QoS Profile object answers "*What* class (and maybe DSCP marking) should that traffic receive?". You need both configured correctly, along with the interface QoS settings, for QoS to function.

Quick Comparison Table:

Attribute           | QoS Policy Rule                                             | QoS Profile Object
--------------------|-------------------------------------------------------------|-------------------------------------------------------------
Primary Goal        | Identify/Match Traffic                                      | Define QoS Treatment
Location            | Policies > QoS                                              | Objects > QoS Profile
Key Action          | Apply a QoS Profile (or directly remark DSCP)               | Assign QoS Class (1-8)
Configuration Focus | Matching Criteria (Zones, IPs, Apps, Users, Services, DSCP) | QoS Class selection, Optional DSCP/ToS Remarking
Dependency          | Requires a QoS Profile (or direct remarking) to apply       | Is applied *by* a QoS Policy rule or as an Interface Default

Clarification: Where is the "QoS Profile" Applied?

Important Point of Clarity: The term "QoS Profile" can be confusing because it's used in two distinct contexts within the PAN-OS configuration. Understanding where each is applied is key:

  1. Interface QoS Settings (Sometimes called Network QoS Profile):

    • What it is: This configuration defines the overall QoS behavior for a specific physical or aggregate interface. It sets the total egress bandwidth limit for the interface and, critically, allocates the guaranteed and maximum bandwidth for each of the 8 QoS classes on that specific interface. It also defines the default QoS class for traffic not matching any QoS policy rule on that interface.
    • Configuration Location: Network > Interfaces > [Select Interface] > QoS tab OR via Network > Network Profiles > QoS Profile (where you create a profile that is then *assigned* to one or more interfaces).
    • Applied To: This profile/configuration is applied directly TO THE EGRESS INTERFACE. It controls the resources and queuing behavior *on that interface*.

  2. QoS Profile Object:

    • What it is: This is an object you create primarily to map traffic to one of the 8 QoS Classes. It can also optionally include DSCP remarking settings.
    • Configuration Location: Objects > QoS Profile
    • Applied To: This profile object is selected as the ACTION within a QoS Policy Rule (Policies > QoS). When a QoS policy rule matches traffic, it applies the settings defined in this QoS Profile object *to that matched traffic*, primarily telling the system which QoS Class that traffic belongs to.

In essence:

Both are needed for QoS to function: the interface needs its class bandwidths defined, and policies need to assign traffic to those classes using the QoS Profile objects.

Simplified Analogy:

[Diagram: Simplified QoS processing flow.]

PCNSE Exam Relevance

Understanding QoS is important for the PCNSE exam. Key areas include:

QoS Knowledge Check Quiz

1. Where is the total maximum egress bandwidth for an interface defined in PAN-OS QoS?

The overall bandwidth limit (Interface Egress Max) and the guaranteed/maximum bandwidths per class are configured directly on the egress interface's QoS tab or via its associated Network > QoS Profile.

2. How many QoS classes are available in PAN-OS, and which has the highest priority?

PAN-OS has 8 fixed, predefined QoS classes (1 through 8). Class 1 always has the highest priority in the strict priority queuing model.

3. What is the primary function of a QoS Profile object?

The main purpose of a QoS Profile object (found under Objects > QoS Profile) is to specify which QoS Class traffic should be assigned to when a QoS Policy rule using this profile is matched. Optional DSCP remarking can also be configured here.

4. Which PAN-OS policy type determines if traffic is allowed or denied *before* QoS policy is evaluated?

QoS is applied only to traffic that has already been permitted by a Security Policy rule. If Security Policy denies the traffic, QoS evaluation does not occur for that session.

5. What does the 'Guaranteed Egress' bandwidth setting for a QoS class on an interface ensure?

The 'Guaranteed Egress' setting ensures that, even when the interface is congested, the specified class will receive at least this amount of bandwidth, provided it has traffic to send.

6. In the PAN-OS strict priority queuing model, when does QoS Class 3 receive bandwidth?

Strict priority means Class 1 is served first, then Class 2. Only when the higher priority queues are empty or have hit their maximum bandwidth limit does the scheduler move to serve the next lower priority queue (Class 3 in this case).

7. A QoS Policy rule matches traffic based on Application 'ms-rdp' and applies a QoS Profile named 'RDP-Class3'. What does this achieve?

The QoS Policy rule identifies the traffic (RDP), and the applied QoS Profile maps it to Class 3. The actual bandwidth allocation and prioritization happen based on the Class 3 settings configured on the egress interface.

8. What happens to traffic that does NOT match any specific QoS Policy rule?

Each interface where QoS is enabled has a Default QoS Profile setting. Traffic not matching any explicit QoS rule inherits the class specified by this default profile (often Class 4, but configurable).

9. Can a QoS Profile be used to change the DSCP value of IP packets?

In addition to assigning a QoS Class, a QoS Profile object can optionally be configured to remark the DSCP or IP Precedence (ToS) values in the IP headers of matching packets.

10. What is the main prerequisite before any QoS Policy rule can effectively manage bandwidth for a specific class?

The QoS Policy rules and Profiles assign traffic to classes, but the actual bandwidth management (guarantees, maximums, queuing) only occurs if QoS is enabled on the egress interface and bandwidth limits are defined for the classes on that specific interface.