Quality of Service (QoS) and how it works

QoS (Quality of Service) allows you to manage the available network bandwidth and make sure that important network services are given priority over less important traffic.

QoS consists of bandwidth management and traffic prioritization. You can use both bandwidth management and traffic prioritization together or bandwidth management or traffic prioritization individually for any given type of traffic.

The QoS features help you in the following ways:

  • You can set up a Guarantee for a type of traffic that must always be given a certain minimum share of the available bandwidth.
  • You can set up a Limit for maximum bandwidth for a type of traffic that must never use more than a certain share of the available bandwidth.
  • You can set a Priority value for the traffic. Higher priority traffic is sent forward to its destination before lower priority traffic if the Engine queues packets due to congestion.
  • Active Queue Management (AQM) reduces the volume of dropped or retransmitted packets when there is network congestion. AQM monitors the average queue size and uses a scheduling algorithm to determine the statistical probability for dropping incoming packets.
  • On Engines, Master Engines, and Virtual Engines in the Firewall/VPN role, you can use QoS Class elements to apply criteria for dynamic link selection in Multi-Link VPNs to traffic.
    Note: Only layer 3 physical interfaces are supported.
  • The Engine can read or write DiffServ Code Point (DSCP) type of service (ToS) field markers. The markers allow the Engine to be aware of the priorities set by other network equipment. Other equipment is also aware of the priorities set in the QoS Policy. The markers allow you to integrate the Firewall with other network equipment that implements QoS management in your own or your ISP’s network.
  • The Engine can collect statistics about traffic that matches Access rules that apply a QoS Class to the traffic. QoS Class-based statistics items are used in Overviews and Reports.

The QoS features have the following limitations:

  • QoS is only available on some interface types:
    Engine role Interface types
    Firewall/VPN
    • Layer 3 physical interfaces
    • Layer 2 physical interfaces of the Inline IPS Interface and Inline Layer 2 Firewall type
    • VLAN interfaces
    • Tunnel interfaces
    • ADSL interfaces
    • SSID interfaces
    • Port group interfaces of an integrated switch
    Note: QoS is also available in the properties of policy-based VPNs
    IPS, Layer 2 Firewall Physical interfaces of the Inline Interface type

    Bandwidth management and traffic prioritization are not supported on Modem interfaces of Single Firewalls.

  • It is not possible to apply a bandwidth guarantee to incoming Internet traffic on your Internet link. By the time the Engine processes the traffic, the bandwidth has already been used. If you want guaranteed bandwidth for a specific portion of your incoming Internet traffic, contact your ISP and ask if they can enforce this guarantee for you.
  • If you want to create QoS rules for both incoming and outgoing traffic, you must assign a QoS Policy to at least two interfaces. Incoming traffic is processed according to the Firewall, IPS, or Layer 2 Firewall policy, and then the QoS Policy is applied to the allowed traffic on the outgoing interface.
  • When you use the DSCP Match/Mark rules of a QoS Policy to assign a QoS Class based on the DSCP code in incoming traffic, custom link selection options in the QoS Class elements are not applied to the traffic. Instead, the traffic uses the settings in QoS Class elements in Access rules that override the default link selection options defined in the Network Application or Protocol elements. If there are no matching Access rules that override the default link selection options defined in the Network Application or Protocol elements, the traffic uses the default settings.