Getting Started: Quality of Service
Resolution
What more can my firewall do? Quality of Service!
In this installment of the Getting Started series we'll take a closer look at how to enable Quality of Service, or QoS. QoS manages the bandwidth of a network segment: it can cap what some applications consume while guaranteeing capacity for others. This enables you, as the administrator, to prioritize, for example, VoIP calls over other traffic, and to limit the amount of bandwidth those YouTube videos consume.
An important concept to keep in mind is that a QoS profile is applied on the egress interface of a packet that is traveling through the firewall. This would mean, for example, that to limit upload, a QoS profile needs to be enabled on the untrust interface and to limit download, a QoS profile needs to be enabled on the trust interface.
To get started, you first need at least one QoS profile. Go to the Network tab, open Network Profiles > QoS Profile, and create a new profile.
In this view you can add several classes. A class does not match traffic by itself: it defines a bandwidth characteristic (a guaranteed and/or maximum egress rate) and a priority that determines whether its packets are served before other packets in the dataplane under load. Sessions are assigned to a class by QoS policy, which we create further down.
The default class is class4. Any session that has no specific class assigned to it is controlled by class4, so make sure that class is sized in the profile to carry the bulk of your traffic.
Let's assume you have an internet bandwidth of 100Mbps and want to limit your generic traffic to half. To accomplish this, you need to set the Egress Max to 100Mbps for this profile and 50Mbps for class4.
Next, you want to make sure your VoIP traffic does not suffer from download spikes, so create a class (class1 in this example) with 'real-time' priority, which ensures that when the dataplane is heavily loaded these packets are serviced before packets of any other class. Set an Egress Guaranteed of 30Mbps so calls don't suffer from congestion: that bandwidth is available to the class whenever it needs it, and while the class is idle other classes can still use it.
*When creating classes, the priority determines the order in which packets are handled by the firewall under heavy load, with real-time the highest priority and low the lowest.
Lastly, you want to keep some applications, like YouTube, from consuming much bandwidth while still letting them through. Create a 'low' priority class (class8 here) with an Egress Max of 0.1Mbps, or 100Kbps.
Next, activate the profile on all relevant interfaces. For now we will use the same profile for both the internal and the external interface. Go to Network > QoS and add the interfaces.
Select the appropriate interface from the dropdown, make sure the checkbox to enable QoS is checked, and set the Clear Text Default Profile to your newly created profile. We can leave the interface-specific Egress Max set to 0 for now, as we only have two interfaces and the profile's own Egress Max already caps all traffic leaving each of them.
The last step before we can test our configuration is to create a QoS policy. Just like a security policy, a QoS policy can be built to more granularly control the classes you just created and apply a class to certain traffic only.
Go to the Policies tab and create a new policy in QoS.
To create the VoIP policy, set the source zone to trust and the destination zone to untrust, and choose the relevant applications. I've selected Skype and some streaming protocols. Then classify this traffic as class1. A QoS rule matches on the session's zones, not on the interface that carries the profile: one rule puts both directions of the call into class1, and each direction is then shaped on whichever interface it egresses.
Repeat this step for the applications you want to severely limit.
The schedule in the last tab can be used to apply Quality of Service based on the time of day. For example, limit YouTube from 7am to 12pm and from 1pm to 7pm; during the lunch break no rule matches, so YouTube falls back to the default class4 and users can watch videos at normal speed. Several rules for the same class can be created and will be processed top to bottom.
Since class4 is the default, no policy needs to be created. Go ahead and commit this configuration to enable QoS.
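The same configuration expressed as PAN-OS CLI set commands, added here as an example and not part of the original walkthrough. The profile name GS-QoS, the rule names, the App-IDs and the interface-to-zone mapping (ethernet1/1 untrust, ethernet1/2 trust, taken from the session output further down) are assumptions; the command paths follow the PAN-OS 7.x configuration hierarchy as I remember it (older releases omit the class-bandwidth-type mbps level, and the interface Egress Max is left at its default as in the walkthrough), so verify each path with ? completion in configure mode before committing. Lines starting with # are notes for the reader, not CLI input.

```text
configure

# QoS profile: 100 Mbps aggregate, class1 real-time with 30 Mbps guaranteed,
# class4 (the default class) capped at 50 Mbps, class8 low priority capped at 0.1 Mbps
set network qos profile GS-QoS class-bandwidth-type mbps aggregate-bandwidth egress-max 100
set network qos profile GS-QoS class-bandwidth-type mbps class class1 priority real-time class-bandwidth egress-guaranteed 30
set network qos profile GS-QoS class-bandwidth-type mbps class class4 priority medium class-bandwidth egress-max 50
set network qos profile GS-QoS class-bandwidth-type mbps class class8 priority low class-bandwidth egress-max 0.1

# Enable QoS on the untrust (upload) and trust (download) interfaces with the same
# profile as the clear-text default on both
set network qos interface ethernet1/1 enabled yes
set network qos interface ethernet1/1 regular-traffic default-group qos-profile GS-QoS
set network qos interface ethernet1/2 enabled yes
set network qos interface ethernet1/2 regular-traffic default-group qos-profile GS-QoS

# QoS policy: VoIP into class1, bandwidth hogs into class8 (ftp included, so the
# download test further down lands in class8); anything unmatched stays class4
set rulebase qos rules voip from trust to untrust source any destination any application [ skype ] service any action class1
set rulebase qos rules bandwidth-hoggers from trust to untrust source any destination any application [ youtube-base ftp ] service any action class8

commit
```

After the commit, show qos interface ethernet1/2 counter (or the GUI statistics described next) is where you confirm the classes actually see traffic.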
You can now test whether the QoS configuration is being applied. The QoS page has a live statistics view that helps visualize how bandwidth is being used. Open the Network tab, go to the QoS page and open the statistics for ethernet1/2 (the trust interface, where downloaded data leaves the firewall), as we will be testing downloads.
You should now get a popup similar to this.
On your GUI the colors may be slightly different, but in my example above you can see from the purple that represents class4 that I've downloaded the FileZilla client from the internet, which caused a little spike up to 8Mbps in my bandwidth.
If you now download a file through FTP onto your client, you'll notice the transfer is extremely slow (ftp was added to the limiting rule in this setup, as the session output below shows). The statistics page reflects that by showing class8 traffic using up its full 0.1Mbps allotted bandwidth.
Another way to verify which class a session is assigned to is through the CLI.
> show session all

--------------------------------------------------------------------------------
ID          Application    State   Type Flag  Src[Sport]/Zone/Proto (translated IP[Port])
Vsys                                          Dst[Dport]/Zone (translated IP[Port])
--------------------------------------------------------------------------------
1105         ftp-data       ACTIVE  FLOW  ND   198.51.100.1[20]/untrust/6  (198.51.100.1[20])
vsys1                                          198.51.100.230[41094]/trust  (10.0.2.4[4383])
1097         ftp            ACTIVE  FLOW  NS   10.0.2.4[4379]/trust/6  (198.51.100.230[62430])
vsys1                                          198.51.100.1[21]/untrust  (198.51.100.1[21])
1106         dns            ACTIVE  FLOW  NS   10.0.2.4[53048]/trust/17  (198.51.100.230[30096])
vsys1                                          4.2.2.2[53]/untrust  (4.2.2.2[53])
1107         dns            ACTIVE  FLOW  NS   10.0.2.4[49267]/trust/17  (198.51.100.230[26164])
vsys1                                          4.2.2.2[53]/untrust  (4.2.2.2[53])

> show session id 1105

Session        1105

        c2s flow:
                source:      198.51.100.1 [untrust]
                dst:         198.51.100.230
                proto:       6
                sport:       20              dport:      41094
                state:       ACTIVE          type:       FLOW
                src user:    unknown
                dst user:    unknown
                qos node:    ethernet1/2, qos member N/A Qid 0

        s2c flow:
                source:      10.0.2.4 [trust]
                dst:         198.51.100.1
                proto:       6
                sport:       4383            dport:      20
                state:       ACTIVE          type:       FLOW
                src user:    unknown
                dst user:    unknown
                qos node:    ethernet1/1, qos member N/A Qid 0

        start time                    : Wed Nov 25 14:52:26 2015
        ... snipped for brevity ...
        ingress interface             : ethernet1/1
        egress interface              : ethernet1/2
        session QoS rule              : bandwidth-hoggers (class 8)
        tracker stage l7proc          : ctd decoder bypass
        end-reason                    : unknown
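A small parser for that show session id output, added as an example (it is not code from the original post or from Palo Alto Networks). It pulls out the QoS node of each flow direction, the ingress and egress interfaces and the QoS rule and class, and then checks the two things this page asks you to verify: that each direction is shaped on the interface it leaves through, and that the class the firewall assigned is the one your policy intends. The sample text is session 1105 from above, trimmed to the relevant lines; the rule-name-to-class map is an assumption standing in for your own QoS policy, and the exact wording the firewall uses for a session that matched no rule is assumed, not taken from the page.

```python
"""Parse PAN-OS 'show session id <n>' output and check where each flow direction
is shaped and which QoS class the session landed in.  Added example, not code
from the original post; the sample below is the article's session 1105, trimmed."""
import re

# Constructed sample: the QoS-relevant lines of the session shown above.
SAMPLE = """\
Session        1105

        c2s flow:
                source:      198.51.100.1 [untrust]
                dst:         198.51.100.230
                proto:       6
                sport:       20              dport:      41094
                state:       ACTIVE          type:       FLOW
                qos node:    ethernet1/2, qos member N/A Qid 0

        s2c flow:
                source:      10.0.2.4 [trust]
                dst:         198.51.100.1
                proto:       6
                sport:       4383            dport:      20
                state:       ACTIVE          type:       FLOW
                qos node:    ethernet1/1, qos member N/A Qid 0

        start time                    : Wed Nov 25 14:52:26 2015
        ingress interface             : ethernet1/1
        egress interface              : ethernet1/2
        session QoS rule              : bandwidth-hoggers (class 8)
        end-reason                    : unknown
"""

SESSION_RE = re.compile(r"^Session\s+(\d+)")
FLOW_RE = re.compile(r"^\s*(c2s|s2c) flow:\s*$")
QOS_NODE_RE = re.compile(r"^\s*qos node:\s*(\S+),")
KV_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?)\s*:\s*(.+?)\s*$")
# "bandwidth-hoggers (class 8)"; a session that matched no rule should still
# report the default class 4 in the same "(class N)" form (assumed wording)
RULE_RE = re.compile(r"^(?P<rule>.+?)\s+\(class\s+(?P<cls>\d+)\)$")


def parse_session(text):
    """Return session id, qos node per direction, interfaces and QoS rule/class."""
    info = {"session": None, "qos_node": {}, "ingress_interface": None,
            "egress_interface": None, "qos_rule": None, "qos_class": None}
    direction = None
    for line in text.splitlines():
        m = SESSION_RE.match(line)
        if m:
            info["session"] = int(m.group(1))
            continue
        m = FLOW_RE.match(line)
        if m:
            direction = m.group(1)  # the next 'qos node' line belongs to this flow
            continue
        m = QOS_NODE_RE.match(line)
        if m and direction:
            info["qos_node"][direction] = m.group(1)
            continue
        m = KV_RE.match(line)
        if not m:
            continue
        key, val = m.group(1).strip(), m.group(2)
        if key in ("ingress interface", "egress interface"):
            info[key.replace(" ", "_")] = val
        elif key == "session QoS rule":
            r = RULE_RE.match(val)
            if r:
                info["qos_rule"] = r.group("rule")
                info["qos_class"] = int(r.group("cls"))
            else:
                info["qos_rule"] = val
    return info


def shaping_interfaces(info):
    """QoS is applied where a packet leaves the firewall: client-to-server packets
    on the session's egress interface, server-to-client packets on its ingress one."""
    return {
        "c2s_on_egress": info["qos_node"].get("c2s") == info["egress_interface"],
        "s2c_on_ingress": info["qos_node"].get("s2c") == info["ingress_interface"],
    }


def class_matches_policy(info, rule_to_class):
    """True when the class the firewall assigned is the one your QoS policy intends
    for the matched rule (rule_to_class is your own rule-name -> class map)."""
    if info["qos_class"] is None:
        return False
    return rule_to_class.get(info["qos_rule"]) == info["qos_class"]


if __name__ == "__main__":
    session = parse_session(SAMPLE)
    policy = {"voip": 1, "bandwidth-hoggers": 8}  # assumed: this walkthrough's rules
    print(session)
    print(shaping_interfaces(session))
    print("class matches policy:", class_matches_policy(session, policy))
```

Feed it the output of show session id for a VoIP call and a throttled download and you get a quick yes/no on whether the rule you meant to hit is the one the session actually matched, which is the usual cause of "QoS is on but nothing changed" (a broader rule above it in the rulebase, or an App-ID that is not what you expected).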
Here are a couple of thoughts to keep in your pocket while configuring QoS:
- QoS profile applies to the interface any given packet is egressing out of (not the direction of the session).
- Bandwidth limits and guarantees are enforced per class: all sessions in a class share them, they are not per session.
- The guaranteed bandwidth of all classes combined should not exceed the profile's Egress Max, and neither a class nor the profile should be given more than the interface's Egress Max.
- Class4 is the default class for any session not matched to a QoS policy.
- QoS policy, like security policy, is processed top to bottom and the first policy match will be applied.
I hope you liked this edition of Getting Started. Please feel free to leave a comment or check out the previous episodes at the Getting Started series.
Can't wait for the Advanced Series or want to know more? Please check out the QoS section in the admin guide.
Tom