
QOS (Quality of Service)

Today's networks carry many types of traffic that share and compete for the same bandwidth. An important video conference call may be sharing bandwidth with someone downloading games and music on the same network. This can cause packet loss for the video conference call, as well as delay and jitter, all of which degrade the quality of the call.


QOS was developed to address these problems by prioritising traffic. QOS marking gives time-sensitive and critical traffic a higher priority, so that it is delivered quickly and reliably. A QOS marking creates different classes of service for different types of traffic. A company can bind a QOS marking to an interface: packets leaving that interface are marked with the configured value, and the firewall then knows how that traffic should be treated relative to other traffic.


QOS markings can usually be set per interface, per IP address, per policy or per application; WatchGuard and Fortinet firewalls, for example, use this approach. If QOS is enabled both on the interface and for specific policies, the policy markings take precedence over the interface markings. QOS can also be applied to IPSec traffic via policies. You can also enable QOS for an application, for example to limit video streaming traffic or to give guaranteed bandwidth to RDP.

 

There are three general levels of QOS:

Best effort service

There is no guarantee that a packet will be delivered at all. This is the treatment packets usually receive.

Differentiated service

This type of QOS provides better service than best effort, but it still does not provide any guaranteed service. Traffic that requires better reliability than a best effort basis should be assigned this type of service.

Guaranteed service

This type provides the highest priority and is used for time-sensitive applications. An application is guaranteed a configured level of bandwidth.


Before implementing QOS, a company may need to ensure that LAN equipment such as routers and switches can identify and support QOS markings, and possibly that the ISP honours QOS markings as well. The company then needs to identify which types of traffic are important or time sensitive, and which types of traffic consume large amounts of bandwidth.


When configuring QOS you are ultimately configuring the “Type of Service” field (an 8-bit field within the IP header reserved for QOS markings). Most firewalls support DSCP and IP precedence for setting QOS levels. DSCP is the commonly used method and uses values from 0 to 56, where 0 is normal traffic and 56 is the highest priority traffic.
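As an added example (not code from the original page), the following Python decodes the 8-bit Type of Service byte of an IPv4 header into its DSCP and IP precedence parts, and maps the DSCP value onto the coarse Low/Medium/High/Guaranteed classes described below; the class thresholds and the sample header are constructed for illustration, not taken from any vendor.

```python
# Added example: split the IPv4 ToS byte into DSCP (upper 6 bits), the
# legacy IP precedence (upper 3 bits, read by older equipment) and ECN
# (lower 2 bits), and classify by DSCP. Thresholds are an assumption.
import struct


def split_tos(tos: int):
    """Return (dscp, precedence, ecn) for one ToS byte."""
    if not 0 <= tos <= 0xFF:
        raise ValueError("ToS must fit in one byte")
    dscp = tos >> 2          # six most significant bits
    precedence = tos >> 5    # three most significant bits
    ecn = tos & 0b11         # two least significant bits
    return dscp, precedence, ecn


def make_tos(dscp: int, ecn: int = 0) -> int:
    """Build a ToS byte from a DSCP value and optional ECN bits."""
    if not 0 <= dscp <= 63 or not 0 <= ecn <= 3:
        raise ValueError("dscp is 6 bits, ecn is 2 bits")
    return (dscp << 2) | ecn


def classify(dscp: int) -> str:
    """Coarse class mapping (constructed): 0 is normal, 56 is highest."""
    if dscp >= 48:
        return "guaranteed"
    if dscp >= 32:
        return "high"
    if dscp >= 8:
        return "medium"
    return "low"


def tos_from_ipv4_header(header: bytes) -> int:
    """The ToS byte is the second byte of an IPv4 header."""
    version_ihl, tos = struct.unpack("!BB", header[:2])
    if version_ihl >> 4 != 4:
        raise ValueError("not an IPv4 header")
    return tos


# Constructed 20-byte IPv4 header: ToS 0xB8 (DSCP 46, ECN 0), UDP, 10.0.0.1 -> 10.0.0.2
SAMPLE_HEADER = bytes([0x45, 0xB8, 0x00, 0x3C, 0x1C, 0x46, 0x40, 0x00,
                       0x40, 0x11, 0x00, 0x00,
                       10, 0, 0, 1, 10, 0, 0, 2])

if __name__ == "__main__":
    tos = tos_from_ipv4_header(SAMPLE_HEADER)
    dscp, prec, ecn = split_tos(tos)
    print(f"tos=0x{tos:02x} dscp={dscp} precedence={prec} ecn={ecn} class={classify(dscp)}")
```

Because the sending host writes this byte itself, a marking seen on an untrusted interface only means something once the firewall has re-marked it under its own policy.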


However, some firewalls do not offer this level of granularity but still provide QOS by assigning “Low”, “Medium”, “High” or “Guaranteed” to different types of traffic. “Guaranteed” traffic is guaranteed a certain amount of bandwidth. “High” is given a defined percentage of the bandwidth not being used by guaranteed traffic, usually around 75%. “Medium” uses around 50% of bandwidth, and “Low” around 20%.

Fortinet firewalls support traffic policing, which drops packets that do not conform to their bandwidth QOS policy. They also support traffic shaping, where you can assign guaranteed bandwidth, maximum bandwidth and a traffic priority (low, medium or high). Guaranteed bandwidth reserves an amount of bandwidth for the policy. Maximum bandwidth causes packets to be dropped if the policy starts using more bandwidth than the defined maximum. Traffic priority (low, medium or high) assigns a certain percentage of bandwidth to the policy. Fortinet firewalls also support a queuing feature that prioritises traffic on the interface itself.
