TTechclick ⚡ XP 0% All lessons
Palo Alto · NGFW · QoSInteractive · L1 / L2 / L3

Palo Alto QoS & Traffic Shaping on PAN-OS: — Classes, Profiles, Policies & the Egress-Only Rule

Your branch link is full, a backup job is hogging it, and the voice call breaks up. QoS on PAN-OS is the expressway with a reserved ambulance lane: it carves the link into eight classes, hands voice a guaranteed real-time lane, and squeezes bulk backups — but only on the way OUT. This lesson makes that click.

📅 2026-06-11 · ⏱ 11 min · 3 live demos · 4 infographics · 🏷 10-Q assessment + AI Tutor inline

⚡ Quick Answer

PAN-OS QoS for L1/L2 engineers and PCNSE: QoS profiles (8 classes, guaranteed/max egress, real-time priority), QoS policy classification by App-ID/DSCP, clear-text vs tunneled, DSCP marking, and why QoS only shapes egress.

🎯 By the end you will be able to

Read as:

Pick where you want to start

1

Why shape traffic

The full-link pain QoS was built to fix.

 2

Profile: 8 classes

Guaranteed + max egress, real-time voice lane.

 3

Policy + egress rule

Classify by App-ID/DSCP — only on the way out.

 4

Clear-text vs tunneled

DSCP marking, verify, PCNSE & career.

🧠 Warm-up — 3 questions, no score

Just notice which ones make you pause. We answer all three inside the lesson.

1. A backup job is starving a voice call on a full link. What does QoS let you do?

Answered in Why shape traffic.

2. On a Palo Alto firewall, where is QoS actually enforced for a flow?

Answered in Policy + egress rule.

3. A brand-new session's first few packets arrive. Has App-ID identified the app yet?

Answered in Profile: 8 classes.

Most engineers think…

Most engineers think turning on QoS will "speed up" a slow link, and that it controls both the upload AND the download on whatever interface you enable it on.

Wrong on both counts. QoS doesn't add bandwidth — it rations the bandwidth you already have, deciding who waits when the link is full. And PAN-OS enforces it on the egress interface only: a profile on your internet-facing interface shapes uploads, not downloads. To influence the download direction you shape on the internal/LAN-facing interface (where that return traffic egresses) — a distinction that trips up almost everyone the first time.

① Why shape traffic at all — the full-link problem

Picture Sneha, an L2 engineer at Infosys, on a Monday morning. The Pune branch has a single 50 Mbps internet link (203.0.113.10 on the outside, the LAN sitting on 10.20.0.0/16). At 9 a.m. the nightly cloud backup is still running, and a sales team's voice call to a client keeps breaking up. The link isn't broken — it's full, and every flow is fighting for the same pipe with no referee.

This is the problem QoS exists to solve. QoS does not add bandwidth — it can't conjure more Mbps. What it does is decide who waits when the link is congested. You carve the link into lanes (PAN-OS calls them classes), give the voice call a guaranteed, high-priority lane, and cap the backup so it can only use what's left over.

Daily-life analogy — the expressway with an ambulance lane

Think of the Mumbai–Pune Expressway at rush hour. Without QoS, an ambulance is stuck in the same jam as a slow-moving truck full of cement. QoS adds a reserved ambulance lane (the real-time class for voice) that's always kept clear, while the cement truck (your nightly backup) is told to use the slow lane and yield. The road is the same width — you just decided who gets priority when it's crowded.

On PAN-OS, QoS is built from three pieces that you'll meet in order: a QoS profile (defines the lanes — up to 8 classes, each with guaranteed and maximum egress bandwidth and a priority), a QoS policy (classifies each session into a class, by App-ID, service, source or DSCP), and the QoS interface (where you attach the profile and where shaping actually happens). Miss any one of the three and nothing shapes.

👉 So far: QoS rations a full link, it doesn't grow it; and it's built from a profile, a policy, and an interface. Next: the one rule that explains half the QoS tickets you'll ever see — egress only.

Here is the rule to tattoo on your brain: QoS is always enforced on the egress interface — the interface a packet leaves from. PAN-OS states it plainly: "QoS is always enabled and enforced on the egress interface for a traffic flow." Shaping is about controlling a queue as packets go out the door; you can't un-send bits that have already arrived. So enabling QoS on your internet-facing interface shapes your upload; to influence the download, you shape on the internal interface where that return traffic egresses toward the LAN.

Figure 1 — QoS = policy + profile + interface, all on egress
QoS is three parts that only fire on the way OUT: the policy picks the class, the profile shapes the class, and the interface is where it actually happens The PAN-OS QoS architecture drawn left to right. Traffic enters the firewall on an ingress zone. A QoS Policy rule (Policies QoS) classifies each session by App-ID, service, source or DSCP into one of eight classes, with unmatched traffic falling to the default Class 4. A QoS Profile (Network Network Profiles QoS) defines the eight classes with guaranteed and maximum egress bandwidth plus a priority of real-time, high, medium or low. The profile is attached to the egress interface (Network QoS) where shaping is enforced as the packet leaves. A reserved real-time lane carries voice; a bulk best-effort lane carries backup. The whole apparatus only acts on the egress interface. QoS = policy picks the lane · profile sizes the lane · interface enforces it (on EGRESS) Ingress zonetrust · 10.20.0.0/16 voice (SIP/RTP) SaaS / web backup (bulk) QoS PolicyPolicies › QoSmatch App-ID / service /source / DSCP → set Classno match → Class 4(best-effort default) QoS Profile (8 classes)Network › Network Profiles › QoSClass 1 · real-time · voiceClass 2 · high · SaaSClass 8 · low · backupeach: Egress Guaranteed + Egress Max Egress interfaceNetwork › QoSprofile attached HEREshaping happens on theway OUT only The expressway picture — same road, sized lanes 🚑 Class 1 real-time — voice — reserved lane, never blocked 🚗 Class 2 high — SaaS/web — guaranteed slice, can borrow spare 🚚 Class 8 low — backup — capped, yields under load classify once, shape on egress — that's the whole game bulk / best-effortclassified / shapedpolicy / class decisionkey insightreal-time / protected
Read left to right: the policy picks a class, the profile sizes the class, and the interface enforces it — but only as traffic leaves. Note the expressway lanes at the bottom: real-time (green) reserved, bulk (red) capped.

The four ideas QoS hinges on

Tap each card — these four are what every PAN-OS QoS question, and every real ticket, comes back to.

🚦
It rations, not adds
tap to flip

QoS decides who waits on a full link; it never creates bandwidth. So: useless on an empty link, vital on a congested one.

➡️
Egress only
tap to flip

Shaping happens as packets leave an interface. So: shape uploads on the WAN side, downloads on the LAN side.

🛣️
8 classes, 4 priorities
tap to flip

Up to 8 lanes; each gets guaranteed + max egress + a priority (real-time/high/medium/low). So: voice rides real-time.

🔎
Classify then shape
tap to flip

A policy assigns the class (App-ID/DSCP); the profile shapes it. So: App-ID must name the app before the lane opens.

Quick check · Q1 of 10

Rahul at TCS enables a QoS profile on the firewall's internet-facing interface (ethernet1/1) to stop a backup from killing voice. Cloud backups (uploads) now behave — but a huge file DOWNLOAD from the internet still saturates the link. Why?

Correct: a. QoS is enforced on the egress interface. On ethernet1/1 (facing the ISP), the egress direction is your upload, so downloads sailing IN aren't shaped there. To control the download, apply QoS on the internal/LAN-facing interface, where that return traffic egresses toward the users. A commit issue or CPU wouldn't selectively affect only the download direction.

Pause & Predict

Predict: you set Class 1's guaranteed egress bandwidth to 60 Mbps on a link whose total egress is only 50 Mbps. What happens to the 'guarantee'? Type your guess.

Answer: The guarantee becomes meaningless. Guaranteed bandwidth only holds if the sum of all classes' guaranteed values fits inside the interface's egress max. If a single class is promised more than the link can deliver — or the totals across classes exceed the link — PAN-OS simply can't honour it, and you get best-effort behaviour with a false sense of safety. Rule of thumb: Σ(guaranteed) must stay comfortably under the link's egress max, and the per-profile Egress Max must be ≤ the physical interface's Egress Max.

② The QoS profile — eight classes, guaranteed vs max, and the real-time lane

The QoS profile is where you define the lanes. You build it at Network > Network Profiles > QoS Profile and click Add. At the top you set the profile's overall Egress Max and Egress Guaranteed. Then you add up to eight classes (Class 1 through Class 8), and for each class you set its own Egress Guaranteed, Egress Max, and — the important one — its Priority.

The four priorities are real-time, high, medium and low. Real-time is special: it's the reserved ambulance lane, meant for latency-sensitive traffic like voice and video (SIP/RTP). Under congestion, the firewall serves the real-time class's queue first, keeping jitter and latency low. The other priorities share the remaining bandwidth in weighted order. A classic design is Class 1 = real-time for voice, Class 2 = high for business SaaS, and Class 8 = low for backups.

Guaranteed vs max is the part students fumble, so be precise. Egress Guaranteed is a floor — it's the bandwidth a class is assured when the link is congested, but it is not pre-reserved while idle (other classes can borrow it until the owner needs it). Egress Max is a ceiling — the most a class may ever use. Set a class's Egress Max to 0 and you mean "no limit" for that class. The art is sizing guarantees so they add up to less than the link.

Figure 2 — How one session gets its class and gets shaped
A voice call gets its reserved lane only after App-ID names it — the first packets are unclassified and ride best-effort A five-step QoS flow for one session. Step 1 the first packets of a new session arrive and App-ID has not yet identified the application, so the session is treated as unknown and lands in the default Class 4. Step 2 App-ID identifies the app, for example sip or rtp. Step 3 the QoS policy rule matches the app and assigns the session a class, say Class 1. Step 4 the QoS profile on the egress interface shapes that class with its guaranteed and maximum egress bandwidth and real-time priority. Step 5 packets leave on the egress interface in their class queue. A break note shows what happens when the guaranteed bandwidth across classes is set higher than the link itself. First packets are blind — the lane opens only once App-ID names the app 1 · first packetsapp unknown → Class 4 2 · App-ID names itsip / rtp identified 3 · QoS policy matchset Class 1 4 · profile shapes classguaranteed + max + real-time 5 · packets leave on egress interfacequeued by class · Class 1 served first under congestion Egress queues at the interface — congestion is where QoS earns its keep Class 1 (real-time, voice) → dequeued first, lowest latency/jitter — the ambulance lane Class 2 (high) → guaranteed slice honoured, then best-effort for the rest Class 8 (low, backup) → squeezed first when the link fills
Follow steps 1→5: first packets are unclassified (Class 4), App-ID names the app, the policy sets the class, the profile shapes it, and packets leave queued by class. The real-time lane (green) is dequeued first under congestion.
🖥️ This is the screen you'll use — Network > Network Profiles > QoS Profile > Add. Define the profile ceiling, then add classes with their priority and bandwidth. (Recreated for clarity — your console matches this.)
PA-VM · Network · Network Profiles · QoS Profile
1
Profile Name
WAN-Shaping-50M
2
Egress Max (Mbps)
50
Egress Guaranteed (Mbps)
0
3
Class 1 · Priority
real-time
Class 1 · Egress Guaranteed
10 (voice/video)
Class 2 · Priority
high
4
Class 8 · Priority / Egress Max
low / 15 (backup cap)
OK
CLI — confirm the profile's classes and bandwidth on the live interface
admin@PA-VM> show qos interface ethernet1/1
Expected output
Interface: ethernet1/1
  Number of Subinterface(s): 0
  Maximum egress bandwidth: 50000 kbps
  Default profile (clear text): WAN-Shaping-50M
  Class    Priority    Egress Max(kbps)   Egress Guaranteed(kbps)
  class1   real-time   0 (unlimited)      10000
  class2   high        0 (unlimited)      20000
  class4   medium      0 (unlimited)      0          <-- default/unclassified
  class8   low         15000              0
Common mistake — "my guarantees add up to MORE than the link"

Symptom: you promised Class 1 = 30 Mbps, Class 2 = 30 Mbps on a 50 Mbps link, committed cleanly, but under load nothing behaves and voice still stutters. Cause: the sum of guaranteed bandwidth (60 Mbps) exceeds the interface Egress Max (50 Mbps), so PAN-OS cannot honour any of them and falls back to best-effort. Fix: keep Σ(class guaranteed) well under the link's egress max (e.g. 10 + 15 + 10 on a 50 Mbps link), and make sure each profile's Egress Max ≤ the physical interface's Egress Max.

Quick check · Q2 of 10

Priya at HCL is designing voice QoS for a 100 Mbps link. She wants voice to have the lowest latency under congestion AND never be capped. Which class setting fits?

Correct: c. Real-time priority gives voice the reserved, served-first lane (lowest latency/jitter); Egress Max 0 means 'no cap' so it's never throttled; Egress Guaranteed 20 reserves a floor under congestion. 'Low' would yield the worst treatment; 'medium' with no guarantee gives no floor; 'high' with Egress Max 10 caps voice at 10 Mbps — the opposite of 'never capped'.

Pause & Predict

Predict: traffic that doesn't match ANY of your QoS policy rules — which class does PAN-OS put it in by default, and what treatment does it get? Type your guess.

Answer: It lands in Class 4. PAN-OS documents: "Unless otherwise configured, traffic that does not match a QoS class is assigned a class of 4." So Class 4 is your catch-all best-effort bucket. The practical takeaway: if you forget to write a policy for something, it silently rides Class 4 — which is why you should deliberately size Class 4 and not leave critical apps relying on a rule you never wrote.

③ The QoS policy — classify by App-ID, service, source or DSCP

A profile only defines empty lanes. The QoS policy is what puts each session into a lane. You build it at Policies > QoS and Add a rule. On the matching tabs you can classify by Source (zone/address/user), Destination, Application (App-ID), Service/URL Category, and DSCP/ToS. Then, under the rule's settings, you pick the QoS Class (1–8) that matching traffic should receive. That's the whole job: match traffic → assign a class.

App-ID is the powerful matcher — you can say "sip and rtp go to Class 1" or "web-browsing goes to Class 2" by name, regardless of port. But here's the catch that surprises everyone: App-ID isn't instant. When a session starts, the firewall needs the first several packets to identify the app. Until then the session is unknown and rides the default class. For long flows (a backup, a video call) this is invisible; for tiny, short-lived sessions it matters.

▶ Watch a voice call get its lane (and the first packets miss it)

A SIP/RTP voice call from a phone at 10.20.5.30 starts during a congested period. Follow how it gets classified and shaped on egress. Press Play for the healthy path, then Break it to see the failure.

① First packetsnew session 10.20.5.30203.0.113.55; App-ID = unknown → default Class 4
② App-ID decidesafter a few packets, App-ID = sip / rtp; the session now has an identity
③ Policy assignsQoS rule "voice" matches app sip,rtp → set Class 1 (real-time)
④ Profile shapesegress interface serves Class 1 first; low latency, guaranteed 10 Mbps floor
Press Play to step through the healthy path. Then press Break it.

QoS can also mark DSCP, not just read it. In the QoS policy you can set an outbound DSCP value — for example, stamp voice with EF (46) — so that every router and switch after the firewall keeps honouring that priority end-to-end. Crucially, because the firewall classifies on the decrypted session, DSCP marking works on SSL-decrypted traffic too: even encrypted apps you've decrypted can be identified by App-ID and then marked on the way out.

That leads to the clear-text vs tunneled split. On clear-text (and decrypted) traffic the firewall sees the real App-ID and classifies precisely. But for traffic inside an IPsec or GRE tunnel, the inner application is encrypted — App-ID is blind to it. There you classify by the outer DSCP/ToS value instead, and you attach a separate profile for tunneled traffic. When you enable QoS on the interface, PAN-OS lets you set one default profile for Clear Text traffic and another for Tunneled traffic — they're handled independently.

Figure 3 — Clear-text vs tunneled — what QoS can actually see
Two QoS worlds on one interface: clear-text traffic is shaped by App-ID, but tunneled traffic is opaque so you mark and trust DSCP instead A two-column comparison. Left, clear-text and decrypted traffic: the firewall sees the real App-ID, the QoS policy can match the application precisely, the firewall can mark DSCP outbound, and a default Clear Text profile catches the rest. Right, tunneled traffic such as IPsec or GRE: the inner application is hidden inside the encrypted tunnel, so App-ID cannot see it, and you instead classify by the outer DSCP or ToS value and attach a separate tunnel-interface profile. Green marks what works cleanly; amber marks the policy decision; red marks the blind spot. Clear-text / decrypted vs tunneled — what QoS can actually see Clear-text & decrypted ✓ App-ID sees the real app (sip, ms-teams) ✓ QoS policy matches by application precisely ✓ default Clear Text profile catches the rest ◆ can MARK DSCP outbound on the session ◆ decrypted TLS → App-ID + DSCP both work App-ID → Class mark DSCP EF (46) Voice marked EF → downstream routers honour it too Attach via: Network › QoS › Clear Text Tunneled (IPsec / GRE) ✗ inner app is encrypted — App-ID is blind ✗ can't match by application inside the tunnel ◆ classify by OUTER DSCP / ToS instead ◆ attach a separate Tunnel Interface profile ✓ pre-marked DSCP from the LAN still classifies encrypted payload read outer DSCP→ Class Mark DSCP BEFORE the tunnel, or shape the tunnel as a whole Attach via: Network › QoS › Tunneled Traffic
Left (green): clear-text/decrypted — App-ID classifies, and you can mark DSCP EF. Right (red): tunneled — the inner app is hidden, so classify by the outer DSCP and attach a separate tunnel profile.

Karthik at Airtel faces this

Karthik, an L2 engineer, gets a ticket: voice quality is fine WITHIN the office, but calls that ride the site-to-site IPsec tunnel to the Gurgaon branch still break up under load, even though his QoS profile has a real-time voice class.

Likely cause

The voice packets going to Gurgaon are inside the IPsec tunnel, so App-ID can't see 'sip/rtp' to classify them — to QoS they're just opaque tunnel traffic, falling to the default class. His app-based QoS rule never matches the encrypted inner flow.

Diagnosis

He separates clear-text from tunneled: local calls (clear-text) classify by App-ID and behave; tunnel calls don't because the inner app is hidden. He checks whether the LAN already marks voice DSCP before the tunnel.

Network > QoS > (edit interface) > Tunneled Traffic tab; and Policies > QoS (match on DSCP/ToS, not Application)
Fix

Mark voice with DSCP EF on the LAN (or in a QoS rule) BEFORE it enters the tunnel so the outer header carries EF; then write a QoS rule that classifies by DSCP EF (46) → Class 1, and attach the tunneled-traffic profile to the tunnel interface.

Verify

show qos interface shows voice hitting Class 1 with low drops; calls to Gurgaon stay clear under load, and the Network > QoS Statistics graph shows Class 1 utilisation, not Class 4.

Quick check · Q3 of 10

Meera at Wipro needs voice that traverses an IPsec tunnel to keep its priority across the WAN. Which approach actually works?

Correct: c. Inside an IPsec/GRE tunnel the inner app is encrypted, so App-ID (Application=sip) can't match it. Marking DSCP EF before encapsulation puts the priority in the outer header, where the firewall (and downstream routers) can read it; you then classify by DSCP and use the tunneled-traffic profile. Disabling App-ID or bumping CPU doesn't give the tunnel traffic a class.

Pause & Predict

Predict: you decrypt outbound TLS for inspection, then re-encrypt. At which point can the firewall apply App-ID-based QoS and mark DSCP — before or after it re-encrypts? Type your guess.

Answer: While the session is decrypted. SSL decryption exposes the real application to App-ID, so the firewall can classify by app and stamp DSCP on the (now visible) session — and that marking survives onto the packet as it egresses, even after re-encryption of the payload, because DSCP lives in the outer IP header. This is exactly why PAN-OS QoS pairs so well with decryption: an app you couldn't classify when it was opaque TLS becomes classifiable and markable once decrypted.

④ Verify, the gotchas, and the PCNSE angle

Configuring QoS without verifying it is how you get a 2 a.m. callback. After your Commit, prove it three ways. First, the live graph: Network > QoS, then Statistics on the interface — you'll see real-time per-class bandwidth, so you can watch Class 1 fill with voice and Class 8 get squeezed during the backup window. Second, the CLI. Third, generate real congestion and re-check, because QoS does nothing on an idle link.

CLI — verify QoS is live and watch per-class throughput in real time
admin@PA-VM> show qos interface ethernet1/1 throughput 0
admin@PA-VM> show qos interface ethernet1/1
Expected output
Class      Priority   Egress(kbps)   Guaranteed(kbps)   Current(kbps)   Drops
class1     real-time  0              10000              8420            0
class2     high       0              20000              19500           2
class4     medium     0              0                  3100            0
class8     low        15000          0                  14980           1875
  (class8 = backup, capped at 15 Mbps, dropping excess; class1 voice clean)
Prove the shaping actually engaged, not just that it's configured

A profile showing in show qos interface only proves it's attached. To prove it's working, congest the link (run the backup, or push iperf) and watch Network > QoS > Statistics: Class 1 (voice) should hold near its guarantee with ~0 drops while Class 8 (backup) hits its Egress Max and shows drops. If everything sits in Class 4, your policy isn't classifying — fix the rule, not the profile. No congestion = no visible effect; that's expected, not a bug.

👉 So far: build profile → policy → enable on egress → verify with the Statistics graph and show qos interface. Next: the gotchas that fail you, and what PCNSE actually asks.

Three production gotchas to carry into every QoS job. (1) Egress only — you can't shape the download on the WAN interface; shape it on the LAN side. (2) First packets are unclassified — App-ID needs a few packets, so brand-new short sessions briefly ride Class 4; design for it. (3) Guaranteed math — if the sum of class guarantees exceeds the link's egress max, nothing is guaranteed. A bonus one: tiny QoS classes on a busy box used to cost throughput, which is why PAN-OS 11.1 introduced Lockless QoS on the PA-3400 and PA-5400 series so QoS no longer caps performance there.

Figure 4 — PAN-OS QoS — the cheat-sheet
PAN-OS QoS on one card — the three menus, the eight classes, the defaults that bite, and the first show commands A nine-tile cheat sheet for PAN-OS QoS. Tiles cover the build order, the three WebUI paths, the eight classes and four priorities, the egress-only rule, the default Class 4, the guaranteed-versus-max trap, DSCP marking, clear-text versus tunneled, and the first three show commands. Each tile has a one-line role. PAN-OS QoS — your one-glance card Build order1. Profile (8 classes)2. Policy (classify → class)3. Enable on egress interface The 3 WebUI pathsNetwork › Network Profiles › QoSPolicies › QoSNetwork › QoS (interface) 8 classes · 4 prioritiesclasses 1–8, each guaranteed+maxpriority: real-time / high / med / lowreal-time = voice/video lane Egress-only ruleQoS shapes traffic LEAVINGthe interface — never ingressto cap downloads, shape on LAN side Defaults that biteunmatched traffic → Class 4first packets unclassified (App-ID)Σ guaranteed > link → nothing guaranteed DSCP markingmark in the QoS policy (e.g. EF 46)works on DECRYPTED sessions toodownstream routers then honour it Clear-text vs tunneledclear-text: App-ID classifiestunneled: classify by outer DSCPseparate profile per type First show commandsshow qos interface ethernet1/1show qos interface … throughputNetwork › QoS › Statistics (live graph) Recent (PAN-OS 11.1)Lockless QoS — higher throughputon PA-3400 / PA-5400 seriesQoS no longer the bottleneck there
Your one-card map of the whole lesson: the build order, the three WebUI paths, 8 classes / 4 priorities, the egress-only rule, the defaults that bite (Class 4, first-packet, guaranteed math), DSCP marking, clear-text vs tunneled, and the first show commands.

For the PCNSE / PCNSA exam, QoS sits under traffic management and shows up as scenario questions, not trivia. Expect to be tested on: the order (profile → policy → enable on interface), that QoS is egress-enforced, the 8 classes and the four priorities (with real-time for voice), the default Class 4 for unmatched traffic, and the difference between guaranteed vs max egress bandwidth. A favourite trap is the egress-direction question — "why doesn't QoS on the untrust interface shape my downloads?" Know that cold and you'll pick up the marks.

Refresher: Security Policy fundamentals (App-ID matching)Next: Logging & Reporting — see QoS in the data
Daily-life analogy — the wedding hall caterer

A QoS profile is like a caterer at a big Indian wedding who promises plates per table. Egress Guaranteed is "every VIP table is assured 10 plates even when the hall is packed" — but those plates aren't sitting idle on empty tables; they're served on demand. Egress Max is "no table may grab more than 30 plates and starve the rest." And the golden rule: if you promise more plates than the kitchen can cook (Σ guarantees > the link), every promise is hollow — exactly like over-committing guaranteed bandwidth.

Quick check · Q4 of 10

An interviewer asks Aditya: "In one line, why does enabling a QoS profile on the firewall's internet-facing (untrust) interface fail to fix slow DOWNLOADS for branch users?" Best answer?

Correct: b. QoS shapes traffic as it leaves an interface. On the untrust interface, egress = the upload direction; the download traffic egresses the trust/internal interface toward the users, so that's where you must apply QoS to shape it. CPU, App-ID and commit aren't what makes the direction wrong — the egress-only rule is.

🤖 Ask the AI Tutor

Tap any question — instant, scoped to this lesson. No login, no waiting.

Pre-curated from Palo Alto docs + community Q&A, scoped to this lesson. For a live prod issue, paste your export into chat.techclick.in.

📝 Wrap-up assessment — six more

You've answered 4 inline. Six left. 70% (7 of 10) marks the lesson complete on your profile. Tap Submit all answers at the end.

Q5 · Remember

On a PAN-OS firewall, which interface is QoS enforced on for a traffic flow?

Correct: c. PAN-OS states QoS is always enabled and enforced on the egress interface — the one a packet leaves from. Shaping controls an outbound queue; you can't shape bits that already arrived. It's not ingress, not 'the biggest' interface, and not both at once.
Q6 · Apply

You're building a QoS profile for voice on a 100 Mbps link. You want voice served first under congestion and never throttled. Which class settings fit?

Correct: a. Real-time priority is the served-first lane for voice; Egress Max 0 means no cap (never throttled); a 20 Mbps guarantee gives a floor under congestion. 'Low' gives the worst treatment; 'medium' caps voice at 20; 'high' with Egress Max 10 caps it at 10 — the opposite of 'never throttled'.
Q7 · Apply

A backup application is saturating the upload on a branch's internet link and degrading voice. The voice and backup are clear-text. What's the correct QoS approach?

Correct: b. Classify the backup (App-ID) into a low class with an Egress Max cap and voice into a real-time class, then attach the profile on the egress interface where the upload leaves — that shapes the upload without blocking the backup. QoS isn't enforced on ingress; blocking the app is heavy-handed and loses the data; MTU is unrelated to congestion priority.
Q8 · Analyze

A profile shows correctly under 'show qos interface', but during the backup window all traffic — including voice — sits in Class 4 and voice still breaks up. Most likely root cause?

Correct: d. Class 4 is the default for unmatched traffic. If everything lands there, the profile is attached but the POLICY isn't classifying — there's no rule putting sip/rtp into Class 1. Fix the QoS policy, not the profile. A high Egress Max wouldn't force traffic into Class 4; QoS is egress-enforced; and a reboot doesn't write a missing rule.
Q9 · Analyze

Voice that stays inside the office is crisp, but voice traversing the site-to-site IPsec tunnel breaks up under load — despite a real-time voice class in the profile. Why, and what fixes it?

Correct: b. The encrypted inner app hides from App-ID, so an Application=sip rule can't match tunnel voice and it defaults to Class 4. The fix is to mark DSCP EF before encapsulation (so the OUTER header carries priority) and classify by the outer DSCP into the real-time class, using the Tunneled Traffic profile. MTU doesn't classify traffic; the real-time class isn't auto-disabled for tunnels; and QoS over tunnels IS possible via DSCP.
Q10 · Evaluate

Two engineers propose voice-QoS designs on a 50 Mbps link. (A) Class 1 guaranteed 30 Mbps + Class 2 guaranteed 30 Mbps, both real-time. (B) Class 1 real-time guaranteed 10 Mbps (Egress Max 0) for voice, Class 2 high guaranteed 15 Mbps for SaaS, Class 8 low Egress Max 15 Mbps for backup. Which is sound and why?

Correct: b. B is sound: Σ guaranteed (10+15+0) fits well under 50 Mbps, voice has a real-time uncapped lane, and the backup is capped so it yields. A over-commits — 30+30 = 60 Mbps on a 50 Mbps link — so PAN-OS can't honour either guarantee and falls back to best-effort. Bigger guarantees don't help if they don't fit; multiple real-time classes don't 'double' priority, they just compete.
Lesson complete — saved to your profile.
Almost! You need 70% (7 of 10) — re-read the path that tripped you up and tap "Try again".

🧠 In your own words

Type one line: In one line, why does a QoS profile on your internet-facing interface shape uploads but not downloads? Then compare to the expert version.

Expert version: Because PAN-OS enforces QoS on the egress interface only — on the internet-facing interface the egress direction is your upload; the download traffic egresses the internal/LAN interface toward users, so you must apply QoS there to shape it.

🗣 Teach a friend

Best way to lock it in — explain it in one line to a teammate. Tap to generate a paste-ready summary.

📖 Glossary

QoS (Quality of Service)
Rationing a link by class so important traffic gets bandwidth and priority while bulk traffic yields; it shapes, it doesn't add capacity.
QoS Profile
Network > Network Profiles > QoS. Defines up to 8 classes, each with Egress Guaranteed, Egress Max and a priority.
QoS Policy
Policies > QoS. Classifies each session into a class by matching App-ID, service, source, destination or DSCP/ToS.
QoS Class (1–8)
One of eight lanes. Unmatched traffic defaults to Class 4. Each class is sized and prioritised by the profile.
Egress Guaranteed
The bandwidth floor a class is assured during congestion — not pre-reserved while idle; only honoured if the totals fit the link.
Egress Max
The ceiling a class (or profile) may use as traffic leaves. 0 means no limit. Must be ≤ the physical interface's egress max.
Real-time priority
The reserved, served-first lane for latency-sensitive voice/video (SIP/RTP); one of four priorities (real-time/high/medium/low).
Egress interface
The interface a packet leaves from. QoS is always enforced here — never on ingress. Shape uploads on the WAN side, downloads on the LAN side.
DSCP
A 6-bit IP-header value that signals priority to downstream routers. PAN-OS can match it and mark it (e.g. EF 46 for voice), including on decrypted sessions.
Clear-text vs tunneled QoS
Clear-text/decrypted traffic classifies by App-ID; tunneled (IPsec/GRE) traffic hides the inner app, so classify by the outer DSCP with a separate profile.
App-ID (first-packet effect)
Identifies the app from the first several packets; until it decides, the session is unknown and rides the default class.
Lockless QoS
PAN-OS 11.1 enhancement that removes a QoS locking bottleneck to raise throughput on PA-3400 and PA-5400 series firewalls.

📚 Sources

  1. PAN-OS Networking / QoS Administration — "Configure QoS" (build order: QoS profile → QoS policy → enable on interface; WebUI paths Network > Network Profiles > QoS Profile, Policies > QoS, Network > QoS; Egress Max / Egress Guaranteed; up to 8 classes; priority real-time/high/medium/low; default Clear Text and Tunneled profiles). docs.paloaltonetworks.com/network-security/quality-of-service/administration/configure-qos/configure-qos-pan-os
  2. PAN-OS Admin Guide — "QoS Concepts: QoS Egress Interface" ("QoS is always enabled and enforced on the egress interface for a traffic flow"; ingress vs egress definitions; "traffic that does not match a QoS class is assigned a class of 4"). docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/quality-of-service/qos-concepts/qos-egress-interface
  3. PAN-OS Admin Guide — "Enforce QoS Based on DSCP Classification" + session-based DSCP marking (honour incoming DSCP, mark on egress so a session gets continuous QoS; marking on decrypted sessions; EF/46 for voice). docs.paloaltonetworks.com/network-security/quality-of-service/administration/enforce-qos-based-on-dscp-classification
  4. Firewall.cx — "Configuring QoS on Palo Alto Firewalls: Class-based Policies, QoS Profiles, Enabling QoS on Interfaces" (practitioner walkthrough: 8 classes, Class 4 catch-all, per-profile Egress Max ≤ interface Egress Max, 'traffic matched in the direction the session is initiated', show qos counter). firewall.cx/security/palo-alto-networks/configuring-qos-on-palo-alto-firewalls.html
  5. LIVEcommunity (live.paloaltonetworks.com) — "Egress/Ingress difference for QoS" thread + Palo Alto KB "What more can my firewall do? Quality of Service!" (real practitioner confusion that QoS on the internet interface shapes uploads, not downloads; shape downloads on the internal interface). live.paloaltonetworks.com/t5/general-topics/egress-ingress-difference-for-qos/td-p/68426
  6. PAN-OS 11.1 Release Notes — "Improved Throughput with Lockless QoS" (PA-3410/3420/3430/3440, PA-5410/5420/5430/5440/5445) — recent QoS performance enhancement. docs.paloaltonetworks.com/pan-os/11-1/pan-os-release-notes
  7. Palo Alto Networks PCNSE / PCNSA exam blueprints — traffic-management / QoS objectives (QoS profile classes & priorities, egress enforcement, DSCP marking & matching, guaranteed vs max bandwidth). paloaltonetworks.com/services/education/certification

What's next?

You can now carve a link into classes and protect voice on egress. Next we follow that traffic into the logs: how PAN-OS records sessions, threats and QoS behaviour, and how to turn raw logs into reports you can actually hand to a manager.

Next · Logging & Reporting → Practice on exam.techclick.in →