Quality of Service (QoS) for Firepower Threat Defense

The following topics describe how to use the Quality of Service (QoS) feature to police network traffic using Firepower Threat Defense devices:

Introduction to QoS

Quality of Service, or QoS, rate limits (polices) network traffic that is allowed or trusted by access control. The system does not rate limit traffic that was fastpathed.

Though QoS is supported only on the routed interfaces of Firepower Threat Defense devices, it is not supported on site-to-site VPN and VTI interfaces.

Logging Rate-Limited Connections

There are no logging configurations for QoS. A connection can be rate limited without being logged, and you cannot log a connection simply because it was rate limited. To view QoS information in connection events, you must independently log the ends of the appropriate connections to the Firepower Management Center database; see Other Connections You Can Log.

Connection events for rate-limited connections contain information on how much traffic was dropped, and which QoS configurations limited the traffic. You can view this information in event views (workflows), dashboards, and reports.

About QoS Policies

QoS policies deployed to managed devices govern rate limiting. Each QoS policy can target multiple devices; each device can have one deployed QoS policy at a time.

The system matches traffic to QoS rules in the order you specify. The system rate limits traffic according to the first rule where all rule conditions match the traffic. Traffic that does not match any of the rules is not rate limited.


Note


The total number of rules including QoS rules on the device cannot exceed 255. When this threshold is reached, a deployment warning message is displayed. You need to reduce the number of rules for a successful deployment.


You must constrain QoS rules by source or destination (routed) interfaces. The system enforces rate limiting independently on each of those interfaces; you cannot specify an aggregate rate limit for a set of interfaces.

QoS rules can also rate limit traffic by other network characteristics, as well as contextual information such as application, URL, user identity, and custom Security Group Tags (SGTs).

You can rate limit download and upload traffic independently. The system determines download and upload directions based on the connection initiator.


Note


QoS is not subordinate to a main access control configuration; you configure QoS independently. However, the access control and QoS policies deployed to the same device share identity configurations; see Associating Other Policies with Access Control.


QoS Policies and Multitenancy

In a multidomain deployment, the system displays policies created in the current domain, which you can edit. It also displays policies created in ancestor domains, which you cannot edit. To view and edit policies created in a lower domain, switch to that domain.

Administrators in ancestor domains can deploy the same QoS policy to devices in different descendant domains. Administrators in those descendant domains can use this read-only ancestor-deployed QoS policy, or replace it with a local policy.

Requirements and Prerequisites for QoS

Model Support

FTD

Supported Domains

Any

User Roles

Admin

Access Admin

Network Admin

Rate Limiting with QoS Policies

To perform policy-based rate limiting, configure and deploy QoS policies to managed devices. Each QoS policy can target mutiple devices; each device can have one deployed QoS policy at a time.

Only one person should edit a policy at a time, using a single browser window. If multiple users save the same policy, the last saved changes are retained. For your convenience, the system displays information on who (if anyone) is currently editing each policy. To protect the privacy of your session, a warning appears after 30 minutes of inactivity on the policy editor. After 60 minutes, the system discards your changes.

Procedure


Step 1

Choose Devices > QoS.

Step 2

Click New Policy to create a new QoS policy and, optionally, assign target devices; see Creating a QoS Policy.

You can also Copy (copy icon) or Edit (edit icon) an exisiting policy.

Step 3

Configure QoS rules; see Configuring QoS Rules and Rule Management: Common Characteristics.

The Rules in the QoS policy editor lists each rule in evaluation order, and displays a summary of the rule conditions and rate limiting configurations. A right-click menu provides rule management options, including moving, enabling, and disabling.

Helpful in larger deployments, you can Filter by Device to display only the rules that affect a specfic device or group of devices. You can also search for and within rules; the system matches text you enter in the Search Rules field to rule names and condition values, including objects and object groups.

Note

 

Properly creating and ordering rules is a complex task, but one that is essential to building an effective deployment. If you do not plan carefully, rules can preempt other rules, require additional licenses, or contain invalid configurations. Icons represent comments, warnings, and errors. If issues exist, click Show Warnings to display a list. For more information, see Best Practices for Access Control Rules.

Step 4

Click Policy Assignments to identify the managed devices targeted by the policy; see Setting Target Devices for a QoS Policy.

If you identified target devices during policy creation, verify your choices.

Step 5

Save the QoS policy.

Step 6

Because this feature must allow some packets to pass, you must configure your system to examine those packets. See Best Practices for Handling Packets That Pass Before Traffic Identification and Specify a Policy to Handle Packets That Pass Before Traffic Identification.

Step 7

Deploy configuration changes; see Deploy Configuration Changes.


Creating a QoS Policy

A new QoS policy with no rules performs no rate limiting.

Procedure


Step 1

Choose Devices > QoS.

Step 2

Click New Policy.

Step 3

Enter a Name and, optionally, a Description.

Step 4

(Optional) Choose the Available Devices where you want to deploy the policy, then click Add to Policy, or drag and drop to the Selected Devices. To narrow the devices that appear, type a search string in the Search field.

You must assign devices before you deploy the policy.

Step 5

Click Save.


What to do next

Setting Target Devices for a QoS Policy

Each QoS policy can target mutiple devices; each device can have one deployed QoS policy at a time.

Procedure


Step 1

In the QoS policy editor, click Policy Assignments.

Step 2

Build your target list:

  • Add—Choose one or more Available Devices, then click Add to Policy or drag and drop into the list of Selected Devices.
  • Delete—Click Delete (delete icon) next to a single device, or choose multiple devices, right-click, then choose Delete Selected.
  • Search—Enter a search string in the search field. Click Clear (clear icon) to clear the search.

Step 3

Click OK to save policy assignments.

Step 4

Click Save to save the policy.


What to do next

Configuring QoS Rules

When you create or edit a rule, use the upper portion of the rule editor to configure general rule properties. Use the lower portion of the rule editor to configure rule conditions and comments.

Procedure


Step 1

On Rules of the QoS policy editor:

  • Add Rule—Click Add Rule.
  • Edit Rule—Click Edit (edit icon).

Step 2

Enter a Name.

Step 3

Configure rule components:

  • Enabled—Specify whether the rule is Enabled.
  • Apply QoS On—Choose the interfaces you want to rate limit, either Interfaces in Destination Interface Objects or Interfaces in Source Interface Objects. Your choice must correspond with a populated interface constraint (not any).
  • Traffic Limit Per Interface—Enter a Download Limit and an Upload Limit in Mbits/sec. The default value of Unlimited prevent matching traffic from being rate limited in that direction.
  • Conditions—Click the corresponding condition you want to add. You must configure a source or destination interface condition, corresponding to your choice for Apply QoS On.
  • Comments—Click Comments. To add a comment click New Comment, enter a comment, and click OK. You can edit or delete this comment until you save the rule.

For detailed information on rule components, see QoS Rule Components.

Step 4

Save the rule.

Step 5

In the policy editor, set the rule position. Click and drag or use the right-click menu to cut and paste.

Rules are numbered starting at 1. The system matches traffic to rules in top-down order by ascending rule number. The first rule that traffic matches is the rule that handles that traffic. Proper rule order reduces the resources required to process network traffic and prevents rule preemption.

Step 6

Click Save to save the policy.


What to do next

QoS Rule Components

State (Enabled/Disabled)

By default, rules are enabled. If you disable a rule, the system does not use it and stops generating warnings and errors for that rule.

Interfaces (Apply QoS On)

You cannot save a QoS rule that rate limits all traffic. For each QoS rule, you must apply QoS on either:

  • Interfaces in Source Interface Objects—Rate limits traffic through the rule's source interfaces. If you choose this option, you must add at least one source interface constraint (cannot be any).

  • Interfaces in Destination Interface Objects—Rate limits traffic through the rule's destination interfaces. If you choose this option, you must add at least one destination interface constraint (cannot be any).

Traffic Limit Per Interface

A QoS rule enforces rate limiting independently on each of the interfaces you specify with the Apply QoS On option. You cannot specify an aggregate rate limit for a set of interfaces.

You can rate limit traffic by Mbits per second. The default value of Unlimited prevents matching traffic from being rate limited.

You can rate limit download and upload traffic independently. The system determines download and upload directions based on the connection initiator.

If you specify a limit greater than the maximum throughput of an interface, the system does not rate limit matching traffic. Maximum throughput may be affected by an interface’s hardware configuration, which you specify in each device’s properties (Devices > Device Management).

Conditions

Conditions specify the specific traffic the rule handles. You can configure each rule with multiple conditions. Traffic must match all conditions to match the rule. Each condition type has its own tab in the rule editor. You can rate limit traffic using:

Comments

Each time you save changes to a rule you can add comments. For example, you might summarize the overall configuration for the benefit of other users, or note when you change a rule and the reason for the change.

In the policy editor, the system displays how many comments a rule has. In the rule editor, use the Comments tab to view existing comments and add new ones.

History for QOS

Feature

Version

Details

Ability to specify handling of URLs having unknown reputation

6.7

For details, see History for URL Filtering.

Rate limit increased

6.2.1

Raised the maximum rate limit from 1,000 Mbps to 100,000 Mbps.

Modified screen: QoS rule editor

Supported platforms: Firepower Threat Defense

Custom SGT and original client network filtering

6.2.1

QoS can now rate limit traffic using custom Security Group Tags (SGTs) and original client network information (XFF, True-Client-IP, or custom-defined HTTP headers).

Modified screen: QoS rule editor

Supported platforms: Firepower Threat Defense

QoS (rate limiting)

6.1

Feature introduced.

QoS rate limits (polices) network traffic that is allowed or trusted by access control.

New screens: Devices > QoS

Supported platforms: Firepower Threat Defense