QoS policies deployed to managed devices govern rate limiting. Each QoS policy can target multiple devices; each device can
have one deployed QoS policy at a time.
In a QoS policy, a maximum of 32 QoS rules handle network traffic. The system matches traffic to QoS rules in the order you
specify. The system rate limits traffic according to the first rule where all rule conditions match the traffic. Traffic that
does not match any of the rules is not rate limited.
You must constrain QoS rules by source or destination (routed) interfaces. The system enforces rate limiting independently on each of those interfaces; you cannot specify an aggregate rate limit for a set of interfaces.
QoS rules can also rate limit traffic by other network characteristics, as well as contextual information such as application,
URL, user identity, and custom Security Group Tags (SGTs).
You can rate limit download and upload traffic independently. The system determines download and upload directions based on
the connection initiator.
QoS is not subordinate to a main access control configuration; you configure QoS
independently. However, the access control and QoS policies deployed to the same
device share identity configurations; see Associating Other Policies with Access Control.
QoS Policies and Multitenancy
In a multidomain deployment, the system displays policies created in the current domain, which you can edit. It also displays
policies created in ancestor domains, which you cannot edit. To view and edit policies created in a lower domain, switch to
Administrators in ancestor domains
can deploy the same QoS policy to devices in different descendant domains.
Administrators in those descendant domains can use this read-only ancestor-deployed
QoS policy, or replace it with a local policy.