@Joseph W. Doherty   ISP link is connected to the WAN Router. This Router has switching module, one interface is connected to ISP and another to the Firewall. Also there is VLAN with L3 interface and public IP, those two ports are part of that VLAN. Internet connection is going through Firewall, but since it's connected to Router anyway and QoS applied to the physical interface connected to ISP. So, the traffic from Firewall should be affected by QoS as well. Config:

policy-map child
class voice
priority percent 15
class video
bandwidth remaining percent 10
class data
bandwidth remaining percent 35
class scavenger
bandwidth remaining percent 5
class class-default
bandwidth remaining percent 50
fair-queue

policy-map parent
class class-default
shape average 300000000
service-policy child

policy-map parent attached to the physical interface connected to ISP.

If "parent" is applied as an egress policy to the Internet, then yes, overall traffic should be limited to 300 Mbps.  However, as you also mention switching modules and VLANs, unsure you not somehow bypassing the policy at L2.(?)

@Joseph W. Doherty  Please take a look at the picture. This is topology. Router, Firewall and ISP are in the same broadcast domain. QoS is applied on physical interface connected to ISP, this interface is part of that VLAN.

"Router, Firewall and ISP are in the same broadcast domain."

Then it's possible FW and ISP can exchange data without passing through router's SVI, correct?

@Joseph W. Doherty   Yes, actually this how it should happen. Traffic from the Firewall should not hit router's SVI, it should go directly to the ISP's interface's IP, but the thing is, QoS is applied on the physical interface connected to ISP, not on SVI. So, from my point of view, QoS should affect traffic from the Firewall.

Okay, I'm lost in what your topology actually is.  You described both a VLAN, SVI and physical router interface.  Is the physical router interface, that connects to the ISP, a routed port or VLAN port?  If the former, how do you have it in the same L2 broadcast domain as the FW and ISP?

Hello @Joseph W. Doherty 
"Is the physical router interface, that connects to the ISP, a routed port or VLAN port?" - It's a VLAN port. There is VLAN configure in Router and it has SVI and two ports inside it. One port is connected to Firewall and other port is connected to ISP. Both ports are not routed, they're members of one VLAN which also has SVI. So, Router's SVI, Firewall's port and ISP's port are all in the same broadcast. QoS policy is attached to not routed port (Router's port which is member of that VLAN) connected to the ISP.

Okay, if I understand correctly, the QoS policy is actually attached to the VLAN access port, not the SVI?

@Joseph W. Doherty  Yes, QoS policy is attached to the physical port which is VLAN access port. This port is connected to ISP.

Hmm, I'm unsure router QoS will work on an access port.  What to service policy stats show?

@Joseph W. Doherty  can you please take a look?

Important update: There is DMVPN Tunnel interface which is configured with qos pre-classify.

show policy-map interface GigabitEthernet0/1/2
GigabitEthernet0/1/2

Service-policy output: parent

Class-map: class-default (match-any)
492370 packets, 212703840 bytes
30 second offered rate 0000 bps, drop rate 0000 bps
Match: any
Queueing
queue limit 1250 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 0/0
shape (average) cir 300000000, bc 1200000, be 1200000
target shape rate 300000000

Service-policy : child

queue stats for all priority classes:
Queueing
queue limit 512 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 0/0

Class-map: voice (match-any)
0 packets, 0 bytes
30 second offered rate 0000 bps, drop rate 0000 bps
Match: ip dscp ef (46)
Priority: 15% (60000 kbps), burst bytes 1500000, b/w exceed drops: 0

Class-map: video (match-any)
0 packets, 0 bytes
30 second offered rate 0000 bps, drop rate 0000 bps
Match: ip dscp af41 (34)
Queueing
queue limit 1250 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 0/0
bandwidth remaining 10%

Class-map: data (match-any)
0 packets, 0 bytes
30 second offered rate 0000 bps, drop rate 0000 bps
Match: ip dscp af21 (18)
Queueing
queue limit 1250 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 0/0
bandwidth remaining 35%

Class-map: SCAVENGER (match-any)
0 packets, 0 bytes
30 second offered rate 0000 bps, drop rate 0000 bps
Match: ip dscp af11 (10)
Match: access-group name scavenger
Queueing
queue limit 1250 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 0/0
bandwidth remaining 5%

Class-map: class-default (match-any)
492370 packets, 212703840 bytes
30 second offered rate 0000 bps, drop rate 0000 bps
Match: any
Queueing
queue limit 1250 packets
(queue depth/total drops/no-buffer drops/flowdrops) 0/0/0/0
(pkts output/bytes output) 0/0
bandwidth remaining 50%
Fair-queue: per-flow queue limit 312 packets

@MHM Cisco World  thank you for the link. Sorry for the stupid question, how to check if other control plane packets are dropped as well?