Disclaimer
The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
Liability Disclaimer
In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
Posting
You can "do" QoS on ingress or egress, although not all QoS features are supported for ingress and egress.
Generally on ingress, you might validate what you're receiving, and based on what you "seeing" drop, mark, remark and/or rate limit the ingress traffic. Generally on egress, you deal with possible congestion, so you might prioritize some traffic over other traffic but you also might mark, remark, drop, rate limit and/or shape.
Ideally, a firewall, since it can selectively block traffic, should provide the same QoS support as other network devices, but if not, you might be able to provide the needed QoS on an upstream device. For example, consider a FW without QoS features, but with a LAN FE interface and with a WAN DS3 interface. Outbound traffic might queue on the FW DS3, but to manage that, external to the FW, the LAN device to the FW might shape for DS3 rate and manage congestion on it (before the FW "sees" the traffic).
For tunnels, of any type, again shaping for maximum tunnel transit bandwidth, not the tunnel device's physical interface bandwidth, could be the key to managing the tunnel's available bandwidth.
