If your Firewall isn't up to it, the choice is between replacing the Firewall and adding a Traffic Shaping Appliance. Unless you are particularly wedded to your Firewall, we would suggest you take the opportunity to upgrade to a Next Generation Firewall, where Palo Alto is the clear market leader.
Traditional Firewalls work on application ports and target/destination IP addresses. However, modern applications are no respecters of fixed ports, and there are literally hundreds of applications that can operate over HTTP/HTTPS (ports 80 & 443). Next Generation Firewalls recognise the application using deep packet inspection (regardless of port or SSL encryption) and identify users and groups through Active Directory integration. Once you have properly identified the traffic and valid users, it is possible to define policies that set the Traffic Shaping rules accordingly.
Traffic shaping is most effective over symmetric circuits. On outbound services over asymmetric circuits, it can only shape traffic within the confines of the slower up-channel. The one exception is where you want to allocate symmetric bandwidth over an asymmetric circuit. For example, you might have 5 concurrent high-quality VoIP calls, each of which requires 100Kbps. It is possible to allocate 0.5Mb symmetrical even on an ADSL circuit.
See the excellent Next Generation Palo Alto Firewalls available from our X.COMM security division.