How to assign different bandwidth for multiple subnets to limit upload using QoS

105534

Created On 09/25/18 19:21 PM - Last Modified 10/24/20 01:50 AM

Initial Configuration

8.1

9.0

9.1

PAN-OS

Symptom

Symptoms

How to assign different bandwidth for multiple subnets (more than 8) to limit upload using QoS.

Available class for QoS = 8.
There is a need for providing different bandwidth to more than 8 subnets.

Diagnosis

Create different QoS profiles using the same class.
Then write different QoS policies according to the traffic flow.

Environment

PAN-OS 8.1 and above.
Palo Alto Firewall.
QoS Configuration.

Resolution

Case 1 - Limiting uploads: This is only applicable when the Firewall is not performing NAT operation.

There are multiple subnets behind the LAN interface for which we have to limit the upload to 216.57.196.78

Create a different QoS profiles using the same class.
Check the figure below.

One thing to note here is that we are limiting the uploads so there's no doubt that QoS needs to be applied on the egress, which is a WAN interface.

Now click on the other tab (clear text traffic).

Note: Remember that the source interface/subnet will be the interface nearest the originator of the traffic.

The key point here is that the source interface will be the interface that is nearest to the originator of the traffic hence the Lan interface and the subnet will be the originator who is generating the actual traffic.

The egress interface and the source subnet are 2 different things.

Now write the QoS policy as per your requirements.

I have written only 4 policies (all using class 2) but you can write multiple policies as per your needs, the concept will remain the same.

Note: In the case of NAT, the IP addresses in the example must be changed to use the translated IP address (post-NAT IP) in both the QoS configuration and Policy. Subinterfaces can be used for multiple source subnets.

Case 2 - Limiting Downloads

Assigning different bandwidth for more than 8 subnets from any particular source (for download) cannot be done. Here's why:
We have 8 QoS classes so when it comes to assigning different bandwidth we can use only 8 classes per source. (Use all the QoS classes in one profile.)

If you are limiting download based on the source subnet,

Apply the QoS on the Egress interface which will be your LAN interface.
In this case, the source interface/subnet will be the WAN interface and the subnet will be the server's subnet/IP address. (Example, Vimeo servers IP address)

Remember that the source interface will be the interface that is nearest the originator of the traffic and the source subnet will the severs IP / subnet.

Tips and tricks

Always check the C2S / S2C flow using the session id.

For example, for download limit, you observe that the QoS profile will be applied in S2C flow, see the below snapshot.

Note: This figure is just for reference; however, it is taken from live traffic with QoS applied in which we limited the download from the 104.156.81.217 server. (called sources interface = WAN and source subnet = Vimeo servers IP address in clear text traffic tab.)

In addition, here is the output of the clear text tab from the CLI (check the QoS id which will point to which QoS profile is applied to that session) the QoS ID is 1 over here and is applied to the above traffic for download.

Means QoS Mafra is the QoS profile in which we have limited bandwidth in any class, this is only to show you how the source subnet works.

We have also written a QoS policy calling that particular class, which is not shown here.

This was mainly to demonstrate the concepts of QoS and how we can use the source subnet of a clear text tab in QoS.