topic Re: Palo Alto QOS configuration question in Next-Generation Firewall Discussions

Palo Alto QOS configuration question

ciscojuniperf5 — Thu, 07 Aug 2025 06:29:11 GMT

created the below QOS configuration to limit the bandwidth to wasabi to 10 mbps on PA 440. When I checked the QOS statistics, the default group is getting used and not the one I created and also the default group is restricted to 10 Mbps. Please guide me how do I fix it.

Interface Ethernet 1/6 has a subinterface Ethernet 1/6.201.

Create the QoS Policy Rule

Navigate to Policies > QoS.

Click Add to create a new QoS policy rule.

Name : Limit Veeam Backup

Source Zone : Trust

Source Address : Select All VMs

Destination Zone: Untrust

Destination Address : Wasabi

Application : wasabi

Other settings: Class 8

Click OK

Create a QoS Profile:

Navigate to Network > Network Profiles > QoS.

Click Add to create a new QoS Profile. "Veeam-Backup-QoS"

Egress Max (MBPS): 10

Egress Guaranteed (MBPS): 0

1.25 MBPS = 10 Mbps

In the Classes section, click Add:

Class: Class 8

Priority: Low

Egress Max: 10

Egress Guaranteed: 0

Click OK

Enable QoS on the Interface:

Navigate to Network > QoS

Select Ethernet 1/6

Under the Default Profile, select the QoS profile "Veeam-Backup-QoS"

Set the Egress Max (Mbps): 1024

Under Clear Text Traffic

Egress Guaranteed (Mbps) = 0

Egress Max (Mbps) = 10

Name :Veeam

Qos Profile : "Veeam-Backup-QoS"

Source Interface : Ethernet 1/6.201

Click OK

QOS settings on interface:

If I set the default profile to default, Veeam is getting more bandwidth, when I set it to Veeam-Backup-QOS, All traffic get 10 Mbps

Re: Palo Alto QOS configuration question

aleksandar.astardzhiev — Tue, 19 Aug 2025 22:50:34 GMT

Hi @ciscojuniperf5 ,

Two important notes that you need to remember for PAN QoS
- Traffic is "labeled" with class4 by default, if no class is explicitly assigned to the traffic.

- QoS is applied on egress only. Which means if you want to limit download from public internet you need to apply the QoS profile on the inside interface (when traffic egress from the firewall to the user). If you want to limit/shape the upload to public Internet, you need to apply the QoS profile on the outside interface (when traffic egress from firewall to Interne)

It is not clear which is your public interface and which internal, but I would guess (based on the sub-interface to Veem) that eth1/6 is your inside interface, which means that applying a QoS there will shape/limit the download from Internet. If am understand you are trying to limit the upload from Veem to Wasabi, correct?

If that is the case you need QoS interface for your public interface. Under the Clear Text Traffic tab, configure the same rule - where you use 1/6.201 as source and Veem QoS profile. This will tell the firewall to apply the Veem QoS profile when traffic is sourced from eth1/6.201 and egressing to public internet.

Note that - "Default Profile" under the QoS Interface is the profile that will be applied the traffic that is egressing this interface and does not match any of the "rules" under the Clear Text Traffic tab.