topic Re: QoS: only ever matches default-group in General Topics

QoS: only ever matches default-group

fjwcash — Tue, 04 Apr 2023 23:16:56 GMT

I'm obviously missing something simple here, but nothing I've tried makes a difference.

Creating a QoS Profile to configure the 8 classes: works great.

Creating a series of QoS Policies to classify AppIDs, URLs, users, etc into difference classes: works great.

Creating multiple QoS Profiles to limit bandwidth for separate networks: nothing works everything ends up in default-group (when viewing the live QoS Statistics on ethernet1/4).

ethernet1/4 is the WAN interface. 100 Mbps symmetric link shared between two sites.

ethernet1/3 is the LAN interface for site 1.

ethernet1/2 is the LAN interface for site 2.

What I want to do is:

give site 1 a guaranteed 49 Mbps for uploads
give site 1 a guaranteed 49 Mbps for downloads
give site 2 a guaranteed 49 Mbps for uploads
give site 2 a guaranteed 49 Mbps for downloads
allow either site to use the full 100 Mbps if the other site is idle

What I'm trying to prevent is having one site hog all the bandwidth, but I also don't want to limit each site. I just want to guarantee a minimum bandwidth for each site (they can use more if the other site isn't using it).

Seems pretty simple in theory, according to the docs.

Just create a QoS Profile with guaranteed egress of 49 Mbps and max egress of 99 Mbps for each site (to keep it under the 100 Mbps max for the interface). Then in the QoS setup for ethernet1/4, on the Clear Text Traffic tab, add separate entries for each source subnet and/or source interface and attach the corresponding QoS Profile to it.

Nope, doesn't work. All traffic gets classified into the default-group. The other two groups never see any traffic.

Doesn't matter if both source interface and source subnet are set, only one or the other is set, or neither of them is set. All traffic shows in the Statistics as being in the default-group. (On the bright side, all the QoS Policies are working, and traffic is being classified correctly into the 8 classes.)

Assigning the QoS profile to the LAN interfaces works, but that's not the shared interface where we need the QoS to apply.

So, what am I missing?

Re: QoS: only ever matches default-group

reaper — Mon, 17 Apr 2023 10:58:13 GMT

Howdy

QoS is applied on the 'egress' interface (out of firewall), so for uploads you need to have a profile on the WAN interface and downloads have another profile on the LAN interface (I.e. a single session touches 2 different QoS profiles on the c2s and s2c)

The class is applied on the c2s flow and applies to both profiles

Hope this helps

Re: QoS: only ever matches default-group

Raido_Rattameister — Wed, 05 Apr 2023 12:59:34 GMT

@reaper I think you have a typo there.

QoS is on egress not ingress.

https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/quality-of-service/qos-concepts/qos-egress-interface

Re: QoS: only ever matches default-group

Raido_Rattameister — Wed, 05 Apr 2023 13:51:17 GMT

I tested and works well.

What PANOS are you running?

Re: QoS: only ever matches default-group

Raido_Rattameister — Wed, 05 Apr 2023 14:01:11 GMT

I found interesting discrepancy.

I pushed config from Panorama and in Panorama there is also destination interface option that firewall QoS setting don't have.

Not sure if it made difference. Will test directly setting QoS on firewall when I have time.

Re: QoS: only ever matches default-group

fjwcash — Wed, 05 Apr 2023 15:46:48 GMT

PA-220 firewall running PanOS 9.1.15-h1.

Your setup appears to be almost identical to mine, but yours works and mine doesn't. Wonder if it's a PanOS version issue (you appear to be running 10.x?).

Doesn't matter if I use the physical interface, or the VLAN sub-interface on the Clear Text Traffic tab, the traffic never gets assigned to the different groups in the Statistics dialog. Always shows under default-group only.

Could it be a layer2 vs layer3 interface configuration?

Re: QoS: only ever matches default-group

fjwcash — Wed, 05 Apr 2023 15:35:29 GMT

The larger firewalls (3x00, 5x00, 7x00) allow you to set the destination interface. The smaller firewalls only support the source interface. Panorama shows both and only pushes the relevant interface based on the destination hardware.

Re: QoS: only ever matches default-group

fjwcash — Wed, 05 Apr 2023 15:41:04 GMT

The docs show QoS is applied on egress.

I have QoS configured on 3 interfaces in the firewall:

ethernet1/2 has the Pineridge-QoS-Profile assigned (LAN for Pineridge, for "download" traffic)
ethernet1/3 has the Maint-QoS-Profile assigned (LAN for Maint, for "download" traffic)
ethernet1/4 has both Pineridge-QoS-Profile and Maint-QoS-Profile assigned under the Clear Text Traffic tab, with the source interface set to 2 and 3 respectively (WAN for both sites, for "upload" traffic)

Re: QoS: only ever matches default-group

reaper — Mon, 17 Apr 2023 10:58:53 GMT

@Raido_Rattameister wrote:

@reaper I think you have a typo there.

QoS is on egress not ingress.

https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/quality-of-service/qos-concepts/qos-egress-interface

yep my bad, made a booboo there 🙂

Re: QoS: only ever matches default-group

jkvalk59s — Sat, 06 Jul 2024 13:23:00 GMT

I'm observing the same issue on VM-series 11.0.3-h3. I can successfully configure QoS in all directions and there are no misunderstandings about ingress/egress etc., but for the life of me I can't make traffic hit anything else than the default-group, in other words, the "Clear Text Traffic" tab in "QoS Interface" does not have any effect.

Anyone ever found out something useful?