topic Re: segmentation of bandwidth: in General Topics

segmentation of bandwidth:

Lahcen — Fri, 30 Aug 2013 09:38:25 GMT

Hi All,

One of our customers has an internet acces of 20Mbits and 4 types of users so he wants to segment the internet acces into 4 acces in order to ensure that every user groups has a bandwidth of 5Mbits.

is it possible to do this treatment with a Palo Alto firewall ?

BR,

Re: segmentation of bandwidth:

Retired Member — Fri, 30 Aug 2013 09:45:59 GMT

You can use Active directory user groups in QOS rules.

For eaach group you can use a max 5mbit class and all for the related qos profile.

QoS in PAN-OS 4.1 You can configure details related to document.

Re: segmentation of bandwidth:

harshanatarajan — Fri, 30 Aug 2013 09:50:29 GMT

Look for the QoS use cases in the doc - QoS in PAN-OS 4.1

Case 2 – Sharing Bandwidth with Fairness

Hope this helps.

Re: segmentation of bandwidth:

Lahcen — Fri, 30 Aug 2013 10:58:04 GMT

Thank you for your reply.

I have another question is it possible to limit the bandwidth for users (users are defined by IP adress) I mean if a user exceeds a bandwith threshold example 1Go per day the internet connection for this user will be denied and he will not be able to connect to the internet till the next bussines day.

Re: segmentation of bandwidth:

Retired Member — Fri, 30 Aug 2013 11:00:37 GMT

This function is not supported for now.

Re: segmentation of bandwidth:

Lahcen — Fri, 30 Aug 2013 14:18:12 GMT

thanks.

Re: segmentation of bandwidth:

drwillis07 — Fri, 30 Aug 2013 14:26:15 GMT

While true out of the box, there is a way to accomplish this manually using the API interface and the dynamic address object feature.

1. You could create a dynamic address object that is referenced by the QoS policy. This policy is committed even though the DAO is empty.

2. When a user is manually detected as consuming too much bandwidth (DDoS protection looks at session levels, not bandwidth), you would add those users to the XML document referenced by a script (several ways to do that - manual script manipulation or the use of a block list API added into the GUI)

3. A process on your server would detect that the script was updated and execute the API to push the document to firewall(s) directly or via Panorama to populate the DAO on the firewall with your bad user(s)

4. Another automated process on your server would then remove the IP address of the bad actors at a set time every day based on the timestamp of the actor's addition

See here as a potential basis for your workflow - Sample API workflow for Dynamic Address Objects

Obvious challenges here - besides writing scripts and monitoring CRON (or CRON-like processes) is tracking on bandwidth consumption by user. The function that is missing on the appliance is the lack of such a report. The only way to get that out of the appliance is to apply QoS as a reporting only (i.e. no max bandwidth) function, but you would need to create a policy per user - which is unrealistic. You would want to look to an external tool to gather this kind of information.