topic Re: Qos question in General Topics

Qos question

simsim — Mon, 22 May 2017 17:52:26 GMT

Hi,

Let's say user wathing youtube , to limit the user's traffic ,
do we need to create qos profile for upload and download ?
Thanks

Re: Qos question

jbhoorasingh — Mon, 22 May 2017 18:04:03 GMT

Policy -> QoS
Add
- Name: Youtube
- Source: Trusted
- Destination:Untrusted
- Application: [youtube]
- Class:

https://live.paloaltonetworks.com/t5/Featured-Articles/Getting-Started-Quality-of-Service/ta-p/68633

Re: Qos question

simsim — Mon, 22 May 2017 19:25:31 GMT

Hi,

I am not talking about the qos policy rule , I am talking about the profile .

I just to mentioned 'youtube ' for easy understanding .

If I rephrase my question , It would be like below

If a user browsing internet , Do I need to set download and upload profile (egress and ingress)

Thanks

Re: Qos question

Raido_Rattameister — Tue, 23 May 2017 02:33:30 GMT

To get best results you should decrypt traffic.

I have seen cases when Youtube was identified as SSL without decyption.

As traffic comes from outside and heading inside you can't apply QoS to outside interface because at that point you don't know yet what this traffic is.

You need to let it into firewall to be analyzed and apply QoS profile to internal interface where traffic exits the firewall.

On the other hand if you want to QoS Youtube upload then you apply QoS to outside interface as traffic egress point is outside interface.

Re: Qos question

reaper — Tue, 23 May 2017 07:07:26 GMT

QoS shaping is applied the moment a packet is about to leave the firewall (on the egress interface):

- to limit downloads the QoS profile on the internal interface is used (packets flowing from the internet and exiting onto your local network)

- to limit uploads, the QoS profile of the untrust interface is applied (packet flowing from the lan and exiting onto the internet

in a single session 2 different QoS profiles can be hit (outbound and inbound packets)

Re: Qos question

simsim — Wed, 24 May 2017 07:12:37 GMT

Hi,
A user just browsing cnn.com ,that means useer downloads and uploads the same time . Is there any issue If we just applied profile for limiting download only . What I mean does this effect CIR which is committed by ISP

Thanks

Re: Qos question

reaper — Wed, 24 May 2017 09:29:32 GMT

its perfectly possible to only create a profile to linit downloads and not interfere with uploads at all (QoS does not even need to be enabled on the upstream interface)

hope this helps

Re: Qos question

simsim — Wed, 24 May 2017 22:26:26 GMT

Hi @reaper

Thank you for your reply . You are always great help ! .

I just want rearrange my very basic and general qos question , Let's say we have a 10 Mb download commitement with ISP .And we have not yet applied any qos profile ,so the user will be able to take all the bandwidth which is 10 Mb .

Now we have created a profile and applied on egress with 5 classes and each class is 2 Mb limit with same priority and the user is in class 1 .What will happen in this case ? .How the qos will help us

2) How this help us ISP's dropping the traffic ?

Thanks a million

Re: Qos question

Raido_Rattameister — Wed, 24 May 2017 23:20:16 GMT

I don't think it makes sense to set up 5 classes with 2Mbit each as if other classes are not in use then you don't use your full capability.

Few things that make sense to throttle are Dropbox application, Update applications using Application filter, Update URLs (for example create custom URL category and add MS update URL into it) etc.

Can you explain your issue?

ISP is dropping packets?

So what? If you enable QoS then it will be Palo who will drop packets to throttle traffic. Palo has to throw away packet from here and packet from there but TCP is smart and "tcp flow control" will keep traffic around the range you set with QoS.

Re: Qos question

reaper — Thu, 25 May 2017 07:54:14 GMT

I agree with @Raido_Rattameister , if you only have 10mbit it doesn't make much sense to limit all your classes to 2mb as this will limit the sessions every step of the way and will not change the fact packets need to get discarded to limit the bandwidth usage (if it's not the ISP, it's the firewall)

You could work with one or a few classes that do have a guarantee for business critical apps, so that when your users are using your full bandwidth, your business critical applications will still function normally (while everything else will be dreadfully slow)
And a class (or a few) for bad applications you really want to limit (like streaming or online storage, ...) Set to 1mb limit for example
And finally a class that you use for your generic browsing with no limit or guarantee. It will be able to use all bandwidth unless one of your guarantee classes is active at which time it will surrender the bandwidth to those classes (make sure to set the profile limit to 10mb)

(Class priority should not be a factor as that relates to platform IO and 10mb should not be an issue, but you can put the business critical class on real-time just to make sure it gets priority queueing if it's ever needed)

Hope this helps! 🙂

Re: Qos question

Raido_Rattameister — Thu, 25 May 2017 13:05:34 GMT

Just be sure that you create class 4 in your profile.

Class 4 is default class for traffic that is does not match to any QoS policy.

If class 4 is missing from profile it can cause big issues.

Edit: So I went to look up article about issue if class 4 is not set and here it is.

https://live.paloaltonetworks.com/t5/Management-Articles/Firewall-Slows-Down-and-Stops-Forwarding-Traffic-after-Applying/ta-p/59213

Issue is that there are other guidelines that suggest not to set class 4.

Final note says "Note: Only desired classes can be defined in the QoS profile. The rest of the traffic would default to class 4."

https://live.paloaltonetworks.com/t5/Configuration-Articles/Incorrect-QoS-Configuration-Caused-Network-Traffic-Outage/ta-p/62576

https://live.paloaltonetworks.com/t5/tkb/articleprintpage/tkb-id/ConfigurationArticles/article-id/1128

@reaper as those articles are quite old can you check internally what is current suggestion. And it is a bit unclear if policy needs to exist for class 4 or both policy and class in profile.