https://live.paloaltonetworks.com/t5/general-topics/how-to-create-qos-rule-based-on-application/m-p/167839#M53572 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/58363">@ali.mathur</a></P><P>&nbsp;</P><P>No, this is not possible - at least not for the first session.</P><P>&nbsp;</P><BLOCKQUOTE><BR /><BR /><BR /><DIV class="xml parbase xml_level-3_16"><DIV class="level-3">Service Versus Applications in PBF</DIV><DIV class="level-3">&nbsp;</DIV></DIV><DIV class="xml_body_17 xml parbase"><DIV class="body">PBF rules are applied either on the first packet (SYN) or the first response to the first packet (SYN/ACK). This means that a PBF rule may be applied before the firewall has enough information to determine the application. Therefore, application-specific rules are not recommended for use with PBF. Whenever possible, use a service object, which is the Layer 4 port (TCP or UDP) used by the protocol or application.</DIV><DIV class="body">&nbsp;</DIV></DIV><DIV class="xml_body_18 xml parbase"><DIV class="body">However, if you specify an application in a PBF rule, the firewall performs<SPAN>&nbsp;</SPAN>App-ID caching<SPAN>&nbsp;</SPAN>. When an application passes through the firewall for the first time, the firewall does not have enough information to identify the application and therefore cannot enforce the PBF rule. As more packets arrive, the firewall determines the application and creates an entry in the App-ID cache and retains this App-ID for the session.When a new session is created with the same destination IP address, destination port, and protocol ID, the firewall could identify the application as the same from the initial session (based on the App-ID cache) and apply the PBF rule. Therefore, a session that is not an exact match and is not the same application, can be forwarded based on the PBF rule.</DIV><DIV class="body">&nbsp;</DIV></DIV><DIV class="xml_body_19 xml parbase"><DIV class="body">Further, applications have dependencies and the identity of the application can change as the firewall receives more packets. Because PBF makes a routing decision at the start of a session, the firewall cannot enforce a change in application identity. YouTube, for example, starts as web-browsing but changes to Flash, RTSP, or YouTube based on the different links and videos included on the page. However with PBF, because the firewall identifies the application as web-browsing at the start of the session, the change in application is not recognized thereafter</DIV></DIV><HR /></BLOCKQUOTE><P>&nbsp;</P><P>Source:&nbsp;<A href="https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/policy/pbf#_80499" target="_blank">https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/policy/pbf#_80499</A></P><P>&nbsp;</P><P>This will also be a "problem" in your other topic with 3 ISPs on one firewall</P> Sun, 23 Jul 2017 10:25:13 GMT Remo 2017-07-23T10:25:13Z https://live.paloaltonetworks.com/t5/general-topics/how-to-create-qos-rule-based-on-application/m-p/167435#M53469 <P>Hi,</P><P>&nbsp;</P><P>We need to create QoS rule based on application, like (business application it will use ISP1 and General browsing it will ISP2).</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 20 Jul 2017 11:44:18 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-create-qos-rule-based-on-application/m-p/167435#M53469 ali.mathur 2017-07-20T11:44:18Z https://live.paloaltonetworks.com/t5/general-topics/how-to-create-qos-rule-based-on-application/m-p/167443#M53471 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/58363">@ali.mathur</a>,</P> <P>&nbsp;</P> <P>I believe you are mixing up QoS with PBF.</P> <P>&nbsp;</P> <P><SPAN>With QoS (Quality of Service) you can limit or guarantee bandwidth based on application.</SPAN></P> <P><SPAN>With PBF (Policy Base Forwarding)&nbsp;you can choose to have certain applications use a different link without needing to tweak the routing table.</SPAN></P> <P>&nbsp;</P> <P><SPAN>Based on your initial post I'm guessing you are looking for a PBF solution instead of QoS.</SPAN></P> <P>&nbsp;</P> <P><SPAN>Check out the following article that expains PBF in detail :</SPAN></P> <P><SPAN><A href="https://live.paloaltonetworks.com/t5/Featured-Articles/Getting-Started-Policy-Based-Forwarding/ta-p/71257" target="_blank">https://live.paloaltonetworks.com/t5/Featured-Articles/Getting-Started-Policy-Based-Forwarding/ta-p/71257</A></SPAN></P> <P>&nbsp;</P> <P><SPAN>Hope it helps !</SPAN></P> <P><SPAN>-Kiwi</SPAN></P> Thu, 20 Jul 2017 12:03:37 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-create-qos-rule-based-on-application/m-p/167443#M53471 kiwi 2017-07-20T12:03:37Z https://live.paloaltonetworks.com/t5/general-topics/how-to-create-qos-rule-based-on-application/m-p/167467#M53478 <P>Hi Kiwi,</P><P>&nbsp;</P><P>Thanks for your reply, now i understand diffrence between QoS and PBF.&nbsp;</P><P>&nbsp;</P><P>I need to more clarification on PBF with application,&nbsp;how to inlcude non business related to PBF. As per the below document we can select web-browsing, but most of traffic detecting as diffrent application (example, if i access facebook.com its showing facebook-base) and its utilising our main link bandwidth.</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 20 Jul 2017 14:30:25 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-create-qos-rule-based-on-application/m-p/167467#M53478 ali.mathur 2017-07-20T14:30:25Z https://live.paloaltonetworks.com/t5/general-topics/how-to-create-qos-rule-based-on-application/m-p/167682#M53529 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/58363">@ali.mathur</a>,</P><P>You would generally take the path of least resistance so it's easier. So instead of applying a PBF for general-browsing, because it would be alot of applications, focus on your business traffic instead and set your default route to route the general traffic to the proper interface.</P><P>One thing to remember about application based PBF is the PBF is only going to be applied once your listed application is actually identified, which means the first few packets will go out your default route until it passes to what you've identified in the PBF policy. &nbsp;</P> Fri, 21 Jul 2017 13:06:10 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-create-qos-rule-based-on-application/m-p/167682#M53529 BPry 2017-07-21T13:06:10Z https://live.paloaltonetworks.com/t5/general-topics/how-to-create-qos-rule-based-on-application/m-p/167838#M53571 Hi BPry, The main issue with PBF is, its not showing the main applications, like email, business-system and etc.(as PA detecting under "Application Usage"). There is any way to detect business application under PBF. Sun, 23 Jul 2017 06:04:36 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-create-qos-rule-based-on-application/m-p/167838#M53571 ali.mathur 2017-07-23T06:04:36Z https://live.paloaltonetworks.com/t5/general-topics/how-to-create-qos-rule-based-on-application/m-p/167839#M53572 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/58363">@ali.mathur</a></P><P>&nbsp;</P><P>No, this is not possible - at least not for the first session.</P><P>&nbsp;</P><BLOCKQUOTE><BR /><BR /><BR /><DIV class="xml parbase xml_level-3_16"><DIV class="level-3">Service Versus Applications in PBF</DIV><DIV class="level-3">&nbsp;</DIV></DIV><DIV class="xml_body_17 xml parbase"><DIV class="body">PBF rules are applied either on the first packet (SYN) or the first response to the first packet (SYN/ACK). This means that a PBF rule may be applied before the firewall has enough information to determine the application. Therefore, application-specific rules are not recommended for use with PBF. Whenever possible, use a service object, which is the Layer 4 port (TCP or UDP) used by the protocol or application.</DIV><DIV class="body">&nbsp;</DIV></DIV><DIV class="xml_body_18 xml parbase"><DIV class="body">However, if you specify an application in a PBF rule, the firewall performs<SPAN>&nbsp;</SPAN>App-ID caching<SPAN>&nbsp;</SPAN>. When an application passes through the firewall for the first time, the firewall does not have enough information to identify the application and therefore cannot enforce the PBF rule. As more packets arrive, the firewall determines the application and creates an entry in the App-ID cache and retains this App-ID for the session.When a new session is created with the same destination IP address, destination port, and protocol ID, the firewall could identify the application as the same from the initial session (based on the App-ID cache) and apply the PBF rule. Therefore, a session that is not an exact match and is not the same application, can be forwarded based on the PBF rule.</DIV><DIV class="body">&nbsp;</DIV></DIV><DIV class="xml_body_19 xml parbase"><DIV class="body">Further, applications have dependencies and the identity of the application can change as the firewall receives more packets. Because PBF makes a routing decision at the start of a session, the firewall cannot enforce a change in application identity. YouTube, for example, starts as web-browsing but changes to Flash, RTSP, or YouTube based on the different links and videos included on the page. However with PBF, because the firewall identifies the application as web-browsing at the start of the session, the change in application is not recognized thereafter</DIV></DIV><HR /></BLOCKQUOTE><P>&nbsp;</P><P>Source:&nbsp;<A href="https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/policy/pbf#_80499" target="_blank">https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/policy/pbf#_80499</A></P><P>&nbsp;</P><P>This will also be a "problem" in your other topic with 3 ISPs on one firewall</P> Sun, 23 Jul 2017 10:25:13 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-create-qos-rule-based-on-application/m-p/167839#M53572 Remo 2017-07-23T10:25:13Z