https://live.paloaltonetworks.com/t5/general-topics/fail-to-configure-download-limitation-on-my-pa-firewall/m-p/181729#M56072 <P>&nbsp;</P><P>I want to limit download for our subnets. I configured a qos policy and&nbsp;a traffic class profile,&nbsp; next apply on trust zone interface.&nbsp; Then I saw in the statistic, there was&nbsp; runtime bandwidth&nbsp; in class 4,&nbsp; it seemed that all traffic was defined as class 4,&nbsp; there was not runtime in any other class.&nbsp; Could you tell me where I wrongly configured ? Thanks.</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="image.png" style="width: 800px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/11927iC602F7C935AF6CF5/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="image.png" alt="image.png" /></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="image.png" style="width: 660px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/11928i73FC51DA2244298A/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="image.png" alt="image.png" /></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="image.png" style="width: 572px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/11929i088062AEF05B7F9B/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="image.png" alt="image.png" /></span></P> Fri, 13 Oct 2017 13:41:56 GMT qq736401987 2017-10-13T13:41:56Z https://live.paloaltonetworks.com/t5/general-topics/fail-to-configure-download-limitation-on-my-pa-firewall/m-p/181729#M56072 <P>&nbsp;</P><P>I want to limit download for our subnets. I configured a qos policy and&nbsp;a traffic class profile,&nbsp; next apply on trust zone interface.&nbsp; Then I saw in the statistic, there was&nbsp; runtime bandwidth&nbsp; in class 4,&nbsp; it seemed that all traffic was defined as class 4,&nbsp; there was not runtime in any other class.&nbsp; Could you tell me where I wrongly configured ? Thanks.</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="image.png" style="width: 800px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/11927iC602F7C935AF6CF5/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="image.png" alt="image.png" /></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="image.png" style="width: 660px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/11928i73FC51DA2244298A/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="image.png" alt="image.png" /></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="image.png" style="width: 572px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/11929i088062AEF05B7F9B/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="image.png" alt="image.png" /></span></P> Fri, 13 Oct 2017 13:41:56 GMT https://live.paloaltonetworks.com/t5/general-topics/fail-to-configure-download-limitation-on-my-pa-firewall/m-p/181729#M56072 qq736401987 2017-10-13T13:41:56Z https://live.paloaltonetworks.com/t5/general-topics/fail-to-configure-download-limitation-on-my-pa-firewall/m-p/181778#M56080 <P>Hello</P><P>&nbsp;</P><P>Please take a look into <A href="https://live.paloaltonetworks.com/t5/Configuration-Articles/Apply-QoS-for-Youtube-or-Streaming-Media/ta-p/66036" target="_blank">https://live.paloaltonetworks.com/t5/Configuration-Articles/Apply-QoS-for-Youtube-or-Streaming-Media/ta-p/66036</A></P><P>This is simple but should be a good start for You, as always please use "search" using QoS as a pattern there is a lot of topics with that</P><P>&nbsp;</P><P>&nbsp;</P><P>Regards</P><P>Slawek</P> Fri, 13 Oct 2017 15:45:49 GMT https://live.paloaltonetworks.com/t5/general-topics/fail-to-configure-download-limitation-on-my-pa-firewall/m-p/181778#M56080 _slv_ 2017-10-13T15:45:49Z https://live.paloaltonetworks.com/t5/general-topics/fail-to-configure-download-limitation-on-my-pa-firewall/m-p/182014#M56128 <P>also check out the <A title=" Getting Started: Quality of Service" href="https://live.paloaltonetworks.com/t5/Featured-Articles/Getting-Started-Quality-of-Service/ta-p/68633" target="_blank"> Getting Started: Quality of Service</A></P> <P>&nbsp;</P> <P>are you using NAT in your environment and are those hosts known to the outside as a public IP? you may need to set the pre-NAT IPs in the destination</P> <P>&nbsp;</P> <P>&nbsp;</P> Mon, 16 Oct 2017 08:43:05 GMT https://live.paloaltonetworks.com/t5/general-topics/fail-to-configure-download-limitation-on-my-pa-firewall/m-p/182014#M56128 reaper 2017-10-16T08:43:05Z https://live.paloaltonetworks.com/t5/general-topics/fail-to-configure-download-limitation-on-my-pa-firewall/m-p/182160#M56147 <P>My firewall outside interface connects to a router, the router translates all our private subnets into a public IP. Do you mean I need to define specified IP addresses insteaof&nbsp;any&nbsp;in the Qos of the policy ?</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="image.png" style="width: 676px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/11977i363C2E87A6C30323/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="image.png" alt="image.png" /></span></P> Tue, 17 Oct 2017 05:40:06 GMT https://live.paloaltonetworks.com/t5/general-topics/fail-to-configure-download-limitation-on-my-pa-firewall/m-p/182160#M56147 qq736401987 2017-10-17T05:40:06Z https://live.paloaltonetworks.com/t5/general-topics/fail-to-configure-download-limitation-on-my-pa-firewall/m-p/182161#M56148 <P>My failed configuration is referred from&nbsp;the link you mentioned. I want to limit all download traffic for my subnets, not for a special application.</P> Tue, 17 Oct 2017 05:44:31 GMT https://live.paloaltonetworks.com/t5/general-topics/fail-to-configure-download-limitation-on-my-pa-firewall/m-p/182161#M56148 qq736401987 2017-10-17T05:44:31Z https://live.paloaltonetworks.com/t5/general-topics/fail-to-configure-download-limitation-on-my-pa-firewall/m-p/182168#M56149 <P>Let's make sure we have the concepts right:</P> <P>You're trying to limit downloads, but in your first screenshot your policies have destination IP addresses, which would actually mean 'upload' (from the internet destined to the ip addresses)</P> <P>&nbsp;</P> <P>The QoS policies first need to match the direction of a session:</P> <P>You first need to determine in which direction your session is going to be initiated: will the session start from a client on your network, or from the internet.</P> <P>You then create a QoS policy that matches that direction (don't mind up/down load just yet, we'll get to that in a second).</P> <P>&nbsp;</P> <P>So if you want to apply policy to your internal client, you make a QoS policy from trust to untrust and apply a class.</P> <P>If you want to limit what a client on the internet can do, create a policy from untrust to trust and apply a class.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Next step is to determine _what_ you want to limit: upload or download.</P> <P>This is where it gets interesting: up- or download depends on the direction of your session; a download for your LAN clients flows in the exact opposite direction as a download for an internet based client (in this case he/she is "downloading" from your server, which in regards to your network is an upload but in regards of the session direction is a download).</P> <P>&nbsp;</P> <P>To prevent all the confusion above QoS is set up this way.</P> <P>&nbsp;</P> <P>You already created a policy based on the direction of the flow.</P> <P>Now you need to add QoS profiles to your interfaces: QoS is applied on the <STRONG>egress</STRONG> interface</P> <P>&nbsp;</P> <P>So, if you add a QoS profile on your untrust interface, you can limit everything going TO the internet (regardless if it's up- or download) and if you apply a QoS profile to your trust you can control everything going TO your LAN network.</P> <P>&nbsp;</P> <P>Any sessions that previosuly hit a QoS policy will now be categorized as a certain class and an appropriate QoS action will be applied.</P> <P>This also means that each flow can be controlled by 2 separate QoS profiles: one for the outgoing packets and one for incoming packets (eg you could limit outgoing packets to internet to 1mbps and limit returning packets to LAN to 5mbps)</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>tl;dr you probably need to switch your QoS policy to "trust to untrust"</P> <P>&nbsp;</P> <P>Hope this helps</P> <P>T</P> Tue, 17 Oct 2017 07:25:16 GMT https://live.paloaltonetworks.com/t5/general-topics/fail-to-configure-download-limitation-on-my-pa-firewall/m-p/182168#M56149 reaper 2017-10-17T07:25:16Z https://live.paloaltonetworks.com/t5/general-topics/fail-to-configure-download-limitation-on-my-pa-firewall/m-p/186453#M56876 <P>Thanks. It&nbsp;works. By&nbsp;the&nbsp;way, how can I limit download bandwidth base on per-IP instead of per-subnet?</P> Fri, 10 Nov 2017 13:09:57 GMT https://live.paloaltonetworks.com/t5/general-topics/fail-to-configure-download-limitation-on-my-pa-firewall/m-p/186453#M56876 qq736401987 2017-11-10T13:09:57Z https://live.paloaltonetworks.com/t5/general-topics/fail-to-configure-download-limitation-on-my-pa-firewall/m-p/186455#M56877 <P>you can use the /32 subnet but i would advise against this as this will most likely not&nbsp;produce the desired result and make things very complex</P> Fri, 10 Nov 2017 13:37:25 GMT https://live.paloaltonetworks.com/t5/general-topics/fail-to-configure-download-limitation-on-my-pa-firewall/m-p/186455#M56877 reaper 2017-11-10T13:37:25Z