QoS profiles on Aggregate interfaces

QoS profiles on Aggregate interfaces

In advance - thank you for your help.

I am trying to create a QoS profile.  Here is my scenario.  I want to apply a QoS profile to a public IP I own to do one of two things.  1 Give it priority over other traffic OR (complete opposite) rate-limit traffic FROM this IP out of my Internet interface on my PA.

What I am testing:

Created a QoS Profile called Test20 and gave it a 20 mbits egress maximum.  Left guaranteed at 0.  I associated to Class 8.

Created a QoS Policy and added my IP/zone as source and Internet/any/any as destination.

My problem:  When I navigate to Network - QoS - I am unable to add my interface.  The box 'Physical Interface' doesn't have what my Internet Egress interface is.  I have Ethernet23/Ethernet/24 in an Aggregate group.  I have a sub-interface off this aggregate which is my internet interface.  My speedtest.net testing will go out this interface to my edge router.  How can I apply a QoS policy as described above?  Is this even possible?

PA-5050 running 5.0.8

Thanks again.

Re: QoS profiles on Aggregate interfaces

Hello Zach,

QoS is not supported on the PA firewalls at this time which is why you are not seeing it in the Physical Interface drop down of the QoS configuration.

A feature request (ID 1058) has been submitted for this but there is no ETA on when it would be fulfilled at the moment.



Re: QoS profiles on Aggregate interfaces

Hi Zach,

We ran into the same issue. QOS isn't supported on aggregate interfaces.  This issue is due to hardware not supporting it on lower firewall models, like PA200, PA500.  However, on higher models, such as the 5000 series, it's not supported due to software. Therefore, there is a chance it will be supported for the higher models in future PANOS software.

We ended up separating our MPLS and Internet connections into non-aggregate interfaces.  We only kept the zones/vlans for our actual resources, such as PCI vlans, VDI vlans, etc... If you were using aggregate interface to allow for redundancy and/or more bandwidth, you can accomplish that with HA firewalls and/or using bgp/ospf routing.  This worked great for us, we went with ibgp. Now we are able to do QOS and traffic shaping for traffic to MPLS and/or Internet. Hope this helps.

Re: QoS profiles on Aggregate interfaces

Any news on feature request ID 1058 ? we're also waiting for the feature. PA-3020.

Re: QoS profiles on Aggregate interfaces


Palo Alto does not discuss road map items in public forums.  You should contact your Palo Alto sales engineer and do two things.

1-vote for the FR 1058 so your desire is recorded

2-ask for what road map updates he is able to provide

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center
Re: QoS profiles on Aggregate interfaces

Another vote for QoS support on Aggregate Ethernets! I see it is still missing in 6.1. Have not looked at 7.0.

Re: QoS profiles on Aggregate interfaces

It's in 7.0.  Supports 5000, 3000, 2000, and 500s.  (The 7000 supported QoS on AE interfaces in 6.1). 

