QoS profiles on Aggregate interfaces

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

QoS profiles on Aggregate interfaces

Not applicable

In advance - thank you for your help.

I am trying to create a QoS profile.  Here is my scenario.  I want to apply a QoS profile to a public IP I own to do one of two things.  1 Give it priority over other traffic OR (complete opposite) rate-limit traffic FROM this IP out of my Internet interface on my PA.

What I am testing:

Created a QoS Profile called Test20 and gave it a 20 mbits egress maximum.  Left guaranteed at 0.  I associated to Class 8.

Created a QoS Policy and added my IP/zone as source and Internet/any/any as destination.

My problem:  When I navigate to Network - QoS - I am unable to add my interface.  The box 'Physical Interface' doesn't have what my Internet Egress interface is.  I have Ethernet23/Ethernet/24 in an Aggregate group.  I have a sub-interface off this aggregate which is my internet interface.  My speedtest.net testing will go out this interface to my edge router.  How can I apply a QoS policy as described above?  Is this even possible?

PA-5050 running 5.0.8

Thanks again.

1 accepted solution

Accepted Solutions

L3 Networker

Hello Zach,

QoS is not supported on the PA firewalls at this time which is why you are not seeing it in the Physical Interface drop down of the QoS configuration.

A feature request (ID 1058) has been submitted for this but there is no ETA on when it would be fulfilled at the moment.

Regards,

tasonibare

View solution in original post

6 REPLIES 6

L3 Networker

Hello Zach,

QoS is not supported on the PA firewalls at this time which is why you are not seeing it in the Physical Interface drop down of the QoS configuration.

A feature request (ID 1058) has been submitted for this but there is no ETA on when it would be fulfilled at the moment.

Regards,

tasonibare

L0 Member

Hi Zach,

We ran into the same issue. QOS isn't supported on aggregate interfaces.  This issue is due to hardware not supporting it on lower firewall models, like PA200, PA500.  However, on higher models, such as the 5000 series, it's not supported due to software. Therefore, there is a chance it will be supported for the higher models in future PANOS software.

We ended up separating our MPLS and Internet connections into non-aggregate interfaces.  We only kept the zones/vlans for our actual resources, such as PCI vlans, VDI vlans, etc... If you were using aggregate interface to allow for redundancy and/or more bandwidth, you can accomplish that with HA firewalls and/or using bgp/ospf routing.  This worked great for us, we went with ibgp. Now we are able to do QOS and traffic shaping for traffic to MPLS and/or Internet. Hope this helps.

L1 Bithead

Any news on feature request ID 1058 ? we're also waiting for the feature. PA-3020.

Patrick,

Palo Alto does not discuss road map items in public forums.  You should contact your Palo Alto sales engineer and do two things.

1-vote for the FR 1058 so your desire is recorded

2-ask for what road map updates he is able to provide

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

Another vote for QoS support on Aggregate Ethernets! I see it is still missing in 6.1. Have not looked at 7.0.

It's in 7.0.  Supports 5000, 3000, 2000, and 500s.  (The 7000 supported QoS on AE interfaces in 6.1). 

  • 1 accepted solution
  • 4733 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!