- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
Enhanced Security Measures in Place: To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.
tags: next-generation firewall, network security, routing, QoS, advanced administration
This Nominated Discussion Article is based on the post " Confused about QoS on Palo, need some assistance" by @latechguy and answered by Cyber Elite @TomYoung Read on to see his response!
My understanding is that QoS only really applies to egress.
The issue I faced this week was with Apple updates killing the ingress and impacting sip trunks.
Egress didn't appear to be an issue.
Now with that said, would applying QoS within our Palos help in any way when it comes to the sip trunks if the issue is with ingress being saturated?
What could you possibly do in this case?
Yes! This can be done. See the 2nd paragraph in this article. https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClS0CAK
" An important concept to keep in mind is that a QoS profile is applied on the egress interface of a packet that is traveling through the firewall. This would mean, for example, that to limit upload, a QoS profile needs to be enabled on the untrust interface and to limit download, a QoS profile needs to be enabled on the trust interface. "
You can limit your untrust ingress by applying policy to your trust egress, especially with TCP-based traffic, which will decrease the sliding window based upon packet loss. The article also has good stuff for your SIP trunks.
Thanks,
Tom