07-20-2017 01:39 AM
Hey!
Is it possible with a PA-3020 and OS 7.1.7 to set a bandwidth limit for a complete subnet / subinterface?
No matter which application etc.
Thanks!
07-20-2017 03:02 AM
Hi @MPI-AE,
It is possible, yes. Please check the product info here:
https://www.paloaltonetworks.com/products/product-comparison.html?chosen=pa-3020
The QoS section, more specifically:
QoS | PA-3020
--- | ---
Number of QoS policies | 1,000
Physical interfaces supporting QoS | 6
Clear text nodes per physical interface | 31
DSCP marking by policy | Yes
Subinterfaces supported | System limit
System limit means that there is no defined hard limit. It is driven by system capacity.
Compared to a 5020, where it is NOT supported:
https://www.paloaltonetworks.com/products/product-comparison.html?chosen=pa-5020
QoS | PA-5020
--- | ---
Number of QoS policies | 1,000
Physical interfaces supporting QoS | 12
Clear text nodes per physical interface | 63
DSCP marking by policy | Yes
Subinterfaces supported | NA
Hope it helps!
-Kiwi
07-20-2017 03:04 AM - edited 07-20-2017 03:58 AM
But when I want to add an interface under Network -> QoS, it only shows me my physical interfaces.
But that doesn't matter. I can switch the subinterfaces to physical interfaces.
The more important question is: Can I apply a maximum bandwidth to all hosts in a subnet for all traffic?
For example guest users.
07-20-2017 04:10 AM - edited 07-20-2017 04:10 AM
Hi @MPI-AE,
QoS needs to be enabled per physical interface, but you can define subinterfaces in the configuration:
Cheers,
-Kiwi.
07-20-2017 04:40 AM
Hi @kiwi
It would be very nice if you could guide me through the configuration. That's very complex imo.
- Do I need a QoS profile with classes?
- Do I need a QoS policy rule where I define ssl and web-browsing and refer it to a class?
Questions over questions..
My subinterface is ae1.140. That's the interface where all guest hosts are connected, and I want to set a bandwidth limit of 50Mbps on this subinterface for the complete internet download traffic.
Could you please help me with that?
07-20-2017 04:55 AM
Hi @MPI-AE,
I suggest you start out here:
https://live.paloaltonetworks.com/t5/Featured-Articles/Getting-Started-Quality-of-Service/ta-p/68633
The above article is an excellent resource explaining how to configure QoS.
Cheers!
-Kiwi.
07-20-2017 05:06 AM - edited 07-20-2017 05:11 AM
Hi @kiwi
That means when I set up a QoS policy rule with the guest zone only, and in the QoS interface rule I only mention ae1.140, the bandwidth limitation is only applied to the ae1.140 subinterface?
Because there are 30 more subinterfaces beneath ae1.
That would be very dreadful if the limitation is applied to all ae1 subinterfaces.
And I'm afraid about the default profile:
07-20-2017 07:12 AM
The default profile is going to apply to the interface, but unless you are actually utilizing QoS policies, all traffic is just going to map to class4, which is the default on the Palo Alto.
If you are worried about affecting production traffic, I would contact your SE and ask for a time to walk through this with him to make sure that you actually configure everything correctly and you aren't going to be applying bandwidth constraints where you don't want to.
07-21-2017 05:52 AM
You would need to actually enable QoS on that interface, but otherwise, if your intention is to simply limit the egress bandwidth, then this would function fine.
07-21-2017 10:04 AM
I enabled it on the interface, but unfortunately traffic from the guest network isn't limited.
When I download a file, I have a download rate of 200Mbit/s.
But I want it to be 50 Mbit/s.
When I take a look at the QoS Interface Statistics, I observe that the download rate increases in the default-group, not in the guest group:
What is wrong?
07-21-2017 10:38 AM
Not knowing how your network is set up, I just want to verify that we are talking about egress traffic here, right? In this scenario where you are downloading a file, this is ingress traffic, right? Because egress is traffic leaving the subinterface. Downloading a file is going to have the subinterface as the ingress interface.
So say, for example, I look at this 1.1 gig file I just downloaded. The egress interface is ethernet1/2, which is my untrust/outside interface; this means that my ingress interface is ae2, or my trust/inside network. The reason this isn't working is because you have egress max set up for the ingress interface when it comes to downloading.
07-21-2017 10:39 AM
That has a good explanation of how to go about limiting downloads; although it's not the focus of the document, you can get a good understanding of it from there.
07-21-2017 11:05 AM - edited 07-21-2017 11:06 AM
Now I'm confused!
Please take a look at that link:
My external interface is 1/20. My internal interface is ae1. The Guest Network is a subinterface of ae1. (-> ae1.140)
So when I download a file, the packets come in at 1/20, and leave the firewall at ae1.140 to my client.
So in my opinion, the egress interface is ae1.
"For example, in an enterprise network, if you are limiting employees’ download traffic from a specific website, the egress interface in the QoS configuration is the firewall’s internal interface, as the traffic flow is from the Internet, through the firewall, and to your company network. "
07-21-2017 11:22 AM
Query the traffic in your traffic logs and see what the firewall itself is labeling as the Egress/Ingress interface. On the traffic log you can search '(addr in 10.191.16.61) and ( bytes geq 180000000 )', replacing the IP address obviously with whatever the machine's IP address was. This will catch the 200mb file you downloaded.
In your column options you will likely need to check Egress I/F and Ingress I/F so that it's actually displayed. This will tell you exactly what your Ingress and Egress were recorded as. My guess would be that you'll see what I have laid out below, where your Ingress will be your subinterface and your Egress is going to be your 1/20 interface.
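The log check suggested in the reply above, as an added example that is not part of the thread: a small script that reads a constructed PAN-OS traffic-log CSV export, applies the equivalent of the `(addr in <ip>) and (bytes geq <n>)` filter, and then sums download bytes per interface they leave the firewall on. The CSV layout, column names and every value in `SAMPLE_LOG` are assumptions made up for this example; only the idea of the Ingress I/F, Egress I/F and Bytes fields comes from the thread. The one fact the check relies on is that a traffic-log entry describes a session from the client-to-server side, so the server-to-client (download) bytes leave on the interface the log lists as Ingress I/F, which is what the documentation quoted earlier in the thread calls the egress interface for limiting downloads.

```python
"""Constructed example: find which firewall interface guest downloads leave on.

Assumptions (not from the thread): the CSV layout and all values in SAMPLE_LOG
are invented; column names are short forms of the log fields the reply
mentions (Ingress I/F, Egress I/F, Bytes, bytes sent/received).
"""
import csv
import io
import ipaddress
from collections import Counter

# Constructed traffic-log export. One line per session, recorded from the
# client-to-server side: ingress_if is where the client's packets entered,
# egress_if is where they left, bytes_received is the server-to-client volume.
SAMPLE_LOG = """\
receive_time,src,dst,bytes_sent,bytes_received,ingress_if,egress_if,app
2017/07/21 09:58:01,10.191.16.61,93.184.216.34,48213,210504312,ae1.140,ethernet1/20,web-browsing
2017/07/21 09:58:05,10.191.16.61,93.184.216.34,1020,3044,ae1.140,ethernet1/20,ssl
2017/07/21 09:59:10,10.10.5.7,93.184.216.34,8011,50000,ae1.20,ethernet1/20,ssl
2017/07/21 10:01:44,93.184.216.34,10.191.16.61,84,0,ethernet1/20,ae1.140,ping
"""


def parse_log(text):
    """Parse the CSV export into dicts, converting byte counters to int."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["bytes_sent"] = int(row["bytes_sent"])
        row["bytes_received"] = int(row["bytes_received"])
        # The log's Bytes column is the total of both directions.
        row["bytes"] = row["bytes_sent"] + row["bytes_received"]
        rows.append(row)
    return rows


def matches(rec, addr, min_bytes):
    """Equivalent of the log filter '(addr in <ip>) and (bytes geq <n>)'."""
    return addr in (rec["src"], rec["dst"]) and rec["bytes"] >= min_bytes


def download_bytes_by_egress_interface(records, client_subnet):
    """Sum download bytes per firewall interface they actually leave on.

    Client-initiated session: the download is the server-to-client direction,
    which exits on the log's Ingress I/F (the client-facing interface).
    Session initiated from outside towards a client: the bytes heading to the
    client are bytes_sent and exit on the log's Egress I/F.
    """
    net = ipaddress.ip_network(client_subnet)
    totals = Counter()
    for rec in records:
        if ipaddress.ip_address(rec["src"]) in net:
            totals[rec["ingress_if"]] += rec["bytes_received"]
        elif ipaddress.ip_address(rec["dst"]) in net:
            totals[rec["egress_if"]] += rec["bytes_sent"]
    return totals


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    # Same filter as in the reply: the guest host plus a 180 MB threshold.
    for r in recs:
        if matches(r, "10.191.16.61", 180_000_000):
            print(f"{r['app']}: ingress={r['ingress_if']} "
                  f"egress={r['egress_if']} bytes={r['bytes']}")
    # Interface whose egress shaping governs the guest subnet's downloads.
    for iface, total in download_bytes_by_egress_interface(
            recs, "10.191.16.0/24").items():
        print(f"downloads leave the firewall on {iface}: {total} bytes")
```

With the constructed data the filtered session shows `ingress=ae1.140 egress=ethernet1/20`, exactly the labelling the reply predicts, while the per-interface sum shows all guest download bytes exiting on ae1.140; the two views describe the same session from opposite directions, so read the log columns with that in mind before deciding which interface needs the egress-max profile.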