Basic QoS Understanding


So, I'm trying to get a clear understanding of QoS on the PA's.  Any feedback / answers would be appreciated:

Maximum Egress - Straight forward - the maximum amount of traffic you are allowing out.

Guaranteed Egress - This one I'm foggy on.  Is it only applied during congestion?  Or does it literally "carve out" that much of the pipe for that class?

The different classes - Do these function only to map traffic to priority queues, or are classes serviced in order? As in, if I have classes 2, 5 and 7 mapped to "High", will the PA service class 2 before 5? Or are priority queues just handled FIFO within themselves (as in, if packets from Class 2 and 7 hit the egress queue at the same time, it's whichever packet hit first)?




I guess you have already read QoS in PAN-OS 4.1?

The guaranteed egress is applied at all times, but the setting is of course how much bandwidth the specific class should get during congestion/overload of the interface.

However, I'm not sure if guaranteed bandwidth also means that the same amount of bandwidth cannot be used by the other classes - perhaps someone from PA could enlighten us? 🙂

Sure did.

And that is the big caveat about guaranteed bandwidth. After talking with my SE, it would seem that the guaranteed egress is NOT automatically carved out. So, if I give YouTube 5Mb of guaranteed bandwidth and there isn't any YouTube traffic, that 5Mb should be available for other traffic. But if YouTube hits the stream, it should start using that 5Mb for that traffic...

...unless YouTube is set to the Medium queue and some High-Priority traffic hits the scheduler? :)

I'm probably making this more difficult than it really is.

The queues are not absolute, such that High Priority traffic when congested would prevent any Medium Priority from flowing. From the command line, if you run "show qos counter" you will see that each class has the base (guaranteed) and max bandwidth you supplied. These two settings, along with the priority, help generate an amount of "shares" that the class has. Here is a shot of what mine looks like:

QoS counter for interface ethernet1/2:
number of queued packets: 5

Parent     Qid node            base-bw ldshare  max-bw   pass-pak   drop-pak   time-out delay      vtime qlen qlmt
      1       0 default-group     90000       0   90000          0          0          0                0    0  150
                -Class 1           2000   38000   40000        521          0          0     0         16    0  150
                -Class 2           8000   32000   40000     233882          0          0     1       2228    0  150
                -Class 3           9000   31000   40000      28091         63          0     0         10    0  150
                -Class 4          11000   14750   70000     527197        190          0     0          0    0  150
                -Class 5           7000   13250   60000      75099          7          0     0          0    0  150
                -Class 6           4000    6500   30000      19273          0          0     0        523    0  150
                -Class 7          10000    4375   80000    1061396        133          0     1      14701    2  150
                -Class 8          10000    4375   80000     895142       1149          0     0          0    0  150
      4       1 regular-traffic   90000       0   90000          0          0          0                0    0  150
      4       2 tunnel-traffic        1   89999   90000          0          0          0                0    0  150
      4       3 bypass-traffic    90000       0   90000          0          0          0                0    0  150
      *         -Class 4          90000       0   90000        330          0          0     0          0    0  150
     -1       4 ethernet1/2       90000       0   90000          0          0          0                0    0  150
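An added example, not code from the post above or from Palo Alto Networks: a small Python parser for the "show qos counter" output pasted above. It pulls out each class row, reports the per-class drop ratio (drop-pak over pass-pak plus drop-pak), and computes (max-bw - base-bw) / ldshare. In the pasted numbers that quotient works out to exactly 1, 4 or 16 depending on the class, which is consistent with the poster's remark that base, max and priority together produce the "shares"; the page does not say how PAN-OS uses it internally, so treat the divisor as an observation about this output rather than documented behaviour. The 0.1% drop threshold is an assumption for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample input: the "show qos counter" output pasted in the post above,
# reproduced here so the example runs offline.
SAMPLE = """\
QoS counter for interface ethernet1/2:
number of queued packets: 5
Parent     Qid node            base-bw ldshare  max-bw   pass-pak   drop-pak   time-out delay      vtime qlen qlmt
      1       0 default-group     90000       0   90000          0          0          0                0    0  150
                -Class 1           2000   38000   40000        521          0          0     0         16    0  150
                -Class 2           8000   32000   40000     233882          0          0     1       2228    0  150
                -Class 3           9000   31000   40000      28091         63          0     0         10    0  150
                -Class 4          11000   14750   70000     527197        190          0     0          0    0  150
                -Class 5           7000   13250   60000      75099          7          0     0          0    0  150
                -Class 6           4000    6500   30000      19273          0          0     0        523    0  150
                -Class 7          10000    4375   80000    1061396        133          0     1      14701    2  150
                -Class 8          10000    4375   80000     895142       1149          0     0          0    0  150
      4       1 regular-traffic   90000       0   90000          0          0          0                0    0  150
      4       2 tunnel-traffic        1   89999   90000          0          0          0                0    0  150
      4       3 bypass-traffic    90000       0   90000          0          0          0                0    0  150
      *         -Class 4          90000       0   90000        330          0          0     0          0    0  150
     -1       4 ethernet1/2       90000       0   90000          0          0          0                0    0  150
"""


@dataclass
class ClassCounter:
    group: str      # the group/node row this class row was printed under
    cls: int
    base_bw: int    # guaranteed bandwidth as shown by the firewall
    ldshare: int
    max_bw: int
    pass_pak: int
    drop_pak: int
    qlen: int
    qlmt: int


# Group rows start with a parent id (may be -1), then a qid, then the node name.
GROUP_RE = re.compile(r"^\s*-?\d+\s+\d+\s+(\S+)\s+\d+")
# Class rows: "-Class N" followed by the ten numeric columns of the table.
CLASS_RE = re.compile(r"-Class\s+(\d+)\s+" + r"\s+".join([r"(\d+)"] * 10) + r"\s*$")


def parse_qos_counter(text: str) -> List[ClassCounter]:
    """Return one ClassCounter per '-Class N' row, tagged with the enclosing group."""
    rows: List[ClassCounter] = []
    group = "?"
    for line in text.splitlines():
        m = CLASS_RE.search(line)
        if m:
            f = [int(x) for x in m.groups()]
            # f: cls, base, ldshare, max, pass, drop, time-out, delay, vtime, qlen, qlmt
            rows.append(ClassCounter(group, f[0], f[1], f[2], f[3], f[4], f[5], f[9], f[10]))
            continue
        g = GROUP_RE.match(line)
        if g:
            group = g.group(1)
    return rows


def drop_ratio(c: ClassCounter) -> float:
    """Fraction of this class's packets that were dropped (0.0 if it saw no traffic)."""
    total = c.pass_pak + c.drop_pak
    return c.drop_pak / total if total else 0.0


def share_divisor(c: ClassCounter) -> Optional[float]:
    """(max-bw - base-bw) / ldshare; None when ldshare is 0 (e.g. base == max).
    Observed as 1, 4 or 16 in the pasted output; meaning inside PAN-OS is an assumption."""
    return (c.max_bw - c.base_bw) / c.ldshare if c.ldshare else None


def classes_with_drops(rows: List[ClassCounter], min_ratio: float = 0.001) -> List[ClassCounter]:
    """Classes whose drop ratio meets the (assumed) threshold, in table order."""
    return [c for c in rows if drop_ratio(c) >= min_ratio]


if __name__ == "__main__":
    for c in parse_qos_counter(SAMPLE):
        print(f"{c.group:16} class {c.cls}: base={c.base_bw} max={c.max_bw} "
              f"divisor={share_divisor(c)} drops={drop_ratio(c):.4%}")
```

Run as-is it prints one line per class; the classes it flags with classes_with_drops are the ones worth checking against the guaranteed value you gave them, since a dropping class that is still under its base-bw points at the guarantee not being honoured rather than at the class simply exceeding its max.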

hi all,

I'd like to continue this thread because I've got some doubts as well :)

1) In the doc "QoS in PAN-OS 4.1" they mention:

3) Configure QoS on the interface

b) The sum of the “Egress Max” bandwidth on clear text tab and tunnel traffic tab should be less or equal to the interfaces egress max bandwidth.

It doesn't make sense to me, because if there is no tunnel traffic I want my clear-text traffic to use the maximum available bandwidth of the interface; however, it makes sense to me that the sum of Guaranteed Egress (10 + 10) should be less than or equal to the max egress of the interface.


2) considering these settings

Qos-profile (G: 2Mbps, Max: 2Mbps)

class 1 (G: 1Mbps, Max: 2Mbps) - priority high

class 2 (G: 1Mbps, Max: 2Mbps) - priority medium

class 3 (G: 0 - so unlimited?, Max: 2Mbps) priority realtime

if there is congestion and traffic of class 1, class 2 and class 3 hits the PA as follows:

class3 - 1,5Mbps

class2 - 1Mbps

class1 - 1Mbps

what will the result be?

I guess that classes 3 and 1 would not prevent class 2 from flowing, but the share for it would be minimal?

3) Default QoS profile and its classes 6,7,8 have low priority.

If there is congestion and traffic hits all of the classes, will it be shared equally?

4) in a situation where traffic enters the PA from source interfaces 1/1 and 1/2.110 but uses the same egress interface 1/10


considering that both QoS profiles have the same parameters for class 2 (the same priority) and there is only class 2 traffic (from both source interfaces), should the bandwidth be shared equally when using egress interface 1/10?



For Basic QoS.....

Eth1-------[ PA Virt Router ]------- Eth2

Trust                                             Untrust

Max BW :  If you have a limit like 30Mbps, set this to 30. Otherwise set it to the Negotiated speed (1000).  The older code used to assume the negotiated speed is the MAX in the event that this was left empty.

Guaranteed BW:  Leave this blank

QoS Profile: select the default profile. There are no MAX or Guarantee values configured. Leave it this way.

QoS Policy: Pick an application, group or filter (All VOIP Apps) and assign it class 1. All undefined apps default to class 4. You can specify zones and addresses, but why bother?

Configuring QoS on Eth2 will limit how much traffic (my example was 30M) gets sent to the internet.

Configure QoS on Eth1 will limit traffic from internet to user to 30M.

This is Weighted Fair Queueing. You have 8 buckets. Application packets are placed in a queue. Real-time queues are emptied more often than the other queues. You can click the Statistics link in the NETWORK tab and the QoS panel on the left edge. This will display a nice graph and stats for each class.

If you choose to use values in the QoS profile, all of the classes added together need to match the total value used in Max Egress and Guaranteed Egress. Guaranteed Egress is a method to reserve a certain minimum BW for certain types of traffic. If the basic method fails to provide the performance you need, then test the guarantees.

One down side to this is if you have Multiple LAN side interfaces and you limit all of them to 30M, even traffic from LAN1 to LAN2 will be limited to 30M.

One method around this would be to create a VRouter just for rate limiting, or a virtual wire, and a second VR for security policies. User-to-user traffic would be unlimited in this case.

Steve Krall
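As an added illustration of the guaranteed-versus-max question that runs through this thread (the SE's "not carved out" answer earlier and the "reserve a certain minimum BW" description in the post above), here is a Python model of a shaper with per-class guaranteed and maximum bandwidth. It is not PAN-OS code and not Palo Alto Networks' documented algorithm: it assumes a two-pass policy (first honour each class's guarantee up to its actual demand, then water-fill the leftover link capacity across classes that still want more, by a per-class weight and capped at each class's maximum), with the weight standing in for priority. The class names, profile numbers and demands are constructed for the example; the oversubscribed-guarantee branch is a modelling choice.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class QosClass:
    name: str
    guaranteed: float  # Mbps this class gets first, but only while it has traffic
    maximum: float     # Mbps ceiling for this class
    weight: float      # share of spare capacity vs. other classes (stand-in for priority; assumed > 0)


# Constructed profile for a 30 Mbps uplink, mirroring the thread's examples:
# VoIP in class 1, YouTube given a 5 Mbps guarantee, everything else in class 4.
CLASSES: List[QosClass] = [
    QosClass("voip", guaranteed=5.0, maximum=30.0, weight=4.0),
    QosClass("youtube", guaranteed=5.0, maximum=8.0, weight=1.0),
    QosClass("other", guaranteed=0.0, maximum=30.0, weight=1.0),
]


def allocate(link_mbps: float, classes: List[QosClass], demand: Dict[str, float]) -> Dict[str, float]:
    """Return the Mbps granted to each class for the given per-class offered load.

    Pass 1: each class receives min(demand, guaranteed). An idle class keeps
    nothing, so its guarantee is NOT carved out of the link for it.
    Pass 2: leftover capacity is water-filled over classes that still want
    more, proportionally to weight and capped at min(demand, maximum).
    """
    want = {c.name: min(demand.get(c.name, 0.0), c.maximum) for c in classes}
    alloc = {c.name: min(want[c.name], c.guaranteed) for c in classes}
    remaining = link_mbps - sum(alloc.values())
    if remaining < 0:
        # Active guarantees exceed the link: scale the pass-1 grants down
        # proportionally (modelling choice, not documented PAN-OS behaviour).
        scale = link_mbps / sum(alloc.values())
        return {k: v * scale for k, v in alloc.items()}
    while remaining > 1e-9:
        hungry = [c for c in classes if alloc[c.name] + 1e-9 < want[c.name]]
        total_w = sum(c.weight for c in hungry)
        if not hungry or total_w <= 0:
            break
        given = 0.0
        for c in hungry:
            # Weighted slice of what is left, but never past this class's cap/demand.
            grant = min(want[c.name] - alloc[c.name], remaining * c.weight / total_w)
            alloc[c.name] += grant
            given += grant
        remaining -= given
    return alloc


if __name__ == "__main__":
    # YouTube idle: its 5 Mbps guarantee is usable by "other".
    print(allocate(30.0, CLASSES, {"voip": 2.0, "youtube": 0.0, "other": 40.0}))
    # YouTube active: it gets its guarantee, then spare capacity up to its max.
    print(allocate(30.0, CLASSES, {"voip": 2.0, "youtube": 10.0, "other": 40.0}))
```

In the first scenario "other" receives 28 Mbps, i.e. everything the 2 Mbps of VoIP leaves, because the idle YouTube class holds nothing; in the second, YouTube gets its 5 Mbps guarantee plus spare capacity up to its 8 Mbps max while "other" takes the remaining 20 Mbps, and the link stays fully used. The point a practitioner should take from the model is that guaranteed and max are constraints on the allocation, not fixed slices, which is the behaviour the SE described.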


Can you describe this configuration?

"One method around this would be to create a VRouter just for rate limiting"

I would appreciate it.
