Drop DSCP marked traffic


L1 Bithead

Hi, I am looking for a way to define a DSCP value as a condition for a rule. I would like to drop traffic that was previously marked before entering the PAN FW.

Any ideas?



L6 Presenter

Hi... We cannot define a security rule to match on the DSCP marking/value. We can override the DSCP value and set it to another value by matching on the application, traffic, etc.

Maybe you can describe what you're trying to enforce?

Thanks for the reply

I am marking specific traffic elsewhere on the network that I would like to block outbound before reaching the Internet access point. I was hoping to use PAN to block this marked traffic, with additional higher priority exception rules for OS updates/AV updates/etc.

I guess that you have confirmed what I was able to find in the config, so I will address this through other means.


Since this marked traffic will reach the PA device anyway, may I suggest we let the PA device ID the traffic. The traffic may match one of our 1500 apps and you can simply define a policy to block the app/traffic.

