DSCP TAGING

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

DSCP TAGING

L4 Transporter

Hi

could you confirm me, if the tagging DSCP is not flushed via the Palo Alto.

I need to use an avaya VOIP solution and a dscp tag 46 is added to the packet.

thank's

1 accepted solution

Accepted Solutions

L7 Applicator

Hello Sir,


Packet Marking/Rewriting :

The PAN-OS QoS module is application centric and packets are forwarded to a class/queue based on the application, user and the type of traffic, but not based on IP precedence or DSCP bits. However if an upstream device marks the DSCP bits, PAN-OS maintains those bits as is. PAN-OS provides the flexibility to mark the DSCP or IP precedence bits in the packet to facilitate classification in downstream nodes. This functionality is decoupled from the QoS module, whether or not QoS is configured, you can still configure the system to mark certain flows. The configuration of which is in the options settings of the security policy rule.

Example:

DSCP.JPG.jpg

Please follow below mentioned doc for more detail information.

QoS in PAN-OS 4.1

Hope this helps.

Thanks

View solution in original post

4 REPLIES 4

L7 Applicator

Hello Sir,


Packet Marking/Rewriting :

The PAN-OS QoS module is application centric and packets are forwarded to a class/queue based on the application, user and the type of traffic, but not based on IP precedence or DSCP bits. However if an upstream device marks the DSCP bits, PAN-OS maintains those bits as is. PAN-OS provides the flexibility to mark the DSCP or IP precedence bits in the packet to facilitate classification in downstream nodes. This functionality is decoupled from the QoS module, whether or not QoS is configured, you can still configure the system to mark certain flows. The configuration of which is in the options settings of the security policy rule.

Example:

DSCP.JPG.jpg

Please follow below mentioned doc for more detail information.

QoS in PAN-OS 4.1

Hope this helps.

Thanks

L5 Sessionator

Hi,

If the tagging is happening before the traffic enters into the firewall. The firewall should not change the marking on the packets and should pass it as it is.  However is you need to mark it on the firewall that can be done as well.

Following taggings/marking are available in the Palo Alto firewalls.

What DSCP Markings are Available on the Palo Alto Networks Firewall?

Thank you

Numan

many thank's

For a remote user on GP SSL VPN with a softphone which is dscp marked on the computer at dscp 46 then I can just add this to the vpn security rule and it will maintain this dscp markings from end to end QoS?  Its seems there's many methods of making this work, so I'm trying to find the one that fits us.  

  • 1 accepted solution
  • 7705 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!