DSCP TAGING

Reply
Highlighted
L4 Transporter

DSCP TAGING

Hi

could you confirm me, if the tagging DSCP is not flushed via the Palo Alto.

I need to use an avaya VOIP solution and a dscp tag 46 is added to the packet.

thank's


Accepted Solutions
Highlighted
L7 Applicator

Re: DSCP TAGING

Hello Sir,


Packet Marking/Rewriting :

The PAN-OS QoS module is application centric and packets are forwarded to a class/queue based on the application, user and the type of traffic, but not based on IP precedence or DSCP bits. However if an upstream device marks the DSCP bits, PAN-OS maintains those bits as is. PAN-OS provides the flexibility to mark the DSCP or IP precedence bits in the packet to facilitate classification in downstream nodes. This functionality is decoupled from the QoS module, whether or not QoS is configured, you can still configure the system to mark certain flows. The configuration of which is in the options settings of the security policy rule.

Example:

DSCP.JPG.jpg

Please follow below mentioned doc for more detail information.

QoS in PAN-OS 4.1

Hope this helps.

Thanks

View solution in original post


All Replies
Highlighted
L7 Applicator

Re: DSCP TAGING

Hello Sir,


Packet Marking/Rewriting :

The PAN-OS QoS module is application centric and packets are forwarded to a class/queue based on the application, user and the type of traffic, but not based on IP precedence or DSCP bits. However if an upstream device marks the DSCP bits, PAN-OS maintains those bits as is. PAN-OS provides the flexibility to mark the DSCP or IP precedence bits in the packet to facilitate classification in downstream nodes. This functionality is decoupled from the QoS module, whether or not QoS is configured, you can still configure the system to mark certain flows. The configuration of which is in the options settings of the security policy rule.

Example:

DSCP.JPG.jpg

Please follow below mentioned doc for more detail information.

QoS in PAN-OS 4.1

Hope this helps.

Thanks

View solution in original post

Highlighted
L5 Sessionator

Re: DSCP TAGING

Hi,

If the tagging is happening before the traffic enters into the firewall. The firewall should not change the marking on the packets and should pass it as it is.  However is you need to mark it on the firewall that can be done as well.

Following taggings/marking are available in the Palo Alto firewalls.

What DSCP Markings are Available on the Palo Alto Networks Firewall?

Thank you

Numan

Highlighted
L4 Transporter

Re: DSCP TAGING

many thank's

Highlighted
L3 Networker

Re: DSCP TAGING

For a remote user on GP SSL VPN with a softphone which is dscp marked on the computer at dscp 46 then I can just add this to the vpn security rule and it will maintain this dscp markings from end to end QoS?  Its seems there's many methods of making this work, so I'm trying to find the one that fits us.  

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!