Fail to configure download limitation on my pa firewall

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Fail to configure download limitation on my pa firewall

L1 Bithead

 

I want to limit download for our subnets. I configured a qos policy and a traffic class profile,  next apply on trust zone interface.  Then I saw in the statistic, there was  runtime bandwidth  in class 4,  it seemed that all traffic was defined as class 4,  there was not runtime in any other class.  Could you tell me where I wrongly configured ? Thanks.

 

image.pngimage.pngimage.png

1 accepted solution

Accepted Solutions

Let's make sure we have the concepts right:

You're trying to limit downloads, but in your first screenshot your policies have destination IP addresses, which would actually mean 'upload' (from the internet destined to the ip addresses)

 

The QoS policies first need to match the direction of a session:

You first need to determine in which direction your session is going to be initiated: will the session start from a client on your network, or from the internet.

You then create a QoS policy that matches that direction (don't mind up/down load just yet, we'll get to that in a second).

 

So if you want to apply policy to your internal client, you make a QoS policy from trust to untrust and apply a class.

If you want to limit what a client on the internet can do, create a policy from untrust to trust and apply a class.

 

 

Next step is to determine _what_ you want to limit: upload or download.

This is where it gets interesting: up- or download depends on the direction of your session; a download for your LAN clients flows in the exact opposite direction as a download for an internet based client (in this case he/she is "downloading" from your server, which in regards to your network is an upload but in regards of the session direction is a download).

 

To prevent all the confusion above QoS is set up this way.

 

You already created a policy based on the direction of the flow.

Now you need to add QoS profiles to your interfaces: QoS is applied on the egress interface

 

So, if you add a QoS profile on your untrust interface, you can limit everything going TO the internet (regardless if it's up- or download) and if you apply a QoS profile to your trust you can control everything going TO your LAN network.

 

Any sessions that previosuly hit a QoS policy will now be categorized as a certain class and an appropriate QoS action will be applied.

This also means that each flow can be controlled by 2 separate QoS profiles: one for the outgoing packets and one for incoming packets (eg you could limit outgoing packets to internet to 1mbps and limit returning packets to LAN to 5mbps)

 

 

 

tl;dr you probably need to switch your QoS policy to "trust to untrust"

 

Hope this helps

T

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

View solution in original post

7 REPLIES 7

L4 Transporter

Hello

 

Please take a look into https://live.paloaltonetworks.com/t5/Configuration-Articles/Apply-QoS-for-Youtube-or-Streaming-Media...

This is simple but should be a good start for You, as always please use "search" using QoS as a pattern there is a lot of topics with that

 

 

Regards

Slawek

also check out the Getting Started: Quality of Service

 

are you using NAT in your environment and are those hosts known to the outside as a public IP? you may need to set the pre-NAT IPs in the destination

 

 

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

My firewall outside interface connects to a router, the router translates all our private subnets into a public IP. Do you mean I need to define specified IP addresses insteaof any in the Qos of the policy ?

image.png

My failed configuration is referred from the link you mentioned. I want to limit all download traffic for my subnets, not for a special application.

Let's make sure we have the concepts right:

You're trying to limit downloads, but in your first screenshot your policies have destination IP addresses, which would actually mean 'upload' (from the internet destined to the ip addresses)

 

The QoS policies first need to match the direction of a session:

You first need to determine in which direction your session is going to be initiated: will the session start from a client on your network, or from the internet.

You then create a QoS policy that matches that direction (don't mind up/down load just yet, we'll get to that in a second).

 

So if you want to apply policy to your internal client, you make a QoS policy from trust to untrust and apply a class.

If you want to limit what a client on the internet can do, create a policy from untrust to trust and apply a class.

 

 

Next step is to determine _what_ you want to limit: upload or download.

This is where it gets interesting: up- or download depends on the direction of your session; a download for your LAN clients flows in the exact opposite direction as a download for an internet based client (in this case he/she is "downloading" from your server, which in regards to your network is an upload but in regards of the session direction is a download).

 

To prevent all the confusion above QoS is set up this way.

 

You already created a policy based on the direction of the flow.

Now you need to add QoS profiles to your interfaces: QoS is applied on the egress interface

 

So, if you add a QoS profile on your untrust interface, you can limit everything going TO the internet (regardless if it's up- or download) and if you apply a QoS profile to your trust you can control everything going TO your LAN network.

 

Any sessions that previosuly hit a QoS policy will now be categorized as a certain class and an appropriate QoS action will be applied.

This also means that each flow can be controlled by 2 separate QoS profiles: one for the outgoing packets and one for incoming packets (eg you could limit outgoing packets to internet to 1mbps and limit returning packets to LAN to 5mbps)

 

 

 

tl;dr you probably need to switch your QoS policy to "trust to untrust"

 

Hope this helps

T

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Thanks. It works. By the way, how can I limit download bandwidth base on per-IP instead of per-subnet?

you can use the /32 subnet but i would advise against this as this will most likely not produce the desired result and make things very complex

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
  • 1 accepted solution
  • 4085 Views
  • 7 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!