How to Create QoS rule based on application


L1 Bithead

Hi,

We need to create a QoS rule based on application, like (business applications will use ISP1 and general browsing will use ISP2).


Community Team Member

Hi @ali.mathur,

I believe you are mixing up QoS with PBF.

With QoS (Quality of Service) you can limit or guarantee bandwidth based on application.

With PBF (Policy Based Forwarding) you can choose to have certain applications use a different link without needing to tweak the routing table.

Based on your initial post I'm guessing you are looking for a PBF solution instead of QoS.

Check out the following article that explains PBF in detail:

https://live.paloaltonetworks.com/t5/Featured-Articles/Getting-Started-Policy-Based-Forwarding/ta-p/...

Hope it helps!

-Kiwi


Hi Kiwi,

Thanks for your reply, now I understand the difference between QoS and PBF.

I need more clarification on PBF with application: how to include non-business-related traffic in PBF. As per the below document we can select web-browsing, but most of the traffic is detected as a different application (for example, if I access facebook.com it shows as facebook-base) and it is utilising our main link bandwidth.

@ali.mathur,

You would generally take the path of least resistance so it's easier. So instead of applying a PBF for general browsing, because it would be a lot of applications, focus on your business traffic instead and set your default route to route the general traffic to the proper interface.

One thing to remember about application-based PBF is that the PBF is only going to be applied once your listed application is actually identified, which means the first few packets will go out your default route until it passes to what you've identified in the PBF policy.

Hi BPry, the main issue with PBF is that it's not showing the main applications, like email, business-system, etc. (as PA is detecting under "Application Usage"). Is there any way to detect business applications under PBF?

Hi @ali.mathur

No, this is not possible - at least not for the first session.

Service Versus Applications in PBF

PBF rules are applied either on the first packet (SYN) or the first response to the first packet (SYN/ACK). This means that a PBF rule may be applied before the firewall has enough information to determine the application. Therefore, application-specific rules are not recommended for use with PBF. Whenever possible, use a service object, which is the Layer 4 port (TCP or UDP) used by the protocol or application.

However, if you specify an application in a PBF rule, the firewall performs App-ID caching. When an application passes through the firewall for the first time, the firewall does not have enough information to identify the application and therefore cannot enforce the PBF rule. As more packets arrive, the firewall determines the application and creates an entry in the App-ID cache and retains this App-ID for the session. When a new session is created with the same destination IP address, destination port, and protocol ID, the firewall could identify the application as the same from the initial session (based on the App-ID cache) and apply the PBF rule. Therefore, a session that is not an exact match and is not the same application can be forwarded based on the PBF rule.

Further, applications have dependencies and the identity of the application can change as the firewall receives more packets. Because PBF makes a routing decision at the start of a session, the firewall cannot enforce a change in application identity. YouTube, for example, starts as web-browsing but changes to Flash, RTSP, or YouTube based on the different links and videos included on the page. However, with PBF, because the firewall identifies the application as web-browsing at the start of the session, the change in application is not recognized thereafter.

Source: https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/policy/pbf#_80499

This will also be a "problem" in your other topic with 3 ISPs on one firewall.
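As an added illustration (a constructed model, not PAN-OS code and not part of this thread): a small Python model of the App-ID caching behaviour the quoted documentation describes, with an application-based PBF rule beside the service-based rule the documentation recommends. The interface names, destination address, port and per-packet App-ID sequences are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass
class Session:
    dst_ip: str
    dst_port: int
    proto: str
    # What App-ID reports per packet; None until enough packets have been seen.
    app_per_packet: List[Optional[str]]

    def final_app(self) -> Optional[str]:
        return next((a for a in self.app_per_packet if a is not None), None)

class PbfModel:
    def __init__(self, default_egress: str, pbf_egress: str,
                 rule_app: Optional[str] = None, rule_port: Optional[int] = None):
        self.default_egress, self.pbf_egress = default_egress, pbf_egress
        self.rule_app, self.rule_port = rule_app, rule_port
        # App-ID cache keyed on destination IP, destination port and protocol.
        self.appid_cache: Dict[Tuple[str, int, str], str] = {}

    def route(self, s: Session) -> Tuple[str, Optional[str]]:
        key = (s.dst_ip, s.dst_port, s.proto)
        if self.rule_port is not None:
            # Service object: the L4 port is already in the SYN, so the match is exact.
            matched = s.dst_port == self.rule_port
        else:
            # Application object: on the first packet only a prior cache entry can match.
            matched = self.appid_cache.get(key) == self.rule_app
        egress = self.pbf_egress if matched else self.default_egress
        # Later packets identify the app and fill the cache for this tuple; the decision above is final.
        app = s.final_app()
        if app is not None:
            self.appid_cache[key] = app
        return egress, app

def app_rule_scenario() -> List[Tuple[str, Optional[str]]]:
    # Rule "web-browsing -> ISP2", default route ISP1, three sessions to the same tuple.
    fw = PbfModel("ISP1", "ISP2", rule_app="web-browsing")
    sessions = [
        Session("203.0.113.10", 443, "tcp", [None, None, "web-browsing"]),   # cache empty
        Session("203.0.113.10", 443, "tcp", [None, None, "web-browsing"]),   # cache hit
        Session("203.0.113.10", 443, "tcp", [None, None, "facebook-base"]),  # other app, same tuple
    ]
    return [fw.route(s) for s in sessions]

def service_rule_scenario() -> List[Tuple[str, Optional[str]]]:
    fw = PbfModel("ISP1", "ISP2", rule_port=443)  # service tcp/443: matched on the first packet
    return [fw.route(Session("203.0.113.10", 443, "tcp", [None, None, "web-browsing"]))]
```

The first web-browsing session leaves via the default route, the second is steered to ISP2 through the cache, and the facebook-base session to the same tuple is also steered to ISP2 despite not matching the rule, which is the behaviour the documentation warns about.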
