07-20-2017 04:44 AM
Hi,
We need to create a QoS rule based on application, like (business applications will use ISP1 and general browsing will use ISP2).
07-20-2017 05:03 AM
Hi @ali.mathur,
I believe you are mixing up QoS with PBF.
With QoS (Quality of Service) you can limit or guarantee bandwidth based on application.
With PBF (Policy Based Forwarding) you can choose to have certain applications use a different link without needing to tweak the routing table.
Based on your initial post I'm guessing you are looking for a PBF solution instead of QoS.
Check out the following article that explains PBF in detail:
Hope it helps!
-Kiwi
07-20-2017 07:30 AM
Hi Kiwi,
Thanks for your reply, now I understand the difference between QoS and PBF.
I need more clarification on PBF with applications: how to include non-business-related traffic in PBF. As per the document below we can select web-browsing, but most of the traffic is detected as a different application (for example, if I access facebook.com it shows facebook-base) and it is utilising our main link bandwidth.
07-21-2017 06:06 AM
You would generally take the path of least resistance so it's easier. So instead of applying a PBF for general-browsing, because it would be a lot of applications, focus on your business traffic instead and set your default route to route the general traffic to the proper interface.
One thing to remember about application based PBF is the PBF is only going to be applied once your listed application is actually identified, which means the first few packets will go out your default route until it passes to what you've identified in the PBF policy.
07-22-2017 11:04 PM
07-23-2017 12:36 AM - edited 07-23-2017 03:25 AM
Hi @ali.mathur
No, this is not possible - at least not for the first session.
Service Versus Applications in PBF
PBF rules are applied either on the first packet (SYN) or the first response to the first packet (SYN/ACK). This means that a PBF rule may be applied before the firewall has enough information to determine the application. Therefore, application-specific rules are not recommended for use with PBF. Whenever possible, use a service object, which is the Layer 4 port (TCP or UDP) used by the protocol or application.
However, if you specify an application in a PBF rule, the firewall performs App-ID caching. When an application passes through the firewall for the first time, the firewall does not have enough information to identify the application and therefore cannot enforce the PBF rule. As more packets arrive, the firewall determines the application and creates an entry in the App-ID cache and retains this App-ID for the session.
When a new session is created with the same destination IP address, destination port, and protocol ID, the firewall could identify the application as the same from the initial session (based on the App-ID cache) and apply the PBF rule. Therefore, a session that is not an exact match and is not the same application, can be forwarded based on the PBF rule.
Further, applications have dependencies and the identity of the application can change as the firewall receives more packets. Because PBF makes a routing decision at the start of a session, the firewall cannot enforce a change in application identity. YouTube, for example, starts as web-browsing but changes to Flash, RTSP, or YouTube based on the different links and videos included on the page. However with PBF, because the firewall identifies the application as web-browsing at the start of the session, the change in application is not recognized thereafter.
Source: https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/policy/pbf#_80499
This will also be a "problem" in your other topic with 3 ISPs on one firewall
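The App-ID cache behaviour quoted above, as a simplified Python model added here for illustration (not PAN-OS code and not part of the original posts). The class, the link names, the application name `business-app` and the addresses are constructed; cache aging and refresh are not modelled.

```python
# Simplified model of application-based PBF with App-ID caching.
# Assumption: one PBF rule sends "business-app" to ISP1; the default route is ISP2.

class PbfFirewall:
    def __init__(self, pbf_rules, default_link):
        self.pbf_rules = pbf_rules        # application name -> egress link
        self.default_link = default_link  # link chosen by the routing table
        self.app_cache = {}               # (dst_ip, dst_port, proto) -> application

    def new_session(self, dst_ip, dst_port, proto, real_app):
        """Return (egress_link, application_assumed_on_first_packet)."""
        key = (dst_ip, dst_port, proto)
        # The forwarding decision is taken on the first packet, before any
        # payload has been inspected, so only the cache can name an application.
        assumed = self.app_cache.get(key)
        link = self.pbf_rules.get(assumed, self.default_link)
        # Later packets identify the application; an entry is created for
        # future sessions, but this session's egress link is already fixed.
        if key not in self.app_cache:
            self.app_cache[key] = real_app
        return link, assumed


def demo():
    fw = PbfFirewall(pbf_rules={"business-app": "ISP1"}, default_link="ISP2")
    shared = ("203.0.113.10", 443, "tcp")  # constructed destination
    return [
        # 1st session: nothing cached, PBF cannot match, default route is used.
        fw.new_session(*shared, real_app="business-app"),
        # 2nd session, same destination: cache hit, PBF rule applies.
        fw.new_session(*shared, real_app="business-app"),
        # Different application to the same IP/port/protocol: still forwarded
        # by the PBF rule, because the cache entry is all the firewall has.
        fw.new_session(*shared, real_app="facebook-base"),
        # Same application to a new destination: no cache entry, default route.
        fw.new_session("203.0.113.20", 443, "tcp", real_app="facebook-base"),
    ]


if __name__ == "__main__":
    for link, assumed in demo():
        print(f"egress={link} assumed_app={assumed}")
```

Matching on a service object (Layer 4 port) instead of an application removes the dependency on the cache, which is why the quoted documentation recommends it.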