Palo Alto Bandwidth Throttling

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Palo Alto Bandwidth Throttling

L2 Linker

Hello Everyone,

I have a question regarding Palo Altos and bandwidth throttling. I know that the Palo Altos can do QoS to limit the bandwidth for specific applications, but can the Palo Altos just do bandwidth throttling with different networks? Say for instance, we have an office and guest network going to a Palo Alto firewall. Can you do a QoS with the Guest network so that its bandwidth doesn't go above a specific limit, say 20Mbps? Any help is appreciated.

Thanks,

Mark

1 accepted solution

Accepted Solutions

Of course Yes. Please read this two documents:

https://live.paloaltonetworks.com/docs/DOC-3439

Also you can look at the following doc as well:

https://live.paloaltonetworks.com/docs/DOC-3158

and some about limitation od QoS and subinterfaces:

Re: QoS on Tagged VLAN Sub-interface

Hopefully this helps.

Regards

Slawek

View solution in original post

16 REPLIES 16

L6 Presenter

I've got a screen shot where Internal zone traffic destined for the External zone has QoS applied for 'any' application but sourced from a specific subnet within that internal zone. Is this what you're referring to?10-3-2013 9-00-44 PM.png

That was exactly what I was looking for. Though, does QoS in Palo Altos only do egress limiting or can it do ingress as well?

QoS on the PAN is for egress only traffic

Got it. I think I'm getting the handle of this. One more question, is there any functionality for dynamic QoS? Say for instance, we have our office and guest network, and our office network requires more bandwidth for whatever reason. Is there an automation available to increase the max bandwidth of the office network and lower the max bandwidth of the guest network?

Of course Yes. Please read this two documents:

https://live.paloaltonetworks.com/docs/DOC-3439

Also you can look at the following doc as well:

https://live.paloaltonetworks.com/docs/DOC-3158

and some about limitation od QoS and subinterfaces:

Re: QoS on Tagged VLAN Sub-interface

Hopefully this helps.

Regards

Slawek

the qos doc slawek mentions would be ideal to get your feet wet. perhaps case 2 would be suited to what you're trying to accoomplish.

L1 Bithead

The document is somewhat confusing as to what exactly is supported on the 2050.  Is Bandwidth throttling supported on the 2050 as well?

Joe

tech note indicates 2000 series devices is not able to support policing but does perform traffic shaping.

Policing is performed to avoid unintentional starvation of the QoS priority queues.

Not all Palo Alto Networks firewalls support policing, refer to the following table:

Platform Policing

PA-200

Not Supported

PA-500

Not Supported

PA-2000 Series

Not Supported

PA-4000 Series

Supported (on egress interface)

PA-5000 Series

Supported (on egress interface)

All platforms support shaping, which is at the egress interface only. In PA-200/500 and PA-2000 Series devices, Shaping is performed in software only

Thanks Nato

L4 Transporter

QOS on the palo alto device is applied only on the egress interfaces, however you can apply Qos profiles for traffic ingressing from a specific source subnet.

So for example if you want to rate limit upload traffic from your guest/office network:

Guest/office---ingress--->PAN---egress--->Untrust

Here QOS is enabled on the Untrust (egress)interface, but you can configure multiple QOS profiles for traffic egressing Untrust, based on the source  interface/subnet as well.

Snip20131007_1.png

I'm guessing this may answer your original question partially unless you want to rate limit traffic ingressing Untrust interface like downloads, hope it helps.

Aditi

so can we use this for download by selecting WAN interface on clear tab section ?

Yes, you will enable QOS on the egress interface i.e. LAN and can select the WAN interface as the source interface for download traffic from the internet. Source subnet will be any.

Thanks,

Aditi

I tried that with choosing Wan on subnet but physical interface was Layer2 and it did not work.is that normal ?

L2 Linker

Thanks for all the input everyone!

Does anyone know of documentation besides the one posted above that can better explain QoS profiles? I keep trying to test QoS in the labs and whenever I set up my profile and QoS settings, it gives me an error that states "the regular traffic guaranteed bandwidth is less than the sum of the total guaranteed bandwidth of its children." I tried modifying my bandwidth settings, but I'm not sure what to change. I know that the max/guaranteed bandwidth for each class has to be less than or equal to the max/guaranteed of the profile, but is there any other rules that I should know about?

  • 1 accepted solution
  • 22864 Views
  • 16 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!