10-03-2013 09:28 AM
Hello Everyone,
I have a question regarding Palo Altos and bandwidth throttling. I know that the Palo Altos can do QoS to limit the bandwidth for specific applications, but can the Palo Altos just do bandwidth throttling with different networks? Say for instance, we have an office and guest network going to a Palo Alto firewall. Can you do a QoS with the Guest network so that its bandwidth doesn't go above a specific limit, say 20Mbps? Any help is appreciated.
Thanks,
Mark
10-03-2013 09:02 PM
I've got a screen shot where Internal zone traffic destined for the External zone has QoS applied for 'any' application but sourced from a specific subnet within that internal zone. Is this what you're referring to?
10-04-2013 07:19 AM
That was exactly what I was looking for. Though, does QoS in Palo Altos only do egress limiting or can it do ingress as well?
10-04-2013 07:20 AM
QoS on the PAN is for egress-only traffic.
10-04-2013 08:26 AM
Got it. I think I'm getting the handle of this. One more question, is there any functionality for dynamic QoS? Say for instance, we have our office and guest network, and our office network requires more bandwidth for whatever reason. Is there an automation available to increase the max bandwidth of the office network and lower the max bandwidth of the guest network?
10-04-2013 09:00 AM
Of course, yes. Please read these two documents:
https://live.paloaltonetworks.com/docs/DOC-3439
Also you can look at the following doc as well:
https://live.paloaltonetworks.com/docs/DOC-3158
and some about limitation of QoS and subinterfaces:
Re: QoS on Tagged VLAN Sub-interface
Hopefully this helps.
Regards
Slawek
10-04-2013 09:03 AM
The QoS doc Slawek mentions would be ideal to get your feet wet. Perhaps case 2 would be suited to what you're trying to accomplish.
10-04-2013 02:22 PM
The document is somewhat confusing as to what exactly is supported on the 2050. Is bandwidth throttling supported on the 2050 as well?
Joe
10-04-2013 02:43 PM
The tech note indicates that 2000 series devices are not able to support policing but do perform traffic shaping.
Policing is performed to avoid unintentional starvation of the QoS priority queues.
Not all Palo Alto Networks firewalls support policing, refer to the following table:

| Platform | Policing |
|---|---|
| PA-200 | Not Supported |
| PA-500 | Not Supported |
| PA-2000 Series | Not Supported |
| PA-4000 Series | Supported (on egress interface) |
| PA-5000 Series | Supported (on egress interface) |

All platforms support shaping, which is at the egress interface only. In PA-200/500 and PA-2000 Series devices, shaping is performed in software only.
10-06-2013 10:24 PM
QoS on the Palo Alto device is applied only on the egress interfaces; however, you can apply QoS profiles for traffic ingressing from a specific source subnet.
So for example if you want to rate limit upload traffic from your guest/office network:
Guest/office---ingress--->PAN---egress--->Untrust
Here QoS is enabled on the Untrust (egress) interface, but you can configure multiple QoS profiles for traffic egressing Untrust, based on the source interface/subnet as well.
I'm guessing this may answer your original question partially, unless you want to rate limit traffic ingressing the Untrust interface, like downloads. Hope it helps.
Aditi
10-06-2013 11:32 PM
So can we use this for download by selecting the WAN interface on the clear tab section?
10-06-2013 11:40 PM
Yes, you will enable QoS on the egress interface, i.e. LAN, and can select the WAN interface as the source interface for download traffic from the internet. Source subnet will be any.
Thanks,
Aditi
10-07-2013 12:34 AM
I tried that with choosing WAN on subnet, but the physical interface was Layer2 and it did not work. Is that normal?
10-07-2013 12:47 PM
Thanks for all the input everyone!
Does anyone know of documentation besides the one posted above that can better explain QoS profiles? I keep trying to test QoS in the labs and whenever I set up my profile and QoS settings, it gives me an error that states "the regular traffic guaranteed bandwidth is less than the sum of the total guaranteed bandwidth of its children." I tried modifying my bandwidth settings, but I'm not sure what to change. I know that the max/guaranteed bandwidth for each class has to be less than or equal to the max/guaranteed of the profile, but are there any other rules that I should know about?
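An added example, not part of the thread and not Palo Alto Networks code: a small offline checker for the constraint that the quoted error message describes, applied to a planned bandwidth hierarchy before it is entered on the firewall. The tree model, the node names and the Mbps figures are assumptions made for illustration; the per-class maximum rule is the one stated in the post above, and values such as "no limit" are not modelled.

```python
from dataclasses import dataclass, field

@dataclass
class Node:
    """One level of a planned QoS hierarchy (all values in Mbps, constructed)."""
    name: str
    guaranteed: int
    maximum: int
    children: list = field(default_factory=list)

def validate(node, path=""):
    """Return a list of violations found in node and everything below it."""
    here = f"{path}/{node.name}" if path else node.name
    errors = []
    if node.guaranteed > node.maximum:
        errors.append(f"{here}: guaranteed {node.guaranteed} exceeds its own max {node.maximum}")
    # The rule behind the quoted error: a parent must guarantee at least
    # as much as all of its children guarantee together.
    total = sum(child.guaranteed for child in node.children)
    if total > node.guaranteed:
        errors.append(f"{here}: guaranteed {node.guaranteed} is less than the "
                      f"sum of its children's guaranteed bandwidth ({total})")
    for child in node.children:
        if child.maximum > node.maximum:
            errors.append(f"{here}/{child.name}: max {child.maximum} exceeds parent max {node.maximum}")
        errors.extend(validate(child, here))
    return errors

# Constructed plan that trips the rule at two levels.
broken = Node("regular-traffic", 50, 100, [
    Node("office", 40, 100),
    Node("guest", 20, 20, [
        Node("class4", 15, 20),
        Node("class8", 10, 30),
    ]),
])

# Same plan with the parent guarantee raised and the guest classes trimmed.
fixed = Node("regular-traffic", 60, 100, [
    Node("office", 40, 100),
    Node("guest", 20, 20, [
        Node("class4", 10, 20),
        Node("class8", 10, 20),
    ]),
])

if __name__ == "__main__":
    for problem in validate(broken):
        print(problem)
    print("fixed plan violations:", validate(fixed))
```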