- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
Enhanced Security Measures in Place: To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.
08-04-2016 08:12 AM
Hello
I will migrate fom PA200 to PA500. I have some local networks (DMZ, Wifi for students, Wifi for stuff, LANs)
I need to use QoS but I need some advice with that.
I know that I can controll only on outgoing interfaces but I have no idea how to get it working with one condition: I wouldnt limit traffic from/to my local servers in DMZ.
Now I have all my lans as a subinterfaces of ethernet1/4
Should I separate my lans ir: DMZ to ethernet 1/2, WIfi to 1/3, LAN_1 to 1/4 and so on?
I assume that ISP is on ethernet 1/1 as an Untrust zone.
How to _not_ limit traffc to ie. Wifi from DMZ?
I will be grateful for any suggestions
Regards
SLawek
08-05-2016 11:38 AM
Hi,
You cannot apply QoS on subinterfaces, so you don't really have a choice here. Each network will need his own physical interface. You can apply multiple QoS profiles on an interface, based on the source interface or subnet, so you could have different limits depending on the source of the traffic.
Benjamin
08-08-2016 07:01 AM - edited 08-08-2016 07:02 AM
Hi,
100% agree with Baudy, QoS can't be configured on sub-interface.
QoS only impact outcomming traffic. Mean if you want to limit donwload / Streaming traffic from wifi, you need to configure QoS rule not on your ISP interface but on your physical wifi interface.
link: https://www.paloaltonetworks.com/documentation/61/pan-os/pan-os/quality-of-service/configure-qos
Make sense ?
V.
08-11-2016 11:58 PM
Let's say you have an interface for untrust zone, another for trust zone, a third for wifi, and a fourth for DMZ. Seems you want to be able to use QoS on all interfaces but not mess with DMZ. The process is to setup QoS on each interface with no limitations, so it functions as a monitor. Then use the QoS levels as buckets to hold your apps (see below). Finally, apply the actual caps to the QoS profile.
There are a couple very good articles describing in detail how to setup QoS. Here is a quick summary of what I would do in your situation:
First define QoS profiles for each zone, with a max set to 1000, and define the levels such that each has a guaranteed min of .01 & max of 1000. This setup allows you to begin monitoring the traffic on each interface. Once you apply each named policy to each interface (Trust-profile to Trust interface, etc.), you'll notice that all the traffic is in the default level 4. The next step is to actually control the traffic. So set levels 1-3 as bogus stuff, and levels 5 & above as time-sensitive and critical. Leave Level 4 alone, since that is your normal business traffic and catch all. For example, level 1 can be reserved for "games" and the highest level for "VoIP" - Using just this simple Q0S profile example, apply it to the Trust Interface and monitor QoS in the Network tab. You'll see the actual usage of these apps that you defined for each level. Once you understand what bandwidth the applications are actually using, go back to the profile and in the coresponding level, set a max limit for the bandwidth.
By defining separate QoS profiles for each interface, you can monitor them all, with minimal configuration. Customize the profile assigned to the interface you want to manage, and you can actually control the traffic.
08-15-2016 04:14 AM
Hello
Thx for your replays. I had a lot of work with migration and network rearranging...
I used all my phisical interfaces.
But I still ned advice ..
I have 50Mbit link from ISP. I'd like to share on ethernet1/2 10Mbit max but when this bandwith is not used on this interface I would to consume that bandwitch on other interfaces.
How to get it working?
I know article https://live.paloaltonetworks.com/t5/Configuration-Articles/Incorrect-QoS-Configuration-Caused-Netwo... and other
But I cant find exact examples with ISP speed and limitation on interfaces like in my example.
Regards
SLawek
08-16-2016 02:54 AM
Hi Slawek
there is no configuration that would allow you to share 'leftover' bandwidth from one interface with another interface
could you illustrate the scenario you're trying to achieve? maybe there's different solution
right now you can simply divy up available bandwidth on a single interface in terms of maximum allowed usage or minimum guaranteed bandwidth. on a policy where only a guarantee is defined, any 'leftover' bandwidth on that same interface will be used up until another guarantee is enforced. if no sessions exist for a guaranteed policy, that bandwidth will also be available to other policies
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!