QOS and internet traffic

cancel
Showing results for 
Search instead for 
Did you mean: 

QOS and internet traffic

L4 Transporter

Can PANOS controll / rate limit  internet downloads ?

 

On my squid boxes I can ratelimit and it does this by delaying acks.

 

Can the PA QOS do this work as well ?

 

1 ACCEPTED SOLUTION

Accepted Solutions

Cyber Elite
Cyber Elite

Hi @Alex_Samad

 

yes, the Palo Alto Networks firewall can also perform Quality of Service, please check out this article: Getting Started: Quality of Service

Tom Piens
PANgurus

View solution in original post

9 REPLIES 9

Cyber Elite
Cyber Elite

Hi @Alex_Samad

 

yes, the Palo Alto Networks firewall can also perform Quality of Service, please check out this article: Getting Started: Quality of Service

Tom Piens
PANgurus

View solution in original post

Thought I would come back to this.

 

So it can only apply QOS to the egress interface.

 

so if you have a PA with eth1 -> internet and eth2 -> proxy server.

 

you apply QOS for internet download traffic to eth2

 

you can't apply QOS on eth1 for inbound.

 

Not exactly what I wanted but atleast now I know

 

The advantage of applying QoS on the egress interface is that at that time paloalto already knows a lot about the traffic that it is processing (specially the app) so it gives you the possibility for very granular bandwidth limitations per app/app group/app filter group...

The problem is QOS doesn't just work on sub interfaces it works on the whole interface.

 

I have a 80G LACP ae and QOS only works up to 40G from memory, so to turn on QOS I have seperarte out interface. I prefer a single trunk with sub int on it.

 

it would be nice if it slowed ACK's back to the web site for web site downloads.. like squid does

 

A

This one I did not know (I am planning actually to do the same with an 80G AE Interface). So as soon you have QoS enable the max total bandwidth you can specify is 40G? But you can have multiple 40G channels and so you can also have multiple 40G QoS configurations? 

I thought they removed the artificial limits to QoS with 7.1.11?  Meaning, that QoS would support whatever the physical interfaces could support.

 

7.1.10 and earlier were limited to 1 Gbps when QoS was enabled, regardless of what the physical / aggregate interfaces could handle.

 

Granted, we don't have access to any ports greater than 10 Gbps, and have no switches with 10 Gbps to test with, so ... 

I just tried panoram 8.0.8 set template to 5200 and tried to set Phy ae1 to 80000 max is 60000

 

think i confirmed this with PA support.  strange and annoying !

 

so lose 20Gb for QOS.

 

or even more if you are using active / active cause you can share QOS between nodes !

Thanks for testing.  Sucks that there's still an artificial limit.  😞

 

But, good to know the limit is much higher than we will need it to be for the next decade or so.  🙂

I would like to add that when employing Active-Active your throughput per chassis should be calculated to be less than half of the chassis maximum throughput, as the cluster is intended to be a fail-over redundancy and not a capacity increasing measure (if both systems are at 60% capacity and one fails, the remaining chassis will be at 120% and potentially also cause serious impact)

 

so for a cluster of PA-5280 you would ideally not exceed 34Gbps per chassis

Tom Piens
PANgurus
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!