01-09-2018 05:39 PM
Can PANOS controll / rate limit internet downloads ?
On my squid boxes I can ratelimit and it does this by delaying acks.
Can the PA QOS do this work as well ?
01-10-2018 12:20 AM
Hi @Alex_Samad
yes, the Palo Alto Networks firewall can also perform Quality of Service, please check out this article: Getting Started: Quality of Service
01-10-2018 12:20 AM
Hi @Alex_Samad
yes, the Palo Alto Networks firewall can also perform Quality of Service, please check out this article: Getting Started: Quality of Service
04-16-2018 11:45 PM
Thought I would come back to this.
So it can only apply QOS to the egress interface.
so if you have a PA with eth1 -> internet and eth2 -> proxy server.
you apply QOS for internet download traffic to eth2
you can't apply QOS on eth1 for inbound.
Not exactly what I wanted but atleast now I know
04-17-2018 10:13 AM
The advantage of applying QoS on the egress interface is that at that time paloalto already knows a lot about the traffic that it is processing (specially the app) so it gives you the possibility for very granular bandwidth limitations per app/app group/app filter group...
04-17-2018 02:40 PM
The problem is QOS doesn't just work on sub interfaces it works on the whole interface.
I have a 80G LACP ae and QOS only works up to 40G from memory, so to turn on QOS I have seperarte out interface. I prefer a single trunk with sub int on it.
it would be nice if it slowed ACK's back to the web site for web site downloads.. like squid does
A
04-17-2018 03:02 PM
This one I did not know (I am planning actually to do the same with an 80G AE Interface). So as soon you have QoS enable the max total bandwidth you can specify is 40G? But you can have multiple 40G channels and so you can also have multiple 40G QoS configurations?
04-17-2018 03:09 PM
I thought they removed the artificial limits to QoS with 7.1.11? Meaning, that QoS would support whatever the physical interfaces could support.
7.1.10 and earlier were limited to 1 Gbps when QoS was enabled, regardless of what the physical / aggregate interfaces could handle.
Granted, we don't have access to any ports greater than 10 Gbps, and have no switches with 10 Gbps to test with, so ...
04-17-2018 04:13 PM
I just tried panoram 8.0.8 set template to 5200 and tried to set Phy ae1 to 80000 max is 60000
think i confirmed this with PA support. strange and annoying !
so lose 20Gb for QOS.
or even more if you are using active / active cause you can share QOS between nodes !
04-18-2018 11:48 AM
Thanks for testing. Sucks that there's still an artificial limit. 😞
But, good to know the limit is much higher than we will need it to be for the next decade or so. 🙂
04-23-2018 05:47 AM
I would like to add that when employing Active-Active your throughput per chassis should be calculated to be less than half of the chassis maximum throughput, as the cluster is intended to be a fail-over redundancy and not a capacity increasing measure (if both systems are at 60% capacity and one fails, the remaining chassis will be at 120% and potentially also cause serious impact)
so for a cluster of PA-5280 you would ideally not exceed 34Gbps per chassis
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
