QoS Best Practices - complete concept/configuration - big picture for QoS

Showing results for 
Show  only  | Search instead for 
Did you mean: 
Please sign in to see details of an important advisory in our Customer Advisories area.

QoS Best Practices - complete concept/configuration - big picture for QoS

L0 Member

Hi there,

I already read the QoS in PAN-OS 4.1 document and the QoS section in the Panorama Administrator's Guide 6.0 (English).

But there a still big question marks hovering over my head. :smileyconfused:

The examples show only one use case/qos-profile at one time: "QoS for a Single User" or "QoS for Voice and Video Applications" or "restrict downloads to 15 Mbps".

But I dont see a configuration where all these use cases are combined together.

Maybe someone can provide me with proper screenshots of their qos configuration?

So lets say:

ethernet1/1 - zone untrust = 300MBit internet link

ethernet1/22 with different sub-interfaces = 10GBit = development clients

ethernet1/23 with different sub-interfaces = 10GBit = server infrastructure

ethernet1/24 with different sub-interfaces = 10GBit = clients also different wireless clients/interfaces

At first I didn't understand the need to setup the Egress Max (Mbps) on the physical interface.

Ok at ethernet1/1 this is the only place where it makes sense, I have a 300MBit internet link. (Physical connected to 1GB)

But it's only the egress traffic (uploading to the internet).

But what should I do with the ingress traffic from the internet?

I can't limit the egress max on the physical interface for ethernet1/22-24 to 300MBit (as seen in other discussions) because there is a lot of other traffic not only from/to the internet.

And also different interfaces connects to the internet (ethernet1/1)

To classify the traffic is easy-peasy but then?

To start with:

a) I want all salesforce traffic to be in class3 (prio high) and a "Egress Guaranteed" with 30MBit

b) I want all video application to be in class1 (prio real-time) and a "Egress Guaranteed" with 20MBit

c) normal web-browsing to be in class5 (prio medium) and a "Egress Guaranteed" with 20MBit but should not have an effect when I browse to an internal server (standing in ethernet1/23)

I should not create a single QoS-Profile for salesforce and video application and web-browsing?

Should i create a QoS-Profile incoming-untrust and outgoing-untrust?

Where is the right place to set the egress maximum for the ethernet1/1 (ingress/downloading)?

On the QoS-Interface it would affect all traffic not only the traffic that is coming from ethernet1/1 is'nt it?

So I have to do that on the QoS Profile?

Seems that correct to you?

And what happends to all the other traffic?
Goes than untouched bypass-traffic?

Phew! Smiley Sad



L5 Sessionator

Hello Sebastian,

Lemme clarify this, QoS policy is session based. So if you have a QoS policy for outbound traffic then all the return traffic will also follow the QoS policy and bandwidth limiting is done based on the QoS profile applied to inside interface.

Please take a look at below screenshots and let me know if that makes sense to you.

In below screenshots ethernet1/1(Untrust-L3) is outside interface and ethernet1/2(trust-L3) is inside interface.






Hari Yadavalli

  • 1 replies
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!