I need to create a QoS policy to limit downloads and uploads of user address objects created on a Palo Alto device.
I know that I will create a QoS profile for down and up, choose a class, priority and type guaranteed and max BW,
then create a QoS policy and QoS interface.
1. Regarding the QoS policy, do I need a policy for upload and a policy for download?
2. Regarding the QoS egress interface and source subnet, will it differ between the upload and the download?
3. If I make a download policy and apply it on, say, 10 user addresses, will that BW be given to the whole group of users or to each user individually?
Thanks in advance
@AKabary you are right, you will need a QoS profile and assign it to the Egress interface. Broadly speaking, you can have up to 8 Classes for traffic type. So let's say that you will create Class8 restricting downloads to a particular value. The QoS policy can match traffic on specified criteria, but as an action you can only choose 1 of the classes or assign DSCP/ToS to be processed by another device.
So the answers will be:
QoS on Palo Alto is not as granular as some routers from other vendors and it has its limitations. So depending on how advanced your QoS setup needs to be, you may need to consider offloading the functionality to another device.
You are mixing the two concepts. Policies match on sessions; download and upload only relate to the in and out interface.
Presuming that the discussion is around your internal users, your Upload QoS profile will apply to your external interface. Download will be internal.
If you want to apply the restrictions to user web traffic, in your case the policies will probably be always from trusted to untrusted zone assigning the traffic to a class.
If I am going to restrict upload and download,
I will create 2 QoS profiles and assign to 2 classes,
then add 2 physical interfaces, one for each direction (download and upload), and add the QoS profile here.
Now, in the QoS policy section, will I create 1 policy or two?
If 2 policies, one from trust to untrust and the other from untrust to trust, which one to add the class of upload and which one to add the class of download?
Thanks in advance
You only need one QoS Profile. In that profile, you specify your various classes with limits to bandwidth based on the class (lower numbered classes have higher priority). Or, you just define the classes with priority levels and just limit the total bandwidth to the Profile.
Then you create as many QoS Policies as you need to separate your traffic into the classes.
The Policies separate the traffic into the various classes. The Profile determines what those classes mean and how the traffic is handled.