QOS for multiple user addresses

AKabary
L2 Linker


Hi,

I need to create a QoS policy to limit downloads and uploads of user address objects created on a Palo Alto device.

I know that I will create a QoS profile for down and up, choose a class, priority and type guaranteed and max BW,

then create a QoS policy and QoS interface.

1. Regarding the QoS policy, do I need a policy for upload and a policy for download?

2. Regarding the QoS egress interface and source subnet, will it differ between the upload and the download?

3. If I make a download policy and apply it on, say, 10 user addresses, will that BW be given to the whole group of users or to each user individually?

Thanks in advance

BatD
L4 Transporter

@AKabary you are right, you will need a QoS profile and assign it to the egress interface. Broadly speaking, you can have up to 8 classes for traffic type. So let's say that you will create Class 8 restricting downloads to a particular value. The QoS policy can match traffic on specified criteria, but as an action you can only choose 1 of the classes or assign DSCP/ToS to be processed by another device.

So the answers will be:

  1. I think you need to clarify what you mean by upload and download. You need to really follow the Palo Alto policy logic. For example, if a user initiates a session to Dropbox, your QoS policy will be matching on source user, application Dropbox and action assign to class, then the policy will match this session regardless of whether the user is uploading or downloading files. Bandwidth restrictions will, however, be applied only on the egress interface. So if you have restrictions on the external interface, but not on the internal, the policy will be the same, but only upload will have its bandwidth restricted.
  2. The egress interface will differ for download and upload. Regarding source subnet, if you mean in policy, the logic is based on your policy and the type of traffic you need to match. If you are referring to “Source Subnet” configured under “QoS Interface”, then it will differ.
  3. The policy is not relevant, but the action, which for example can be “Class 8”. You can have different conditions assigning traffic to Class 8 and anything assigned to Class 8 will share the Class 8 configured limit per egress interface.

QoS on Palo Alto is not as granular as some routers from other vendors and it has its limitations. So depending on how advanced your QoS setup needs to be, you may need to consider offloading the functionality to another device.

AKabary
L2 Linker

Thank you.
So, the policy can be applied to only one phy interface.
So by your example, if I want to restrict download and upload speed:

I need to create 2 QoS profiles with 2 classes
and create 2 policies, so what will the egress interface be for upload and download?

Also, in the policy for download, the source and destination zones are blurry to me.
BatD
L4 Transporter

You are mixing the two concepts. Policies match on sessions; download and upload only relate to the in and out interface.

Presuming that the discussion is around your internal users. Your Upload QoS profile will apply to your external interface. Download will be internal.

If you want to apply the restrictions to user web traffic, in your case the policies will probably be always from trusted to untrusted zone, assigning the traffic to a class.

AKabary
L2 Linker

Yes, the interface is assigned a profile which is assigned a class.

Now I will have 2 interfaces: ext for upload traffic with its class and profile,

int for download traffic with its class and profile.

Now, will I create two policies or one policy?
In the policy options you select the class,
so I think I create 2 policies?
AKabary
L2 Linker

If I am going to restrict upload and download,

I will create 2 QoS profiles and assign them to 2 classes,

then add 2 physical interfaces, one for each direction (download and upload), and add the QoS profile here.

Now, in the QoS policy section, will I create 1 policy or two?
If 2 policies, one from trust to untrust and the other from untrust to trust, which one to add the class of upload and which one to add the class of download?

Thanks in advance

vsys_remo
Cyber Elite

@AKabary

You only need one QoS policy. This one policy will assign client-to-server and server-to-client traffic to the specified class. And based on this class you can then specify the bandwidth/priority for upload and download separately, as already mentioned and explained by @BatD.

AKabary
L2 Linker

But I created 2 classes for 2 QoS profiles,
one for upload and one for download.

So if it is one QoS policy, then which class should I add?
fjwcash
L4 Transporter

You only need one QoS Profile.  In that profile, you specify your various classes with limits to bandwidth based on the class (lower numbered classes have higher priority).  Or, you just define the classes with priority levels and just limit the total bandwidth to the Profile.

 

Then you create as many QoS Policies as you need to separate your traffic into the classes.

 

The Policies separate the traffic into the various classes.  The Profile determines what those classes mean and how the traffic is handled.
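
The logic described across the replies above, as an added example that is not part of any post and is not PAN-OS code: one policy assigns a session to a class, and the class limit is enforced per egress interface and shared by everything in that class. Interface names, limits and user names are constructed, and the proportional split between users under congestion is an assumption made only to keep the model simple.

```python
from dataclasses import dataclass

# Egress-max (Mbps) per class in the profile attached to each QoS interface.
# Constructed sample values.
INTERFACE_PROFILES = {
    "external": {8: 10.0},  # client-to-server traffic leaves here: upload
    "internal": {8: 50.0},  # server-to-client traffic leaves here: download
}

@dataclass
class Session:
    user: str
    upload_demand: float    # Mbps offered client-to-server
    download_demand: float  # Mbps offered server-to-client

def classify(session, limited_users):
    """The single QoS policy: match on source user, action is a class.
    Both directions of the session get the same class."""
    return 8 if session.user in limited_users else None

def shape(sessions, limited_users):
    """Return {user: (upload_mbps, download_mbps)} after the class caps.
    Assumes one session per user."""
    rates = {s.user: [s.upload_demand, s.download_demand] for s in sessions}
    # Index 0 (upload) is capped on the external interface,
    # index 1 (download) on the internal interface.
    for idx, iface in enumerate(("external", "internal")):
        by_class = {}
        for s in sessions:
            by_class.setdefault(classify(s, limited_users), []).append(s)
        for cls, members in by_class.items():
            cap = INTERFACE_PROFILES[iface].get(cls)
            total = sum(rates[m.user][idx] for m in members)
            if cap is not None and total > cap:
                # The cap applies to the class as a whole, not to each user.
                scale = cap / total
                for m in members:
                    rates[m.user][idx] *= scale
    return {u: tuple(v) for u, v in rates.items()}

if __name__ == "__main__":
    users = [f"user{i}" for i in range(10)]
    sessions = [Session(u, 5.0, 20.0) for u in users] + [Session("guest", 5.0, 20.0)]
    for user, (up, down) in shape(sessions, set(users)).items():
        print(f"{user}: up {up:.1f} Mbps, down {down:.1f} Mbps")
```
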
