This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

QOS for multiple user addresses

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

QOS for multiple user addresses

AKabary
L2 Linker

‎06-28-2018 05:16 AM

Hi

 

i need to create a qos policy to limit downloads and uploads of user addresses objects created on palo alto device

 

i know that i will ceate a qos profile for down and up  , choose a class , priority and type guaranteed and max BW

 

then create a qos policy and qos interface

 

1-regarding the qos policy , do i need a policy for upload and policy for download??

2-regarding the qos egress interface  and source subnet , will it difer between the upload and the download

3-if i make a download policy and apply it on say 10 user addresses , will that BW be given to the whole group f users or for        each user individually


\thanks in advance

0 Likes Likes
8 REPLIES 8

BatD
L4 Transporter

‎06-29-2018 12:23 AM - edited ‎07-01-2018 11:19 PM

@AKabary you are right, you will need a QoS profile and assign it to the Egress interface. Broadly speaking, you can have up to 8 Classes for traffic type. So lets say that you will create Class8 restricting downloads to particular value. The QoS policy can match traffic on specified criteria, but as an action you can only choose 1 of the classes or assign DSCP/ToS to be processed by another device.

So the answers will be:

  1. I think you need to clarify what do you mean by upload and download. You need to really follow the Palo Alto policy logic. For example if user initiates a session to dropbox your QoS policy will be matching on source user, application Dropbox and action assign to class, then the policy will match this session regardless if the user is uploading or downloading files. Bandwidth restrictions will, however be applied only on the egress interface. So if you have restrictions on the external interface, but not on the internal, the policy will be the same, but only upload will have its bandwidth restricted.
  2. The egress interface will differ for download and upload. Regarding source subnet, if you mean in policy, the logic is based on you policy and the type of traffic you need to match. If you are referring to “Source Subnet” configured under “QoS Interface”, then it will differ.
  3. The policy is not relevant, but the action, which for example can be “Class 8”. You can have different conditions assigning traffic to Class 8 and anything assigned to Class 8 will share the Class 8 configured limit per egress interface.

QoS on Palo Alto is not as granular as some routers from other vendors and it has its limitations. So depending on how advanced you QoS set up need to be, you may need to consider offloading the functionality to another device.

0 Likes Likes

AKabary
L2 Linker
In response to BatD

‎06-29-2018 12:36 AM

Thank u
So , the policy can be applied to only obe phy interface
So by your example if i want to restrict download and upload speed

I need to create 2 qos profiles with 2 classes
and create 2 policies ,so what will he egress interface be for upload and downoad

Also in the policy for downoad ,the source and destination zones are blurry to me
0 Likes Likes

BatD
L4 Transporter
In response to AKabary

‎06-29-2018 12:51 AM - edited ‎06-29-2018 12:52 AM

You are mixing the two concepts. Polcies match on sessions, download and upload only realte to in and out interface. 

Presuming that the discussion is around your internal users. Your Upload QoS profile will apply to your external interface. Download will be internal. 

If you want to apply the restrictions to user web traffic, in your case the policies will probably be always from trusted to untrusted zone assigning the traffic to a class. 

0 Likes Likes

AKabary
L2 Linker
In response to BatD

‎06-29-2018 01:04 AM

Yes the interface is assigned a profile which is assigned a class

Now i will have 2 interfaces ext for upload traffic with its class and profile

Int for download traffic with its class and profile

Now i will create two policies or one policy ?
In the policy options u select the class
So i think i create 2 policies?
0 Likes Likes

AKabary
L2 Linker
In response to BatD

‎07-01-2018 05:20 AM

if iam going to restrict upload and download

i will create 2 qos profiles and assign to 2 classes

 

then add 2 physical interfaces , one for each direction (download and upload) and  add the qos profile here

 

now, in the qos policy section , i will create 1 policy or two?   
if 2 polcies , one fron trust to untrust and the other from untrust to trust // which one to add the class of upload and which one to add the class of download

 

thanks in advance

0 Likes Likes

Remo
L7 Applicator
In response to AKabary

‎07-01-2018 10:50 AM

@AKabary

You only need one QoS policy. This one policy will assign client-to-server and server-to-client traffic to the specified class. And based on this class you can then specify the bandwith/priority for upload and download seperately as already mentionned and explained by @BatD

0 Likes Likes

AKabary
L2 Linker
In response to Remo

‎07-01-2018 01:09 PM

But i created 2 classes for 2 qos profiles
One for upload and one for download

So if it is one qos policy , then which class should i add
0 Likes Likes

fjwcash
L4 Transporter
In response to AKabary

‎07-05-2018 04:07 PM

You only need one QoS Profile.  In that profile, you specify your various classes with limits to bandwidth based on the class (lower numbered classes have higher priority).  Or, you just define the classes with priority levels and just limit the total bandwidth to the Profile.

 

Then you create as many QoS Policies as you need to separate your traffic into the classes.

 

The Policies separate the traffic into the various classes.  The Profile determines what those classes mean and how the traffic is handled.

0 Likes Likes
  • 5808 Views
  • 8 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks