I was wondering if anyone can tell me if there is a limit to the number of 'Clear Text Traffic - to QOS Profile' mappings you can create under the advanced options within a new QOS Interface? PANOS 4.0.2.
I want to set up a couple of QOS profiles, then tie these both to an egress interface depending on Source Subnet. I have about 400 subnets that I need to add. Does this list work like a rulebase whereby it will check down until it finds a match? If so, I could look at supernetting a large number of these and putting the smaller, more specific subnets higher up, hence I would not need nearly as many lines.
Most of the models will allow 32 total QOS nodes per interface. The bigger boxes (PA-5060, PA-5050, and PA-4060) will allow 64. The list is processed first match top-down.
The number varies depending on the model of the PAN device. See the matrix.png file for the capacity matrix.
Palo Alto's philosophy on QOS is that we use QOS to restrict bandwidth accorded to applications vs. guaranteeing bandwidth to specific users or subnets. Of course our devices support both methods and any combination of methods you might need, but I would be remiss if I didn't point this out.
I can't work out why on the 5060 you can have 4000 QOS policies but only 64 nodes. Anyway... what I am actually doing is looking to deploy a pair of 5060s on the edge of a WAN network that has up to 400 LANs hanging off it, each assigned a /24 subnet range. I need to be able to QOS control traffic coming from each of those subnets individually. Without deploying a PAN at the end of each one of those links (obviously not going to happen!!) I need to know if I can treat each subnet as a separate instance and effectively QOS control the individual links coming in to the WAN.
If I can only have 64 nodes then I would assume I need to supernet the /24's some way in order to get them all covered in the list, but I think the problem then is that each supernetted subnet would be assigned a profile instance and I am effectively having to treat them all like they are one. So for example, a QOS class that says max b/w 1Mbps for ftp would mean that collectively my group of LANs is restricted to only 1Mbps ftp instead of allowing each individual subnet to go up to 1Mbps, which is what I would want.
I hope this makes some sense!
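The two points raised in this thread, that the clear-text-to-profile list is evaluated top-down first match with a per-interface node limit, and that supernetting collapses several LANs onto one profile instance, can be checked with a small model. This is an added example, not anything from the thread or from PAN-OS; the 64-node models are the ones named above, the 32-node default for every other model and the subnets and profile names are constructed assumptions.

```python
import ipaddress

# Per-interface QoS node limits as stated in the thread; every other model is
# assumed (not confirmed here) to use the 32-node figure the answer gives.
NODE_LIMITS = {"PA-5060": 64, "PA-5050": 64, "PA-4060": 64}
DEFAULT_NODE_LIMIT = 32


def check_node_count(model, mappings):
    """Return (fits, limit) for a list of (subnet, profile) lines on one interface."""
    limit = NODE_LIMITS.get(model, DEFAULT_NODE_LIMIT)
    return len(mappings) <= limit, limit


def first_match(mappings, src_ip):
    """Top-down first match as the answer describes: the first line whose subnet
    contains the source wins, regardless of prefix length. Returns
    (line_index, profile) or None when no line matches."""
    ip = ipaddress.ip_address(src_ip)
    for idx, (subnet, profile) in enumerate(mappings):
        if ip in ipaddress.ip_network(subnet):
            return idx, profile
    return None


def nodes_shared_by(mappings, src_ips):
    """Group sources by the line (node) they land on. Sources grouped under the
    same index share one profile instance, which is the OP's concern with
    supernetting: one bandwidth cap for the whole group, not one per /24."""
    shared = {}
    for src in src_ips:
        hit = first_match(mappings, src)
        if hit is not None:
            shared.setdefault(hit[0], []).append(src)
    return shared


# Constructed samples: a supernet placed above a more specific line shadows it.
WRONG_ORDER = [("10.0.0.0/16", "bulk"), ("10.0.7.0/24", "priority")]
RIGHT_ORDER = [("10.0.7.0/24", "priority"), ("10.0.0.0/16", "bulk")]
# Constructed: one line per /24 for the 400 LANs the OP describes.
FOUR_HUNDRED_LANS = [(f"10.{i // 256}.{i % 256}.0/24", "lan") for i in range(400)]

if __name__ == "__main__":
    print(first_match(WRONG_ORDER, "10.0.7.25"))   # (0, 'bulk'): /24 never reached
    print(first_match(RIGHT_ORDER, "10.0.7.25"))   # (0, 'priority')
    print(check_node_count("PA-5060", FOUR_HUNDRED_LANS))   # (False, 64)
    print(nodes_shared_by(RIGHT_ORDER, ["10.0.7.1", "10.0.8.1", "10.0.9.1"]))
```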
This is indeed a complex problem that requires an in-depth solution.
Maybe we can sit down offline and go through the network diagram and so on?