QoS Methods, Design & Configuration


L3 Networker

I have a site that only has 5 megs of upload speed and it's constantly getting fully utilized.  I know I should probably get more bandwidth from the ISP but that's simply not an option right now.  Anyway, here is my goal.  I would like to make the firewall perform strict allocations of guaranteed bandwidth for 3 different classes I have configured, but it is not doing what I have configured it to do.  QoS rule 1 should get 3 megs of guaranteed bandwidth (class 1), QoS rule 2 should get 2 megs of guaranteed bandwidth (class 2) & QoS rule 3 should get no guaranteed bandwidth (class 8).  In addition to this structure I would like all non-priority traffic (QoS rule 3/class 8) to be able to use the full 5 megs of traffic if class 1 & 2 are not currently being used so that all 5 megs are available when higher priority traffic is not egressing the WAN interface.  I am using the default QoS profile & have configured the following guaranteed bandwidth amounts into classes 1, 2 & 8...


class 1-  3 megs guaranteed

class 2-  2 megs guaranteed

class 3 to 8-  0 megs guaranteed


In order to configure this structure of QoS I needed to set the interface bandwidth (egress max) to 10 so that I can allocate my desired guaranteed bandwidth values.  There were no errors after configuration & the values do show accordingly in all menus; however, when I test I notice that the firewall is not strictly enforcing the guaranteed bandwidth that I have configured for each class.  I see that all 3 QoS policies are getting hit & in the QoS interface statistics I see the test traffic crossing the right class.  Am I missing something?  This seems like an easy configuration to make but the Palo is just not strictly enforcing the configuration of the QoS profile & policy.   See the statistics in the pic (QoS Statistics.PNG).



Cyber Elite

You're allocating 10 mbps of total bandwidth while only 5 is available.

The interface limit should be set to 5 and then split up between classes 1, 2, 8 and ipsec.

Your ipsec is taking up 2.85 mbit, so the system can already no longer provide more than 2,15 physical mbps while the profile promises there's 5 more guaranteed for the regular sessions.

Tom Piens
PANgurus - SASE and Strata specialist; (co)managed services, VAR and consultancy