QoS: only ever matches default-group

L4 Transporter

I'm obviously missing something simple here, but nothing I've tried makes a difference.

 

Creating a QoS Profile to configure the 8 classes:  works great.

Creating a series of QoS Policies to classify AppIDs, URLs, users, etc. into different classes:  works great.

Creating multiple QoS Profiles to limit bandwidth for separate networks:  nothing works; everything ends up in default-group (when viewing the live QoS Statistics on ethernet1/4).

 

ethernet1/4 is the WAN interface.  100 Mbps symmetric link shared between two sites.

ethernet1/3 is the LAN interface for site 1.

ethernet1/2 is the LAN interface for site 2.

 

What I want to do is:

  • give site 1 a guaranteed 49 Mbps for uploads
  • give site 1 a guaranteed 49 Mbps for downloads
  • give site 2 a guaranteed 49 Mbps for uploads
  • give site 2 a guaranteed 49 Mbps for downloads
  • allow either site to use the full 100 Mbps if the other site is idle

What I'm trying to prevent is having one site hog all the bandwidth, but I also don't want to limit each site.  I just want to guarantee a minimum bandwidth for each site (they can use more if the other site isn't using it).

 

Seems pretty simple in theory, according to the docs.

 

Just create a QoS Profile with guaranteed egress of 49 Mbps and max egress of 99 Mbps for each site (to keep it under the 100 Mbps max for the interface).  Then in the QoS setup for ethernet1/4, on the Clear Text Traffic tab, add separate entries for each source subnet and/or source interface and attach the corresponding QoS Profile to it.

 

Nope, doesn't work.  All traffic gets classified into the default-group.  The other two groups never see any traffic.

 

Doesn't matter if both source interface and source subnet are set, only one or the other is set, or neither of them is set.  All traffic shows in the Statistics as being in the default-group.  (On the bright side, all the QoS Policies are working, and traffic is being classified correctly into the 8 classes.)

 

Assigning the QoS profile to the LAN interfaces works, but that's not the shared interface where we need the QoS to apply.

 

So, what am I missing?
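The bandwidth behaviour the post asks for (a per-site guaranteed minimum, borrowing up to a per-site maximum when the other site is idle) is a work-conserving allocation with floors and ceilings. The following is an added example, not code from the original post or from PAN-OS: it models that intent in Python so the numbers can be checked before they are typed into a profile. The allocation rule (honour guarantees first, then split the remainder equally among sites that still want more) and the demand figures are assumptions; the 49/99/100 Mbps values are the post's.

```python
"""Work-conserving bandwidth split with per-site guaranteed and maximum egress.

Added example modelling the intent of the post above; not PAN-OS code.
The allocation rule below is an assumption (progressive filling), chosen
because it reproduces the three properties the post asks for: a floor per
site, a ceiling per site, and borrowing of whatever the other site leaves idle.
"""
from typing import Dict, Tuple

LINK_MBPS = 100.0  # egress max of the shared WAN interface (from the post)

# Profile name -> (guaranteed egress, max egress) in Mbps, as in the post.
PROFILES: Dict[str, Tuple[float, float]] = {
    "site1": (49.0, 99.0),
    "site2": (49.0, 99.0),
}


def check_profiles(profiles: Dict[str, Tuple[float, float]], link: float) -> None:
    """A guarantee is only meaningful if the link can honour all of them at once."""
    total = sum(g for g, _ in profiles.values())
    if total > link:
        raise ValueError(f"guaranteed egress {total} Mbps exceeds link {link} Mbps")
    for name, (g, cap) in profiles.items():
        if g > cap or cap > link:
            raise ValueError(f"{name}: guaranteed {g} > max {cap}, or max > link {link}")


def allocate(demand: Dict[str, float],
             profiles: Dict[str, Tuple[float, float]] = PROFILES,
             link: float = LINK_MBPS) -> Dict[str, float]:
    """Return the Mbps granted to each site for the given offered load."""
    check_profiles(profiles, link)
    # A site never receives more than it asks for or more than its max egress.
    want = {s: min(demand.get(s, 0.0), cap) for s, (_, cap) in profiles.items()}
    # Step 1: honour the guarantee (or less, if the site wants less than that).
    grant = {s: min(want[s], g) for s, (g, _) in profiles.items()}
    left = link - sum(grant.values())
    # Step 2: hand the remainder out in equal shares to whoever still wants more,
    # repeating until the link is full or nobody is left wanting.
    while left > 1e-9:
        hungry = [s for s in profiles if want[s] - grant[s] > 1e-9]
        if not hungry:
            break
        share = left / len(hungry)
        for s in hungry:
            extra = min(share, want[s] - grant[s])
            grant[s] += extra
            left -= extra
    return {s: round(v, 3) for s, v in grant.items()}


if __name__ == "__main__":
    # Constructed demand scenarios (Mbps offered by each site).
    for scenario in ({"site1": 100, "site2": 100},
                     {"site1": 0, "site2": 100},
                     {"site1": 30, "site2": 100}):
        print(scenario, "->", allocate(scenario))
```

With both sites saturating the link each gets 50 Mbps (49 guaranteed plus half of the 2 Mbps left over); with site 1 idle, site 2 is capped at its 99 Mbps max rather than the full 100; with site 1 offering 30 Mbps, site 2 borrows the rest and gets 70. `check_profiles` is the caveat worth keeping: if the guarantees of all groups add up to more than the interface egress max, the floors cannot all be honoured at once.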

Cyber Elite

Howdy

 

QoS is applied on the 'egress' interface (out of firewall), so for uploads you need to have a profile on the WAN interface and downloads have another profile on the LAN interface (i.e. a single session touches 2 different QoS profiles on the c2s and s2c)

The class is applied on the c2s flow and applies to both profiles

 

Hope this helps

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
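Because shaping is evaluated on the egress interface, the two directions of one session are shaped by two different interfaces' QoS settings. The following is an added example, not code from the reply above or from PAN-OS: a small Python model of that lookup, using the interface layout and profile names from this thread. The Clear Text Traffic matching it implements (first entry whose source interface and/or source subnet matches wins, otherwise default-group) and the sample session are assumptions; the model does not attempt to explain why the original poster's traffic lands in default-group.

```python
"""Toy model of egress-side QoS evaluation, as described in the reply above.

Added example, not PAN-OS code. Assumptions: Clear Text Traffic entries are
tried in order and the first one whose source interface / source subnet match
the flow wins; anything unmatched goes to default-group; the QoS class is
decided once on the c2s flow and reused for s2c.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass
class ClearTextGroup:
    """One entry on the Clear Text Traffic tab: a profile plus its match criteria."""
    name: str
    qos_profile: str
    source_interface: Optional[str] = None   # ingress interface of the flow
    source_subnet: Optional[str] = None      # e.g. "10.1.0.0/24"

    def matches(self, ingress_if: str, src_ip: str) -> bool:
        if self.source_interface and self.source_interface != ingress_if:
            return False
        if self.source_subnet and ip_address(src_ip) not in ip_network(self.source_subnet):
            return False
        return True


@dataclass
class QosInterface:
    """QoS settings of one interface: ordered groups, then default-group."""
    name: str
    default_profile: str = "default"
    groups: List[ClearTextGroup] = field(default_factory=list)

    def select(self, ingress_if: str, src_ip: str) -> Tuple[str, str]:
        for g in self.groups:
            if g.matches(ingress_if, src_ip):
                return g.name, g.qos_profile
        return "default-group", self.default_profile


@dataclass
class Session:
    client_if: str
    client_ip: str
    server_if: str
    server_ip: str
    qos_class: int  # set by QoS policy on the c2s flow, reused for s2c


def shaping_points(sess: Session, qos: Dict[str, QosInterface]) -> Dict[str, tuple]:
    """Per direction: (egress interface, group, profile, class).

    c2s leaves through the server-side interface and s2c through the
    client-side one, so each direction consults a different interface.
    """
    c2s, s2c = qos[sess.server_if], qos[sess.client_if]
    c2s_group, c2s_profile = c2s.select(sess.client_if, sess.client_ip)
    s2c_group, s2c_profile = s2c.select(sess.server_if, sess.server_ip)
    return {
        "c2s": (c2s.name, c2s_group, c2s_profile, sess.qos_class),
        "s2c": (s2c.name, s2c_group, s2c_profile, sess.qos_class),
    }


def example() -> Dict[str, tuple]:
    """Constructed layout from the thread: 1/2 and 1/3 are LANs, 1/4 is the WAN."""
    qos = {
        "ethernet1/2": QosInterface("ethernet1/2", "Pineridge-QoS-Profile"),
        "ethernet1/3": QosInterface("ethernet1/3", "Maint-QoS-Profile"),
        "ethernet1/4": QosInterface("ethernet1/4", "default", [
            ClearTextGroup("Pineridge", "Pineridge-QoS-Profile", source_interface="ethernet1/2"),
            ClearTextGroup("Maint", "Maint-QoS-Profile", source_interface="ethernet1/3"),
        ]),
    }
    # Constructed session: a site-1 host talking to an Internet server, class 3.
    sess = Session("ethernet1/2", "10.1.0.5", "ethernet1/4", "203.0.113.10", qos_class=3)
    return shaping_points(sess, qos)


if __name__ == "__main__":
    for direction, info in example().items():
        print(direction, info)
```

For the constructed session the upload (c2s) is shaped on ethernet1/4 in the Pineridge group, while the download (s2c) is shaped on ethernet1/2, where no Clear Text groups exist, so it falls into default-group but still under Pineridge-QoS-Profile because that profile is the interface default there; both directions carry the class chosen on c2s.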

Cyber Elite

@reaper I think you have a typo there.

QoS is on egress not ingress.

https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/quality-of-service/qos-concepts/qos-egres...

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

Cyber Elite

I tested and it works well.

What PANOS are you running?

 

[screenshot: Raido_Rattameister_0-1680702498987.png]

 

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

Cyber Elite

I found an interesting discrepancy.

 

I pushed the config from Panorama, and in Panorama there is also a destination interface option that the firewall's QoS settings don't have.

Not sure if it made difference. Will test directly setting QoS on firewall when I have time.

 

[screenshot: Raido_Rattameister_1-1680703188100.png]

 

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

PA-220 firewall running PanOS 9.1.15-h1.

 

Your setup appears to be almost identical to mine, but yours works and mine doesn't.  Wonder if it's a PanOS version issue (you appear to be running 10.x?).

 

Doesn't matter if I use the physical interface, or the VLAN sub-interface on the Clear Text Traffic tab, the traffic never gets assigned to the different groups in the Statistics dialog.  Always shows under default-group only.

 

Could it be a layer2 vs layer3 interface configuration?

The larger firewalls (3x00, 5x00, 7x00) allow you to set the destination interface.  The smaller firewalls only support the source interface.  Panorama shows both and only pushes the relevant interface based on the destination hardware.

The docs show QoS is applied on egress.

 

I have QoS configured on 3 interfaces in the firewall:

  • ethernet1/2 has the Pineridge-QoS-Profile assigned (LAN for Pineridge, for "download" traffic)
  • ethernet1/3 has the Maint-QoS-Profile assigned (LAN for Maint, for "download" traffic)
  • ethernet1/4 has both Pineridge-QoS-Profile and Maint-QoS-Profile assigned under the Clear Text Traffic tab, with the source interface set to 2 and 3 respectively (WAN for both sites, for "upload" traffic)


@Raido_Rattameister wrote:

@reaper I think you have a typo there.

QoS is on egress not ingress.

https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/quality-of-service/qos-concepts/qos-egres...


Yep, my bad, made a booboo there 🙂

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

L1 Bithead

I'm observing the same issue on VM-series 11.0.3-h3. I can successfully configure QoS in all directions and there are no misunderstandings about ingress/egress etc., but for the life of me I can't make traffic hit anything else than the default-group, in other words, the "Clear Text Traffic" tab in "QoS Interface" does not have any effect.

 

Anyone ever found out something useful?

Good advice is expensive but free advice is never appreciated