04-04-2023 04:11 PM - edited 04-04-2023 04:16 PM
I'm obviously missing something simple here, but nothing I've tried makes a difference.
Creating a QoS Profile to configure the 8 classes: works great.
Creating a series of QoS Policies to classify AppIDs, URLs, users, etc. into different classes: works great.
Creating multiple QoS Profiles to limit bandwidth for separate networks: nothing works; everything ends up in default-group (when viewing the live QoS Statistics on ethernet1/4).
ethernet1/4 is the WAN interface. 100 Mbps symmetric link shared between two sites.
ethernet1/3 is the LAN interface for site 1.
ethernet1/2 is the LAN interface for site 2.
What I want to do is:
What I'm trying to prevent is having one site hog all the bandwidth, but I also don't want to limit each site. I just want to guarantee a minimum bandwidth for each site (they can use more if the other site isn't using it).
Seems pretty simple in theory, according to the docs.
Just create a QoS Profile with guaranteed egress of 49 Mbps and max egress of 99 Mbps for each site (to keep it under the 100 Mbps max for the interface). Then in the QoS setup for ethernet1/4, on the Clear Text Traffic tab, add separate entries for each source subnet and/or source interface and attach the corresponding QoS Profile to it.
Nope, doesn't work. All traffic gets classified into the default-group. The other two groups never see any traffic.
Doesn't matter if both source interface and source subnet are set, only one or the other is set, or neither of them is set. All traffic shows in the Statistics as being in the default-group. (On the bright side, all the QoS Policies are working, and traffic is being classified correctly into the 8 classes.)
Assigning the QoS profile to the LAN interfaces works, but that's not the shared interface where we need the QoS to apply.
So, what am I missing?
04-05-2023 04:52 AM - edited 04-17-2023 03:58 AM
Howdy
QoS is applied on the 'egress' interface (out of firewall), so for uploads you need to have a profile on the WAN interface and downloads have another profile on the LAN interface (i.e. a single session touches 2 different QoS profiles on the c2s and s2c).
The class is applied on the c2s flow and applies to both profiles.
Hope this helps
04-05-2023 05:59 AM
@reaper I think you have a typo there.
QoS is on egress not ingress.
04-05-2023 06:51 AM
I tested and it works well.
What PANOS are you running?
04-05-2023 07:01 AM
I found an interesting discrepancy.
I pushed the config from Panorama, and in Panorama there is also a destination interface option that the firewall QoS settings don't have.
Not sure if it made a difference. Will test directly setting QoS on the firewall when I have time.
04-05-2023 08:34 AM - edited 04-05-2023 08:46 AM
PA-220 firewall running PanOS 9.1.15-h1.
Your setup appears to be almost identical to mine, but yours works and mine doesn't. Wonder if it's a PanOS version issue (you appear to be running 10.x?).
Doesn't matter if I use the physical interface, or the VLAN sub-interface on the Clear Text Traffic tab, the traffic never gets assigned to the different groups in the Statistics dialog. Always shows under default-group only.
Could it be a layer2 vs layer3 interface configuration?
04-05-2023 08:35 AM
The larger firewalls (3x00, 5x00, 7x00) allow you to set the destination interface. The smaller firewalls only support the source interface. Panorama shows both and only pushes the relevant interface based on the destination hardware.
04-05-2023 08:41 AM
The docs show QoS is applied on egress.
I have QoS configured on 3 interfaces in the firewall:
04-17-2023 03:58 AM
@Raido_Rattameister wrote:
@reaper I think you have a typo there.
QoS is on egress not ingress.
yep my bad, made a booboo there 🙂
07-06-2024 06:23 AM
I'm observing the same issue on VM-series 11.0.3-h3. I can successfully configure QoS in all directions and there are no misunderstandings about ingress/egress etc., but for the life of me I can't make traffic hit anything else than the default-group, in other words, the "Clear Text Traffic" tab in "QoS Interface" does not have any effect.
Anyone ever found out something useful?