Qos profile

if you use the 'QoS marking' option, then yes, an upstream device needs to do the shaping

if you configure QoS on the PANW, it will apply shaping just fine and you wont need external devices

Hi,

If we configure the qos on PANOS and the packet reached on upstream asa or router , How the asa will treat this packet if there is no qos related service enabled ( policy )

Thanks

sensing much confusion, I am

😉

ok ok lemme start fresh

1) there are QoS policies and QoS profiled on the panw firewall which allow you to set maximum throughput or guaranteed throughput for certain classes of traffic. you can also set a priority which, in case the firewall is starved for resources (high DP load) can prioritize the IO of certain sessions. all this is achieved on the firewall without the outside being aware something is being limited or prioritized

2) QoS marking through a security policy: the firewall adds a QoS 'color' to the packets in a session (DSCP codepoint, like a flag in tcp header) so external devices can pick up on these colored packets (upstream loadbalancers or other firewalls/routers) and prioritize/deprioritize based on the 'color' of the packet, IF they understand DSCP codepoints

@sib2017 if you're putting the time and effort to do QOS mappings on your ASA and PA then you really should enable it on the access layer. When setting up QOS you pretty much want to have it on the full stream if possible, but usually most people would do QOS on the access and distribution layer and then would have the firewall scaled to the point they don't have to worry about doing QOS on it as much, as most ISPs won't listen to DSCP codepoints. 

I would really recommend that you work on creating QOS statements on your access layer before you worry to much about working with QOS on your firewall unless your dataplane is constantly starved for resources. It is far more likely that the access or distribution layer is dropping packets in the queue than your firewall dropping them, unless of course your ASA or PA is not scaled for your network properly. 

Also yes if you have the PA set to do DSCP codepoints you also need to tell your ASA what to do with them so that it prioritizes things properly. It's important to note that QOS simply tells the device how it should be processing the traffic; so if the traffic can all be processed almost instantly and not build up in the queue then you really never take advantage of your QOS statements, but if the queue starts to fill up then the device uses the QOS statements to know what you want to prioritize and actually process first, second, third, and so on.