03-29-2017 01:10 AM
Hi reaper,
Usually the enforcing device must be the upstream device (router or firewall)?
I have deployed the PA in VW mode. My upstream device is the ASA FW and then a router.
03-29-2017 01:17 AM
If you use the 'QoS marking' option, then yes, an upstream device needs to do the shaping.
If you configure QoS on the PANW, it will apply shaping just fine and you won't need external devices.
03-29-2017 02:01 AM
If we configure QoS on PAN-OS and the packet reaches the upstream ASA or router, how will the ASA treat this packet if there is no QoS-related service (policy) enabled?
03-29-2017 02:45 AM
Sensing much confusion, I am.
OK, OK, let me start fresh.
1) There are QoS policies and QoS profiles on the PANW firewall which allow you to set maximum throughput or guaranteed throughput for certain classes of traffic. You can also set a priority which, in case the firewall is starved for resources (high DP load), can prioritize the I/O of certain sessions. All this is achieved on the firewall without the outside being aware something is being limited or prioritized.
2) QoS marking through a security policy: the firewall adds a QoS 'color' to the packets in a session (a DSCP codepoint, like a flag in the TCP header) so external devices can pick up on these colored packets (upstream load balancers or other firewalls/routers) and prioritize/deprioritize based on the 'color' of the packet, IF they understand DSCP codepoints.
03-29-2017 06:25 AM - edited 03-29-2017 06:29 AM
@sib2017 if you're putting in the time and effort to do QoS mappings on your ASA and PA, then you really should enable it on the access layer. When setting up QoS you pretty much want to have it on the full stream if possible, but usually most people would do QoS on the access and distribution layer and then have the firewall scaled to the point that they don't have to worry about doing QoS on it as much, as most ISPs won't listen to DSCP codepoints.
I would really recommend that you work on creating QoS statements on your access layer before you worry too much about working with QoS on your firewall, unless your dataplane is constantly starved for resources. It is far more likely that the access or distribution layer is dropping packets in the queue than your firewall dropping them, unless of course your ASA or PA is not scaled properly for your network.
Also, yes, if you have the PA set to do DSCP codepoints, you also need to tell your ASA what to do with them so that it prioritizes things properly. It's important to note that QoS simply tells the device how it should be processing the traffic; so if the traffic can all be processed almost instantly and not build up in the queue, then you never really take advantage of your QoS statements, but if the queue starts to fill up, then the device uses the QoS statements to know what you want to prioritize and actually processes first, second, third, and so on.
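The two points made above, that the firewall's QoS 'color' is a DSCP codepoint the next hop has to be told about, and that priority only changes anything once a queue actually builds up, can be shown end to end in a few lines. The following is an added example, not code from the thread, from Palo Alto Networks or from Cisco. It writes a DSCP value into the 6 upper bits of the IPv4 TOS byte (where DSCP lives on the wire; IPv6 uses the traffic class field the same way), reads it back off a constructed packet, and models a downstream hop with strict-priority queues. The DSCP-to-queue mapping (`CLASS_OF`) and the sample packets are assumptions made for the example, not a PAN-OS or ASA default.

```python
"""DSCP marking on IPv4 and a strict-priority egress model (added example).

Sample packets and the DSCP->queue mapping are constructed for illustration.
"""
import struct
from collections import deque

# Well-known codepoints (RFC 2474 class selectors, RFC 2597 AF, RFC 3246 EF).
DSCP = {"CS0": 0, "CS1": 8, "AF11": 10, "AF21": 18, "AF31": 26, "AF41": 34,
        "EF": 46, "CS6": 48}


def set_dscp(tos: int, dscp: int) -> int:
    """Write a 6-bit DSCP into the TOS byte, preserving the 2 ECN bits."""
    if not 0 <= dscp < 64:
        raise ValueError("DSCP is a 6-bit field")
    return (dscp << 2) | (tos & 0x03)


def get_dscp(tos: int) -> int:
    """Upper 6 bits of the TOS / traffic class byte are the DSCP."""
    return tos >> 2


def build_ipv4_header(src: str, dst: str, dscp: int, proto: int = 6,
                      payload_len: int = 0) -> bytes:
    """Minimal 20-byte IPv4 header carrying `dscp` (checksum left at zero)."""
    tos = set_dscp(0, dscp)
    total_len = 20 + payload_len
    return struct.pack("!BBHHHBBH4s4s",
                       0x45, tos, total_len, 0, 0, 64, proto, 0,
                       bytes(int(o) for o in src.split(".")),
                       bytes(int(o) for o in dst.split(".")))


def dscp_of_packet(pkt: bytes) -> int:
    """The 'color' a marked packet carries: byte 1 of the IPv4 header."""
    return get_dscp(pkt[1])


# Assumed downstream policy: DSCP -> strict-priority queue (0 = highest).
# Anything not listed falls into queue 3 (best effort).  This is an
# illustration, not a vendor default.
CLASS_OF = {DSCP["EF"]: 0, DSCP["AF41"]: 1, DSCP["AF31"]: 1,
            DSCP["AF21"]: 2, DSCP["AF11"]: 2}


def classify(pkt: bytes) -> int:
    """A hop that 'understands DSCP' maps the codepoint to a queue."""
    return CLASS_OF.get(dscp_of_packet(pkt), 3)


def schedule(arrivals, drain_per_tick: int):
    """Strict-priority egress over time.

    arrivals: list of (arrival_tick, packet).  Each tick, every packet whose
    arrival tick has passed is enqueued by class, then up to `drain_per_tick`
    packets leave, highest-priority queue first.  Returns the sequence numbers
    (index into `arrivals`) in egress order.
    """
    queues = [deque() for _ in range(4)]
    pending = sorted(enumerate(arrivals), key=lambda item: item[1][0])
    out, tick, i = [], 0, 0
    while i < len(pending) or any(queues):
        while i < len(pending) and pending[i][1][0] <= tick:
            seq, (_, pkt) = pending[i]
            queues[classify(pkt)].append(seq)
            i += 1
        sent = 0
        for q in queues:
            while q and sent < drain_per_tick:
                out.append(q.popleft())
                sent += 1
        tick += 1
    return out


# Constructed sample traffic: best effort, AF11, EF, AF41 (in that order).
SAMPLE = [build_ipv4_header("10.0.0.1", "10.0.1.1", d)
          for d in (DSCP["CS0"], DSCP["AF11"], DSCP["EF"], DSCP["AF41"])]


def uncongested_order():
    """One packet per tick, one drained per tick: queue never builds, so
    egress order equals arrival order and the DSCP marks change nothing."""
    return schedule([(t, p) for t, p in enumerate(SAMPLE)], drain_per_tick=1)


def congested_order():
    """All four arrive at once but only one leaves per tick: now the marks
    decide who goes first (EF, then AF41, then AF11, then best effort)."""
    return schedule([(0, p) for p in SAMPLE], drain_per_tick=1)


if __name__ == "__main__":
    print("uncongested:", uncongested_order())
    print("congested:  ", congested_order())
```

Run as-is it prints the two orderings; the first is simply the arrival order, the second is sorted by the DSCP class the downstream hop was told to honour. Strip the `CLASS_OF` mapping (an ASA or router with no QoS policy) and `classify()` returns 3 for everything, which is exactly the "no QoS-related service enabled" case asked about earlier: the marks are carried through untouched but nothing acts on them.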