05-22-2017 11:04 AM
05-22-2017 12:25 PM
Hi,
I am not talking about the QoS policy rule, I am talking about the profile.
I just mentioned 'YouTube' for easy understanding.
If I rephrase my question, it would be like below:
If a user is browsing the internet, do I need to set a download and upload profile (egress and ingress)?
Thanks
05-22-2017 07:33 PM
To get best results you should decrypt traffic.
I have seen cases when YouTube was identified as SSL without decryption.
As traffic comes from outside and is heading inside, you can't apply QoS to the outside interface because at that point you don't know yet what this traffic is.
You need to let it into the firewall to be analyzed and apply the QoS profile to the internal interface where traffic exits the firewall.
On the other hand, if you want to QoS YouTube uploads, then you apply QoS to the outside interface, as the traffic egress point is the outside interface.
05-23-2017 12:07 AM
QoS shaping is applied the moment a packet is about to leave the firewall (on the egress interface):
- to limit downloads, the QoS profile on the internal interface is used (packets flowing from the internet and exiting onto your local network)
- to limit uploads, the QoS profile of the untrust interface is applied (packets flowing from the LAN and exiting onto the internet)
In a single session, 2 different QoS profiles can be hit (outbound and inbound packets).
05-24-2017 12:12 AM
Hi,
A user is just browsing cnn.com, which means the user downloads and uploads at the same time. Is there any issue if we just apply a profile for limiting download only? What I mean is, does this affect the CIR which is committed by the ISP?
Thanks
05-24-2017 02:29 AM
It's perfectly possible to only create a profile to limit downloads and not interfere with uploads at all (QoS does not even need to be enabled on the upstream interface).
Hope this helps.
05-24-2017 03:26 PM
Hi @reaper
Thank you for your reply. You are always a great help!
I just want to rearrange my very basic and general QoS question. Let's say we have a 10 Mb download commitment with the ISP, and we have not yet applied any QoS profile, so the user will be able to take all the bandwidth, which is 10 Mb.
Now we have created a profile and applied it on egress with 5 classes, and each class has a 2 Mb limit with the same priority, and the user is in class 1. What will happen in this case? How will QoS help us?
2) How does this help us with the ISP dropping the traffic?
Thanks a million
05-24-2017 04:20 PM
I don't think it makes sense to set up 5 classes with 2 Mbit each, because if other classes are not in use then you don't use your full capability.
A few things that make sense to throttle are the Dropbox application, update applications using an Application filter, update URLs (for example, create a custom URL category and add the MS update URL into it), etc.
Can you explain your issue?
ISP is dropping packets?
So what? If you enable QoS then it will be Palo who will drop packets to throttle traffic. Palo has to throw away a packet from here and a packet from there, but TCP is smart and "TCP flow control" will keep traffic around the range you set with QoS.
05-25-2017 12:54 AM
05-25-2017 03:27 AM - edited 05-25-2017 06:05 AM
Just be sure that you create class 4 in your profile.
Class 4 is the default class for traffic that does not match any QoS policy.
If class 4 is missing from the profile it can cause big issues.
Edit: So I went to look up the article about the issue if class 4 is not set, and here it is.
The issue is that there are other guidelines that suggest not setting class 4.
Final note says "Note: Only desired classes can be defined in the QoS profile. The rest of the traffic would default to class 4."
or
@reaper, as those articles are quite old, can you check internally what the current suggestion is? And it is a bit unclear if a policy needs to exist for class 4 or both a policy and a class in the profile.