Qos question



Hi,

Let's say a user is watching YouTube. To limit the user's traffic,
do we need to create a QoS profile for upload and download?
Thanks


  1. Policy -> QoS
  2. Add
    • Name: Youtube
    • Source: Trusted
    • Destination: Untrusted
    • Application: [youtube]
    • Class:


https://live.paloaltonetworks.com/t5/Featured-Articles/Getting-Started-Quality-of-Service/ta-p/68633...

Hi,

I am not talking about the QoS policy rule, I am talking about the profile.

I just mentioned 'youtube' for easy understanding.

If I rephrase my question, it would be like below:

If a user is browsing the internet, do I need to set a download and an upload profile (egress and ingress)?

Thanks

To get best results you should decrypt traffic.

I have seen cases when YouTube was identified as SSL without decryption.

As traffic comes from outside and heads inside, you can't apply QoS to the outside interface because at that point you don't know yet what this traffic is.

You need to let it into the firewall to be analyzed and apply the QoS profile to the internal interface where the traffic exits the firewall.

On the other hand, if you want to QoS YouTube upload, then you apply QoS to the outside interface, as the traffic egress point is the outside interface.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

QoS shaping is applied the moment a packet is about to leave the firewall (on the egress interface):

- to limit downloads, the QoS profile on the internal interface is used (packets flowing from the internet and exiting onto your local network)

- to limit uploads, the QoS profile of the untrust interface is applied (packets flowing from the LAN and exiting onto the internet)

In a single session, 2 different QoS profiles can be hit (outbound and inbound packets).

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Hi,
A user just browsing cnn.com means the user downloads and uploads at the same time. Is there any issue if we just apply a profile for limiting download only? What I mean is, does this affect the CIR which is committed by the ISP?

Thanks

It's perfectly possible to only create a profile to limit downloads and not interfere with uploads at all (QoS does not even need to be enabled on the upstream interface).

Hope this helps

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Hi @reaper

Thank you for your reply. You are always a great help!

I just want to rearrange my very basic and general QoS question. Let's say we have a 10 Mb download commitment with the ISP, and we have not yet applied any QoS profile, so the user will be able to take all the bandwidth, which is 10 Mb.

Now we have created a profile and applied it on egress with 5 classes, each class with a 2 Mb limit and the same priority, and the user is in class 1. What will happen in this case? How will the QoS help us?

2) How does this help us with the ISP dropping the traffic?

Thanks a million

I don't think it makes sense to set up 5 classes with 2 Mbit each, as if other classes are not in use then you don't use your full capacity.

A few things that make sense to throttle are the Dropbox application, update applications using an application filter, update URLs (for example, create a custom URL category and add the MS update URL into it), etc.

Can you explain your issue?

ISP is dropping packets?

So what? If you enable QoS then it will be the Palo that drops packets to throttle traffic. The Palo has to throw away a packet from here and a packet from there, but TCP is smart and "TCP flow control" will keep traffic around the range you set with QoS.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

I agree with @Raido_Rattameister: if you only have 10 Mbit it doesn't make much sense to limit all your classes to 2 Mb, as this will limit the sessions every step of the way and will not change the fact that packets need to get discarded to limit the bandwidth usage (if it's not the ISP, it's the firewall).

You could work with one or a few classes that do have a guarantee for business critical apps, so that when your users are using your full bandwidth, your business critical applications will still function normally (while everything else will be dreadfully slow).
And a class (or a few) for bad applications you really want to limit (like streaming or online storage, ...), set to a 1 Mb limit for example.
And finally a class that you use for your generic browsing with no limit or guarantee. It will be able to use all bandwidth unless one of your guarantee classes is active, at which time it will surrender the bandwidth to those classes (make sure to set the profile limit to 10 Mb).

(Class priority should not be a factor, as that relates to platform IO and 10 Mb should not be an issue, but you can put the business critical class on real-time just to make sure it gets priority queueing if it's ever needed.)

Hope this helps! 🙂
Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Just be sure that you create class 4 in your profile.

Class 4 is the default class for traffic that does not match any QoS policy.

If class 4 is missing from the profile it can cause big issues.

 

Edit: So I went to look up the article about the issue if class 4 is not set, and here it is.

https://live.paloaltonetworks.com/t5/Management-Articles/Firewall-Slows-Down-and-Stops-Forwarding-Tr...

 

The issue is that there are other guidelines that suggest not to set class 4.

The final note says "Note: Only desired classes can be defined in the QoS profile. The rest of the traffic would default to class 4."

https://live.paloaltonetworks.com/t5/Configuration-Articles/Incorrect-QoS-Configuration-Caused-Netwo...

or

https://live.paloaltonetworks.com/t5/tkb/articleprintpage/tkb-id/ConfigurationArticles/article-id/11...

 

@reaper, as those articles are quite old, can you check internally what the current suggestion is? And it is a bit unclear if a policy needs to exist for class 4, or both a policy and the class in the profile.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011
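To make the two profile designs discussed by Raido and Tom above concrete (five flat 2 Mb classes versus a guaranteed class, a capped class and an unlimited default class), here is a small Python model of how an egress profile's limit gets shared among its classes; it is an added illustration, not code from this thread or from Palo Alto Networks. The allocation order (guarantees first, then an equal water-fill of the remainder among classes still below their cap) is an assumption of the model, not a description of the PAN-OS scheduler, and the demand figures are constructed; the class-4 check reflects Raido's point that unmatched traffic lands in class4.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class QosClass:
    name: str                         # PAN-OS profile class name, class1..class8
    guaranteed_mbps: float = 0.0      # egress guaranteed
    max_mbps: Optional[float] = None  # egress max; None means no limit
    demand_mbps: float = 0.0          # constructed offered load for the scenario

def allocate(profile_max_mbps, classes):
    """Share the profile's egress limit among classes (assumed model):
    honour guarantees first, then water-fill the remainder equally
    among classes that still have demand below their cap."""
    cap = {c.name: c.demand_mbps if c.max_mbps is None
           else min(c.demand_mbps, c.max_mbps) for c in classes}
    alloc = {c.name: 0.0 for c in classes}
    remaining = float(profile_max_mbps)
    for c in classes:                 # guarantees, capped by demand and max
        give = min(c.guaranteed_mbps, cap[c.name], remaining)
        alloc[c.name] += give
        remaining -= give
    active = [c.name for c in classes if alloc[c.name] < cap[c.name]]
    while remaining > 1e-9 and active:
        share = remaining / len(active)
        for name in list(active):
            give = min(share, cap[name] - alloc[name])
            alloc[name] += give
            remaining -= give
            if cap[name] - alloc[name] <= 1e-9:
                active.remove(name)   # class is saturated, stop offering it bandwidth
    return {k: round(v, 3) for k, v in alloc.items()}

def has_default_class(classes):
    """True if class4, where traffic matching no QoS policy lands, is in the profile."""
    return any(c.name == "class4" for c in classes)

# Scenario 1 (the question): 5 classes with a 2 Mb limit each, only class1 busy.
FLAT = [QosClass(f"class{i}", max_mbps=2, demand_mbps=10 if i == 1 else 0)
        for i in range(1, 6)]
# Scenario 2 (Tom's design): guaranteed business class, capped "bad apps" class,
# and an unlimited class4 for generic browsing, profile limit 10 Mb.
TIERED = [QosClass("class1", guaranteed_mbps=4, demand_mbps=3),
          QosClass("class2", max_mbps=1, demand_mbps=5),
          QosClass("class4", demand_mbps=10)]

if __name__ == "__main__":
    print(allocate(10, FLAT))    # class1 stuck at 2 Mb while 8 Mb of the link sits idle
    print(allocate(10, TIERED))  # class4 soaks up whatever class1 and class2 leave over
    print(has_default_class(FLAT), has_default_class(TIERED))
```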