Qos question

Reply
Highlighted
L4 Transporter

Qos question

Hi,

Let's say user wathing youtube , to limit the user's traffic ,
do we need to create qos profile for upload and download ?
Thanks

Highlighted
L1 Bithead

  1. Policy -> QoS
  2. Add
    • Name: Youtube
    • Source: Trusted
    • Destination:Untrusted
    • Application: [youtube]
    • Class:

 

https://live.paloaltonetworks.com/t5/Featured-Articles/Getting-Started-Quality-of-Service/ta-p/68633...

Highlighted
L4 Transporter

Hi,

I am not talking about the qos policy rule , I am talking about the  profile  .

I just to mentioned 'youtube ' for easy understanding . 

If I rephrase my question ,  It would be like below 

If a user browsing internet  , Do  I need to set  download and upload profile (egress and ingress)

Thanks

Highlighted
L7 Applicator

To get best results you should decrypt traffic.

I have seen cases when Youtube was identified as SSL without decyption.

 

As traffic comes from outside and heading inside you can't apply QoS to outside interface because at that point you don't know yet what this traffic is.

You need to let it into firewall to be analyzed and apply QoS profile to internal interface where traffic exits the firewall.

 

On the other hand if you want to QoS Youtube upload then you apply QoS to outside interface as traffic egress point is outside interface.

Enterprise Architect @ Cloud Carib www.cloudcarib.com
ACE, PCNSE, PCNSI
Highlighted
L7 Applicator

QoS shaping is applied the moment a packet is about to leave the firewall (on the egress interface):

- to limit downloads the QoS profile on the internal interface is used (packets flowing from the internet and exiting onto your local network)

- to limit uploads, the QoS profile of the untrust interface is applied (packet flowing from the lan and exiting onto the internet

 

in a single session 2 different QoS profiles can be hit (outbound and inbound packets)

Tom Piens - PANgurus.com
Like my answer? check out my book! amazon.com/dp/1789956374
Highlighted
L4 Transporter

Hi,
A user just browsing cnn.com ,that means useer downloads and uploads the same time . Is there any issue If we just applied profile for limiting download only . What I mean does this effect CIR which is committed by ISP

Thanks

Highlighted
L7 Applicator

its perfectly possible to only create a profile to linit downloads and not interfere with uploads at all (QoS does not even need to be enabled on the upstream interface)

 

hope this helps

Tom Piens - PANgurus.com
Like my answer? check out my book! amazon.com/dp/1789956374
Highlighted
L4 Transporter

Hi @reaper

Thank you for your reply . You are always  great help ! . 

I just want rearrange my  very basic  and general qos question   , Let's say we have a  10 Mb download   commitement  with  ISP .And we have not yet applied  any qos profile ,so the user will be able to take all the bandwidth  which is 10 Mb .

Now we  have created a profile and applied on egress  with 5 classes  and each class  is 2 Mb limit  with same priority  and the user is in class 1 .What will happen in this case ? .How the qos will help us 

 

2)  How this help us ISP's dropping the traffic  ?

 

Thanks a million 

 

 

 

 

Highlighted
L7 Applicator

I don't think it makes sense to set up 5 classes with 2Mbit each as if other classes are not in use then you don't use your full capability.

 

Few things that make sense to throttle are Dropbox application, Update applications using Application filter, Update URLs (for example create custom URL category and add MS update URL into it) etc.

 

Can you explain your issue?

ISP is dropping packets?

So what? If you enable QoS then it will be Palo who will drop packets to throttle traffic. Palo has to throw away packet from here and packet from there but TCP is smart and "tcp flow control" will keep traffic around the range you set with QoS.

Enterprise Architect @ Cloud Carib www.cloudcarib.com
ACE, PCNSE, PCNSI
Highlighted
L7 Applicator

I agree with @Raido , if you only have 10mbit it doesn't make much sense to limit all your classes to 2mb as this will limit the sessions every step of the way and will not change the fact packets need to get discarded to limit the bandwidth usage (if it's not the ISP, it's the firewall)

You could work with one or a few classes that do have a guarantee for business critical apps, so that when your users are using your full bandwidth, your business critical applications will still function normally (while everything else will be dreadfully slow)
And a class (or a few) for bad applications you really want to limit (like streaming or online storage, ...) Set to 1mb limit for example
And finally a class that you use for your generic browsing with no limit or guarantee. It will be able to use all bandwidth unless one of your guarantee classes is active at which time it will surrender the bandwidth to those classes (make sure to set the profile limit to 10mb)

(Class priority should not be a factor as that relates to platform IO and 10mb should not be an issue, but you can put the business critical class on real-time just to make sure it gets priority queueing if it's ever needed)

Hope this helps! :)
Tom Piens - PANgurus.com
Like my answer? check out my book! amazon.com/dp/1789956374
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!