qos

L4 Transporter

Hi,

After egress max set in the following order,

If 100 Mb is the internet speed and through the trust link (1 GB) traffic is going other than untrust (internet zone),

is the below configuration OK?

 

 

class 1 10
class 2 10
class 3 10
class 4 40
class 5 10
class 6 10
class 7 5
class 8 5

 

Thanks

6 REPLIES 6

L7 Applicator

Sorry, I'm not understanding the question fully.  

 

I think you are wondering about applying a QoS setting to trust that would perhaps limit traffic prematurely because the internet bandwidth is much more limited than your local one.

 

This would be a concern and you should have the internet QoS only applied to your untrust internet facing interface and NOT the trust interface.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

Hi,

Thanks for the reply 

"This would be a concern and you should have the internet QoS only applied to your untrust internet facing interface and NOT the trust interface"

To limit the download bandwidth we should apply on our trust interface (egress), correct me if I am wrong?

 

Thanks

Download traffic is also egress on the untrust side as well.  

 

I guess I don't follow what limitations you are trying to support.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

Hi,

I was trying to limit download from the internet by the user who is sitting inside the campus network.

If I have internet bandwidth 100 Mbps, all the users (from class 1 - 8) should not send traffic to the service provider more than that (I mean ISP should not have a chance to drop the traffic).

 

Hope I could clarify 

Thanks

 

QoS has to be applied to the interface where traffic will exit firewall.
For download traffic it has to be applied to trust interface.

Only be careful if you have multiple zones.
Assume you have 3 zones - internet, servers, users.
If you apply QoS on "users" zone then it means that download is limited from internet>users and also servers>users.


To avoid that you should tune QoS interface > Clear Text Traffic
Also same place is where you set your Egress Max 100Mbit.
It does not make sense to set Classes so that aggregate max is 100Mbit because your traffic will never balance between classes to get full 100Mbit.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011
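
The point in the reply above about per-class maximums adding up to 100Mbit, as an added example that is not part of the original thread. It is a simplified allocation model, not the PAN-OS scheduler; it reads the class values from the question as Mbit/s, and the demand figures are constructed.

```python
# Constructed model of two ways to use the same class numbers. Units: Mbit/s.
EGRESS_MAX = 100  # interface-level Egress Max from the thread
# Values from the original question, read here as Mbit/s (assumption).
CLASS_VALUES = {1: 10, 2: 10, 3: 10, 4: 40, 5: 10, 6: 10, 7: 5, 8: 5}
# Constructed demand: only two classes are busy at this moment.
DEMAND = {1: 30, 4: 90}


def capped_per_class(demand, class_max=CLASS_VALUES):
    """Each class is hard-limited to its own maximum; idle classes' share is lost."""
    return {c: min(demand.get(c, 0), class_max[c]) for c in class_max}


def guaranteed_with_shared_max(demand, guarantee=CLASS_VALUES, egress_max=EGRESS_MAX):
    """Classes get up to their guarantee first; leftover interface capacity is
    then split evenly among classes that still have unmet demand."""
    if sum(guarantee.values()) > egress_max:
        raise ValueError("guarantees exceed the interface egress max")
    alloc = {c: min(demand.get(c, 0), guarantee[c]) for c in guarantee}
    spare = egress_max - sum(alloc.values())
    hungry = {c for c in alloc if demand.get(c, 0) > alloc[c]}
    while spare > 1e-9 and hungry:
        share = spare / len(hungry)
        for c in sorted(hungry):
            extra = min(share, demand[c] - alloc[c])
            alloc[c] += extra
            spare -= extra
        hungry = {c for c in hungry if demand[c] - alloc[c] > 1e-9}
    return alloc


def total(alloc):
    """Aggregate throughput leaving the interface."""
    return round(sum(alloc.values()), 6)


if __name__ == "__main__":
    print("class max only :", total(capped_per_class(DEMAND)))
    print("shared egress  :", total(guaranteed_with_shared_max(DEMAND)))
```

With the class values used as hard maximums the link only fills when all eight classes are busy at once; with one interface-level limit the same demand can use the whole 100 Mbit/s.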

Hi,
We should apply all the egress interface (inside and outside) to limit the download and upload.
For example user a is trying to access website cnn.com from the internal host,
the traffic is flowing from the internal network to internet and also in reverse direction.
Let's say if we have 100 Mbps internet bandwidth and if we have profile only to limit the download (on the inside interface)
the traffic will flow from the internal network to the internet, so there is chance ISP drop this traffic (so the traffic does not exceed network capacity which is allotted by the ISP).
Please correct me if I am wrong.

So we should have profile on both egress (internal and wan).

Thanks
