segmentation of bandwidth:


Not applicable

Hi All,

One of our customers has an internet access of 20Mbits and 4 types of users, so he wants to segment the internet access into 4 accesses in order to ensure that every user group has a bandwidth of 5Mbits.

Is it possible to do this treatment with a Palo Alto firewall?

BR,

6 REPLIES 6

L6 Presenter

You can use Active Directory user groups in QoS rules.

For each group you can use a max 5mbit class and all for the related QoS profile.

QoS in PAN-OS 4.1 You can configure details related to document.

L4 Transporter

Look for the QoS use cases in the doc - QoS in PAN-OS 4.1

Case 2 – Sharing Bandwidth with Fairness

Hope this helps.

Not applicable

Thank you for your reply.

I have another question: is it possible to limit the bandwidth for users (users are defined by IP address)? I mean, if a user exceeds a bandwidth threshold, for example 1Go per day, the internet connection for this user will be denied and he will not be able to connect to the internet till the next business day.

This function is not supported for now.

thanks.

While true out of the box, there is a way to accomplish this manually using the API interface and the dynamic address object feature.

1. You could create a dynamic address object that is referenced by the QoS policy. This policy is committed even though the DAO is empty.

2. When a user is manually detected as consuming too much bandwidth (DDoS protection looks at session levels, not bandwidth), you would add those users to the XML document referenced by a script (several ways to do that - manual script manipulation or the use of a block list API added into the GUI)

3. A process on your server would detect that the script was updated and execute the API to push the document to firewall(s) directly or via Panorama to populate the DAO on the firewall with your bad user(s)

4. Another automated process on your server would then remove the IP address of the bad actors at a set time every day based on the timestamp of the actor's addition

See here as a potential basis for your workflow - Sample API workflow for Dynamic Address Objects

Obvious challenges here - besides writing scripts and monitoring CRON (or CRON-like processes) is tracking on bandwidth consumption by user. The function that is missing on the appliance is the lack of such a report. The only way to get that out of the appliance is to apply QoS as a reporting only (i.e. no max bandwidth) function, but you would need to create a policy per user - which is unrealistic. You would want to look to an external tool to gather this kind of information.
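The bookkeeping behind steps 2 to 4 of the reply above, as an added example that is not part of the original post or of Palo Alto's sample workflow. It assumes per-IP byte counters come from an external collector; `QuotaBlocklist`, `sync` and the `push` callback standing in for the firewall API call are hypothetical names.

```python
import ipaddress
from datetime import datetime, timedelta

QUOTA_BYTES = 10**9  # the thread's example threshold, taken here as 1 GB per day


class QuotaBlocklist:
    """Decides which IPs belong in the dynamic address object (hypothetical helper)."""

    def __init__(self, quota=QUOTA_BYTES, reset_hour=0):
        self.quota = quota
        self.reset_hour = reset_hour  # daily hour at which entries are lifted
        self.blocked = {}  # ip -> datetime the IP was added

    def ingest(self, usage, now):
        """usage maps IP -> bytes used today, as reported by an external collector.
        Returns the IPs newly over quota, i.e. the ones to add to the DAO."""
        added = []
        for ip, used in usage.items():
            ip = str(ipaddress.ip_address(ip))  # reject malformed input early
            if used > self.quota and ip not in self.blocked:
                self.blocked[ip] = now
                added.append(ip)
        return sorted(added)

    def expire(self, now):
        """Returns IPs added before the most recent daily reset, i.e. the ones to remove."""
        reset = now.replace(hour=self.reset_hour, minute=0, second=0, microsecond=0)
        if now < reset:
            reset -= timedelta(days=1)
        removed = sorted(ip for ip, ts in self.blocked.items() if ts < reset)
        for ip in removed:
            del self.blocked[ip]
        return removed


def sync(blocklist, usage, now, push):
    """One scheduler tick. push(add, remove) stands in for the firewall API call."""
    remove = blocklist.expire(now)
    add = blocklist.ingest(usage, now)
    if add or remove:
        push(add, remove)
    return add, remove


if __name__ == "__main__":
    bl = QuotaBlocklist()
    sample = {"10.0.0.5": 1_500_000_000, "10.0.0.6": 200_000_000}  # constructed counters
    print(sync(bl, sample, datetime(2024, 1, 8, 15, 0), lambda a, r: None))
    print(sync(bl, {}, datetime(2024, 1, 9, 0, 5), lambda a, r: None))
```

The collector is expected to zero its counters at the same reset hour; otherwise an address lifted by `expire` is re-added on the same tick.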
