08-30-2013 02:38 AM
Hi All,
One of our customers has an internet access of 20Mbits and 4 types of users, so he wants to segment the internet access into 4 accesses in order to ensure that every user group has a bandwidth of 5Mbits.
Is it possible to do this treatment with a Palo Alto firewall?
BR,
08-30-2013 02:45 AM
You can use Active Directory user groups in QoS rules.
For each group you can use a max 5Mbit class and all for the related QoS profile.
QoS in PAN-OS 4.1 You can configure details related to document.
08-30-2013 02:50 AM
Look for the QoS use cases in the doc - QoS in PAN-OS 4.1
Case 2 – Sharing Bandwidth with Fairness
Hope this helps.
08-30-2013 03:58 AM
Thank you for your reply.
I have another question: is it possible to limit the bandwidth for users (users are defined by IP address)? I mean, if a user exceeds a bandwidth threshold, for example 1Go per day, the internet connection for this user will be denied and he will not be able to connect to the internet until the next business day.
08-30-2013 04:00 AM
This function is not supported for now.
08-30-2013 07:26 AM
While true out of the box, there is a way to accomplish this manually using the API interface and the dynamic address object feature.
1. You could create a dynamic address object that is referenced by the QoS policy. This policy is committed even though the DAO is empty.
2. When a user is manually detected as consuming too much bandwidth (DDoS protection looks at session levels, not bandwidth), you would add those users to the XML document referenced by a script (several ways to do that - manual script manipulation or the use of a block list API added into the GUI).
3. A process on your server would detect that the script was updated and execute the API to push the document to firewall(s) directly or via Panorama to populate the DAO on the firewall with your bad user(s).
4. Another automated process on your server would then remove the IP address of the bad actors at a set time every day based on the timestamp of the actor's addition.
See here as a potential basis for your workflow - Sample API workflow for Dynamic Address Objects
The obvious challenge here, besides writing scripts and monitoring CRON (or CRON-like processes), is tracking bandwidth consumption by user. What is missing on the appliance is such a report. The only way to get that out of the appliance is to apply QoS as a reporting-only (i.e. no max bandwidth) function, but you would need to create a policy per user, which is unrealistic. You would want to look to an external tool to gather this kind of information.
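The bookkeeping behind steps 2 and 4 above, as an added example that is not part of the original thread and is not Palo Alto code: it keeps the timestamped block list, adds over-quota IPs and releases them on the next business day. Assumptions: per-IP byte counts come from an external accounting tool, "1Go" is read as 10^9 bytes, the release time is 06:00, business days are Monday to Friday, and pushing the resulting list to the firewall is left out.

```python
import ipaddress
from datetime import datetime, time, timedelta

DAILY_LIMIT_BYTES = 10**9   # assumption: "1Go per day" read as 10^9 bytes
RELEASE_AT = time(6, 0)     # assumption: blocks lift at 06:00

def release_time(added: datetime) -> datetime:
    """RELEASE_AT on the first Mon-Fri day after the day the IP was added."""
    day = added.date() + timedelta(days=1)
    while day.weekday() >= 5:          # 5 = Saturday, 6 = Sunday
        day += timedelta(days=1)
    return datetime.combine(day, RELEASE_AT)

def update_blocklist(blocklist, usage, now):
    """Expire released IPs (step 4), then add over-quota IPs (step 2).

    blocklist: dict IP -> datetime added (mutated in place)
    usage:     dict IP -> bytes used today, from an external accounting tool
    Returns (added, removed) as sorted lists of IP strings.
    """
    removed = sorted(ip for ip, ts in blocklist.items() if now >= release_time(ts))
    for ip in removed:
        del blocklist[ip]
    added = []
    for ip, used in sorted(usage.items()):
        ipaddress.ip_address(ip)       # raises ValueError on a malformed entry
        if used > DAILY_LIMIT_BYTES and ip not in blocklist:
            blocklist[ip] = now
            added.append(ip)
    return added, removed

def demo():
    """Constructed sample data: one heavy user on Friday 2013-08-30."""
    bl = {}
    fri = update_blocklist(bl, {"10.0.0.5": 1_400_000_000, "10.0.0.6": 200_000_000},
                           datetime(2013, 8, 30, 15, 0))
    sat = update_blocklist(bl, {}, datetime(2013, 8, 31, 12, 0))
    mon = update_blocklist(bl, {"10.0.0.5": 0}, datetime(2013, 9, 2, 6, 0))
    return fri, sat, mon, bl

if __name__ == "__main__":
    print(demo())
```

The `added` and `removed` lists are what a scheduled job would hand to whatever mechanism populates the dynamic address object.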