Upload and Download QoS

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Palo Alto Networks Approved
Palo Alto Networks Approved
Community Expert Verified
Community Expert Verified

Upload and Download QoS

L1 Bithead

May I ask how to configure upload and download QoS?

I have tested whether I perform upload or download, the QoS always hit LAN->WAN policy. The result is different from what this article said.

https://live.paloaltonetworks.com/t5/general-topics/qos-bandwidth-limitation-download-amp-upload/m-p...

 

My customer wants to do so is that their link bandwidth is different for upload and download (i.e. 100M/50M)

 

Also, I have viewed youtube about upload and download QoS

https://www.youtube.com/watch?v=BJbwm1pXvlk

https://www.youtube.com/watch?v=OHMiHw0zDrk&t=1s

But the result comes as what I said, the QoS always hit LAN->WAN policy when perform upload or download. It means I can only control in egress WAN interface, but it has no effect when I control in LAN interface.

Thank you.

1 accepted solution

Accepted Solutions

Hi @WilsonHuang ,

To be fair configuring QoS on Palo Alto firewall could be confusing. There are couple of components that work together to apply QoS:

- QoS Policy rules - are used only to match the traffic you want to apply QoS policing. Matched traffic is tagged with a class defined in the QoS policy rule. Important note to remember - QoS policy rules are working like security rules and are "session oriented".  Which means the entire session in the session table is tagged with QoS class, not individual packet. But for that reason QoS policy rules are evaluated only when new session is established, which also means QoS rule must match the direction in which session is initiated. Return traffic is not evaluated by QoS policy rules, because it is associated with existing session and QoS class is already assigned.

- QoS Profile - is used to define classes and bandwidth limits and priority for each class. You can define up to eight classes in one profile

- QoS interface (named QoS in the GUI under Network tab) - here you define on which interface you want to apply QoS, by applying QoS policy created earlier.

- QoS Interface "rules" - when defining QoS interface, you specify which is the default QoS profile that will be applied by this interface. But you can also have different QoS profiles, based on source interface/addresses. This could be useful if you need to have more than eight QoS queues. But lets ignore this for a moment as it brings a lot of complexity

 

In addition to the above, you need to take in consideration the great explantion by @SutareMayur from the previous discusion - QoS is applied on the egress interface only.

 

To make it more clear lets see how you can configure the setup you need - apply different QoS for upload and download

1. You will need QoS policy rules, that will match initial direction of the traffic. In your case this will be rule matching LAN to WAN (users accessing public Internet) and applying class1

2. You need to create two QoS profiles one for download and one for upload. Define the same class number in each profile with the required bandwidth. Let say class1 = 50Mbps in download profile and class1 = 100Mbps for upload profile

3. You need to create two QoS interfaces, one will be your Internet facing interface and second will be your LAN facing interface. Apply upload profile to WAN interface and download profile to LAN interface

 

Lets explain what will happend:

- User will try to connect to some reasources in Internet

- Your QoS policy rule will match that traffic and apply QoS class1 for both directions of this session

- Traffic from user to Internet server (upload) will be tagged with class1 and traffic will be shaped by QoS profile upload before exiting WAN interface

- Return traffic from server to user (download) will be also tagged with class1 and traffic will be shaped by QoS profile download before exiting LAN interface

 

 It is also important to note that QoS is applied on interface level, which means all traffic exiting this interface will be shaped by the QoS profile applied on that interface, no matter if you have created QoS policy rule or not. If there is traffic that doesn't match any QoS policy rule, but still exiting via QoS interface, it will be tagged with/put in class4 queue. Which means any traffic that does not match QoS policy rule will share the same class4 queue. This shouldn't be a problem, because if you don't define bandwidth limit for that class in your QoS profiles this traffic will actually not be limited by QoS.

View solution in original post

2 REPLIES 2

Hi @WilsonHuang ,

To be fair configuring QoS on Palo Alto firewall could be confusing. There are couple of components that work together to apply QoS:

- QoS Policy rules - are used only to match the traffic you want to apply QoS policing. Matched traffic is tagged with a class defined in the QoS policy rule. Important note to remember - QoS policy rules are working like security rules and are "session oriented".  Which means the entire session in the session table is tagged with QoS class, not individual packet. But for that reason QoS policy rules are evaluated only when new session is established, which also means QoS rule must match the direction in which session is initiated. Return traffic is not evaluated by QoS policy rules, because it is associated with existing session and QoS class is already assigned.

- QoS Profile - is used to define classes and bandwidth limits and priority for each class. You can define up to eight classes in one profile

- QoS interface (named QoS in the GUI under Network tab) - here you define on which interface you want to apply QoS, by applying QoS policy created earlier.

- QoS Interface "rules" - when defining QoS interface, you specify which is the default QoS profile that will be applied by this interface. But you can also have different QoS profiles, based on source interface/addresses. This could be useful if you need to have more than eight QoS queues. But lets ignore this for a moment as it brings a lot of complexity

 

In addition to the above, you need to take in consideration the great explantion by @SutareMayur from the previous discusion - QoS is applied on the egress interface only.

 

To make it more clear lets see how you can configure the setup you need - apply different QoS for upload and download

1. You will need QoS policy rules, that will match initial direction of the traffic. In your case this will be rule matching LAN to WAN (users accessing public Internet) and applying class1

2. You need to create two QoS profiles one for download and one for upload. Define the same class number in each profile with the required bandwidth. Let say class1 = 50Mbps in download profile and class1 = 100Mbps for upload profile

3. You need to create two QoS interfaces, one will be your Internet facing interface and second will be your LAN facing interface. Apply upload profile to WAN interface and download profile to LAN interface

 

Lets explain what will happend:

- User will try to connect to some reasources in Internet

- Your QoS policy rule will match that traffic and apply QoS class1 for both directions of this session

- Traffic from user to Internet server (upload) will be tagged with class1 and traffic will be shaped by QoS profile upload before exiting WAN interface

- Return traffic from server to user (download) will be also tagged with class1 and traffic will be shaped by QoS profile download before exiting LAN interface

 

 It is also important to note that QoS is applied on interface level, which means all traffic exiting this interface will be shaped by the QoS profile applied on that interface, no matter if you have created QoS policy rule or not. If there is traffic that doesn't match any QoS policy rule, but still exiting via QoS interface, it will be tagged with/put in class4 queue. Which means any traffic that does not match QoS policy rule will share the same class4 queue. This shouldn't be a problem, because if you don't define bandwidth limit for that class in your QoS profiles this traffic will actually not be limited by QoS.

Hi Astardzhiev,

 

Thank you very much for your reply!!! I have tried your method: to restrict in one class, divide the class to two profiles with different speed and apply them in QoS Interfaces(LAN & WAN). It works!!!

 

And I have discovered that the following: Since our environment is under SDWAN, for LAN which has two different download speed:

Eth1/1(Zone: WAN), speed 140M/50M

Eth1/2(Zone: WAN), speed 100M/20M

Eth1/3(Zone: LAN)

 

We can configure the "Clear Text Traffic" for the QoS interface to use specific source interface, then I can also divide them to two different download speeds when traffic coming from different WAN interfaces and egress to same LAN interface. Just for a reference to the one who will have the same SDWAN deployment structure.

 

Thank you Astardzhiev.~~

  • 1 accepted solution
  • 4053 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!