Using QOS to control Internet download usage

Showing results for 
Search instead for 
Did you mean: 

Using QOS to control Internet download usage

L1 Bithead


I've read through the documentation and forum posts, and tinkered with QOS config but still am not clear on whether what I'd like to do is possible.  Hopefully I can explain this clearly... here goes...

I've got a PA-4020 HA running 3.1.5.  Interface 1 is our Internet connection which 20Mbps... Interfaces 2, 3, and 4 (1Gbps) are internal networks which all utilize the Interface 1 Internet connection and also pass traffic between each other.

I can manage Internet upload usage for all of my internal networks by setting Maximum Egress to 20Mbps on the QOS Profile for Interface 1 and appying/configuring QOS policies for that interface.

As for managing download usage, is there any way for me to configure so that each Interface (2, 3, and 4) has the ability to use the entire 20Mbps available but QOS will be performed when there is congestion?  I can't set QOS Profile - Maximum Egress below 1Gbps because I don't want to affect traffic flow between those networks.  So if the PA interfaces doesn't know about the 20Mbps limitation and the bottleneck actually doesn't occur on the PA-4020 but rather on our Internet router on the other side of Interface 1, how can I control/manage Internet download traffic?

Thanks in advace for your help!



L6 Presenter

I dont know if the QoS have changed between 3.1.5 and 4.1.1 but in 4.1.1 you can set speed limits per class (if I remember correctly :-)

For example (the default is regarding egress settings):

QoS-Internetdownload: default

Class1: egress 20Mpbs

Class2: default

Class3: default

Class4: default <- this is where "unmatched" traffic by default goes into

Class5: default

Class6: default

Class7: default

Class8: default

Then in the QoS policy you set to match the internet traffic (like srczone:Internet, dstzone:any), instruct it to use QoS-Internetdownload and to put matched traffic into Class1.

And finally attach the QoS-Internetdownload on all downlink interfaces (since the QoS in PaloAlto only acts on egress interface).


Thanks for the reply.  Hmmm... that makes sense... I will test it out and post back with an update.



There is a technote released just before christmas who also describes how the QoS in PA works (and how to set it up).

What I have not yet learned (or figured out) is how many classes one need in your custom QoS profile?

Let say I want to prioritize down some traffic going to/from a specific zone but let everything else at default.

Should this custom QoS profile only contain lets say class1 or should this profile contain all classes where I then in the QoS policy define that traffic to/from this zone should be put into the class1 flow (lowest prio)?

Or should this QoS profile just contain class1 (which I want to match my lowprio traffic into) and class4 (which is the default class for unmatched traffic)?

Edit: And the link to that technote aswell :smileysilly: QoS in PAN-OS 4.1

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!