Data cap limits for users in specific network


L0 Member

Hi, just like the title says, I'm looking to cap data usage for users in a subnet, something like this: https://github.com/hiep4hiep/PANW-Bandwidth-quota, but without having to use scripts. Is there a way to do something similar inside the PA firewall?

3 REPLIES

Cyber Elite

Check if this gives you ideas.

Instead of QoS you can block traffic if quota is exceeded.

https://www.youtube.com/watch?v=7fU91SZ5xDk

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

Cyber Elite

@FellowCurious,

If you're trying to create an aggregate amount over time, you'll need to use an external script instead of relying on the firewall. Just scanning over both solutions, they also don't appear to take into account long-running sessions, so you'll need a way to account for those. That could be just closing any sessions that exceed a certain duration (via a script), or some other negate for expected sessions.

Essentially what you'll run into from a brief glance is that some users will have long sessions that will eventually end. They've passed enough traffic to keep it open and it's potentially been open for days if a user just locks their endpoint instead of logging off or shutting down at the end of the day. You might end up with someone closing a session that's technically passed tens or hundreds of GBs that doesn't quite line up with reality.


Just something to keep in mind that this won't be explicitly clean due to how you're pulling the data. 
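An added example, not part of the original thread or of either linked solution: one way a quota script could account for the long-running sessions described above is to spread each session's bytes across the days it was open instead of charging them all to the day it closed. The records, field names and the 20 GB quota are constructed, and the even-rate split across the session's lifetime is an assumption.

```python
from collections import defaultdict
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"
# Constructed session-end records (not real firewall output). Field names are
# assumptions: source IP, session start, elapsed seconds, total bytes.
SESSIONS = [
    {"src": "10.1.20.15", "start": "2024-03-04 09:00:00", "elapsed": 1800, "bytes": 500_000_000},
    # Endpoint locked instead of logged off: one session open for three days.
    {"src": "10.1.20.15", "start": "2024-03-01 12:00:00", "elapsed": 259200, "bytes": 48_000_000_000},
    {"src": "10.1.20.22", "start": "2024-03-04 10:00:00", "elapsed": 3600, "bytes": 2_000_000_000},
]

def window(session):
    """Return (start, end, elapsed) with zero-length sessions padded to 1 s."""
    elapsed = max(session["elapsed"], 1)
    start = datetime.strptime(session["start"], FMT)
    return start, start + timedelta(seconds=elapsed), elapsed

def naive_usage(sessions):
    """Charge every byte to the day the session ended."""
    usage = defaultdict(int)
    for s in sessions:
        _, end, _ = window(s)
        usage[(s["src"], end.date().isoformat())] += s["bytes"]
    return dict(usage)

def prorated_usage(sessions):
    """Split bytes across calendar days by the time the session was open in each."""
    usage = defaultdict(float)
    for s in sessions:
        cursor, end, elapsed = window(s)
        while cursor < end:
            midnight = datetime.combine(cursor.date() + timedelta(days=1), datetime.min.time())
            slice_end = min(midnight, end)
            share = (slice_end - cursor).total_seconds() / elapsed
            usage[(s["src"], cursor.date().isoformat())] += s["bytes"] * share
            cursor = slice_end
    return {key: round(value) for key, value in usage.items()}

def over_quota(usage, day, quota_bytes):
    """Sources whose usage on the given day exceeds the quota."""
    return sorted(src for (src, d), b in usage.items() if d == day and b > quota_bytes)

if __name__ == "__main__":
    quota = 20_000_000_000  # constructed 20 GB daily quota
    print("naive:   ", over_quota(naive_usage(SESSIONS), "2024-03-04", quota))
    print("prorated:", over_quota(prorated_usage(SESSIONS), "2024-03-04", quota))
```

With the naive attribution the three-day session makes 10.1.20.15 look like it moved 48.5 GB on the day it closed; prorated, no single day crosses the quota.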

This one requires a script to remove devices afterwards, can't have that done manually daily, too much overhead.
