Not able to apply QoS profile to interface

raji_toor · ‎01-16-2023

I am preparing firewall for interface change, and moving 2 sub interfaces to a separate aggregate ethernet.

Current

AE1.10, .20, .30, .40

Upcoming

AE1.10, .20

AE10.30, .40

I have already created aggregate and its subinterfaces and are disabled, added fake IP/s routes and created NAT rules using new interfaces, to make it easier on the change day.

What I can't do is apply QoS profile to these subinterfaces. They are L3 perfectly valid although fake IPs.

Under Physical interface, I can see other interfaces but not AE10

I also enabled one of the physical interfaces(although link is down), in aggregate but no change.

FWs are panorama managed(10.1.6), What am I missing?

Raido_Rattameister · ‎01-16-2023

You should talk to support.

I tested and see similar issue.

Worked with lower ae id's up to 8.

9 and 10 were not visible any more.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

View solution in original post

Raido_Rattameister · ‎01-16-2023

Are you checking under "Clear Text Traffic" tab and "Destination Interface" droppdown and subinterface is not there?

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

raji_toor · ‎01-16-2023

@Raido_Rattameister Here is the screenshot. Adding QoS interface and under Physical Interface > Interface Name , there is no AE10

aleksandar.astardzhiev · ‎01-16-2023

Hi @raji_toor ,

Have you commited the configuration that is creating the new aggregated interface? And I think you may need to push it to the firewall and not only commit to Panorama.

Raido_Rattameister · ‎01-16-2023

Subinterfaces are not accessible from "Physical Interface" tab.

You can configure subinterface based settings under "Clear Text Traffic" tab.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

raji_toor · ‎01-16-2023

I never said I am trying to access subinterfaces from 'Physical Interface' I always said there is no AE10 and that is not a subinterface.

I should be able to see AE10 in the drop down for physical interface, but it does not come up.

Like I can see AE1 and AE2, I should be able to see AE10.

Raido_Rattameister · ‎01-16-2023

You should talk to support.

I tested and see similar issue.

Worked with lower ae id's up to 8.

9 and 10 were not visible any more.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

raji_toor · ‎01-17-2023

@aleksandar.astardzhiev Yes it was commited

raji_toor · ‎01-17-2023

@Raido_Rattameister Thanks for testing this out. I can confirm when I changed AE10 to AE5, I do indeed get to apply QoS.

I am in a bit of a hurry for the change, so i moved all my config to AE5. It will help someone else facing this issue and maybe someone else can notify Palo of this bug.

TTNhan · ‎01-04-2024

I have the same case.

Is there any work around, or is this a limit of features that need to be requested?

Justin_Ng · ‎01-05-2024

Hi Nhan,

This may be PAN-OS bug, and fixed in the 10.1.11, 10.2.6 and 11.0.3 versions as well.

TChristieBCI · ‎09-12-2024

I've just stumbled upon this in 10.2.8, but it seems AE20 does work (but my stupid hardware only supports up to AE14. They need a published matrix of non-feature limited ae numbers.

OR, remove these limits altogether. GRRR

In my screenshot i've already deleted ae20, but as you can see on the cli, it was there.

anazarta · ‎10-17-2024

On PA-3200 Series, PA-5200 Series, and PA-7000 Series firewalls, QoS is supported on only the first eight AE interface groups.

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-web-interface-help/network/network-interfaces/a....

Unlock your full community experience!

Not able to apply QoS profile to interface

Not able to apply QoS profile to interface

Show your appreciation!