Not able to apply QoS profile to interface

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Not able to apply QoS profile to interface

L4 Transporter

I am preparing firewall for interface change, and moving 2 sub interfaces to a separate aggregate ethernet.

 

Current

AE1.10, .20, .30, .40

 

Upcoming

AE1.10, .20

AE10.30, .40

 

I have already created aggregate and its subinterfaces and are disabled, added fake IP/s routes and created NAT rules using new interfaces, to make it easier on the change day. 

 

What I can't do is apply QoS profile to these subinterfaces. They are L3 perfectly valid although fake IPs.

Under Physical interface, I can see other interfaces but not AE10

I also enabled one of the physical interfaces(although link is down), in aggregate but no change.

FWs are panorama managed(10.1.6), What am I missing?

 

1 accepted solution

Accepted Solutions

Cyber Elite
Cyber Elite

You should talk to support.

I tested and see similar issue.

Worked with lower ae id's up to 8.

9 and 10 were not visible any more.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

View solution in original post

12 REPLIES 12

Cyber Elite
Cyber Elite

Are you checking under "Clear Text Traffic" tab and "Destination Interface" droppdown and subinterface is not there?

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

@Raido_Rattameister Here is the screenshot.  Adding QoS interface and under Physical Interface > Interface Name , there is no AE10

image.png

image.pngimage.png

 

Hi @raji_toor ,

 

Have you commited the configuration that is creating the new aggregated interface? And I think you may need to push it to the firewall and not only commit to Panorama.

Cyber Elite
Cyber Elite

Subinterfaces are not accessible from "Physical Interface" tab.

You can configure subinterface based settings under "Clear Text Traffic" tab.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

I never said I am trying to access subinterfaces from 'Physical Interface' I always said there is no AE10 and that is not a subinterface.

I should be able to see AE10 in the drop down for physical interface, but it does not come up.

Like I can see AE1 and AE2, I should be able to see AE10.

Cyber Elite
Cyber Elite

You should talk to support.

I tested and see similar issue.

Worked with lower ae id's up to 8.

9 and 10 were not visible any more.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

@aleksandar.astardzhiev Yes it was commited

@Raido_Rattameister Thanks for testing this out. I can confirm when I changed AE10 to AE5, I do indeed get to apply QoS.

I am in a bit of a hurry for the change, so i moved all my config to AE5. It will help someone else facing this issue and maybe someone else can notify Palo of this bug.

I have the same case.

Is there any work around, or is this a limit of features that need to be requested?

 

Hi Nhan,

This may be PAN-OS bug, and fixed in the 10.1.11, 10.2.6 and 11.0.3 versions as well.

 

I've just stumbled upon this in 10.2.8, but it seems AE20 does work (but my stupid hardware only supports up to AE14. They need a published matrix of non-feature limited ae numbers.

OR, remove these limits altogether. GRRR

 

In my screenshot i've already deleted ae20, but as you can see on the cli, it was there.

TChristieBCI_0-1726166801344.png

 

L1 Bithead

On PA-3200 Series, PA-5200 Series, and PA-7000 Series firewalls, QoS is supported on only the first eight AE interface groups.

 

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-web-interface-help/network/network-interfaces/a....

  • 1 accepted solution
  • 3737 Views
  • 12 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!