Hi @PozsonyiAttila 

First of all, a few key notes to remember when working with Palo QoS:
- QoS is always applied only on the egress interface

- QoS profiles define each class's bandwidth allocation

- QoS policy rules (Policy tab -> QoS) tag traffic with QoS classes. Any traffic that is not explicitly tagged (doesn't match any rule) will automatically be tagged with class 4 (that is why you will see "class 4 is default class" in gray text)

- QoS policy rules are session-oriented - rules match a session, which means any packet that belongs to this session will be tagged with the corresponding class. The rule must match the initiation direction, but replies are automatically tagged with the same class.


Now regarding your questions:
- To control the download you need a QoS profile on the inside interface, yes. You may want to have a second profile on the outside interface to control the upload as well

- Egress max defines what the actual throughput of that interface is. I would say your assumption and understanding is correct.

- You don't have to limit the inside interface to 30Mbps. You should set it to 1Gbps, for the exact reason you mentioned - it would affect traffic between internal networks over the same interface. This is where the "QoS interface rules" come in handy. (more in the next answer)

- When creating a QoS interface (Network -> QoS -> Add), on the first tab you specify the default QoS profile that this interface will use. On Clear Text (and Tunnel) you have an option to define more granular control and apply different QoS profiles for specific traffic. Any traffic that does not match any of these "rules" will use the default profile (set in the physical interface tab). Here source address and interface are per packet (not per session), which means they will match the direction of the packet. As you assumed, here you can define a rule matching any source and the outside interface - this will match the return traffic for your Outbound/Internet traffic. This way you can apply a QoS profile with the corresponding classes and limits. Any other traffic that passes over this internal interface (traffic between internal VLANs/networks) will not match this "rule" and will use the default QoS profile, which you can leave without any classes so it will not apply any restrictions.

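The matching semantics described in the answer above (QoS policy rules tagging whole sessions in the initiation direction with replies inheriting the class, class 4 as the fallback, per-packet Clear Text group selection on the egress interface, and the default profile with no classes applying no limit), as an added simulation model. It is not part of the original post and not PAN-OS code; interface names, addresses, profile names and limits are constructed for the example, and ports are left out of the session key for brevity.

```python
"""Simplified model of the QoS matching semantics described in the answer.
Constructed example, not PAN-OS code: names, addresses and limits are made up."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

DEFAULT_CLASS = "class4"   # traffic matching no QoS policy rule is tagged class 4
ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    ingress_if: str
    egress_if: str


@dataclass
class QosPolicyRule:
    """Policy -> QoS rule: evaluated once per session, in the initiation direction."""
    name: str
    src_net: str
    dst_net: str
    egress_if: str
    qos_class: str

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src_net)
                and ip_address(pkt.dst) in ip_network(self.dst_net)
                and pkt.egress_if == self.egress_if)


@dataclass
class QosProfile:
    name: str
    egress_max_mbps: Optional[float] = None
    class_max_mbps: Dict[str, float] = field(default_factory=dict)  # empty = no class limits


@dataclass
class ClearTextGroup:
    """Network -> QoS -> Clear Text entry: matched per packet by source and ingress interface."""
    name: str
    src_net: str
    ingress_if: str          # "any" or an interface name
    profile: QosProfile

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src_net)
                and self.ingress_if in ("any", pkt.ingress_if))


@dataclass
class QosInterface:
    name: str
    egress_max_mbps: float
    default_profile: QosProfile
    groups: List[ClearTextGroup] = field(default_factory=list)


class QosEngine:
    def __init__(self, policy: List[QosPolicyRule], interfaces: List[QosInterface]):
        self.policy = policy
        self.interfaces = {i.name: i for i in interfaces}
        self.sessions: Dict[frozenset, str] = {}   # session key -> QoS class

    @staticmethod
    def _session_key(pkt: Packet) -> frozenset:
        # Direction-independent key so the reply lands in the same session (ports omitted)
        return frozenset({pkt.src, pkt.dst})

    def classify(self, pkt: Packet) -> str:
        key = self._session_key(pkt)
        if key in self.sessions:           # reply packet: inherits the class set on initiation
            return self.sessions[key]
        qos_class = next((r.qos_class for r in self.policy if r.matches(pkt)), DEFAULT_CLASS)
        self.sessions[key] = qos_class
        return qos_class

    def select_profile(self, pkt: Packet) -> Optional[QosProfile]:
        iface = self.interfaces.get(pkt.egress_if)   # QoS exists only on the egress interface
        if iface is None:
            return None
        for group in iface.groups:                   # per-packet match, direction of this packet
            if group.matches(pkt):
                return group.profile
        return iface.default_profile                 # no group matched: default profile

    def handle(self, pkt: Packet) -> Tuple[str, Optional[str], Optional[float]]:
        qos_class = self.classify(pkt)
        profile = self.select_profile(pkt)
        if profile is None:
            return qos_class, None, None
        return qos_class, profile.name, profile.class_max_mbps.get(qos_class)


def build_example_engine() -> QosEngine:
    """Constructed topology: ethernet1/1 = outside, ethernet1/2 and ethernet1/3 = inside."""
    download = QosProfile("internet-download", 30, {"class1": 20, "class4": 10})
    upload = QosProfile("internet-upload", 30, {"class1": 20, "class4": 10})
    no_limits = QosProfile("no-limits")              # default profile with no classes at all
    policy = [QosPolicyRule("web-to-internet", "10.0.0.0/8", ANY, "ethernet1/1", "class1")]
    inside = QosInterface("ethernet1/2", 1000, no_limits,
                          groups=[ClearTextGroup("from-internet", ANY, "ethernet1/1", download)])
    outside = QosInterface("ethernet1/1", 30, upload)
    return QosEngine(policy, [inside, outside])


if __name__ == "__main__":
    eng = build_example_engine()
    for pkt in (Packet("10.1.1.10", "203.0.113.5", "ethernet1/2", "ethernet1/1"),   # outbound request
                Packet("203.0.113.5", "10.1.1.10", "ethernet1/1", "ethernet1/2"),   # its reply
                Packet("10.3.3.30", "10.1.1.10", "ethernet1/3", "ethernet1/2")):    # internal traffic
        print(pkt.src, "->", pkt.dst, eng.handle(pkt))
```

Running it shows the outbound request tagged class1 by the policy rule, the reply inheriting class1 and picking up the "internet-download" profile through the per-packet Clear Text group, and internal traffic on the same inside interface falling to class 4 and the limit-free default profile. Evaluating a reply-direction packet first on a fresh engine yields class 4, because the policy rule only matches the initiation direction.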