@AKabary you are right, you will need a QoS profile and assign it to the egress interface. Broadly speaking, you can have up to 8 classes for traffic type. So let's say that you will create Class 8 restricting downloads to a particular value. The QoS policy can match traffic on specified criteria, but as an action you can only choose 1 of the classes or assign DSCP/ToS to be processed by another device. So the answers will be:

I think you need to clarify what you mean by upload and download. You need to really follow the Palo Alto policy logic. For example, if a user initiates a session to Dropbox and your QoS policy matches on source user, application Dropbox and action assign to class, then the policy will match this session regardless of whether the user is uploading or downloading files. Bandwidth restrictions will, however, be applied only on the egress interface. So if you have restrictions on the external interface, but not on the internal, the policy will be the same, but only upload will have its bandwidth restricted. The egress interface will differ for download and upload.

Regarding source subnet, if you mean in policy, the logic is based on your policy and the type of traffic you need to match. If you are referring to "Source Subnet" configured under "QoS Interface", then it will differ. The policy is not relevant, but the action, which for example can be "Class 8". You can have different conditions assigning traffic to Class 8, and anything assigned to Class 8 will share the Class 8 configured limit per egress interface.

QoS on Palo Alto is not as granular as some routers from other vendors and it has its limitations. So depending on how advanced your QoS setup needs to be, you may need to consider offloading the functionality to another device.
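To make the policy/profile split in the reply above concrete, here is an added toy model (not PAN-OS code or syntax; interface names, users, applications and the 10 Mbps ceiling are constructed for illustration). It shows that the class is assigned per session regardless of direction, while the ceiling that actually applies comes from the profile on whichever interface the traffic egresses, so upload and download can end up with different limits.

```python
from dataclasses import dataclass, field

# Constructed model of the reply's logic. Nothing here is PAN-OS syntax;
# all names and numbers are assumptions chosen for the example.

@dataclass
class QosPolicy:
    name: str
    source_user: str      # "any" or a user name
    application: str      # "any" or an App-ID name
    qos_class: int        # action: one of classes 1..8

@dataclass
class Interface:
    name: str
    # QoS profile bound to this (egress) interface: class -> ceiling in Mbps.
    # A class with no entry is unlimited; no profile at all means no limits.
    class_limits: dict = field(default_factory=dict)

@dataclass
class Session:
    source_user: str
    application: str
    ingress: str   # interface the initiating user's packets arrive on
    egress: str    # interface the session leaves on (upload direction)

# Two different policies both land in Class 8, so on a given egress
# interface their traffic shares that interface's single Class 8 ceiling.
POLICIES = [
    QosPolicy("limit-dropbox", "alice", "dropbox", 8),
    QosPolicy("limit-box", "any", "box", 8),
]
INTERFACES = {
    "ethernet1/1": Interface("ethernet1/1", {8: 10}),  # external: Class 8 capped
    "ethernet1/2": Interface("ethernet1/2"),           # internal: no profile
}

def classify(session, policies=POLICIES):
    """Policy match is per session, not per direction; first match wins."""
    for p in policies:
        if (p.source_user in ("any", session.source_user)
                and p.application in ("any", session.application)):
            return p.qos_class
    return 4  # assumption: default class when no rule matches

def effective_limits(session, policies=POLICIES, interfaces=INTERFACES):
    """Upload leaves via session.egress, download returns via session.ingress;
    each direction is shaped only by the profile on its own egress interface."""
    cls = classify(session, policies)
    up_if, down_if = interfaces[session.egress], interfaces[session.ingress]
    return {"class": cls,
            "upload_limit_mbps": up_if.class_limits.get(cls),
            "download_limit_mbps": down_if.class_limits.get(cls)}
```

With the constructed profiles, an `alice`/`dropbox` session from ethernet1/2 to ethernet1/1 is Class 8 with a 10 Mbps upload ceiling and no download ceiling, matching the reply's point that only the restricted egress side is shaped.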