Saucepan

User Tools

Site Tools

Trace: licence_information firewall_resources firewall-hardware bad_session_end zone_protection url_override useful_security_policies response_pages qos set_configuration
paloaltonetworks:configuration:qos

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
paloaltonetworks:configuration:qos [2020/08/31 06:30] – external edit 127.0.0.1paloaltonetworks:configuration:qos [2022/11/23 12:49] (current) – external edit 127.0.0.1
Line 2: Line 2:
 To control upload and download speeds with respect to internal endpoints browsing the web, apply the following. To control upload and download speeds with respect to internal endpoints browsing the web, apply the following.
  
-  - You will need a QoS policy that says "From Internal zone to External Zone", then apply application and service details as appropriate. Finally, set the class to a value between 1 and 8.+  - You will need a QoS policy that says "From Internal zone to External Zone", then apply application and service details as appropriate. Finally, set the class to a value between 1 and 8. Remember, QoS policy applies after all other policy and that means 'source IP' will be the external IP if you apply Source Nat to traffic. That is why just using Zones can be good.
   - Create two QoS profiles. One for the external interface and one for the internal interface.   - Create two QoS profiles. One for the external interface and one for the internal interface.
   - Apply QoS to your external and internal interfaces (e.g. Ethernet1/1 and Ethernet1/2 respectively) and apply the appropriate QoS profiles to the clear text and tunnel fields on the first tab (ignore the other tabs).   - Apply QoS to your external and internal interfaces (e.g. Ethernet1/1 and Ethernet1/2 respectively) and apply the appropriate QoS profiles to the clear text and tunnel fields on the first tab (ignore the other tabs).
   - To control download speeds from websites to laptops, edit the internal QoS profile. Edit the class you set in the first step.   - To control download speeds from websites to laptops, edit the internal QoS profile. Edit the class you set in the first step.
   - To control upload speeds from laptops to websites, edit the external QoS profile. Edit the class you set in the first step.   - To control upload speeds from laptops to websites, edit the external QoS profile. Edit the class you set in the first step.
 +
 +In a QoS policy rule, the contents of the DSCP/ToS tag are match criteria only. To affect what QoS is applied, using the "Other Settings" tab and set the class. The class that is actually applied depends on what the egress interface is and what QoS profile is applied to that egress. Further more, the interface's QoS settings can have specific QoS profiles applied to traffic depending on the source interface.
 +
 +In the security policy rule, when you set QoS marking under the Actions tab, what you set will be evaluated by the QoS policy. Remember QoS policy is applied last of all so you can use the Security policy rule to set a QoS Marking (e.g. IP DSCP cs1). This can then be used by the QoS policy rule based for matching traffic to apply actions to. Remember though, when you do this in Security policy, you are actually tagging the traffic with the marking and the tag will remain on the packet as it is transmitted from the firewall. i.e. you can mess up existing tagging.
 +
 ===== Sub-Interface Limitation ===== ===== Sub-Interface Limitation =====
 In PAN-OS 9.0+, you can apply QoS at a sub-interface level but only on PA-3200 series and higher. In PAN-OS 9.0+, you can apply QoS at a sub-interface level but only on PA-3200 series and higher.
paloaltonetworks/configuration/qos.1598855443.txt.gz · Last modified: (external edit)