How to configure QoS on a sub-interface
29507
Created On 06/11/20 21:27 PM - Last Modified 11/13/20 22:12 PM
Objective
The article explains how to configure QOS on a subinterface on supported platforms.
Environment
- Any PAN-OS
- Palo Alto PA-3200 series, PA-5200 series and PA-7000 series
- QoS configuration on a subinterface.
Procedure
1. Step1: Configure a new QoS policy
- Start with adding a new QoS policy. GUI: Policies > QOS > Add
- Define Source Zone/Source Address and Source User
- Define Destination zone / Destination address
- Configure application that will be subjected to QoS
- Configure Service/URL Category
- Configure the QoS class
Traffic matching the previous conditions will be marked as class 8.
2. Step2: Configure QoS Profile
Use GUI: Network > Network Profiles > QoS Profiles > Add
3. Step3: Apply the QoS Profile on the egress interface
Use GUI: Network > QoS > Add
In this example, egress (untrust interface) is Ethernet1/1. As a Clear Text profile, we choose the default QoS profile which does not have any settings modified.
Note: The Default Profile on the physical interface will be applied to everything that is not explicitly matched by the configuration under Clear text and Tunneled Traffic tabs
Apply the QoS profile that we created in step 2 on a logical sub-interface
In this example, Ethernet1/2 is our Trust zone and Ethernet1/1.10 is our Untrust zone interface. As QoS is applied in the egress direction, youtube traffic marked as class 8 will be limited to 3Mbps when leaving through Ethernet1/1.10.
Additional Information
Platforms supporting QoS on a sub-interface:
- PA-3200 series
- PA-5200 series
- PA-7000 series
- QoS profile is applied to the egress interface of a packet that is traveling through the firewall.
- Class4 is the default class for any session not matched to a QoS policy.
- QoS policy, like security policy, is processed top to bottom and the first policy match will be applied.
For more information on QoS, Refer to Getting Started: Quality of Service.