Palo Alto Networks Knowledgebase: Speed Bump Policy: Using QoS to Control Upload Speed

Speed Bump Policy: Using QoS to Control Upload Speed

Created On 02/07/19 23:54 PM - Last Updated 02/07/19 23:54 PM

Blocking uploads for specific applications may be difficult or impossible, but slowing uploads to discourage using the application--a passive deny approach--might be an option. Also, some applications try to evade firewall security when completely blocked (change port, switch to encrypted communication and so on), which makes a Speed Bump policy a better option than completely blocking. A Speed Bump policy uses QoS to control upload but not download speeds.

  1. Create a new QoS profile. The example leaves all classes with full speed, but makes class 8 very slow (0.01 Mbps). The minimum selectable speed is 0.01 Mbps. Putting any Mbps setting at 0 means unlimited.


  2. Create a QoS policy that applies class 8 to the application that should be slowed. This rule is generic and applies to all zones, users, and on on. It can be restricted based on all available parameters.


  3. Attach the QoS profile to the egress interface that an upload would hit. In this case, ethernet1/1 is the Internet-facing interface. Notice that the Outbound profile is attached to that interface, which was set up in step 1. The Inbound profile has no speed restrictions for any QoS class, allowing unrestricted bandwidth for inbound traffic (downloads).


Once committed, the class 8 traffic is slowed when egressing the 1/1 interface. Note that this can affect uploads if a significant amount of outbound traffic is required by an application to initiate a download.

owner: gwesson

  • Print
  • Copy Link

Choose Language