Palo Alto Networks Knowledgebase: How to Provide Quality of Service to a Single IP address


Created On 02/07/19 23:54 PM - Last Updated 02/07/19 23:54 PM
Mobile Network Infrastructure

Steps to provide Quality of Service (QoS) for a single IP address or a group of IP addresses.

  1. Create a profile.  Device > Network > QoS Profile

     I have created 2 classes, one for each of 2 different users, with different bandwidth restrictions as shown below.


  2. Assign the profile to the interface where the bandwidth is being limited. In this example, interface ethernet1/3 is the Untrust interface.  Device > Network Tab > QOS

     The QoS profile is assigned to the clear text traffic.


  3. Create the QoS rules.  Select the user IP address and define a class for the user.  In the QoS profile, set the bandwidth limitation for this class.  Device > Policies > QOS Rules

     Test with the IP (QOS Rule User2)

     User 1, with IP ending .40, gets a max egress bandwidth of 2MB and user 2, with IP ending .41, gets 10MB, as per the classes defined in the first image.


  4. Results can be tested by looking at the Statistics in the web interface.  Device > Network > QOS


Troubleshooting commands


Display only the sessions related to QoS:

show session all filter qos-class 2

show session all filter qos-rule User2


To find the throughput of the QoS traffic:

show qos interface ethernet1/3 throughput 0

Here 0 is the Qid for the default group.

QoS throughput for interface ethernet1/3, node default-group (Qid 0):
class 1:      299 kbps
class 4:        6 kbps


A sample QoS session shows all the details.

show session id 26680

Session           26680

        c2s flow:
                source: [L3-T]
                proto:       6
                sport:       31160           dport:      80
                state:       ACTIVE          type:       FLOW
                src user:    unknown
                dst user:    unknown
                qos node:    ethernet1/3, qos member N/A Qid 0

        s2c flow:
                source: [L3-U]
                proto:       6
                sport:       80              dport:      27607
                state:       ACTIVE          type:       FLOW
                src user:    unknown
                dst user:    unknown

        start time                    : Sat Jun 30 15:21:55 2012
        timeout                       : 30 sec
        time to live                  : 18 sec
        total byte count(c2s)         : 837
        total byte count(s2c)         : 506
        layer7 packet count(c2s)      : 6
        layer7 packet count(s2c)      : 5
        vsys                          : vsys1
        application                   : web-browsing
        rule                          : rule1
        session to be logged at end   : True
        session in session ager       : True
        session synced from HA peer   : False
        address/port translation      : source + destination
        nat-rule                      : In-Out(vsys1)
        layer7 processing             : enabled
        URL filtering enabled         : False
        session via syn-cookies       : False
        session terminated on host    : False
        session traverses tunnel      : False
        captive portal session        : False
        ingress interface             : ethernet1/4
        egress interface              : ethernet1/3
        session QoS rule              : User2 (class 2)
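
The checks above can be scripted against saved CLI output. The following Python is an added example, not part of the original article or of any Palo Alto Networks tooling: it parses the output of the two show commands, reports whether a session matched the intended QoS rule and class on the QoS interface, and lists classes running above their limit. The sample text is constructed from the output in this article, and the limit table assumes that the article's 2MB/10MB figures mean Mbit/s and that User 1 is class 1.

```python
import re

# Constructed samples in the format of the CLI output shown in this article.
THROUGHPUT = """\
QoS throughput for interface ethernet1/3, node default-group (Qid 0):
class 1:      299 kbps
class 4:        6 kbps
"""
SESSION = """\
Session           26680
        c2s flow:
                qos node:    ethernet1/3, qos member N/A Qid 0
        egress interface              : ethernet1/3
        session QoS rule              : User2 (class 2)
"""
# Assumption: "2MB"/"10MB" are read as Mbit/s and User 1 is class 1.
LIMITS_KBPS = {1: 2_000, 2: 10_000}

def parse_throughput(text):
    """Return (interface, qid, {class: kbps}) from 'show qos interface ... throughput'."""
    head = re.search(r"QoS throughput for interface ([^,\s]+), node .*\(Qid (\d+)\)", text)
    if head is None:
        raise ValueError("no QoS throughput header found")
    rates = re.findall(r"^\s*class (\d+):\s+(\d+) kbps", text, re.M)
    return head.group(1), int(head.group(2)), {int(c): int(k) for c, k in rates}

def parse_session_qos(text):
    """Return the QoS-related fields of 'show session id' output (None if absent)."""
    rule = re.search(r"session QoS rule\s*:\s*(.+?) \(class (\d+)\)", text)
    egress = re.search(r"egress interface\s*:\s*(\S+)", text)
    node = re.search(r"qos node:\s*([^,\s]+),", text)
    return {"rule": rule.group(1) if rule else None,
            "class": int(rule.group(2)) if rule else None,
            "egress": egress.group(1) if egress else None,
            "qos_node": node.group(1) if node else None}

def check_session(s, want_rule, want_class, qos_if):
    """List reasons the session is not shaped as intended; empty list means OK."""
    problems = []
    if (s["rule"], s["class"]) != (want_rule, want_class):
        problems.append(f"matched {s['rule']} (class {s['class']}), "
                        f"expected {want_rule} (class {want_class})")
    if s["egress"] != qos_if or s["qos_node"] != qos_if:
        problems.append(f"session does not leave via QoS interface {qos_if}")
    return problems

def classes_over_limit(rates, limits=LIMITS_KBPS):
    """Return {class: kbps} for classes whose measured rate exceeds the limit."""
    return {c: k for c, k in rates.items() if c in limits and k > limits[c]}
```

An empty list from check_session means the session hit the expected rule and class and leaves through the QoS-enabled interface; a session with no QoS rule line is reported as a mismatch.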


owner: ssunku
