Palo Alto Networks Knowledgebase: How to Provide Quality of Service to a Single IP Address

How to Provide Quality of Service to a Single IP Address

Created On 09/25/18 17:30 PM - Last Updated 09/25/18 23:10 PM
Categories:  Mobile Network Infrastructure

Issue:


Solution:


Steps to provide Quality of Service (QoS) for a single IP address or a group of IP addresses.

  1. Create a profile.  Device > Network > QoS Profile

     I have created 2 classes, one for each of 2 different users, and they have different bandwidth restrictions as shown below.

          qos5.PNG

  2. Assign the profile to the interface where we are limiting the bandwidth. In this example, interface ethernet1/3 is the Untrust interface.  Device > Network Tab > QoS

     The QoS profile is assigned to the clear text traffic.

     qos4.PNG

  3. Create the QoS rules. Select the user IP address and define a class for the user. In the QoS profile, set the bandwidth limitation for this class.  Device > Policies > QoS Rules

     Test with the IP 192.168.141.41 (QoS rule User2).

     User 1, with IP ending in .40, gets a max egress bandwidth of 2MB and user 2, with IP ending in .41, gets 10MB, as per the classes defined in the first image.

     Qos3.PNG

  4. Results can be tested by looking at the Statistics in the web interface.  Device > Network > QoS

     qos10.png

Troubleshooting commands

 

Displays the sessions related to QoS only.

show session all filter qos-class 2

show session all filter qos-rule User2

 

To find the throughput of the QoS traffic,

show qos interface ethernet1/3 throughput 0

Where 0 is the Qid for the default group.

 

QoS throughput for interface ethernet1/3, node default-group (Qid 0):
class 1:      299 kbps
class 4:        6 kbps

 

A sample QoS Session shows all the details.

show session id 26680

Session           26680
        c2s flow:
                source:      192.168.141.41 [L3-T]
                dst:         204.160.102.126
                proto:       6
                sport:       31160           dport:      80
                state:       ACTIVE          type:       FLOW
                src user:    unknown
                dst user:    unknown
                qos node:    ethernet1/3, qos member N/A Qid 0

        s2c flow:
                source:      204.160.102.126 [L3-U]
                dst:         172.17.128.141
                proto:       6
                sport:       80              dport:      27607
                state:       ACTIVE          type:       FLOW
                src user:    unknown
                dst user:    unknown

        start time                    : Sat Jun 30 15:21:55 2012
        timeout                       : 30 sec
        time to live                  : 18 sec
        total byte count(c2s)         : 837
        total byte count(s2c)         : 506
        layer7 packet count(c2s)      : 6
        layer7 packet count(s2c)      : 5
        vsys                          : vsys1
        application                   : web-browsing
        rule                          : rule1
        session to be logged at end   : True
        session in session ager       : True
        session synced from HA peer   : False
        address/port translation      : source + destination
        nat-rule                      : In-Out(vsys1)
        layer7 processing             : enabled
        URL filtering enabled         : False
        session via syn-cookies       : False
        session terminated on host    : False
        session traverses tunnel      : False
        captive portal session        : False
        ingress interface             : ethernet1/4
        egress interface              : ethernet1/3
        session QoS rule              : User2 (class 2)
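
To confirm from saved CLI output that a session was classified by the intended QoS rule, the check below parses "show session id" text and compares the source IP, QoS rule, class, QoS node and egress interface against what was configured. It is an added example, not part of the original article or a Palo Alto Networks tool; the function names parse_session and check_qos are hypothetical, and the sample input is abridged from the session output above.

```python
import re

# Abridged from the "show session id 26680" output in this article.
SAMPLE = """\
Session           26680
        c2s flow:
                source:      192.168.141.41 [L3-T]
                qos node:    ethernet1/3, qos member N/A Qid 0
        s2c flow:
                source:      204.160.102.126 [L3-U]
        egress interface              : ethernet1/3
        session QoS rule              : User2 (class 2)
"""

def parse_session(text):
    """Extract the QoS-relevant fields from 'show session id' output."""
    info, flow = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"(c2s|s2c) flow:$", line)
        if m:                       # remember which flow the next fields belong to
            flow = m.group(1)
            continue
        if ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if key == "source" and flow:
            info[flow + "_source"] = value.split()[0]   # drop the zone tag, e.g. [L3-T]
        elif key == "qos node":
            info["qos_node"] = value.split(",")[0]
        elif key == "egress interface":
            info["egress"] = value
        elif key == "session QoS rule":
            m = re.match(r"(\S+) \(class (\d+)\)", value)
            if m:
                info["qos_rule"], info["qos_class"] = m.group(1), int(m.group(2))
    return info

def check_qos(text, src_ip, rule, qos_class, interface):
    """Return a list of mismatches; an empty list means the session matched."""
    s = parse_session(text)
    expected = {"c2s_source": src_ip, "qos_rule": rule, "qos_class": qos_class,
                "qos_node": interface, "egress": interface}
    return [f"{k}: expected {v!r}, got {s.get(k)!r}"
            for k, v in expected.items() if s.get(k) != v]
```

Calling check_qos(SAMPLE, "192.168.141.41", "User2", 2, "ethernet1/3") returns an empty list; a session that matched a different rule or class is reported field by field.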

 

owner: ssunku
