Palo Alto Networks Knowledgebase: Getting Started: Quality of Service

Getting Started: Quality of Service

Created On 07/18/19 19:26 PM - Last Updated 07/18/19 20:12 PM
Resolution

What more can my firewall do? Quality of Service!

 

In this installment of the Getting Started series we'll take a closer look at how to enable Quality of Service, or QoS. QoS is a technology that manages bandwidth for a network segment and can limit applications in their consumption while guaranteeing capacity for other applications. This enables you, as the administrator, to prioritize, for example, VoIP calls over other traffic, and limit the amount of bandwidth those YouTube videos consume.

 

An important concept to keep in mind is that a QoS profile is applied on the egress interface of a packet that is traveling through the firewall. This would mean, for example, that to limit upload, a QoS profile needs to be enabled on the untrust interface and to limit download, a QoS profile needs to be enabled on the trust interface.

 

QoS network diagram

 

To get started, you first need at least one QoS profile. Go to the Network tab and, under QoS Profile, create a new profile.

QoS profile 

 

In this view, you can add several classes. These classes identify flows, apply a bandwidth characteristic to them, and determine whether their packets get prioritized in the dataplane over other packets.

 

The default class is class4. Any session that does not have a specific class assigned to it will be controlled by this class, so we need to make sure a profile exists that can carry the brunt of the traffic.

 

Let's assume you have an internet bandwidth of 100Mbps and want to limit your generic traffic to half. To accomplish this, you need to set the Egress Max to 100Mbps for this profile and 50Mbps for class4.

 

Next, you want to make sure your VoIP traffic does not suffer from any download spikes, so create a class with 'real-time' priority, which will ensure that if the dataplane is heavily loaded, these packets get priority over other packets. Set a guaranteed bandwidth of 30Mbps so calls don't suffer from congestion, as bandwidth is reserved.

 

*When creating classes, setting the priority determines in which order packets are handled by the firewall in case of heavy load, with real-time being the highest priority and low being the lowest priority.

 

Lastly, you want to limit some applications from consuming much bandwidth while still allowing these to go through, like YouTube. Create a 'low' priority class with an Egress Max set to 0.1Mbps, or 100Kbps.

 

QoS profile

 

 

Next, activate the profile on all the relevant interfaces. For now, we will use the same profile for both the internal and external interfaces. Go to the QoS menu and add interfaces.

QoS interface

 

Select the appropriate interface from the dropdown, make sure the checkbox to enable QoS is checked, and set the Clear Text Default Profile to your newly created profile. We can leave the interface-specific Egress Max set to 0 for now, as we only have two interfaces and the profile will apply to all traffic.

 

QoS interface

 

The last step before we can test our configuration is to create a QoS policy. Just like a security policy, a QoS policy can be built to more granularly control the classes you just created and apply a class to certain traffic only.

Go to the Policies tab and create a new policy in QoS.

QoS policy

 

To create the VoIP policy, set the source zone to trust and the destination zone to untrust, then choose the relevant applications. I've selected Skype and some streaming protocols. Then classify this traffic as class1.

QoS policy

 

Repeat this step for the applications you want to severely limit.

QoS policy

 

The schedule in the last tab could be used to apply Quality of Service based on the time of day. For example, limit YouTube from 7am-12pm and 1pm to 7pm, so users are allowed to watch videos as class4 during the lunch break. Several rules for the same class can be created and will be processed top to bottom.

 

Since class4 is the default, no policy needs to be created. Go ahead and commit this configuration to enable QoS.
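The rule evaluation and profile numbers described above, modelled as an added example (not code from the article or from PAN-OS). The rule names, application labels and the start-inclusive, end-exclusive schedule windows are assumptions made for the illustration; the bandwidth values, class numbers and the 7am-12pm / 1pm-7pm schedule come from the text.

```python
from datetime import time

# Constructed model of the profile and rules this article builds.
# Rule names and application labels are hypothetical.
PROFILE = {"egress_max": 100.0, "classes": {          # all values in Mbps
    1: {"priority": "real-time", "guaranteed": 30.0},  # VoIP
    4: {"max": 50.0},                                  # default class
    8: {"priority": "low", "max": 0.1},                # limited applications
}}

AM, PM = (time(7), time(12)), (time(13), time(19))
RULES = [  # (name, from zone, to zone, apps, schedule, class); top to bottom
    ("voip", "trust", "untrust", {"skype"}, None, 1),
    ("hoggers-am", "trust", "untrust", {"youtube", "ftp"}, AM, 8),
    ("hoggers-pm", "trust", "untrust", {"youtube", "ftp"}, PM, 8),
]

def classify(src_zone, dst_zone, app, now):
    """Return (class, rule name); the first matching rule wins, else class4."""
    for name, src, dst, apps, window, cls in RULES:
        in_window = window is None or window[0] <= now < window[1]
        if (src, dst) == (src_zone, dst_zone) and app in apps and in_window:
            return cls, name
    return 4, None

def profile_errors(profile):
    """Check class values against the profile Egress Max (simplified reading)."""
    errs, cap = [], profile["egress_max"]
    reserved = sum(c.get("guaranteed", 0) for c in profile["classes"].values())
    if reserved > cap:
        errs.append(f"guaranteed total {reserved} exceeds Egress Max {cap}")
    for n, c in profile["classes"].items():
        if c.get("max", 0) > cap:
            errs.append(f"class{n} max {c['max']} exceeds Egress Max {cap}")
    return errs

if __name__ == "__main__":
    print(classify("trust", "untrust", "youtube", time(10)))      # working hours
    print(classify("trust", "untrust", "youtube", time(12, 30)))  # lunch break
    print(profile_errors(PROFILE))
```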

 

You can now go ahead and test if the QoS configuration is being applied. There is a live statistics page on the QoS page that can help visualize how bandwidth is being used. Open the Network tab and, on the QoS page, open the statistics for ethernet1/2, as we will be testing downloads.

 QoS Statistics

 

You should now get a popup similar to this.

QoS statistics

On your GUI, the colors may be slightly different, but in my example above you can see, from the purple that represents class4, that I've downloaded the FileZilla client from the internet, which caused a little spike up to 8Mbps in my bandwidth.

 

If you start downloading a file through FTP onto your client, you'll notice the transfer is extremely slow. The statistics page will reflect that by showing class8 traffic using up its full 0.1Mbps allotted bandwidth.

 

QoS statistics

 

Another way to verify which class a session is assigned to is through the CLI.

 

> show session all

--------------------------------------------------------------------------------
ID          Application    State   Type Flag  Src[Sport]/Zone/Proto (translated IP[Port])
Vsys                                          Dst[Dport]/Zone (translated IP[Port])
--------------------------------------------------------------------------------
1105         ftp-data       ACTIVE  FLOW  ND   198.51.100.1[20]/untrust/6  (198.51.100.1[20])
vsys1                                          198.51.100.230[41094]/trust  (10.0.2.4[4383])
1097         ftp            ACTIVE  FLOW  NS   10.0.2.4[4379]/trust/6  (198.51.100.230[62430])
vsys1                                          198.51.100.1[21]/untrust  (198.51.100.1[21])
1106         dns            ACTIVE  FLOW  NS   10.0.2.4[53048]/trust/17  (198.51.100.230[30096])
vsys1                                          4.2.2.2[53]/untrust  (4.2.2.2[53])
1107         dns            ACTIVE  FLOW  NS   10.0.2.4[49267]/trust/17  (198.51.100.230[26164])
vsys1                                          4.2.2.2[53]/untrust  (4.2.2.2[53])

> show session id 1105

Session            1105

        c2s flow:
                source:      198.51.100.1 [untrust]
                dst:         198.51.100.230
                proto:       6
                sport:       20              dport:      41094
                state:       ACTIVE          type:       FLOW
                src user:    unknown
                dst user:    unknown
                qos node:    ethernet1/2, qos member N/A Qid 0

        s2c flow:
                source:      10.0.2.4 [trust]
                dst:         198.51.100.1
                proto:       6
                sport:       4383            dport:      20
                state:       ACTIVE          type:       FLOW
                src user:    unknown
                dst user:    unknown
                qos node:    ethernet1/1, qos member N/A Qid 0

        start time                           : Wed Nov 25 14:52:26 2015

... snipped for brevity ...

        ingress interface                    : ethernet1/1
        egress interface                     : ethernet1/2
        session QoS rule                     : bandwidth-hoggers (class 8)
        tracker stage l7proc                 : ctd decoder bypass
        end-reason                           : unknown
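To run the same check across many sessions, the fields that matter in this output can be parsed and compared with what you expect. This is an added example, not part of the original article: the sample is trimmed from the output above, the function names are hypothetical, and the set of QoS-enabled interfaces is supplied by the operator rather than read from the firewall.

```python
import re

# Constructed sample: trimmed from the `show session id 1105` output on this page.
SAMPLE = """\
Session            1105
        c2s flow:
                source:      198.51.100.1 [untrust]
                qos node:    ethernet1/2, qos member N/A Qid 0
        s2c flow:
                source:      10.0.2.4 [trust]
                qos node:    ethernet1/1, qos member N/A Qid 0
        egress interface                     : ethernet1/2
        session QoS rule                     : bandwidth-hoggers (class 8)
"""

FLOW = re.compile(r"^\s*(c2s|s2c) flow:")
SRC = re.compile(r"^\s*source:\s+\S+\s+\[([\w-]+)\]")
NODE = re.compile(r"^\s*qos node:\s+([^,\s]+)")
RULE = re.compile(r"^\s*session QoS rule\s*:\s*(.+?)\s+\(class (\d)\)")

def parse_session(text):
    """Return the QoS rule/class and, per flow, the source zone and qos node."""
    out = {"rule": None, "class": None, "flows": {}}
    flow = None
    for line in text.splitlines():
        if m := FLOW.match(line):
            flow = out["flows"].setdefault(m.group(1), {})
        elif flow is not None and (m := SRC.match(line)):
            flow["src_zone"] = m.group(1)
        elif flow is not None and (m := NODE.match(line)):
            flow["qos_node"] = m.group(1)
        elif m := RULE.match(line):
            out["rule"], out["class"] = m.group(1), int(m.group(2))
    return out

def verify(text, expected_class, qos_enabled):
    """List reasons this session is not shaped the way the operator expects."""
    s, problems = parse_session(text), []
    if s["class"] != expected_class:
        problems.append(f"class {s['class']} via rule {s['rule']!r}, expected {expected_class}")
    for name, flow in s["flows"].items():
        if flow.get("qos_node") not in qos_enabled:
            problems.append(f"{name} packets leave via {flow.get('qos_node')}: no QoS profile")
    return problems

if __name__ == "__main__":
    print(parse_session(SAMPLE))
    print(verify(SAMPLE, 8, {"ethernet1/1", "ethernet1/2"}))
```

Each flow carries its own `qos node`, which makes the egress-interface rule visible: in the sample, the flow sourced from untrust is shaped on ethernet1/2 and the return flow on ethernet1/1.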

 

Here are a couple of thoughts to keep in your pocket while configuring QoS:

 

  • QoS profile applies to the interface any given packet is egressing out of (not the direction of the session).
  • Bandwidth limitations or guarantees are shared within a class, not per session.
  • Combined Max or Reserved throughput may not exceed interface max bandwidth.
  • Class4 is the default class for any session not matched to a QoS policy.
  • QoS policy, like security policy, is processed top to bottom and the first policy match will be applied.

 

I hope you liked this edition of Getting Started. Please feel free to leave a comment or check out the previous episodes at the Getting Started series.

 

Can't wait for the Advanced Series or want to know more? Please check out the QoS section in the admin guide.

 

Tom


