How to use QoS to limit applications to maximum throughput (in Mbps)

How to use QoS to limit applications to maximum throughput (in Mbps)

2292
Created On 04/02/20 23:02 PM - Last Modified 08/21/25 21:25 PM


Objective


  • How to use QoS to limit applications to maximum throughput (in Mbps).
  • This will limit the throughput of the specified applications while still allowing remaining traffic to pass without restriction.
  • QoS can only be applied on the 'egress' of a given interface.
  • In this configuration the interface facing interface will have QoS enabled for outbound traffic (egress).
  • Use of classes of QoS to accomplish task.

Environment

Procedure


  1. QoS Profile - Use this profile to set the 'Egress Max' to limit maximum throughput in Mbps for a specified QoS class
    • Navigate to 'Network >  QoS Profile' and click 'default' to open QoS Profile window
    • Click the '0'  in the Egress Max field for row 'class6' and and enter '30' 
User-added image
    • Using 30 will limit traffic that gets classified in QoS class6 to 30 Mbps maximum throughput 
    • Choosing class6 because it has a lower priority than class4 traffic.  A lower priority is not required for these 2 applications as we are only concerned about limiting maximum throughput
    • Note: 'Priority' and 'Egress Max' are mutually exclusive and in this configuration we prefer these 2 applications also have a lower priority than class4 QoS traffic
User-added image
  1. QoS Interface - Needs to be applied to the Egress interface
    • In this configuration applying the QoS to the internet / untrust interface 
    • Navigate to 'Network > QoS' click 'ethernet1/1' 
    • Select the QoS Physical Interface Tab and use the drop down menu for 'Clear Text' and select 'default'
User-added image
  1. QoS Policy - This policy is used to match the 2 applications to the QoS class6 so that the 30Mbps Egress Max Throughput can be applied
    • Navigate to 'Policies > QoS'  and click 'Add' to add a new QoS Policy 
    • In this configuration we named the QoS Policy Rule 'two_applications' 
    • Source and Destination Tabs - We are using 'any' for the following fields for simplicity, but highly recommend using more narrowed down values on production firewalls
      • For Source Tab - Check 'Any' for Source Zone; 'Any' for Source Address; ensure Source User has 'any' selected in the drop down menu
      • For Destination Tab - ensure 'any' is selected in the drop down menu; Check 'Any' for Destination Address
    • Application Tab - Add the two applications  'apple-update' and 'ms-update' to limit bandwidth to specific applications 'apple-update' and 'ms-update'
User-added image

 

    • 'Service/URL Category' Tab - for this configuration use 'any' 
    • 'DSCP/ToS' - Ensure 'Any' is selected
    • 'Other Settings' - Select 'Class' 6 from the drop down menu
User-added image
  1. Ok and Commit the configuration
Other users also viewed:
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PPR5CAO&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Choose Language