Limitation on QoS when using a loopback interface for the GlobalProtect Portal/Gateway interface
Created On 04/18/20 00:12 AM - Last Modified 12/11/20 17:45 PM
Symptom
A loopback interface is often used to configure the GlobalProtect Portal/Gateway. If QoS is configured on the physical interface for GlobalProtect traffic, the tunnel traffic is observed as bypass-traffic.
Environment
- PAN-OS 8.1 and above.
- Palo Alto Firewall.
- GlobalProtect Portal and Gateway configured on Loopback Interface.
Cause
Currently, QoS is only applicable to a physical interface. When creating a QoS setting (GUI: Network > QoS > Add), only an Ethernet or Aggregated Interface can be selected. Because GlobalProtect tunnel traffic is terminated on the loopback interface, QoS cannot process it the way it would if the traffic were terminated on the physical interface.
Resolution
If applying QoS is necessary, configure GlobalProtect on the physical interface.