Quality of Service on Palo Alto Firewall
Anyone who has prior experience with the Modular QoS CLI (MQC) on Cisco IOS will know that you first classify the traffic that needs to be prioritized against other types of traffic.
Similar logic applies when configuring QoS on a Palo Alto firewall.
The first step towards configuring QoS on a Palo Alto firewall is to classify the traffic.
Palo Alto allows you to classify traffic based on several parameters, such as:
- Source zone
- Source IP/subnet
- Source user
- Destination zone
- Destination IP/subnet
- Application
- TCP/UDP service
- URL category
You identify the traffic that needs preferential treatment and assign it to a class.
On a Palo Alto firewall, you have 8 classes of traffic, so your traffic will eventually fall into one of the eight classes.
Also in this step, you are able to leverage the App-ID and User-ID features of Palo Alto to classify traffic.
Let us say that you have classified YouTube traffic into class1.
In the second step, you create a QoS profile for YouTube traffic, in which you can set:
a. Priority
There are four configurable priorities: real time, high, medium and low, with real time being the most important.
b. Egress Max
Maximum bandwidth to be set for this class. Traffic beyond this rate will be dropped. This is similar to the policer mechanism in Cisco IOS.
c. Egress Guaranteed
Amount of bandwidth which is guaranteed at all times.
In this example, you are setting a maximum bandwidth of 6 Mbps for YouTube traffic and also giving YouTube traffic a guaranteed bandwidth of 3 Mbps.
Next, you simply apply the QoS profile created in Step 2 above to a physical interface.
To ensure that your configuration is indeed working, you need to navigate to Network – QoS – Statistics, where you will be able to verify your configuration.
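
The plan from the steps above as a small Python model, added here as an illustration (it is not PAN-OS code or configuration): first-match classification into a class, a sanity check of the profile values, and the effect of the class maximum on an offered load. The function names, the 10 Mbps link rate, the low priority for YouTube and class 4 as the class for unmatched traffic are assumptions of the example.

```python
from dataclasses import dataclass

PRIORITIES = ("real-time", "high", "medium", "low")  # the four priorities above

@dataclass
class QosClass:
    priority: str
    egress_max: float         # Mbps; traffic beyond this rate is dropped
    egress_guaranteed: float  # Mbps; bandwidth guaranteed at all times

def classify(rules, flow, default_class=4):
    """Return the class of the first rule whose fields all match the flow.
    default_class=4 for unmatched traffic is an assumption of this model."""
    for match, qos_class in rules:
        if all(flow.get(field) == value for field, value in match.items()):
            return qos_class
    return default_class

def validate(profile, link_mbps):
    """List the problems in a {class number: QosClass} plan for one interface."""
    problems = []
    for num, c in sorted(profile.items()):
        if not 1 <= num <= 8:
            problems.append(f"class{num}: only class1 to class8 exist")
        if c.priority not in PRIORITIES:
            problems.append(f"class{num}: unknown priority {c.priority!r}")
        if c.egress_guaranteed > c.egress_max:
            problems.append(f"class{num}: guaranteed exceeds maximum")
        if c.egress_max > link_mbps:
            problems.append(f"class{num}: maximum exceeds the link rate")
    if sum(c.egress_guaranteed for c in profile.values()) > link_mbps:
        problems.append("guarantees add up to more than the link rate")
    return problems

def police(qos_class, offered_mbps):
    """Split an offered load into (forwarded, dropped) Mbps at the class maximum."""
    forwarded = min(offered_mbps, qos_class.egress_max)
    return forwarded, offered_mbps - forwarded

# Constructed sample plan: YouTube in class1 with the 6/3 Mbps values above.
RULES = [({"source_zone": "trust", "application": "youtube"}, 1)]
PROFILE = {1: QosClass("low", egress_max=6, egress_guaranteed=3)}

if __name__ == "__main__":
    flow = {"source_zone": "trust", "source_user": "alice", "application": "youtube"}
    cls = classify(RULES, flow)
    print("class", cls, "problems", validate(PROFILE, link_mbps=10))
    print("8 Mbps offered ->", police(PROFILE[cls], 8))
```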