PAN-OS: Using QoS to Monitor Bandwidth Utilization

Goal: Gaining Visibility into Bandwidth Consumption

While the primary goal of Quality of Service (QoS) is often to shape or prioritize traffic, the underlying classification mechanism can also be leveraged purely for monitoring bandwidth utilization. By classifying traffic into different QoS Classes based on criteria like application, user, or zone, you can track how much bandwidth each category consumes on an egress interface without necessarily applying strict bandwidth limits initially.

This approach gives administrators valuable insight into network usage patterns.

Core Concept: Classification for Visibility

The strategy relies on using the standard QoS components primarily for classification and tracking, rather than strict enforcement:

  1. Identify Traffic Categories: Decide which types of traffic you want to monitor separately (e.g., Streaming Video, Business SaaS Apps, Bulk Transfers, General Web Browsing).
  2. Classify Traffic: Create QoS Policy rules that match these traffic categories (using App-ID, User-ID, Zones, Addresses, etc.).
  3. Assign to Classes: Use QoS Profile objects, applied by the QoS policies, to assign each traffic category to a distinct QoS Class (1-8).
  4. Enable Interface QoS Counters: Enable QoS on the target egress interface. This activates the per-class packet and byte counters. Crucially, you don't need to set aggressive shaping limits; the goal is just to enable the counting mechanism.
  5. Monitor Counters: Use firewall monitoring tools (primarily CLI commands or SNMP) to view the statistics for each QoS Class, showing how much bandwidth each classified category is consuming.

Even for monitoring, QoS must be enabled on the egress interface, and an `Interface Egress Max` bandwidth value must be set. This activates the QoS engine and its counters for that interface.

Configuration Steps for Monitoring

Step-by-Step Process:

  1. Enable QoS on Egress Interface (Minimal Shaping):

    Navigate to Network > Interfaces > [Select Egress Interface] > QoS tab.

    • Enable QoS: Check the box.
    • Interface Egress Max: Set this accurately to the interface's known maximum capacity (e.g., ISP link speed). This is required for the QoS engine to function.
    • Per-Class Bandwidth Settings (for Monitoring):
      • Set Guaranteed Egress to 0 Mbps (or a very small value) for all classes.
      • Set Maximum Egress to the same value as the Interface Egress Max (or at least to a non-zero value high enough that it never becomes the limiting factor) for all classes you intend to monitor.
      • This configuration ensures the QoS engine is active and counting per-class traffic, but it avoids actively restricting bandwidth unless the absolute interface maximum is hit.
    • Assign a Default QoS Profile (e.g., mapping to Class 4 or Class 8) for unclassified traffic.
  2. Create QoS Profile Objects (for Classification):

    Navigate to Objects > QoS Profile.

    • Create simple profiles whose main purpose is class assignment. Name them descriptively for monitoring.
    • Example:
      • Monitor-Streaming-C6 -> Assign to Class 6.
      • Monitor-BusinessApps-C3 -> Assign to Class 3.
      • Monitor-BulkTransfer-C7 -> Assign to Class 7.
      • Monitor-GeneralWeb-C4 -> Assign to Class 4.
    • DSCP remarking is usually not necessary if the goal is purely monitoring firewall bandwidth usage.
  3. Create QoS Policy Rules (for Matching):

    Navigate to Policies > QoS.

    • Create rules to match the traffic categories you want to monitor. Order matters: rules are evaluated top-down and the first match wins, so place specific rules above broad ones.
    • Rule for Business Apps:
      • Match Criteria: Application = [List of Business App-IDs], Zones, etc.
      • Action: Apply Profile Monitor-BusinessApps-C3.
    • Rule for Streaming:
      • Match Criteria: Application = [List of Streaming App-IDs], Zones, etc.
      • Action: Apply Profile Monitor-Streaming-C6.
    • Rule for Bulk Transfers:
      • Match Criteria: Application = [List of Transfer App-IDs], Zones, etc.
      • Action: Apply Profile Monitor-BulkTransfer-C7.
    • Rule for General Web:
      • Match Criteria: Application = web-browsing, ssl (a broad match; place this rule below the more specific ones so it only catches what they did not).
      • Action: Apply Profile Monitor-GeneralWeb-C4.
    • Traffic not matching any rule will use the interface's Default QoS Profile class.
  4. Commit Changes:

    Commit the configuration to activate QoS and the policy rules.

  5. Monitor Bandwidth Utilization:

    Use the following methods to view the per-class statistics:

    • CLI (Primary Method):
      • Command: `show qos interface [interface_name]` (e.g., `show qos interface ethernet1/1`)
      • Output: Shows statistics for each QoS class (1-8) on that interface, including:
        • packets_queued
        • packets_transmitted
        • packets_dropped
        • bytes_queued
        • bytes_transmitted
        • bytes_dropped
        • Current queue depth
      • By observing the bytes_transmitted counter for each class over time, you can determine the bandwidth consumed by the traffic categories you assigned to those classes.
      • Example output, annotated with the class-to-category mapping from the profiles created in step 2:

      admin@PA-VM> show qos interface ethernet1/1

      QoS statistics for interface ethernet1/1
      --------------------------------------------------------------------------------
       Class   Pkts queued    Pkts xmitted   Pkts dropped   Bytes queued   Bytes xmitted  Bytes dropped Queue delay(ms) Throughput(kbps) Queue depth
      --------------------------------------------------------------------------------
           1             0             0             0             0             0             0               0               0           0
           2             0             0             0             0             0             0               0               0           0
           3             0        512345             0             0      61481400             0               0            1500           0  <-- Business Apps
           4             0      10987654             0             0   13185184800             0               0            8500           0  <-- General Web / Default
           5             0             0             0             0             0             0               0               0           0
           6             0       2345678             0             0    2814813600             0               0            4500           0  <-- Streaming
           7             0        123456             0             0     148147200             0               0             500           0  <-- Bulk Transfer
           8             0          1000             0             0        120000             0               0              10           0
      --------------------------------------------------------------------------------

    • SNMP:
      • The PAN-QOS-MIB provides SNMP objects to poll per-class statistics remotely using an SNMP management system.
      • Objects typically include counters for transmitted/dropped packets and bytes per class.
    • GUI (Limited Real-time Class View):
      • The main firewall GUI (ACC, Monitor Tab) provides overall interface bandwidth graphs and session details but typically doesn't offer a direct real-time graph broken down *by QoS class*. You rely primarily on CLI or SNMP for that specific breakdown.
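The per-class byte counters above are cumulative, so the bandwidth figure you want is the difference between two captures divided by the time between them. The following script is an added example (not code from the original article or from Palo Alto Networks) that parses two `show qos interface` snapshots, converts the growth in Bytes xmitted per class into kbps, and flags any class whose Bytes dropped counter grew between the captures, which in a monitoring-only configuration means a class limit is shaping traffic after all. The two snapshots are constructed sample output in the layout shown above, assumed to be 10 seconds apart; the class labels are the ones assigned by the monitoring profiles in step 2.

```python
"""Per-class bandwidth from two `show qos interface` snapshots.

Added example; not code from the original article or from Palo Alto Networks.
Takes the difference of the cumulative Bytes xmitted counters between two
captures a known number of seconds apart and converts it to kbps per class,
also reporting any growth in Bytes dropped (a sign that limits are shaping).
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed mapping from the article's monitoring profiles to their classes.
CLASS_LABELS = {
    3: "Business Apps",
    4: "General Web / Default",
    6: "Streaming",
    7: "Bulk Transfer",
}

# Two constructed snapshots in the layout of the article's sample output,
# captured (hypothetically) 10 seconds apart on the same interface.
SNAPSHOT_T0 = """\
QoS statistics for interface ethernet1/1
--------------------------------------------------------------------------------
 Class   Pkts queued    Pkts xmitted   Pkts dropped   Bytes queued   Bytes xmitted  Bytes dropped Queue delay(ms) Throughput(kbps) Queue depth
--------------------------------------------------------------------------------
     1             0             0             0             0             0             0               0               0           0
     2             0             0             0             0             0             0               0               0           0
     3             0        512345             0             0      61481400             0               0            1500           0
     4             0      10987654             0             0   13185184800             0               0            8500           0
     5             0             0             0             0             0             0               0               0           0
     6             0       2345678             0             0    2814813600             0               0            4500           0
     7             0        123456             0             0     148147200             0               0             500           0
     8             0          1000             0             0        120000             0               0              10           0
"""
SNAPSHOT_T10 = """\
QoS statistics for interface ethernet1/1
--------------------------------------------------------------------------------
 Class   Pkts queued    Pkts xmitted   Pkts dropped   Bytes queued   Bytes xmitted  Bytes dropped Queue delay(ms) Throughput(kbps) Queue depth
--------------------------------------------------------------------------------
     1             0             0             0             0             0             0               0               0           0
     2             0             0             0             0             0             0               0               0           0
     3             0        513595             0             0      63356400             0               0            1500           0
     4             0      10994737             0             0   13195809800             0               0            8500           0
     5             0             0             0             0             0             0               0               0           0
     6             0       2349428             0             0    2820438600             0               0            4500           0
     7             0        123872             3             0     148772200          4096               0             500           0
     8             0          1010             0             0        132500             0               0              10           0
"""


@dataclass(frozen=True)
class ClassCounters:
    cls: int
    pkts_xmitted: int
    bytes_xmitted: int
    bytes_dropped: int


# A counter row: the class number followed by at least six integer columns
# (Pkts queued, Pkts xmitted, Pkts dropped, Bytes queued, Bytes xmitted, Bytes dropped).
_ROW = re.compile(r"^\s*([1-8])\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)")


def parse_qos_counters(text: str) -> dict[int, ClassCounters]:
    """Extract per-class counters from `show qos interface` output."""
    counters: dict[int, ClassCounters] = {}
    for line in text.splitlines():
        m = _ROW.match(line)
        if not m:
            continue  # banner, header and separator lines carry no counters
        cls, _pq, px, _pd, _bq, bx, bd = (int(g) for g in m.groups())
        counters[cls] = ClassCounters(cls, px, bx, bd)
    return counters


def throughput_per_class(before, after, interval_s: float) -> dict[int, tuple[float, int]]:
    """Return {class: (kbps, bytes newly dropped)} for the interval between two snapshots.

    A class whose Bytes xmitted counter went backwards (counters cleared between
    captures) is skipped rather than reported as negative bandwidth.
    """
    if interval_s <= 0:
        raise ValueError("interval must be positive")
    result: dict[int, tuple[float, int]] = {}
    for cls, a in after.items():
        b = before.get(cls)
        if b is None or a.bytes_xmitted < b.bytes_xmitted:
            continue
        kbps = (a.bytes_xmitted - b.bytes_xmitted) * 8 / 1000 / interval_s
        result[cls] = (round(kbps, 1), a.bytes_dropped - b.bytes_dropped)
    return result


def report(rates: dict[int, tuple[float, int]]) -> list[str]:
    """Render one line per class, flagging classes where drops appeared."""
    lines = []
    for cls in sorted(rates):
        kbps, dropped = rates[cls]
        label = CLASS_LABELS.get(cls, "unclassified / other")
        flag = f"  ** {dropped} bytes dropped: class limit is shaping traffic **" if dropped > 0 else ""
        lines.append(f"class {cls} {label:<22} {kbps:>9.1f} kbps{flag}")
    return lines


if __name__ == "__main__":
    rates = throughput_per_class(parse_qos_counters(SNAPSHOT_T0), parse_qos_counters(SNAPSHOT_T10), 10)
    print("\n".join(report(rates)))
```

In practice you would replace the two embedded snapshots with captures taken over SSH or from a scheduled job, and a sustained non-zero drop delta on a monitored class is the signal that the Maximum Egress for that class is lower than the traffic actually needs.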

Benefits and Limitations

Benefits of Monitoring via QoS:

Limitations:

PCNSE Exam Focus

For the PCNSE exam, understand:

QoS Monitoring Knowledge Check Quiz

1. To use PAN-OS QoS for monitoring bandwidth per application, what is the first essential step on the egress interface?

The QoS engine and its per-class counters are only activated once QoS is enabled on the interface and its maximum egress bandwidth is defined. This is necessary even if no active shaping is planned.

2. Which PAN-OS component is used to map specific applications (identified by App-ID) to distinct QoS Classes for monitoring purposes?

QoS Policy rules match traffic based on criteria like App-ID, and their action applies a QoS Profile which, in turn, assigns the traffic to a specific QoS Class for tracking/monitoring.

3. What is the primary CLI command to view the bytes and packets transmitted per QoS class on a specific interface?

The `show qos interface [interface_name]` command provides detailed statistics for each of the 8 QoS classes on the specified interface, including transmitted/dropped packets and bytes.

4. When configuring interface QoS settings purely for monitoring (not shaping), how should the 'Maximum Egress' bandwidth for each class ideally be set?

To prevent QoS from actively limiting traffic while still enabling the counters, the Maximum Egress for monitored classes should be set high, typically equal to the total interface capacity, ensuring traffic isn't dropped due to these class limits. Guaranteed can often be set to 0.

5. What is a primary benefit of using QoS for bandwidth monitoring?

The key advantage is visibility – seeing how much bandwidth different types of traffic (as categorized by your QoS policies) are actually consuming on an egress link, which helps in understanding network behavior and planning shaping policies.