PAN-OS QoS: Controlling Bandwidth Per Application

Goal: Application-Specific Bandwidth Control

A common requirement for Quality of Service (QoS) is to manage bandwidth based on the specific application generating the traffic. For example, an organization might want to:

• Guarantee bandwidth for critical business applications (e.g., VoIP, SAP, specific SaaS tools).
• Limit bandwidth for non-essential or recreational applications (e.g., streaming video, social media, large file transfers) during business hours.
• Provide a default level of service for general web browsing and other standard applications.

PAN-OS QoS provides the tools to achieve this granular control by leveraging its powerful App-ID engine in conjunction with the standard QoS components.

The fundamental principle for controlling bandwidth per application is the integration of Application Identification (App-ID) with the QoS framework:

1. Identify the Application: The firewall first uses App-ID to accurately identify the application generating the traffic, regardless of port, protocol, or encryption (with decryption).
2. Match the Application: A QoS Policy rule is configured to specifically match traffic based on the identified application (or application filter/group).
3. Assign Treatment: The QoS Policy rule applies a QoS Profile object to the matched application traffic.
4. Define Treatment (Class): The QoS Profile object assigns the traffic to a specific QoS Class (1-8).
5. Enforce Bandwidth Limits: The QoS settings on the egress interface enforce the pre-configured Guaranteed and/or Maximum bandwidth limits for the assigned QoS Class.

Therefore, limiting bandwidth for an application like YouTube involves identifying YouTube traffic with App-ID, matching it in a QoS Policy rule, using a QoS Profile to assign it to a low-priority class (e.g., Class 6), and setting a specific Maximum bandwidth limit for Class 6 on the relevant egress interface.

Step-by-Step Process:

1. Identify Target Applications:

   Use the Application Command Center (ACC), logs, or the App-ID database ( Objects > Applications ) to determine the exact App-IDs for the applications you want to prioritize or limit (e.g., youtube-base , microsoft-teams-audio-video , bitorrent , sap ).

   Consider application dependencies. Some applications (like Microsoft Teams) might rely on underlying applications (like ssl , stun ). Ensure dependent applications are also handled appropriately if needed.

2. Configure QoS on the Egress Interface:

   Navigate to Network > Interfaces > [Select Egress Interface] > QoS tab (or use Network > Network Profiles > QoS Profile assigned to the interface).

   • Enable QoS.
   • Set the Interface Egress Max bandwidth accurately.
   • Define Guaranteed Egress and Maximum Egress bandwidth for each of the 8 QoS Classes based on your requirements.
     • For applications needing guaranteed bandwidth, ensure their assigned class has sufficient Guaranteed Egress bandwidth.
     • For applications needing limitation, ensure their assigned class has an appropriate Maximum Egress bandwidth limit.
   • Assign a Default QoS Profile (typically mapping to Class 4).

3. Create QoS Profile Objects:

   Navigate to Objects > QoS Profile .

   • Create profiles corresponding to the desired treatment levels. For example:
     • QoS-Critical-Apps -> Assign to Class 1 or 2.
     • QoS-Limited-Apps -> Assign to Class 6 or 7.
     • QoS-Standard-Apps -> Assign to Class 4 (or use the interface default).
   • Optionally configure DSCP remarking within these profiles if needed for downstream devices.

4. Create QoS Policy Rules:

   Navigate to Policies > QoS .

   • Create rules, ensuring they are ordered correctly (top-down, first match). Specific application rules should generally come before broader category rules.
   • Rule for Prioritized Apps:
     • Matching Criteria: Select the specific App-IDs (e.g., microsoft-teams-audio-video , sap ) in the 'Application' tab. Specify relevant zones/addresses if needed.
     • Action: Apply the QoS-Critical-Apps profile (or similar).
   • Rule for Limited Apps:
     • Matching Criteria: Select the specific App-IDs (e.g., youtube-base , bitorrent ) in the 'Application' tab. Specify relevant zones/addresses.
     • Action: Apply the QoS-Limited-Apps profile (or similar).
   • (... potentially other rules for different application categories ...)
   • Default Handling: Traffic not matching any specific rule will fall through and use the Default QoS Profile configured on the egress interface.

5. Commit and Verify:

   Commit the changes.

   • Monitor traffic using ACC, session browser, and QoS statistics (CLI: show qos interface [interface_name] ) to verify applications are being classified correctly and bandwidth limits are being enforced during congestion.

Goal:

• Guarantee 5 Mbps for Panopto video conferencing (App-ID: panopto-video ) - High Priority.
• Limit Netflix streaming (App-ID: netflix-streaming ) to a maximum of 2 Mbps - Low Priority.
• Interface Egress Max: 50 Mbps.

Configuration:

1. Interface QoS (ethernet1/1):
   • Enable QoS, Egress Max: 50 Mbps.
   • Class 2: Guaranteed 5 Mbps, Maximum 10 Mbps.
   • Class 6: Guaranteed 0 Mbps, Maximum 2 Mbps.
   • Default Profile maps to Class 4.
2. QoS Profiles:
   • QoS-Panopto-C2 : Assigns to Class 2.
   • QoS-Netflix-C6 : Assigns to Class 6.
3. QoS Policy Rules:
   • Rule 1: Application = panopto-video | Action = Apply Profile QoS-Panopto-C2
   • Rule 2: Application = netflix-streaming | Action = Apply Profile QoS-Netflix-C6

Result:

During congestion, Panopto traffic will be assigned to Class 2 and is guaranteed at least 5 Mbps (up to 10 Mbps max). Netflix traffic will be assigned to Class 6 and will be capped at a maximum of 2 Mbps, receiving bandwidth only after higher priority classes (like Panopto) have met their needs.

Benefits:

• Granular Control: Prioritize or limit bandwidth based precisely on the application generating the traffic.
• Improved User Experience: Ensures critical applications perform reliably even when the network is busy.
• Resource Optimization: Prevents non-essential applications from consuming excessive bandwidth.
• Policy Enforcement: Aligns network usage with business priorities.

Considerations:

• Accurate App-ID: Relies on correct application identification. Encrypted traffic may require Decryption policies for accurate App-ID.
• Application Dependencies: Some applications use multiple App-IDs or depend on underlying services (like SSL). Ensure all relevant components are considered in QoS policies.
• Egress Enforcement: Remember that bandwidth shaping happens on egress.
• Monitoring: Regularly monitor QoS statistics to ensure policies are having the desired effect and adjust interface bandwidth allocations if necessary.
• Testing: Test during peak load or simulated congestion to verify behavior.

For the PCNSE exam, understand:

• How App-ID is used as a matching criterion in QoS Policy rules.
• The workflow: matching application traffic in a QoS Policy, applying a QoS Profile to assign a Class, and enforcing limits via Interface QoS settings.
• The difference between guaranteeing bandwidth (Guaranteed Egress on interface) and limiting bandwidth (Maximum Egress on interface).
• How to prioritize one application over another using different QoS Classes.
• The importance of configuring QoS on the egress interface *before* policies can enforce limits.