Scribd
Upload
155 views

How To Configure and Test QoS

This document provides steps to configure and test Quality of Service (QoS) policies in PAN-OS 3.0 to rate-limit specific applications like web browsing and video streaming. The steps include creating QoS rules and profiles to limit download bandwidth to 50% for web browsing and 0.1 Mbps for video, then testing the policies by measuring throughput and attempting to stream videos.

Uploaded by

Henry
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
155 views

How To Configure and Test QoS

This document provides steps to configure and test Quality of Service (QoS) policies in PAN-OS 3.0 to rate-limit specific applications like web browsing and video streaming. The steps include creating QoS rules and profiles to limit download bandwidth to 50% for web browsing and 0.1 Mbps for video, then testing the policies by measuring throughput and attempting to stream videos.

Uploaded by

Henry
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 5

How to Configure and Test QoS in PANOS 3.

0
This document walks through the steps needed for a simple test of the QoS feature. In particular,
these steps will rate-limit applications such as youtube, hulu, and web browsing.
Preparation steps:
Place a Palo Alto Networks firewall inline in your network. The firewall must be running
PANOS 3.0.0 or higher. The firewall interfaces can be in virtual wire mode, or layer 3
mode.
The external interface needs to have network access to the Internet.
You will be performing the throughput tests on a PC located in your trust zone.
Configure routing and policies on the firewall to allow traffic to flow from the trust zone
to untrust zone.

Part 1: Rate-limiting Web-browsing


In this part, you will set up a simple QoS configuration, and test it by going to a speed testing
site on the Internet.
1. Perform an initial throughput test. On the internal PC, use a browser to go to the URL:
http://www.speakeasy.net/speedtest, and click on the city closest to you to check your
throughput. (Or you can use any bandwidth test program on the Internet that you like.)
Run the test a couple times, and record the average throughput:
Download rate: __________
Upload rate:__________
2. Login to the firewall as the administrator. Go to the Policies tab -> QoS screen. Create a
rule from any zone to any zone. On that rule, select application web-browsing, and
configure the class of service to be 5. Your policy should look like this:

3. Go to the Network tab -> Network Profiles -> QoS Profiles screen. Create a new QoS
profile. Define a QoS profile that will assign a maximum egress limit for class 5 traffic.
Set the maximum rate to be 50% or less than download rate you determined step 1. (This
example will use 5 Mbps.) Note that you must click in the empty space in the appropriate
column, and then type a value.
PANOS 3.0.0

Your QoS profile will look like this:

4. Go to Network tab -> QoS screen. Click New to assign the QoS profile to a specific
interface. Note that rate limiting is performed on the EGRESS interface. In this first test,
we want to rate limit files being downloaded via web browsing, therefore assign the
profile to the INTERNAL interface. Next to Clear Text Default Profile, select the
profile you created in the previous step.

PANOS 3.0.0

5. Commit the changes.


6. Perform the throughput test a couple of times, and record the average results.
Download rate: __________
Upload rate:__________
You should find that the download rate is limited, but the upload rate is not. That is
because we assigned the QoS profile on the internal interface only.
7. Go to the Network tab -> Network Profiles -> QoS Profiles screen. Create a new QoS
profile that will assign a different maximum egress limit for class 5 traffic. Set the
maximum rate to be approximately half of the UPLOAD rate you determined in step 1.
(This example will use 2 Mbps.)

8. Go to Network tab -> QoS screen. Click New to add another interface that will be rate
limited. Select the EXTERNAL interface, and select the profile you just created.

PANOS 3.0.0

Your QoS interfaces will now look like this:

9. Commit the changes.


10. Perform the throughput test a few times, and record the average results.
Download rate: __________
Upload rate:__________
You should find that the upload rate is now limited, since you assigned a new QoS profile
on the external interface.

Part 2: Rate-limiting Video Apps


11. Go to the following sites to make sure that you can view videos, and there is no delay in
the video feed:
www.youtube.com
video.google.com
www.hulu.com
12. Go to the Policies tab -> QoS screen. Configure your policy to match the following:

PANOS 3.0.0

13. Go to the Network tab -> Network Profiles -> QoS Profiles screen. Create a new
profile that matches the following:

This profile will still rate-limit class 5 traffic to 5 Mbps, but it will also rate-limit class 8
traffic to a very small amount of bandwidth: .1 Mbps.
14. Go to Network tab -> QoS screen. Since you will be downloading videos, you should
edit your INTERNAL interface, and select the profile you just created.
15. Commit the changes.
16. Go to the video sites you tested previously, and attempt to watch videos. You should find
that the videos will stop and start, or not even be able to be viewed, due to the decrease in
bandwidth.
17. Also go to the throughput testing web site, and test downloading throughput. That should
be rate-limited as well, as defined in the profile.
At this point you can continue testing by adding additional QoS policies, and creating
new QoS profiles. For further information, refer to PANOS 3.0 Administrators Guide,
found on http://support.paloaltonetworks.com

PANOS 3.0.0

You might also like