I was going to to guess that the download took 30 minutes, but then I remembered I don't have to guess. Those details are logged in the firewall's traffic log. 1859 seconds comes in just shy of 31 minutes. For those 31 minutes, while my Internet was pegged (in a good way), I went and ate some lunch.
That got me thinking. What about all of those environments where there are hundreds, or thousands of Macs? Their Internet connections must be getting crushed! What is the user experience for everyone else on that network while their WAN links are getting pegged (in a bad way)?
Palo Alto Networks is known for their application-level visibility and control. The terminal action for identifying an application is not limited to "permit" or "deny". You can also use that intelligence to rate-limit an application.
The process of rate-limiting an application can be a little daunting - thus the purpose of today's blog posting. Application-based rate limiting is a 3-step process:
- Map traffic flows into classes using a "QoS Policy"
- Define how classes are serviced in a "QoS Profile"
- Attach a QoS Profile to a firewall interface
So let's dig into each step in a little more detail:
STEP 1: QoS Policy
Navigate to Policies / QoS. This is where you map traffic into classes.
This particular firewall has 3 simple QoS Policies:
- VoIP Traffic (defined by the applications sip/sccp/h.323/skype) is mapped to class 2
- Apple Applications are mapped to class 8 (only between the hours of 6am-11pm)
- All other traffic is mapped to class 4
(Note: rule #3 is technically redundant, as traffic not explicitly defined in this policy will be placed into class 4).
You can get more granular with your mapping of traffic into classes. You can use src/dst zones, src/dst IP addresses, specific users (as pulled from Active Directory / Exchange / API), and service/destination port. This specific policy is very simple, relying mainly on the application.
STEP 2: QoS Profiles
Navigate to Network / Network Profiles / QoS Profile. This is where you define how to service each of the classes.
In order to keep things simple, call your new QoS Profile "Inbound Traffic QoS Profile". Trust me, proper naming here will help you later in the process. Next, add each of the classes and select a priority for each class. Finally, add your rate-limit value to the Egress Max for class 8. (My example here shows 22.5Mbps). There's quite a bit more you can do with QoS, but that will have to wait for another blog post.
STEP 3: Attach the QoS Profile to a Firewall Interface
Navigate to Network / QoS. This is where you will "Add" a mapping between the previously-created QoS Profile and one of the firewall's physical interfaces.
The QoS engine in PAN-OS acts on traffic as it egresses the firewall. This means that your "Inbound Traffic QoS Profile" must be attached to the inside interface of the firewall. In this example, I am attaching our QoS profile to ethernet1/2.
Be sure to select the newly-created QoS profile for both Clear Text & Tunnel Interface.
As always, you'll need to "Commit" your changes. Finally, in order to validate that the application in question is being rate-limited, navigate to Network / QoS and click on "statistics" to see pretty graphs and charts relating to your QoS policy.
What if you want to rate-limit outbound/upload traffic too? If your goal is symmetric rate-limiting, then just repeat step #3 and attach the same QoS profile to your outside/wan/untrust interface. If you want different limits for upload vs. download, then repeat step #2 and create an "Outbound Traffic QoS Profile", populated with different rate limits, and then repeat step #3 by attaching this profile to your outside interface.
What if you want to rate-limit outbound/upload traffic too? If your goal is symmetric rate-limiting, then just repeat step #3 and attach the same QoS profile to your outside/wan/untrust interface. If you want different limits for upload vs. download, then repeat step #2 and create an "Outbound Traffic QoS Profile", populated with different rate limits, and then repeat step #3 by attaching this profile to your outside interface.
The next time your wan pipe gets pegged by an OS X or iOS update, or when March Madness rolls around again next year, or when your employees/students/users discover bittorrent/netflix/youtube/$excitingnewapp, you'll be prepared to handle it.
Hey man, this is a really well written article. It has helped me figure out how to rate limit necessary traffic. I like how you have broken it down in 3 logical sections. Good job, and thanks!
You have provided an nice article, Thank you very much for this one. And i hope this will be useful for many people.. and i am waiting for your next post keep on updating these kinds of knowledgeable things...
ios App Development Company
Mobile App Development Company
It is A Good Article for Applying QOS, Thanks for Sharing.
Thanks for your great information, the contents are quiet interesting.Keep updating more information from your blog.I will be waiting for your next post.
Visit for: PaloAlto Training | Bluecoat Training | SD-WAN / SDN Training