Use Case: QoS for a Single User
Table of Contents
Expand All
|
Collapse All
Next-Generation Firewall Docs
-
-
- Cloud Management of NGFWs
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1 & Later
- PAN-OS 9.1 (EoL)
-
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1 & Later
-
-
- Cloud Management and AIOps for NGFW
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1
- PAN-OS 11.2
- PAN-OS 8.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 9.1 (EoL)
Use Case: QoS for a Single User
A CEO finds that during periods of high network
usage, she is unable to access enterprise applications to respond
effectively to critical business communications. The IT admin wants
to ensure that all traffic to and from the CEO receives preferential
treatment over other employee traffic so that she is guaranteed
not only access to, but high performance of, critical network resources.
- The admin creates the QoS profile CEO_traffic to define how traffic originating from the CEO will be treated and shaped as it flows out of the company network:The admin assigns a guaranteed bandwidth (Egress Guaranteed) of 50 Mbps to ensure that the CEO will have that amount that bandwidth guaranteed to her at all times (more than she would need to use), regardless of network congestion.The admin continues by designating Class 1 traffic as high priority and sets the profile’s maximum bandwidth usage (Egress Max) to 1000 Mbps, the same maximum bandwidth for the interface that the admin will enable QoS on. The admin is choosing to not restrict the CEO’s bandwidth usage in any way.It is a best practice to populate the Egress Max field for a QoS profile, even if the max bandwidth of the profile matches the max bandwidth of the interface. The QoS profile’s max bandwidth should never exceed the max bandwidth of the interface you are planning to enable QoS on.The admin creates a QoS policy to identify the CEO’s traffic (PoliciesQoS) and assigns it the class that he defined in the QoS profile (see prior step). Because User-ID is configured, the admin uses the Source tab in the QoS policy to singularly identify the CEO’s traffic by her company network username. (If User-ID is not configured, the administrator could Add the CEO’s IP address under Source Address. See User-ID.):The admin associates the CEO’s traffic with Class 1 (Other Settings tab) and then continues to populate the remaining required policy fields; the admin gives the policy a descriptive Name (General tab) and selects Any for the Source Zone (Source tab) and Destination Zone (Destination tab):Now that Class 1 is associated with the CEO’s traffic, the admin enables QoS by checking Turn on QoS feature on interface and selecting the traffic flow’s egress interface. The egress interface for the CEO’s traffic flow is the external-facing interface, in this case, ethernet 1/2:Because the admin wants to ensure that all traffic originating from the CEO is guaranteed by the QoS profile and associated QoS policy he created, he selects the CEO_traffic to apply to Clear Text traffic flowing from ethernet 1/2.After committing the QoS configuration, the admin navigates to the NetworkQoS page to confirm that the QoS profile CEO_traffic is enabled on the external-facing interface, ethernet 1/2:He clicks Statistics to view how traffic originating with the CEO (Class 1) is being shaped as it flows from ethernet 1/2:This case demonstrates how to apply QoS to traffic originating from a single source user. However, if you also wanted to guarantee or shape traffic to a destination user, you could configure a similar QoS setup. Instead of, or in addition to this work flow, create a QoS policy that specifies the user’s IP address as the Destination Address on the PoliciesQoS page (instead of specifying the user’s source information) and then enable QoS on the network’s internal-facing interface on the NetworkQoS page (instead of the external-facing interface).