Configure Quality of Service in GlobalProtect Cloud Service

Quality of Service (QoS) is a set of technologies that work on a network to guarantee its ability to dependably run high-priority applications and traffic under limited network capacity. You can configure QoS in GlobalProtect cloud service to prioritize business-critical traffic or traffic that requires low latency, such as VoIP or videoconferencing. You can also reserve a minimum amount of bandwidth for business-critical applications.
GlobalProtect cloud service uses the same QoS profiles and supports the same Differentiated Services Code Point (DSCP) markings as next-generation Palo Alto Networks firewalls. However, the configuration process is different than configuring QoS on next-generation firewalls.
GlobalProtect cloud service can either mark ingress traffic using a security policy or it can honor DSCP markings set by your organization's on-premise device.
You can assign security policies based on destination and source IP, and you can also Define QoS based on App-ID or User IDs the same as you define QoS on a next-generation firewall.

QoS Configuration Overview

Use the following workflow to configure QoS in GlobalProtect cloud service. See Configure QoS in GlobalProtect Cloud Service for the detailed steps.
  1. Mark the ingress traffic using a security policy or using marking from an on-premise device.
    You can create PAN-OS security policies to mark traffic destined to GlobalProtect cloud service for mobile users and for remote network connections. For service connections, GlobalProtect cloud service will honor traffic marking from your organization’s on-premise devices. Optionally, you can also use on-premise devices to mark traffic for remote networks.
    To ensure predictable results, we recommend marking traffic using either security policies in GlobalProtect cloud service or your on-premise device, but not both. If there are differences between the security policies in GlobalProtect cloud service and the on-premise device, the security policy in GlobalProtect cloud service overrides the policy in the on-premise device.
  2. Map the traffic to classes using a QoS policy rule.
  3. Shape the traffic using a QoS profile.
    You can create QoS profiles to shape QoS traffic for service connections and for remote network connections and apply those profiles to traffic that you marked with PAN-OS security policies, traffic that you marked with an on-premise device, or both PAN-OS-marked and on-premise-marked traffic.
  4. Enable QoS on the service connection or remote network connection and bind the QoS profile to the connection.
The following figure shows the available QoS deployments in GlobalProtect cloud service.
qos-overall-example.png

QoS Examples

The following examples show how GlobalProtect cloud service marks and shapes traffic.
In the following example, the administrator created a security policy on the Mobile_User_Device_Group to mark incoming mobile user traffic. These policies assign traffic an IP precedence value of AF11.
The administrator also created QoS profiles with QoS policy rules, enabled QoS on the service connection and remote network connection, and applied the profiles to those connections to shape the traffic at the traffic’s egress point based on the QoS markings.
GlobalProtect cloud service marks traffic at its ingress point based on security policies or honors marking set by your on-premise devices, and shapes the traffic on egress to your service connections or remote network connections using QoS profiles.
qos-mobile-users-to-remote-networks-and-service-connections.png
The following example shows the QoS traffic flow from a branch office to an HQ/data center. The administrator creates a security policy on the Remote_Network_Device_Group to mark the incoming traffic from the remote network connection and enabled QoS and applied a QoS profile on the service connection to shape the outgoing traffic.
qos-remote-network-to-service-connection-2.png
The following example shows a hybrid deployment with an on-premise firewall at a branch that is connected by GlobalProtect cloud service with a remote network connection, and the on-premise firewall marks the traffic. This deployment honors the marking set on the on-premise firewall. You must enable QoS and apply a QoS profile on the service connection, so that GlobalProtect cloud service can shape the traffic at egress.
GlobalProtect cloud service honors all DSCP marking from the on-premise device as long as that traffic does not match an overriding security policy on GlobalProtect cloud service.
qos-remote-network-with-on-prem-firewall-to-service-connection-2.png

Configure QoS in GlobalProtect Cloud Service

Configure Quality of Service in GlobalProtect cloud service by completing the following task.
  1. Add one or more security policy rules for remote networks and mobile users to mark the ingress traffic for QoS.
    You use these policies to match a traffic flow and assign it a selected DSCP value.
    1. Select PoliciesSecurityPre Rules.
      Alternatively, select PoliciesSecurityPost Rules to add a rule at the bottom of the rule order that is evaluated after a pre-rule.
      Be sure that you select the correct Device Group. To create a security rule for a remote network, select the device group for the remote network (for example, Remote_Network_Device_Group); for mobile users, select the device group for the mobile users (for example, Mobile_User_Device_Group).
    2. Add a security policy rule.
    3. Enter a Name for the rule.
    4. Define the matching criteria for the source or destination fields in the packet.
    5. Click Actions, then select a QoS Marking of either IP DSCP or IP Precedence.
    6. Enter the QoS value in binary form, or select the value from the drop-down.
      The following screenshot shows a security policy rule that matches traffic marked with an IP DSCP value of af11.
      qos-security-policy-rule-qos-marking-actions.png
  2. Add one or more QoS policy rules.
    You use QoS policies to bind DSCP marking to one of eight available classes. You use these classes later when you create one or more QoS profiles.
    1. Select PoliciesQoSPre Rules.
      Alternatively, select PoliciesQoSPost Rules to add a rule at the bottom of the rule order that is evaluated after a pre-rule.
      Be sure that you select the correct Device Group for the service connection (for example, Service_Conn_Device_Group) or remote network connection (for example, Remote_Network_Device_Group).
    2. Add a QoS policy rule.
    3. Click General and enter a name for the policy rule.
    4. Click the DSCP/ToS tab, then click Codepoints and Add one or more new codepoints.
    5. Specify a Name for the DSCP/ToS rule, then select a Type and Codepoint.
      qos-dscp-type-codepoint.png
      Alternatively, keep the default value (Any) to allow the policy to match to traffic regardless of the Differentiated Services Code Point (DSCP) value or the IP Precedence/Type of Service (ToS) defined for the traffic.
    6. Click the Other Settings tab, then Choose the QoS Class to assign to the rule.
      You define class characteristics in the QoS profile.
    7. Click OK.
      qos-policy-define-class.png
  3. Create one or more QoS profiles to shape QoS traffic on egress for service connections and remote network connections.
    You use profiles to shape the traffic at egress point by defining QoS classes and assigning a bandwidth to them. You must select either an existing QoS profile or create a new QoS profile when you enable QoS for GlobalProtect cloud service.
    1. Select the correct template the profile you want to create (Remote_Network_Template or Service_Conn_Template); then, select NetworkNetwork ProfilesQoS Profile and
    2. Add a profile.
    3. Enter a profile Name.
    4. Set the overall bandwidth limits for the QoS profile rule.
      • Enter an Egress Max that represents the maximum throughput (in Mbps) for traffic leaving the service connection or remote network connection.
        For service connections, specify a number of up to 1 Gpbs (1,000 Mbps). For remote network connections, specify a number up to the maximum licensed bandwidth of your remote network connection.
      • Enter an Egress Guaranteed bandwidth that is the guaranteed bandwidth for this profile (in Mbps).
        Any traffic that exceeds the Egress Guaranteed value is best effort and not guaranteed. Bandwidth that is guaranteed but is unused continues to remain available for all traffic.
    5. In the Classes section, Add one or more classes and specify how to mark up to eight individual QoS classes.
      • Select the Priority for the class (either real-time, high, medium, or low).
      • Enter the Egress Max for traffic assigned to each QoS class you create.
        The Egress Max for a QoS class must be less than or equal to the Egress Max for the QoS profile.
      • Enter the Egress Guaranteed bandwidth in Mbps for each QoS class.
        Guaranteed bandwidth assigned to a class is not reserved for that class—bandwidth that is unused continues to remain available to all traffic. When a class of traffic exceeds the egress guaranteed bandwidth, the firewall passes that traffic on a best-effort basis.
      qos-new-qos-profile.png
    6. Click OK.
  4. Enable QoS for the service connection, remote network connection, or both, and apply the QoS profile to the connection.
    1. Enable QoS.
      • For service connections, select PanoramaCloud ServicesConfigurationService Setup, select a Connection Name, click the QoS tab, and Enable QoS.
      • For remote network connections, select PanoramaCloud ServicesConfigurationRemote Networks, select the hypertext for a remote network connection Name, click the QoS tab, and Enable QoS.
    2. Select the QoS profile you created in Step 3 and click OK.
    qos-enable-qos.png
  5. Check the QoS status.
    1. Select PanoramaCloud ServicesStatusMonitorService Connection or PanoramaCloud ServicesStatusMonitorRemote Networks, then Monitor the Statistics.
    2. Click QoS to view a page with QoS statistics.
      qos-qos-status.png
      This page displays a chart with real-time and historical QoS statistics, including the number of dropped packets per class. This chart displays only for service connections or remote network connections that have QoS enabled, shows the last five minutes of the connection’s network activity, and refreshes every 10 seconds.
      The following figure shows traffic being passed for classes 1,2,3, and 4. The data below the figure shows the number of packets dropped based on the QoS configuration for classes 2, 3, and 4.
      qos-statistics.png

Related Documentation