Configure Lockless QoS for improved QoS performance that results in improved
throughput and latency.
Palo Alto Networks firewalls support two types of QoS:
Legacy QoS: In legacy QoS mode, the firewall
supports both QoS and non-QoS traffic, and legacy QoS shapes the QoS
traffic.
Lockless QoS: In Lockless QoS mode, the firewall supports both QoS and
non-QoS traffic, and Lockless QoS shapes the QoS traffic. To achieve
Lockless QoS, the firewall shapes packets from the same interface (or port)
on the same core. For firewalls with higher-bandwidth QoS
requirements, Lockless QoS dedicates CPU cores to the QoS function, which
improves QoS performance and results in improved throughput and latency.
In Lockless QoS mode, the members of a LAG have to be mapped to
the same core, so the overall LAG QoS throughput is limited by the per-core
throughput.
The QoS throughput on a 100G, 40G, or 25G port is limited to the
throughput of a single core.
Whenever more than two ports are mapped to a single core, the
QoS throughput of that core is shared.
We support Lockless QoS mode on the following firewall models.
Regardless of the type of QoS configured, the maximum bandwidth (maximum
rate of transfer) you can allocate at the port level and QoS profile
level for the following platforms is 10G.
PA-3410 firewall
PA-3420 firewall
PA-3430 firewall
PA-3440 firewall
PA-5410 firewall
PA-5420 firewall
PA-5430 firewall
PA-5440 firewall
PA-5445 firewall
Follow these steps to enable, disable, and view the status of Lockless QoS.
Use the operational command set lockless-qos yes to
enable Lockless QoS and improve QoS performance. Commit and reboot the
firewall for the changes to take effect.
username@hostname> set lockless-qos yes
Changing lockless-qos enable requires reboot of the device. Do you want to continue? (y or n)
If you want to configure Lockless QoS where legacy QoS is already
configured, you can do so by running the set lockless-qos
yes command and rebooting your firewall. If you don't run this
command, the firewall retains the legacy QoS behavior. When you disable
Lockless QoS, the firewall falls back to the legacy QoS behavior if you
had already configured legacy QoS before enabling Lockless QoS.
Use the operational command set lockless-qos no to
disable the Lockless QoS. As a result, Lockless QoS isn't supported on the
firewall.
username@hostname> set lockless-qos no
Use the operational command show lockless-qos enable to
view the Lockless QoS enable status.
username@hostname> show lockless-qos enable
lockless-qos enable : yes
Use the operational command show lockless-qos
if-core-mapping to view the list of ports with the number of
cores allocated for the QoS process by the Lockless QoS.
username@hostname> show lockless-qos if-core-mapping
interface qos-core
ethernet1/41 71
ethernet1/42 72
(PAN-OS 11.1.3 and later releases) Use the operational command
show lockless-qos core-num to view the number of CPU
cores allocated for the Lockless QoS feature. You can view the
number of CPU cores allocated for Lockless QoS only when the Lockless QoS
feature is enabled.
username@hostname> show lockless-qos core-num
lockless-qos core-num : 6
The Lockless QoS core number is the number of CPU cores used by the
firewall for Lockless QoS. This information gives an approximate idea of the
expected performance degradation on the firewall when this feature is
enabled.
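
The following is an added example, not part of the Palo Alto Networks documentation: a Python sketch that parses saved output of the three show commands above and flags any core with more than two ports mapped to it, along with the single core that bounds a LAG's QoS throughput. The sample output is constructed in the layout shown on this page; interfaces ethernet1/43 and ethernet1/44, the LAG membership, and all function names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of captured CLI output, in the layout shown on this page.
SAMPLE = """\
username@hostname> show lockless-qos enable
lockless-qos enable : yes
username@hostname> show lockless-qos core-num
lockless-qos core-num : 6
username@hostname> show lockless-qos if-core-mapping
interface qos-core
ethernet1/41 71
ethernet1/42 72
ethernet1/43 72
ethernet1/44 72
"""

def parse_status(text):
    """Return (enabled, core_num, {interface: core}) from captured output."""
    enabled = re.search(r"^lockless-qos enable[ \t]*:[ \t]*(\w+)", text, re.M)
    core_num = re.search(r"^lockless-qos core-num[ \t]*:[ \t]*(\d+)", text, re.M)
    rows = re.finditer(r"^(ethernet\d+/\d+)[ \t]+(\d+)[ \t]*$", text, re.M)
    mapping = {m.group(1): int(m.group(2)) for m in rows}
    return (bool(enabled) and enabled.group(1) == "yes",
            int(core_num.group(1)) if core_num else None,
            mapping)

def shared_cores(mapping, limit=2):
    """Cores with more than `limit` ports mapped; their QoS throughput is shared."""
    by_core = defaultdict(list)
    for iface, core in mapping.items():
        by_core[core].append(iface)
    return {c: sorted(p) for c, p in by_core.items() if len(p) > limit}

def lag_core(mapping, members):
    """Core that bounds a LAG's QoS throughput, or None if members are split or unmapped."""
    cores = {mapping.get(m) for m in members}
    return cores.pop() if len(cores) == 1 and None not in cores else None

if __name__ == "__main__":
    enabled, core_num, mapping = parse_status(SAMPLE)
    print("enabled:", enabled, "cores:", core_num)
    for core, ports in shared_cores(mapping).items():
        print(f"core {core} is shared by {ports}")
    # Hypothetical LAG membership, supplied by the operator.
    print("LAG core:", lag_core(mapping, ["ethernet1/43", "ethernet1/44"]))
```
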