>
    Configure Quality of Service in Prisma Access
    Focus
    Download PDF
    Focus
    1. Home
    2. Prisma
    3. Prisma Access
    4. Use Remote Networks to Secure Branches
    5. Quick Configs for Remote Network Deployments
    6. Configure Quality of Service in Prisma Access
    Download PDF

    Configure Quality of Service in Prisma Access

    Table of Contents

    Configure Quality of Service in Prisma Access

    This capability is not supported for remote networks if you use bandwidth allocation per compute location.
    Quality of Service (QoS) is a set of technologies that work on a network to guarantee its ability to dependably run high-priority applications and traffic under limited network capacity. You can configure QoS in Prisma Access to prioritize business-critical traffic or traffic that requires low latency, such as VoIP or videoconferencing. You can also reserve a minimum amount of bandwidth for business-critical applications.
    Prisma Access uses the same QoS profiles and supports the same Differentiated Services Code Point (DSCP) markings as next-generation Palo Alto Networks firewalls. However, the configuration process is different than configuring QoS on next-generation firewalls.
    Prisma Access can either mark ingress traffic using a security policy or it can honor DSCP markings set by your organization's on-premises device.
    Prisma Access for Clean Pipe also supports QoS; see Configure Quality of Service for Clean Pipe for details.

    QoS Configuration Overview

    Use the following workflow to configure QoS in Prisma Access. See Configure QoS in Prisma Access for the detailed steps.
    1. Mark the ingress traffic using a security policy or using marking from an on-premises device.
      You can create PAN-OS security policies to mark traffic destined to Prisma Access for mobile users and for remote network connections. For service connections, Prisma Access will honor traffic marking from your organization’s on-premises devices. Optionally, you can also use on-premises devices to mark traffic for remote networks.
      To ensure predictable results, we recommend marking traffic using either security policies in Prisma Access or your on-premises device, but not both. If there are differences between the security policies in Prisma Access and the on-premises device, the security policy in Prisma Access overrides the policy in the on-premises device.
    2. Map the traffic to classes using a QoS policy rule.
    3. Shape the traffic using a QoS profile.
      You can create QoS profiles to shape QoS traffic for service connections and for remote network connections and apply those profiles to traffic that you marked with PAN-OS security policies, traffic that you marked with an on-premises device, or both PAN-OS-marked and on-premise-marked traffic.
    4. Enable QoS on the service connection or remote network connection and bind the QoS profile to the connection.
    The following figure shows the available QoS deployments in Prisma Access.
    Starting with Prisma Access 1.8, you apply bandwidth for remote networks by compute location, instead of by location. QoS is not supported with these network types.

    QoS Examples

    The following examples show how Prisma Access marks and shapes traffic.
    In the following example, the administrator created a security policy on the Mobile_User_Device_Group to mark incoming mobile user traffic. These policies assign traffic an IP precedence value of AF11.
    The administrator also created QoS profiles with QoS policy rules, enabled QoS on the service connection and remote network connection, and applied the profiles to those connections to shape the traffic at the traffic’s egress point based on the QoS markings.
    Prisma Access marks traffic at its ingress point based on security policies or honors marking set by your on-premises devices, and shapes the traffic on egress to your service connections or remote network connections using QoS profiles.
    The following example shows the QoS traffic flow from a branch office to an HQ/data center. The administrator creates a security policy on the
    Remote_Network_Device_Group
     to mark the incoming traffic from the remote network connection and enabled QoS and applied a QoS profile on the service connection to shape the outgoing traffic.
    The following example shows a hybrid deployment with an on-premises firewall at a branch that is connected by Prisma Access with a remote network connection, and the on-premises firewall marks the traffic. This deployment honors the marking set on the on-premises firewall. You must enable QoS and apply a QoS profile on the service connection, so that Prisma Access can shape the traffic at egress.
    Prisma Access honors all DSCP marking from the on-premises device as long as that traffic does not match an overriding security policy on Prisma Access.
    The following example shows a Clean Pipe configuration that shapes on ingress (from the internet to Clean Pipe side). See Configure Quality of Service for Clean Pipe for configuration details.

    Configure QoS in Prisma Access

    Configure Quality of Service in Prisma Access by completing the following task.
    1. Add one or more security policy rules for remote networks and mobile users to mark the ingress traffic for QoS.
      You use these policies to match a traffic flow and assign it a selected DSCP value.
      1. Select
        Policies
        Security
        Pre Rules
        .
        Alternatively, select
        Policies
        Security
        Post Rules
         to add a rule at the bottom of the rule order that is evaluated after a pre-rule.
        Be sure that you select the correct
        Device Group
        . To create a security rule for a remote network, select the device group for the remote network (for example,
        Remote_Network_Device_Group
        ); for mobile users, select the device group for the mobile users (for example,
        Mobile_User_Device_Group
        ).
      2. Add
         a security policy rule.
      3. Enter a
        Name
         for the rule.
      4. Define the matching criteria for the source or destination fields in the packet.
      5. Click
        Actions
        , then select a
        QoS Marking
         of either
        IP DSCP
         or
        IP Precedence
        .
      6. Enter the QoS value in binary form, or select the value from the drop-down.
        The following screenshot shows a security policy rule that matches traffic marked with an
        IP DSCP
         value of
        af11
        .
    2. Add one or more QoS policy rules.
      You use QoS policies to bind DSCP marking to one of eight available classes. You use these classes later when you create one or more QoS profiles.
      1. Select
        Policies
        QoS
        Pre Rules
        .
        Alternatively, select
        Policies
        QoS
        Post Rules
         to add a rule at the bottom of the rule order that is evaluated after a pre-rule.
        Be sure that you select the correct
        Device Group
         for the service connection (for example,
        Service_Conn_Device_Group
        ) or remote network connection (for example,
        Remote_Network_Device_Group
        ). If a rule in a Shared device group has defined values other than the values in the
        General
        ,
        DSCP/ToS
        , and
        Other
         settings areas, Prisma Access does not apply the rule on the remote network and service connection.
      2. Add
         a QoS policy rule.
      3. Click
        General
         and enter a name for the policy rule.
      4. Click the
        DSCP/ToS
         tab, then click
        Codepoints
         and
        Add
         one or more new codepoints.
        For Clean Pipe deployments, you can specify additional QoS settings in policy, such as source, destination, or application.
      5. Specify a
        Name
         for the DSCP/ToS rule, then select a
        Type
         and
        Codepoint
        .
        Alternatively, keep the default value (
        Any
        ) to allow the policy to match to traffic regardless of the Differentiated Services Code Point (DSCP) value or the IP Precedence/Type of Service (ToS) defined for the traffic.
      6. Click the
        Other Settings
         tab, then Choose the QoS
        Class
         to assign to the rule.
        You define class characteristics in the QoS profile.
      7. Click
        OK
        .
    3. Create one or more QoS profiles to shape QoS traffic on egress for service connections and remote network connections.
      You use profiles to shape the traffic at egress point by defining QoS classes and assigning a bandwidth to them. You must select either an existing QoS profile or create a new QoS profile when you enable QoS for Prisma Access.
      1. Select the correct template the profile you want to create (
        Remote_Network_Template
         or
        Service_Conn_Template
        ); then, select
        Network
        Network Profiles
        QoS Profile
         and
      2. Add
         a profile.
      3. Enter a profile
        Name
        .
      4. Set the overall bandwidth limits for the QoS profile rule.
        • Enter an
          Egress Max
           that represents the maximum throughput (in Mbps) for traffic leaving the service connection or remote network connection.
          • For service connections, specify a number of up to 1 Gpbs (1,000 Mbps).
            Do not enter a number greater than 1 Gbps; Prisma Access calculates service connection bandwidth per service connection IPSec tunnel and not cumulatively across multiple tunnels.
        • For remote network connections, enter a value of
          0
          .
        • Enter an
          Egress Guaranteed
           value. bandwidth that is the guaranteed bandwidth for this profile (in Mbps).
          • For service connections, enter an
            Egress Guaranteed
             bandwidth that is the guaranteed bandwidth for this profile (in Mbps).
            Any traffic that exceeds the Egress Guaranteed value is best effort and not guaranteed. Bandwidth that is guaranteed but is unused continues to remain available for all traffic.
          • For remote network connections, enter a value of
            0
            .
      5. In the Classes section,
        Add
         one or more classes and specify how to mark up to eight individual QoS classes.
        • Select the
          Priority
           for the class (either
          real-time
          ,
          high
          ,
          medium
          , or
          low
          ).
        • Enter the
          Egress Max
           for traffic assigned to each QoS class you create.
          • For bandwidth-based QoS profiles (used by service connections or remote networks that allocate bandwidth by location), enter a value in Mbps. The Egress Max for a QoS class must be less than or equal to the Egress Max for the QoS profile.
        • Enter the
          Egress Guaranteed
           percentage or bandwidth in Mbps for each QoS class. For QoS profiles for remote networks, enter a percentage.
          Guaranteed bandwidth assigned to a class is not reserved for that class—bandwidth that is unused continues to remain available to all traffic. When a class of traffic exceeds the egress guaranteed bandwidth, Prisma Access passes that traffic on a best-effort basis.
        • Enter a
          Class Bandwidth Type
           for the profile.
      6. Click
        OK
        .
    4. (
      Service Connections Only
      ) Enable QoS for the service connection and apply the QoS profile to the connection.
      1. Enable QoS by selecting
        Panorama
        Cloud Services
        Configuration
        Service Setup
        , selecting a
        Connection Name
        , clicking the
        QoS
         tab; then
        Enable
         QoS.
        If you allocate your remote network bandwidth by location instead of by compute location, configure QoS in the same way as you do service connections. Select
        Panorama
        Cloud Services
        Configuration
        Remote Networks
        , select the hypertext for a remote network connection
        Name
        , click the
        QoS
         tab, and
        Enable
         QoS.
      2. Select a QoS profile and click
        OK
        .
    5. Check the QoS status.
      1. Select
        Panorama
        Cloud Services
        Status
        Monitor
        Service Connection
         or
        Panorama
        Cloud Services
        Status
        Monitor
        Remote Networks
        , then
        Monitor
         the
        Statistics
        .
      2. Click
        QoS
         to view a page with QoS statistics.
        This page displays a chart with real-time and historical QoS statistics, including the number of dropped packets per class. This chart displays only for service connections or remote network connections that have QoS enabled, shows the last five minutes of the connection’s network activity, and refreshes every 10 seconds.
        The following figure shows traffic being passed for classes 1,2,3, and 4. The data below the figure shows the number of packets dropped based on the QoS configuration for classes 2, 3, and 4.

    Configure Quality of Service for Clean Pipe

    For Clean Pipe deployments, you can create QoS policies to define the traffic that receives QoS treatment and QoS profiles to define the classes of service, including priority, that the traffic can receive. You can define QoS based on DSCP values or zones (Trust or Untrust). To implement QoS with Clean Pipe, select the QoS Profile when you onboard the Clean Pipe. See Configure Prisma Access for Clean Pipe for details.

    Recommended For You

    © 2023 Palo Alto Networks, Inc. All rights reserved.