Thursday, January 26, 2017

Palo Alto Networks - Application Prioritization

In many customer environments, administrators may not have management approval to block specific applications that are considered bandwidth intensive (Netflix, for example). This is particularly evident in the education vertical. Fortunately for Palo Alto Networks users, QoS Policies are a very flexible way of throttling or prioritizing traffic based on application, user, URL category, etc. This feature eliminates the need for a 3rd-party packet shaper or QoS device for traffic traversing the network segment where the Palo Alto Networks firewall is deployed. Here is a configuration example based on the Netflix case above:
  • Navigate to Network -> Network Profiles -> QoS Profile -> Add and create a QoS Profile. You can create up to 8 queues. In our example, we will just create one.

In the example above, we have an Egress Max of 100Mbps because that is the size of our WAN interface. We added class1 and assigned it an Egress Max of .01 Mbps. Essentially, even though the traffic is allowed, the application itself won't work at that rate.
  • Navigate to Network -> QoS -> Add and configure QoS for the appropriate interface(s).

In the example above, we have an Egress Max of 100Mbps because that is the size of our WAN interface. We select ethernet1/2 for the Interface Name because this is our Trust interface. QoS is always enforced on the interface the traffic egresses. Since Netflix is a very download-intensive application (the bulk of the bytes leave the firewall toward the Trust side), we will apply our Throttle Streaming Apps profile to this interface only.
  • Navigate to Policies -> QoS -> Add and configure a policy to identify the application and apply a specific QoS class.

In the example above, we are applying Class 1 to all Netflix traffic that originates from the Trust zone and is destined for the Untrust zone.

Once the changes are committed, you can then test and verify traffic classification by navigating to Network -> QoS -> Statistics.
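The same three objects entered from the PAN-OS CLI instead of the web UI, as an added example that is not from the original post. The command syntax is recalled from the PAN-OS CLI reference and is an assumption to confirm with tab completion on your release; the rule name "Throttle Netflix" and the App-ID name "netflix-base" are also assumed, while the profile name, interface and zones are the ones used above.

```text
# Added example (not from the original post). Syntax assumed from the
# PAN-OS CLI reference; confirm with tab completion before committing.
# Names from the post: profile "Throttle Streaming Apps", interface
# ethernet1/2 (Trust), zones trust -> untrust.

configure

# 1. QoS Profile: 100 Mbps aggregate egress, class1 capped at 0.01 Mbps
set network qos profile "Throttle Streaming Apps" aggregate-bandwidth egress-max 100
set network qos profile "Throttle Streaming Apps" class class1 class-bandwidth egress-max 0.01

# 2. Enable QoS on the Trust interface (egress for the download direction)
#    and make the profile the default for regular traffic
set network qos interface ethernet1/2 enabled yes
set network qos interface ethernet1/2 interface-bandwidth egress-max 100
set network qos interface ethernet1/2 regular-traffic default-group qos-profile "Throttle Streaming Apps"

# 3. QoS policy: Netflix from trust to untrust is marked as class 1
#    (rule name and App-ID "netflix-base" are assumed; check the App-ID
#    database for the current Netflix application names)
set rulebase qos rules "Throttle Netflix" from trust to untrust source any destination any application netflix-base service any action class 1

commit

# 4. Verify from operational mode: per-class counters and class 1 throughput
#    on the interface, the CLI counterpart of Network -> QoS -> Statistics
exit
show qos interface ethernet1/2 counter
show qos interface ethernet1/2 throughput 1
```

Start a Netflix stream from a Trust host after the commit; class 1 counters on ethernet1/2 should increment while the other classes stay unaffected.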