Controlling the bandwidth with quality of service policies

Quality of Service (QoS) is the collective name for several technologies that can help improve the quality of applications and the data flows that they are applied to by prioritizing them over other flows or reserving bandwidth to ensure adequate throughput and acceptable latency. In this section, you will learn how QoS marking can be applied to a firewall to interact with network devices downstream.

There are two ways for a firewall to participate in applying QoS to network traffic:

• Differentiated Services Code Point (DSCP) and Type of Service (ToS) headers
• QoS enforcement through built-in capabilities

Let's review external headers first.

DSCP and ToS headers

DSCP headers allow the firewall to let upstream and downstream devices know that certain sessions have a certain priority. These headers can be set in the security policies under the Actions tab, as in the following screenshot:

Figure 4.1 – IP DSCP headers in a security policy

In DSCP, you can set Assured Forwarding (AF), Expedited Forwarding (EF), or Class Selector (CS) code points. The IP Precedence ToS can be used when communicating with legacy network devices and Follow Client-to-Server Flow can be used to apply inbound DSCP marking to a returning outbound flow.

In the next section, we will cover controlling flows directly in the firewall.

QoS enforcement in the firewall

The firewall can also enforce bandwidth restrictions or guarantees, and that's what we will focus on here. The Palo Alto Networks firewall uses a system of eight classes combined with policies.

Each interface is set up with a QoS profile that mandates how each class is treated, and then policies are created to identify sessions as belonging to a certain class. The default class is class4, so anything that is not caught by a QoS rule will automatically become class4 and be subject to the restrictions for that class.

We'll use the following topology to build an example QoS policy:

• An internet link on eth1/1 with a download bandwidth of 200 Mbps per second and an upload bandwidth of 50 Mbps.
• A DMZ network containing some servers on eth1/2 connected to a 1 Gbps interface.
• A LAN where the users sit on eth1/3 connected to a 1 Gbps interface.
• Users need 20 Mbps of guaranteed upload and download bandwidth for their enterprise Voice over Internet Protocol (VoIP), but some internet downloads need to be limited to 50 Mbps.
• File share traffic between users and servers needs to be limited to 300 Mbps.
• Site-to-site VPN connections need a 20 Mbps guarantee for business-critical applications.

This topology is illustrated as follows:

Figure 4.2 – Example topology

Next, we will start laying down the groundwork for what will eventually become QoS enforcement.

Creating QoS profiles

Go to Network | Network Profiles | QoS Profile; you need to create at least one new profile to get started. The classes themselves do not carry any weight, so class1 could be your most important class, but also your lowest, depending on how you configure its parameters.

The priority setting does require special consideration; the real-time priority has its own queue in packet processing, making sure that any packets that end up in the queue (due to bandwidth congestion) go out first. All the lower priorities (high to low) share the main queue, with the lowest priority packets being discarded first if packets need to be let go in favor of higher priority sessions.

Egress Max at the top of the profile is the total of the maximum and reserved bandwidths for the whole profile, while Egress Max next to the class indicates how much bandwidth all of the sessions in that class get to share.

Let's build a few profiles first:

1. Create a profile called internet-upload.
2. Set the profile's Egress Max value to 50 Mbps to limit the total bandwidth usable by the profile to 50 Mbps. This tells the QoS engine that it needs to use its queuing mechanism and prioritize packets once it reaches the maximum limit.
3. Create class1, set it to real-time, and set a guarantee of 20 Mbps.

   This profile can also be created with the following commands in the Command-Line Interface (CLI):

   reaper@pa-220# set network qos profile internet-upload aggregate-bandwidth egress-max 50

   reaper@pa-220# set network qos profile internet-upload class-bandwidth-type mbps class class1 priority real-time class-bandwidth egress-guaranteed 20

4. Create a profile called internet-download.
5. Set the profile's Egress Max value to 200 Mbps.
6. Create class1, set Priority to real-time, and set its guarantee to 20 Mbps.
7. Create class5 and set the Egress Max value to 50.

   This profile can also be created with the following commands:

   reaper@pa-220# set network qos profile internet-download aggregate-bandwidth egress-max 200

   reaper@pa-220# set network qos profile internet-download class-bandwidth-type mbps class class5 priority medium class-bandwidth egress-max 50

   reaper@pa-220# set network qos profile internet-download class-bandwidth-type mbps class class1 priority real-time class-bandwidth egress-guaranteed 20

8. Create a profile called internal.
9. Do not set this profile's Egress Max value; we will be mixing this profile with the internet one, so we will let the interface maximum egress determine the maximum for this profile.
10. Create class8, set it to low priority, and set Egress Max to 300.

    internal can also be created in the CLI, as follows:

    reaper@pa-220# set network qos profile internal class-bandwidth-type mbps class class8 priority low class-bandwidth egress-max 300

11. Create a profile called vpn.
12. Create class4 and set it to guarantee 20 Mbps and to real-time priority; for this profile, we will let IPSec connections default to class4.

    vpn can be created in the CLI, as follows:

    reaper@pa-220# set network qos profile vpn class-bandwidth-type mbps class class4 priority medium class-bandwidth egress-guaranteed 20

    The QoS profiles should look as follows:

Figure 4.3 – QoS profiles

Next, the interfaces need to be set to enforce QoS. In Network | QoS, add all the interfaces. Then, for ethernet1/1, the internet-facing interface, do the following:

1. Check the Turn on QoS feature on this interface box as illustrated in the following screenshot, or execute the following CLI command:

   reaper@pa-220# set network qos interface ethernet1/1 enabled yes

2. Set the interface Egress Max value to 50 Mbps to limit uploads to the internet:

   reaper@pa-220# set network qos interface ethernet1/1 interface-bandwidth egress-max 50

3. Set the internet-upload profile as a Clear Text profile so that classes can be applied:

   reaper@pa-220# set network qos interface ethernet1/1 regular-traffic default-group qos-profile internet-upload

4. Set the vpn profile as the Tunnel Interface profile (as in the following screenshot):

   reaper@pa-220# set network qos interface ethernet1/1 tunnel-traffic default-group per-tunnel-qos-profile vpn

   This applies QoS to any site-to-site VPN connections sourced from the firewall to a remote peer (on a local tunnel interface):

Figure 4.4 – eth1/1 QoS configuration

For ethernet1/2, the DMZ-facing interface, do the following:

1. Check the Turn on QoS feature on this interface box as illustrated in the following screenshot, or use the following CLI command:

   reaper@pa-220# set network qos interface ethernet1/2 enabled yes

2. Set the interface Egress Max value to 1000 Mbps, but leave Clear Text as default and Tunnel Interface as none:

   reaper@pa-220# set network qos interface ethernet1/2 interface-bandwidth egress-max 1000

   reaper@pa-220# set network qos interface ethernet1/2 regular-traffic default-group qos-profile default

3. In the Clear Text tab, set the Egress Max value to 1000 Mbps:

   reaper@pa-220# set network qos interface ethernet1/2 regular-traffic bandwidth egress-max 1000

4. Add a new profile line:

   --Call it userupload.

   --Assign the internal QoS profile.

   --Set the source interface to ethernet1/3:

   reaper@pa-220# set network qos interface ethernet1/2 regular-traffic groups regular-traffic-group members userupload match local-address address any

   reaper@pa-220# set network qos interface ethernet1/2 regular-traffic groups regular-traffic-group members userupload match local-address interface ethernet1/3

   reaper@pa-220# set network qos interface ethernet1/2 regular-traffic groups regular-traffic-group members userupload qos-profile internal

5. Add a second profile line:

   --Call it internet.

   --Assign the internet-download profile.

   --Set the source interface to ethernet1/1:

   reaper@pa-220# set network qos interface ethernet1/2 regular-traffic groups regular-traffic-group members internet match local-address address any

   reaper@pa-220# set network qos interface ethernet1/2 regular-traffic groups regular-traffic-group members internet match local-address interface ethernet1/1

   reaper@pa-220# set network qos interface ethernet1/2 regular-traffic groups regular-traffic-group members internet qos-profile internet-download

These settings allow different profiles to be applied, as you can see in the following screenshot, depending on where the packets originate from. Downloads from the internet will be limited to 200 Mbps in total, and class5 can be applied to limit sessions to 50 Mbps as needed, while sessions from the user's LAN can use up to 1000 Mbps and limit the bandwidth to 300 Mbps uploads for the class8 sessions:

Figure 4.5 – eth1/2 QoS configuration

For ethernet1/3, the user-facing interface, do the following:

1. Check the Turn on QoS feature on this interface box as illustrated in the following screenshot, or execute the following CLI command:

   reaper@pa-220# set network qos interface ethernet1/3 enabled yes

2. Set the interface's Egress Max value to 1000 Mbps, but leave Clear Text as default and Tunnel Interface as none:

   reaper@pa-220# set network qos interface ethernet1/3 interface-bandwidth egress-max 1000

3. In the Clear Text tab, set Egress Max to 1000 Mbps:

   reaper@pa-220# set network qos interface ethernet1/3 regular-traffic bandwidth egress-max 1000

4. Add a new profile line:

   --Call it userdownload.

   --Assign the internal QoS profile.

   --Set the source interface to ethernet1/2:

   reaper@pa-220# set network qos interface ethernet1/3 regular-traffic groups regular-traffic-group members userdownload match local-address address any

   reaper@pa-220# set network qos interface ethernet1/3 regular-traffic groups regular-traffic-group members userdownload match local-address interface ethernet1/2

   reaper@pa-220# set network qos interface ethernet1/3 regular-traffic groups regular-traffic-group members userdownload qos-profile internal

5. Add a second profile line:

   --Call it internetdownload.

   --Assign the internet-download profile.

   --Set the source interface to ethernet1/1:

   reaper@pa-220# set network qos interface ethernet1/3 regular-traffic groups regular-traffic-group members internetdownload match local-address address any

   reaper@pa-220# set network qos interface ethernet1/3 regular-traffic groups regular-traffic-group members internetdownload match local-address interface ethernet1/1

   reaper@pa-220# set network qos interface ethernet1/3 regular-traffic groups regular-traffic-group members internetdownload qos-profile internet-download

These settings will limit the maximum Mbps when downloading (or streaming) things from the internet while guaranteeing that the class1 sessions are not deprived of bandwidth and that the bandwidth from the DMZ server is also maximized for all of the sessions to 1 Gbps, except class8, which is limited to 300 Mbps downloads. This should look as follows:

Figure 4.6 – eth1/3 QoS configuration

We have now created a framework that can apply traffic shaping to sessions. Next, we will define which applications are classified and how that is done.

Creating QoS policies

Without any QoS rules, only class4 will be enforced, which in the previous case will only set Egress Max to the maximum internet speed, but with no guarantees. The first policy we need to set will define enterprise VoIP as class1 so that we can guarantee 20 Mbps downloads over the internet link:

1. Create a new rule by going to Policies | QoS.
2. Call the rule enterprise voip.
3. Set the zone(s) to the trust-L3 and dmz-L3 zones so that outbound calls are classified as class1.
4. Set the destination zone where the sessions will egress the firewall.
5. Set the class to class1:

   reaper@pa-220# set rulebase qos rules "enterprise voip" from [ dmz-L3 trust-L3 ] to Untrust-L3 source any destination any category any application any action class 1

Your policy should look similar to the following:

Figure 4.7 – Setting VoIP to class1 outbound

The second rule sets the same guarantee, but for sessions that are started from the internet (such as an inbound SIP call). Follow these steps to create an inbound rule (if inbound sessions are not allowed by the security policy, you can skip this rule):

1. Create a rule and call it enterprise voip in.
2. Set the source zone to the Untrust-L3 zone.
3. Set the destination zone to the internal zones where calls can be accepted (the internal client or DMZ gateway).
4. Set the class to class1:

   reaper@pa-220# set rulebase qos rules "enterprise voip" to [ dmz-L3 trust-L3 ] from Untrust-L3 source any destination any category any application any action class 1

The inbound rule will look as follows:

Figure 4.8 – Setting VoIP to class1 inbound

We will also need to limit certain sessions between the user's LAN and DMZ networks. Assuming the security policy only allows users to connect to the DMZ and no sessions to be allowed from the DMZ to the user network, only one QoS rule will be needed as QoS classes are assigned to all packets in a session, regardless of their direction (so, class8 will be applied in both directions even if you only have your QoS rule set in one direction). Follow these steps to create an internal QoS rule:

1. Create a new QoS rule and call it fileshares.
2. Set the source zone to the Trust-L3 network.
3. Set the destination zone to the DMZ network.
4. Add the appropriate filesharing applications.
5. Set the class to class8:

   reaper@pa-220# set rulebase qos rules fileshares from trust-L3 to dmz-L3 source any destination any application [ ftp ms-ds-smb scps ] service application-default action class 8

6. Save the changes.

Your internal rule will look as follows:

Figure 4.9 – Setting file transfer applications to class8

To quickly check whether the limitations and guarantees are being enforced properly, you can access a live graph next to each enabled interface from Network | QoS | Statistics:

Figure 4.10 – class 5 is limited to 50 Mbps

To recap, we have learned the following:

• QoS is applied to the egress interface.
• Bandwidth restrictions and guarantees are shared within a class, not per session.
• Real-time priority has its own queue; the others share a queue.
• Egress Guaranteed or Egress Max cannot exceed the interface maximum.
• Class4 is the default class.
• Classes may have different guarantees or limitations, depending on the direction of the packet.
• If a guarantee in a class is not filled, other classes may consume more bandwidth (without exceeding their max) until the guarantee is required.

You can now create QoS profiles and understand the implications of priorities, guarantees, and the egress maximum. You can apply these profiles to interfaces and define different profiles depending on the source interface. You can also create rule sets that classify applications so that they can be shaped according to your profiles.

In the next section, we will see how encrypted sessions can be decrypted and inspected and how applications within an SSL session can be determined and threats stopped.