01/14/19 20:41 PM  

QoS Policies for Palo Alto Networks | RingCentral


 
Summary

When SIP ALG is enabled, the ALG's functions may result in intermittent call connectivity issues (phone registration or call feature operation) or excessive voice quality impairments (increased latency and jitter). Follow the steps below to disable the Palo Alto Networks Session Initiation Protocol (SIP) application-level gateway (ALG) using CLI commands.
Details

How to Implement QoS for Palo Alto Networks using commands

This document assumes that the customer has a known working Palo Alto configuration. Use SSH to log into an administrative account on the Palo Alto and issue the commands in Table 1 and Table 2 to create the required data structures and to disable the SIP ALG subsystem:
 

Commands on Table 1:                                            Steps to configure on the Palo Alto UI:
Create a Service Group                                          Create a Service Group for Palo Alto Networks
Create a Network Profile                                        Create a Network Profile for Palo Alto Networks
Disable Palo Alto Networks SIP Application-level Gateway (ALG)  Disable Palo Alto Networks SIP Application-level Gateway (ALG)

Commands on Table 2:                                            Steps to configure on the Palo Alto UI:
Create a QoS Policy                                             Create a QoS Policy for Palo Alto PA-200


Best Practices for Palo Alto Configurations
 

Table 1:

set cli scripting-mode on
set cli terminal width 500
configure


set shared alg-override application sip alg-disabled yes
 
set service SVC-SIP-UDP protocol udp port 5060-5099
set service SVC-SIP-TCP protocol tcp port 5060-5099
set service-group SG-SIP members [ SVC-SIP-TCP SVC-SIP-UDP ]
set address ADR-RingCentral-1 ip-netmask 103.44.68.0/22
set address ADR-RingCentral-2 ip-netmask 104.245.56.0/21
set address ADR-RingCentral-3 ip-netmask 185.23.248.0/22
set address ADR-RingCentral-4 ip-netmask 192.209.24.0/21
set address ADR-RingCentral-5 ip-netmask 199.255.120.0/22
set address ADR-RingCentral-6 ip-netmask 199.68.212.0/22
set address ADR-RingCentral-7 ip-netmask 208.87.40.0/22
set address ADR-RingCentral-8 ip-netmask 80.81.128.0/20

set address-group AG-RingCentral static [ ADR-RingCentral-1 ADR-RingCentral-2 ADR-RingCentral-3 ADR-RingCentral-4 ADR-RingCentral-5 ADR-RingCentral-6 ADR-RingCentral-7 ADR-RingCentral-8 ]
set address-group AG-RingCentral description "All RingCentral Public Address Space"

set rulebase security rules RC-MEETINGS to any
set rulebase security rules RC-MEETINGS from any
set rulebase security rules RC-MEETINGS source any
set rulebase security rules RC-MEETINGS destination AG-RingCentral
set rulebase security rules RC-MEETINGS source-user any
set rulebase security rules RC-MEETINGS category any
set rulebase security rules RC-MEETINGS application zoom
set rulebase security rules RC-MEETINGS service application-default
set rulebase security rules RC-MEETINGS hip-profiles any
set rulebase security rules RC-MEETINGS action allow
set rulebase security rules RC-MEETINGS rule-type interzone
set rulebase security rules RC-MEETINGS qos marking ip-dscp af41
set rulebase security rules RC-SIP to any
set rulebase security rules RC-SIP from any
set rulebase security rules RC-SIP source any
set rulebase security rules RC-SIP destination any
set rulebase security rules RC-SIP source-user any
set rulebase security rules RC-SIP category any
set rulebase security rules RC-SIP application any
set rulebase security rules RC-SIP service SG-SIP
set rulebase security rules RC-SIP hip-profiles any
set rulebase security rules RC-SIP action allow

set rulebase security rules RC-SIP rule-type interzone
set rulebase security rules RC-SIP qos marking ip-dscp af31
set rulebase security rules RC-SIP-RTP to any
set rulebase security rules RC-SIP-RTP from any
set rulebase security rules RC-SIP-RTP source any
set rulebase security rules RC-SIP-RTP destination any
set rulebase security rules RC-SIP-RTP source-user any
set rulebase security rules RC-SIP-RTP category any
set rulebase security rules RC-SIP-RTP application [ rtcp rtp ]
set rulebase security rules RC-SIP-RTP service application-default
set rulebase security rules RC-SIP-RTP hip-profiles any
set rulebase security rules RC-SIP-RTP action allow
set rulebase security rules RC-SIP-RTP rule-type interzone
set rulebase security rules RC-SIP-RTP qos marking ip-dscp ef

set rulebase security rules RC-Other to any
set rulebase security rules RC-Other from any
set rulebase security rules RC-Other source any
set rulebase security rules RC-Other destination AG-RingCentral
set rulebase security rules RC-Other source-user any
set rulebase security rules RC-Other category any
set rulebase security rules RC-Other application any
set rulebase security rules RC-Other service any
set rulebase security rules RC-Other hip-profiles any
set rulebase security rules RC-Other action allow
set rulebase security rules RC-Other rule-type interzone
set rulebase security rules RC-Other qos marking ip-dscp af21
move rulebase security rules RC-Other top
move rulebase security rules RC-SIP-RTP top
move rulebase security rules RC-SIP top
move rulebase security rules RC-MEETINGS top


set rulebase qos rules POL-QOS-EF dscp-tos codepoints EF ef codepoint ef
set rulebase qos rules POL-QOS-EF from any
set rulebase qos rules POL-QOS-EF to any
set rulebase qos rules POL-QOS-EF source any
set rulebase qos rules POL-QOS-EF destination any
set rulebase qos rules POL-QOS-EF source-user any
set rulebase qos rules POL-QOS-EF category any
set rulebase qos rules POL-QOS-EF application any
set rulebase qos rules POL-QOS-EF service any
set rulebase qos rules POL-QOS-EF action class 1
set rulebase qos rules POL-QOS-AF41 dscp-tos codepoints AF41 af codepoint af41
set rulebase qos rules POL-QOS-AF41 from any
set rulebase qos rules POL-QOS-AF41 to any
set rulebase qos rules POL-QOS-AF41 source any
set rulebase qos rules POL-QOS-AF41 destination any
set rulebase qos rules POL-QOS-AF41 source-user any
set rulebase qos rules POL-QOS-AF41 category any
set rulebase qos rules POL-QOS-AF41 application any
set rulebase qos rules POL-QOS-AF41 service any
set rulebase qos rules POL-QOS-AF41 action class 2
set rulebase qos rules POL-QOS-AF31 dscp-tos codepoints AF31 af codepoint af31
set rulebase qos rules POL-QOS-AF31 from any
set rulebase qos rules POL-QOS-AF31 to any
set rulebase qos rules POL-QOS-AF31 source any
set rulebase qos rules POL-QOS-AF31 destination any
set rulebase qos rules POL-QOS-AF31 source-user any
set rulebase qos rules POL-QOS-AF31 category any
set rulebase qos rules POL-QOS-AF31 application any
set rulebase qos rules POL-QOS-AF31 service any
set rulebase qos rules POL-QOS-AF31 action class 3
set rulebase qos rules POL-QOS-AF21 dscp-tos codepoints AF21 af codepoint af21
set rulebase qos rules POL-QOS-AF21 from any
set rulebase qos rules POL-QOS-AF21 to any
set rulebase qos rules POL-QOS-AF21 source any
set rulebase qos rules POL-QOS-AF21 destination any
set rulebase qos rules POL-QOS-AF21 source-user any
set rulebase qos rules POL-QOS-AF21 category any
set rulebase qos rules POL-QOS-AF21 application any
set rulebase qos rules POL-QOS-AF21 service any
set rulebase qos rules POL-QOS-AF21 action class 4
set rulebase qos rules POL-QOS-AF11 dscp-tos codepoints AF11 af codepoint af11
set rulebase qos rules POL-QOS-AF11 from any
set rulebase qos rules POL-QOS-AF11 to any
set rulebase qos rules POL-QOS-AF11 source any
set rulebase qos rules POL-QOS-AF11 destination any
set rulebase qos rules POL-QOS-AF11 source-user any
set rulebase qos rules POL-QOS-AF11 category any
set rulebase qos rules POL-QOS-AF11 application any
set rulebase qos rules POL-QOS-AF11 service any
set rulebase qos rules POL-QOS-AF11 action class 5
set rulebase qos rules POL-QOS-BE dscp-tos any
set rulebase qos rules POL-QOS-BE from any
set rulebase qos rules POL-QOS-BE to any
set rulebase qos rules POL-QOS-BE source any
set rulebase qos rules POL-QOS-BE destination any
set rulebase qos rules POL-QOS-BE source-user any
set rulebase qos rules POL-QOS-BE category any
set rulebase qos rules POL-QOS-BE application any
set rulebase qos rules POL-QOS-BE service any
set rulebase qos rules POL-QOS-BE action class 8
set rulebase application-override rules POL-AO-RingCentral-SIP-TCP from any
set rulebase application-override rules POL-AO-RingCentral-SIP-TCP to any
set rulebase application-override rules POL-AO-RingCentral-SIP-TCP source any
set rulebase application-override rules POL-AO-RingCentral-SIP-TCP destination AG-RingCentral
set rulebase application-override rules POL-AO-RingCentral-SIP-TCP port 5060-5099
set rulebase application-override rules POL-AO-RingCentral-SIP-TCP protocol tcp
set rulebase application-override rules POL-AO-RingCentral-SIP-TCP application sip
set rulebase application-override rules POL-AO-RingCentral-SIP-UDP from any
set rulebase application-override rules POL-AO-RingCentral-SIP-UDP to any
set rulebase application-override rules POL-AO-RingCentral-SIP-UDP source any
set rulebase application-override rules POL-AO-RingCentral-SIP-UDP destination AG-RingCentral
set rulebase application-override rules POL-AO-RingCentral-SIP-UDP port 5090-5091
set rulebase application-override rules POL-AO-RingCentral-SIP-UDP protocol udp
set rulebase application-override rules POL-AO-RingCentral-SIP-UDP application sip
set network qos profile default class class1 priority real-time
set network qos profile default class class2 priority high
set network qos profile default class class3 priority high
set network qos profile default class class4 priority medium
set network qos profile default class class5 priority medium
set network qos profile default class class6 priority low
set network qos profile default class class7 priority low
set network qos profile default class class8 priority low

commit
 

Ignore the warnings about QoS rules shadowing other rules. This is a Palo Alto cosmetic bug. The rules do work regardless of the warning.
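The Table 1 script only prioritises traffic when three statements agree: the security rule marks a DSCP codepoint, a QoS policy rule classifies that codepoint into a class, and the QoS profile gives that class a priority. A marking with no matching QoS rule falls through to the catch-all POL-QOS-BE rule and is handled as best effort, which is easy to miss in a long script. The following checker is an added example, not RingCentral's or Palo Alto Networks' code; its regular expressions cover only the statement forms that appear in Table 1, and SAMPLE_SCRIPT is a constructed excerpt with one deliberate gap (af21 is marked but never classified).

```python
"""Consistency check of the DSCP marking -> QoS class -> priority chain in a
PAN-OS 'set' command script (added example, not the vendor's code)."""
import re
from typing import Dict, List, Tuple

MARK_RE = re.compile(r"^set rulebase security rules (\S+) qos marking ip-dscp (\S+)$")
CODEPOINT_RE = re.compile(r"^set rulebase qos rules (\S+) dscp-tos codepoints \S+ \S+ codepoint (\S+)$")
CLASS_RE = re.compile(r"^set rulebase qos rules (\S+) action class (\d+)$")
PRIORITY_RE = re.compile(r"^set network qos profile (\S+) class class(\d+) priority (\S+)$")

# Constructed, abridged excerpt in the style of Table 1.  RC-Other marks af21,
# but no QoS rule classifies af21, so that marking achieves nothing.
SAMPLE_SCRIPT = """
set rulebase security rules RC-MEETINGS qos marking ip-dscp af41
set rulebase security rules RC-SIP qos marking ip-dscp af31
set rulebase security rules RC-SIP-RTP qos marking ip-dscp ef
set rulebase security rules RC-Other qos marking ip-dscp af21
set rulebase qos rules POL-QOS-EF dscp-tos codepoints EF ef codepoint ef
set rulebase qos rules POL-QOS-EF action class 1
set rulebase qos rules POL-QOS-AF41 dscp-tos codepoints AF41 af codepoint af41
set rulebase qos rules POL-QOS-AF41 action class 2
set rulebase qos rules POL-QOS-AF31 dscp-tos codepoints AF31 af codepoint af31
set rulebase qos rules POL-QOS-AF31 action class 3
set rulebase qos rules POL-QOS-BE dscp-tos any
set rulebase qos rules POL-QOS-BE action class 8
set network qos profile default class class1 priority real-time
set network qos profile default class class2 priority high
set network qos profile default class class3 priority high
set network qos profile default class class8 priority low
"""


def parse_script(script: str):
    """Pull out the four statement kinds that make up the marking chain."""
    markings: Dict[str, str] = {}                 # security rule -> dscp codepoint
    codepoints: Dict[str, str] = {}               # qos rule -> codepoint it matches
    classes: Dict[str, int] = {}                  # qos rule -> class number
    priorities: Dict[Tuple[str, int], str] = {}   # (profile, class) -> priority
    for raw in script.splitlines():
        line = " ".join(raw.split())              # collapse copy/paste whitespace damage
        if not line or line.startswith("#"):
            continue
        if m := MARK_RE.match(line):
            markings[m[1]] = m[2].lower()
        elif m := CODEPOINT_RE.match(line):
            codepoints[m[1]] = m[2].lower()
        elif m := CLASS_RE.match(line):
            classes[m[1]] = int(m[2])
        elif m := PRIORITY_RE.match(line):
            priorities[(m[1], int(m[2]))] = m[3]
    return markings, codepoints, classes, priorities


def check_chain(script: str, profile: str = "default"):
    """Follow every security-rule marking to its QoS class and priority.

    Returns (chain, problems): chain maps security rule -> (dscp, qos rule,
    class number, priority) for each complete chain; problems holds one
    message per broken link."""
    markings, codepoints, classes, priorities = parse_script(script)
    by_dscp = {cp: rule for rule, cp in codepoints.items()}
    chain: Dict[str, Tuple[str, str, int, str]] = {}
    problems: List[str] = []
    for sec_rule, dscp in markings.items():
        qos_rule = by_dscp.get(dscp)
        if qos_rule is None:
            problems.append(f"{sec_rule}: marks {dscp} but no QoS rule classifies {dscp}; "
                            "it falls through to the catch-all rule (best effort)")
            continue
        cls = classes.get(qos_rule)
        if cls is None:
            problems.append(f"{sec_rule}: QoS rule {qos_rule} has no 'action class'")
            continue
        prio = priorities.get((profile, cls))
        if prio is None:
            problems.append(f"{sec_rule}: class {cls} has no priority in profile {profile}")
            continue
        chain[sec_rule] = (dscp, qos_rule, cls, prio)
    return chain, problems


if __name__ == "__main__":
    ok, bad = check_chain(SAMPLE_SCRIPT)
    for rule, link in ok.items():
        print(f"{rule}: {link[0]} -> {link[1]} -> class {link[2]} ({link[3]})")
    for msg in bad:
        print("PROBLEM:", msg)
```

Run it against a `show config running` export saved to a file by passing the file contents to `check_chain`; any rule listed under PROBLEM will be marked but not prioritised on egress.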

Now create at least two QoS Profiles, one for WAN egress and one for LAN egress. Some networks have multiple interfaces serving these functions; each should have its own QoS Profile. In this example we show two profiles, one for the WAN circuit and one for the LAN circuit. Please note that for the WAN profile you *must* know the supported/contracted upstream bandwidth. We assume that 95% of that bandwidth can be used.

Two bandwidth parameters are used here, egress-max and egress-guaranteed. egress-guaranteed ensures that traffic in the class will *always* have at least this much bandwidth available for immediate use. egress-max is an absolute maximum; anything over that rate is discarded. Values are specified in megabits per second. Use reasonable values for the guarantees in the LAN profile, and ensure that there is sufficient bandwidth for the expected number of concurrent phone/video calls. Adjust the rates and enter the configuration as follows:

 

Table 2: 

set network qos profile NW-QOS-PFL-WAN class class1 class-bandwidth egress-max 1.5
set network qos profile NW-QOS-PFL-WAN class class1 class-bandwidth egress-guaranteed 1
set network qos profile NW-QOS-PFL-WAN class class1 priority real-time
set network qos profile NW-QOS-PFL-WAN class class2 class-bandwidth egress-max 3
set network qos profile NW-QOS-PFL-WAN class class2 class-bandwidth egress-guaranteed 1
set network qos profile NW-QOS-PFL-WAN class class2 priority high
set network qos profile NW-QOS-PFL-WAN class class3 class-bandwidth egress-max 0.6
set network qos profile NW-QOS-PFL-WAN class class3 class-bandwidth egress-guaranteed 0.3
set network qos profile NW-QOS-PFL-WAN class class3 priority high
set network qos profile NW-QOS-PFL-WAN class class4 class-bandwidth egress-max 2
set network qos profile NW-QOS-PFL-WAN class class4 class-bandwidth egress-guaranteed 0.8
set network qos profile NW-QOS-PFL-WAN class class4 priority medium
set network qos profile NW-QOS-PFL-WAN class class5 class-bandwidth egress-max 2
set network qos profile NW-QOS-PFL-WAN class class5 class-bandwidth egress-guaranteed 0.5
set network qos profile NW-QOS-PFL-WAN class class5 priority medium
set network qos profile NW-QOS-PFL-WAN class class8 class-bandwidth egress-max 5
set network qos profile NW-QOS-PFL-WAN class class8 class-bandwidth egress-guaranteed 0.5
set network qos profile NW-QOS-PFL-WAN class class8 priority low
set network qos profile NW-QOS-PFL-WAN aggregate-bandwidth egress-max 5
set network qos profile NW-QOS-PFL-WAN aggregate-bandwidth egress-guaranteed 5
set network qos profile NW-QOS-PFL-LAN class class1 class-bandwidth egress-max 0
set network qos profile NW-QOS-PFL-LAN class class1 class-bandwidth egress-guaranteed 5
set network qos profile NW-QOS-PFL-LAN class class1 priority real-time
set network qos profile NW-QOS-PFL-LAN class class2 class-bandwidth egress-max 0
set network qos profile NW-QOS-PFL-LAN class class2 class-bandwidth egress-guaranteed 20
set network qos profile NW-QOS-PFL-LAN class class2 priority high
set network qos profile NW-QOS-PFL-LAN class class3 class-bandwidth egress-max 0
set network qos profile NW-QOS-PFL-LAN class class3 class-bandwidth egress-guaranteed 2
set network qos profile NW-QOS-PFL-LAN class class3 priority high
set network qos profile NW-QOS-PFL-LAN class class4 class-bandwidth egress-max 0
set network qos profile NW-QOS-PFL-LAN class class4 class-bandwidth egress-guaranteed 8
set network qos profile NW-QOS-PFL-LAN class class4 priority medium
set network qos profile NW-QOS-PFL-LAN class class5 class-bandwidth egress-max 0
set network qos profile NW-QOS-PFL-LAN class class5 class-bandwidth egress-guaranteed 20
set network qos profile NW-QOS-PFL-LAN class class5 priority medium
set network qos profile NW-QOS-PFL-LAN class class8 class-bandwidth egress-max 0
set network qos profile NW-QOS-PFL-LAN class class8 class-bandwidth egress-guaranteed 5
set network qos profile NW-QOS-PFL-LAN class class8 priority low
set network qos profile NW-QOS-PFL-LAN aggregate-bandwidth egress-guaranteed 100

commit 

It may be more convenient to use the GUI to create and adjust these values. You also need to use the GUI to apply the QoS Profiles to the interfaces and to enable QoS on them. For steps on how to do this in the UI, go to 11267. Please note that you *must* apply an appropriate QoS profile to *each* interface, and if the circuit is slower than the interface speed you must set the physical interface's Egress Max parameter to 95% of the contracted circuit speed.
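The WAN profile in Table 2 is only sound if its numbers were derived from the circuit: the aggregate is 95% of the contracted upstream rate, class 1 is guaranteed enough for the expected concurrent calls, no class is guaranteed more than its own cap, and the guarantees together fit inside the aggregate. The planner below encodes those checks and emits the matching `set network qos profile` lines. It is an added example, not RingCentral's or Palo Alto Networks' code. Its assumptions: 100 kbps per voice call and a 1.5x headroom cap on class 1 are constructed defaults (size them for the codec actually in use), OTHER_CLASSES holds constructed sample values, and an egress-max of 0 is treated as "no per-class cap", the convention the LAN profile in Table 2 relies on.

```python
"""WAN QoS profile planner for PAN-OS 'set network qos profile' lines
(added example, not the vendor's code).  All rates are Mbps, as in Table 2."""
from typing import Dict, List, Tuple

# Per-class priorities as used by the article's default profile in Table 1.
PRIORITY = {1: "real-time", 2: "high", 3: "high", 4: "medium", 5: "medium",
            6: "low", 7: "low", 8: "low"}

# (egress-max, egress-guaranteed) for the non-voice classes.  Constructed sample
# values, not a recommendation; egress-max 0 means "no per-class cap" here.
OTHER_CLASSES: Dict[int, Tuple[float, float]] = {
    2: (3.0, 1.0),    # AF41: meetings
    3: (0.6, 0.3),    # AF31: SIP signalling
    4: (2.0, 0.8),    # AF21: other RingCentral traffic
    5: (2.0, 0.5),    # AF11
    8: (0.0, 0.5),    # best effort
}


def wan_capacity(contracted_mbps: float, usable_fraction: float = 0.95) -> float:
    """Usable upstream rate: the article's 95% of the contracted circuit speed."""
    return round(contracted_mbps * usable_fraction, 3)


def voice_guarantee(concurrent_calls: int, per_call_kbps: float = 100.0) -> float:
    """Class 1 (EF) guarantee for the expected number of concurrent calls.
    100 kbps per call is an assumption (roughly a G.711 stream plus IP/UDP/RTP
    overhead), not a figure from the article."""
    return round(concurrent_calls * per_call_kbps / 1000.0, 3)


def _fmt(mbps: float) -> str:
    return f"{mbps:g}"      # 1.0 -> "1", 0.3 -> "0.3", matching the CLI style


def build_wan_profile(name: str, contracted_mbps: float, concurrent_calls: int,
                      other_classes: Dict[int, Tuple[float, float]],
                      per_call_kbps: float = 100.0) -> List[str]:
    """Return the profile's 'set' lines, or raise ValueError when the
    guarantees cannot be honoured inside the usable rate."""
    aggregate = wan_capacity(contracted_mbps)
    voice = voice_guarantee(concurrent_calls, per_call_kbps)
    # Class 1 cap: 50% headroom over the guarantee (assumption), never above aggregate.
    classes = {1: (min(round(voice * 1.5, 3), aggregate), voice)}
    classes.update(other_classes)

    for cls, (cap, guaranteed) in classes.items():
        if cap and guaranteed > cap:
            raise ValueError(f"class{cls}: guaranteed {guaranteed:g} exceeds egress-max {cap:g}")
        if cap > aggregate:
            raise ValueError(f"class{cls}: egress-max {cap:g} exceeds aggregate {aggregate:g}")
    total = sum(g for _, g in classes.values())
    if total > aggregate:
        raise ValueError(f"guarantees total {total:g} Mbps but only {aggregate:g} Mbps is usable")

    lines: List[str] = []
    for cls in sorted(classes):
        cap, guaranteed = classes[cls]
        prefix = f"set network qos profile {name} class class{cls}"
        lines.append(f"{prefix} class-bandwidth egress-max {_fmt(cap)}")
        lines.append(f"{prefix} class-bandwidth egress-guaranteed {_fmt(guaranteed)}")
        lines.append(f"{prefix} priority {PRIORITY.get(cls, 'low')}")
    lines.append(f"set network qos profile {name} aggregate-bandwidth egress-max {_fmt(aggregate)}")
    lines.append(f"set network qos profile {name} aggregate-bandwidth egress-guaranteed {_fmt(aggregate)}")
    return lines


if __name__ == "__main__":
    # Constructed scenario: 10 Mbps contracted upstream, 20 concurrent calls.
    print("\n".join(build_wan_profile("NW-QOS-PFL-WAN", 10, 20, OTHER_CLASSES)))
```

Paste the printed lines into `configure` mode in place of the WAN block of Table 2, then `commit`; the ValueError path is the case where the circuit is too small for the call volume you planned for, which is the failure that shows up in production as dropped or degraded calls.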
 

Best Practices for Palo Alto Configurations

• Never create a policy or base a reference on an individual interface; always use Zones. Create a Zone even if it will only contain a single interface. This will enable you to shift/add/change interfaces without having to remove all the referencing items and put them back. It will also allow you to simplify the configuration, as you won't have to replicate rules for each interface that is part of the Zone.

• Create Address Groups to use in lieu of individual address elements.
