Why is my Dataplane CPU Higher with Tap Mode traffic?

Created On 09/26/18 13:53 PM - Last Modified 06/11/20 21:26 PM


Symptom


  • Reported high DP CPU after enabling Security rules for Tap zone traffic with a deny action


Environment


  • Any platform (Virtual and Physical)
  • Any PAN-OS
  • Security rules for Tap zone traffic with a deny action


Cause


  • In a common packet flow scenario with non-tap (transit) traffic, the firewall sees the TCP SYN and passes it through first-packet processing to create a session. First-packet processing tends to be CPU intensive. All subsequent packets for that session match the existing session and do not need to go through first-packet processing again, so they place less load on the CPU.
  • Also, for transit traffic, if the policy is set to deny, the session is not created; the end client/server drops that session and does not continue sending any more data.
  • Tap mode is different because the firewall does not drop traffic or terminate TCP sessions. TCP session traffic continues to be seen despite the deny rule. The result is that the Palo Alto Networks device performs first-packet processing on the SYN packet of a session and denies it, so no session is created. Every subsequent TCP packet for that flow is processed as a first packet again and is then dropped by the tcp-reject-non-syn option.


Resolution


  1.  For tap mode, the tap interface always drops the packet anyway, so it is recommended to configure Security rules that allow traffic for any TAP interface. With an allow action a session is created, and subsequent packets of the flow match that session instead of repeating first-packet processing.
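The following is an added example, not PAN-OS code or text from the original article: a small Python model of the session table that counts how many packets of one TCP flow need first-packet processing under transit versus tap mode with an allow or deny rule. The flow id, the 100-packet flow length and the simplified behaviour of the endpoints are constructed assumptions used only to illustrate the Cause and Resolution sections above.

```python
"""Toy model of first-packet processing versus session matching.

Constructed example: the flow id, packet count and endpoint behaviour are
assumptions chosen to illustrate the article; this is not PAN-OS code.
"""
from dataclasses import dataclass


@dataclass
class Counters:
    first_packet: int = 0      # packets that needed slow-path (first-packet) processing
    session_match: int = 0     # packets that matched an existing session (fast path)
    rejected_non_syn: int = 0  # non-SYN packets with no session, dropped by tcp-reject-non-syn


def visible_packets(flow_id, mode, action, total):
    """Packets the firewall actually sees for one TCP flow of `total` packets.

    mode   - 'transit' (inline, can drop) or 'tap' (copy of traffic, cannot drop)
    action - Security rule action for this flow, 'allow' or 'deny'
    """
    syn = (flow_id, True)
    if mode == 'transit' and action == 'deny':
        # Inline deny: the SYN never reaches the server, the handshake fails,
        # and the endpoints send nothing further for this flow.
        return [syn]
    # Allowed transit traffic, or any tap traffic (the tap cannot stop the
    # endpoints), shows the whole flow: one SYN followed by data packets.
    return [syn] + [(flow_id, False)] * (total - 1)


def process(packets, action):
    """Run packets through a minimal session table and count the work done."""
    sessions = set()
    c = Counters()
    for flow_id, is_syn in packets:
        if flow_id in sessions:
            c.session_match += 1       # fast path, cheap
            continue
        c.first_packet += 1            # no session: slow path, CPU intensive
        if not is_syn:
            c.rejected_non_syn += 1    # tcp-reject-non-syn discards it
        elif action == 'allow':
            sessions.add(flow_id)      # session created; later packets are cheap
        # SYN with deny: no session is created, so nothing for later packets to match
    return c


def first_packet_load(mode, action, total=100):
    """Number of first-packet processing events for one flow in the given scenario."""
    return process(visible_packets('flow-1', mode, action, total), action).first_packet


def compare(total=100):
    """First-packet load for all four mode/action combinations."""
    return {(m, a): first_packet_load(m, a, total)
            for m in ('transit', 'tap') for a in ('allow', 'deny')}


if __name__ == '__main__':
    for (mode, action), load in compare().items():
        print(f"{mode:8}{action:6} first-packet processing events: {load}")
```

Only the tap/deny combination keeps paying the slow-path cost on every packet of the flow; the other three pay it once, for the SYN, which is why switching Tap zone rules to allow brings the dataplane CPU back down.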
