Disable Firewall offloading traffic
123905
Created On 09/27/18 09:07 AM - Last Modified 09/16/21 08:01 AM
Symptom
- When session traffic is processed by the dataplane of the Palo Alto Networks firewall, session stats and timers will be updated for every packet.
- Most of our high-end platforms have an FPGA chip that offloads a session entirely (both the client-to-server (CTS) and server-to-client (STC) flows) and bypasses the dataplane cores completely.
Environment
- PA-3200 Series
- PA-5200 Series
- PA-7000 Series
Cause
Depending on the platform model, different rules apply:
- PA-3050 and PA-50xx series
  1. The offload chip sends a per-flow stat message to the dataplane after 16 packets have been received on one flow (CTS or STC).
  2. The dataplane software updates the session statistics and refreshes the timer accordingly.
  Note: On PA-3050 and PA-50xx series devices, a low-traffic session can be aged out by TTL expiration. This happens when the 16-packet condition has not been met before the timer runs out.
- PA-70xx, PA-52xx and PA-32xx series
  1. The offload chip sends a per-flow stat message to the dataplane when either:
     - one flow has accumulated 64 packets of stat, or
     - the scan timer has expired for this particular flow.
  2. The software updates the session statistics and refreshes the timer accordingly.
  Note:
  - The behaviour of the PA-5200 and PA-3200 series is the same as that of the PA-7000.
  - The scan timer updates the session statistics at most 8 seconds after a packet is received for the flow.
  - This in turn updates the session timeout values.
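The following is an added toy model of the mechanism described above; it is not Palo Alto Networks code and does not reproduce the real offload firmware. It replays a constructed packet timeline for one offloaded flow and reports whether the dataplane session timer was refreshed in time. The stat-message rules (16 packets on PA-3050/50xx; 64 packets or an 8-second scan timer on PA-7000/5200/3200) are taken from the article; the session timeout value, the packet timeline and all function names are assumptions made for the illustration.

```python
"""Toy model of how a hardware-offloaded flow keeps its dataplane session alive.

Added illustration, not Palo Alto Networks code. Only the stat-message rules come
from the KB article; the timeout value and packet timeline are constructed.
"""
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class OffloadModel:
    packets_per_stat: int           # packets on one flow before the chip sends a stat message
    scan_timer: Optional[float]     # seconds after a packet by which a stat message is sent; None = no scan timer


# Behaviours described in the article.
PA3050_50XX = OffloadModel(packets_per_stat=16, scan_timer=None)
PA7000_52XX_32XX = OffloadModel(packets_per_stat=64, scan_timer=8.0)


@dataclass
class Outcome:
    aged_out_at: Optional[float]    # dataplane time the session expired; None if it survived the trace
    stat_messages: int              # per-flow stat messages the dataplane received


def periodic(interval: float, count: int) -> list:
    """Constructed timeline: `count` packets, one every `interval` seconds."""
    return [interval * i for i in range(1, count + 1)]


def simulate(model: OffloadModel, session_timeout: float,
             packet_times: Sequence[float]) -> Outcome:
    """Replay packet arrival times (seconds) for one direction of one offloaded flow.

    The session starts at t=0 with its timer freshly set. Offloaded packets never
    reach the dataplane; only stat messages from the chip refresh the timer, which
    is why a quiet flow can age out even though packets are still flowing.
    """
    last_refresh = 0.0              # when the dataplane last refreshed the session timer
    pending = 0                     # packets accumulated on the chip since the last stat message
    scan_due: Optional[float] = None
    stats = 0

    def deadline() -> float:
        return last_refresh + session_timeout

    def refresh(at: float) -> bool:
        # A stat message only helps if it arrives before the session expires.
        nonlocal last_refresh, pending, scan_due, stats
        if at > deadline():
            return False
        last_refresh, pending, scan_due = at, 0, None
        stats += 1
        return True

    for t in sorted(packet_times):
        # Scan timer fires before this packet arrives?
        if scan_due is not None and scan_due <= t and not refresh(scan_due):
            return Outcome(deadline(), stats)
        if t > deadline():          # nothing refreshed the timer in time: TTL expired
            return Outcome(deadline(), stats)
        pending += 1
        if model.scan_timer is not None and pending == 1:
            scan_due = t + model.scan_timer     # first pending packet arms the scan timer
        if pending >= model.packets_per_stat:
            refresh(t)                          # packet-count threshold reached
    if scan_due is not None:
        refresh(scan_due)                       # trailing scan-timer report after the last packet
    return Outcome(None, stats)


if __name__ == "__main__":
    # Assumed 30-second session timeout; a slow flow sends one packet every 5 seconds.
    slow = periodic(5.0, 20)
    print("PA-3050/50xx :", simulate(PA3050_50XX, 30.0, slow))        # ages out at t=30, no stat message
    print("PA-7000/52xx/32xx:", simulate(PA7000_52XX_32XX, 30.0, slow))  # scan timer keeps it alive
```

Running the script shows the failure mode in the note above: with a 16-packet threshold and no scan timer, the slow flow's session expires at t=30 before a single stat message has been sent, while the scan timer on the newer platforms reports the flow within 8 seconds of each packet and the session survives. The same model also shows that a busy flow on the older platforms is fine, because the 16-packet threshold is crossed well inside the timeout.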
Resolution
Additional Information
NOTE:
Prior to PAN-OS 8.1, creating a custom application and adjusting its timeout value was a necessary step in the workaround to accommodate the worst-case scenario.
From PAN-OS 8.1 onward this is no longer necessary, as stated in the techdoc on Service-Based Session Timeouts.