Can the Content Inspection perform ONLY in Software or Hardware on PA-3000 Series Firewalls?

Created On 04/30/19 13:13 PM - Last Modified 02/18/22 08:18 AM


Environment


  • PAN-OS up to 9.0
  • PA-3000 series firewalls


Answer


PAN-OS uses the following algorithms for content and application inspection:

AHO: Pattern/signature-matching algorithm for identifying threats and for DLP (Data Loss Prevention) processing.
DFA: Pattern/signature-matching algorithm for identifying applications.
PSCAN: Pattern/signature-matching algorithm for identifying threats. PSCAN is designed to replace AHO.

Note:
  • The document below applies to PA-3000 series firewalls running PAN-OS 9.0 and earlier.
  • Starting with PAN-OS 9.1, AHO and DFA are both performed in software by default.
  • This change was made for internal design reasons; moving AHO back to hardware is not recommended unless instructed by TAC.


– On the PA-3000 series platform, DFA and PSCAN are performed in software, while AHO is performed in hardware and can be forced to run in software.
– Running AHO in hardware (FPGA), which is the default, reduces the load on the dataplane (software). However, when a suspected issue needs to be isolated from the hardware (FPGA), AHO processing can be forced onto the dataplane (software).

The following is the default state where AHO is being offloaded (hardware): 
> debug dataplane fpga state 

aho offload setup
        Use offload
        Minimum Threshold for using offload: 32 bytes
        Maximum Threshold for using offload: 9900 bytes
        Max. outstanding request to offloading: 500
        Current outstanding request to offloading: 0
        bitmask in offload 0x10000(cur idx 1)
        DLP is available in offload
        DLP is in offload

dfa offload setup
        HFA offload only (no sw DFA)
        Minimum Threshold for using offload: 0 bytes
        Maximum Threshold for using offload: 0 bytes
        Max. outstanding request to offloading: 3500
        Current outstanding request to offloading: 0
        hfa graphs downloaded to HTE:


<SNIP>

To force AHO in software:
> debug dataplane fpga set sw_aho yes
  
> debug dataplane fpga state

aho offload setup
        Use software only 
       
dfa offload setup
        HFA offload only (no sw DFA)
        Minimum Threshold for using offload: 0 bytes
        Maximum Threshold for using offload: 0 bytes
        Max. outstanding request to offloading: 3500
        Current outstanding request to offloading: 0

<SNIP>

Forcing AHO into software may increase dataplane CPU usage. After careful observation, either keep the setting or revert it:
> debug dataplane fpga set sw_aho no
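When reviewing many PA-3000 firewalls, it helps to parse the "debug dataplane fpga state" output and flag units whose AHO placement differs from the default documented above for their PAN-OS version. The following is an added example, not part of the original article or a Palo Alto Networks tool; its sample outputs are constructed from the excerpts above, and the version comparison assumes a (major, minor) tuple.

```python
import re

# Constructed samples (not a live capture), modelled on the "debug dataplane fpga state" output above.
STATE_DEFAULT = """\
aho offload setup
        Use offload
        Minimum Threshold for using offload: 32 bytes
        Maximum Threshold for using offload: 9900 bytes
        Max. outstanding request to offloading: 500
        Current outstanding request to offloading: 0

dfa offload setup
        HFA offload only (no sw DFA)
"""
STATE_SW_AHO = """\
aho offload setup
        Use software only

dfa offload setup
        HFA offload only (no sw DFA)
"""

def parse_fpga_state(text):
    """Return {engine: {"mode": str, "fields": {name: value}}} per '<engine> offload setup' block."""
    sections, cur = {}, None
    for line in text.splitlines():
        head = re.match(r"^(\w+) offload setup\s*$", line)
        if head:
            cur = head.group(1).lower()
            sections[cur] = {"mode": None, "fields": {}}
        elif cur and line.strip():
            key, sep, val = line.strip().partition(":")
            if sep:  # "name: value" line; keep the leading integer where there is one
                num = re.match(r"\d+", val.strip())
                sections[cur]["fields"][key.strip()] = int(num.group()) if num else val.strip()
            elif sections[cur]["mode"] is None:  # first bare line is the engine's mode
                sections[cur]["mode"] = key.strip()
    return sections

def audit(sections, panos_version):
    """Findings where AHO placement diverges from the documented default for PAN-OS (major, minor)."""
    aho = sections.get("aho", {"mode": "", "fields": {}})
    in_sw = (aho["mode"] or "").lower().startswith("use software")
    findings = []
    if panos_version < (9, 1) and in_sw:
        findings.append("AHO forced to software (sw_aho yes): expect higher dataplane CPU; revert unless isolating an FPGA issue")
    elif panos_version >= (9, 1) and not in_sw:
        findings.append("AHO in hardware on PAN-OS 9.1+: non-default, keep only if instructed by TAC")
    return findings
```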


    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PLsRCAW&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail