Error:
An unexpected error occurred. Please click Reload to try again.
Error:
An unexpected error occurred. Please click Reload to try again.
内容检查能否执行ONLY在软件或Hardware在PA-3000系列防火墙? - Knowledge Base - Palo Alto Networks

内容检查能否执行ONLY在软件或Hardware在PA-3000系列防火墙?

30995
Created On 04/30/19 13:13 PM - Last Modified 03/02/23 03:37 AM


Environment


  • PAN-OS 高达 9.0
  • PA-3000 系列防火墙

Answer


PAN-OS 使用以下算法进行内容和应用程序检查:

AHO :模式/签名与识别威胁的算法相匹配DLP(数据丢失防护)处理。
DFA : 与识别应用程序的算法相匹配的模式/签名。
PSCAN : 与识别威胁的算法相匹配的模式/签名。 PSCAN 旨在取代AHO.

笔记 :
  • 以下文件适用于PA3000系列防火墙9.0及以下版本。
  • 从 9.1 开始AHO和DFA默认情况下,两者都是在软件上完成的。
  • 此更改是出于内部设计原因进行的,不建议更改AHO到hardware除非指示TAC.


– 在PA-3000系列平台,DFA和PSCAN在软件中完成,同时AHO是在hardware并且可以强制在软件上执行。
– 的行为AHO,默认情况下完成hardware(FPGA ), 减少数据平面(软件)上的负载。 但是,如果需要将可疑问题与hardware(FPGA ),可以将处理强制到数据平面(软件)。

以下是默认状态,其中AHO正在卸载(hardware ):
> debug dataplane fpga state 

aho offload setup
        Use offload
        Minimum Threshold for using offload: 32 bytes
        Maximum Threshold for using offload: 9900 bytes
        Max. outstanding request to offloading: 500
        Current outstanding request to offloading: 0
        bitmask in offload 0x10000(cur idx 1)
        DLP is available in offload
        DLP is in offload

dfa offload setup
        HFA offload only (no sw DFA)
        Minimum Threshold for using offload: 0 bytes
        Maximum Threshold for using offload: 0 bytes
        Max. outstanding request to offloading: 3500
        Current outstanding request to offloading: 0
        hfa graphs downloaded to HTE:


<SNIP>

强迫AHO在软件中:
> debug dataplane fpga set sw_aho yes
  
> debug dataplane fpga state

aho offload setup
        Use software only 
       
dfa offload setup
        HFA offload only (no sw DFA)
        Minimum Threshold for using offload: 0 bytes
        Maximum Threshold for using offload: 0 bytes
        Max. outstanding request to offloading: 3500
        Current outstanding request to offloading: 0

<SNIP>

执行AHO软件可能会增加数据平面CPU. 经过仔细观察,这可能会被保留或恢复:
> debug dataplane fpga set sw_aho no
Other users also viewed:
How to download GlobalProtect from the Customer Support Portal
Download and Install the GlobalProtect App for Windows
Resource List: GlobalProtect Configuring and Troubleshooting
PAN-OS Software Updates
Where to find the current preferred software versions? (PAN-OS, GlobalProtect, User-ID Agent, Plugins)
Results 1-5 of 240,146
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PLsRCAW&lang=zh_CN&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Choose Language