How To Enforce Content and Application Detection in PA-5000 Series from Hardware to Software?

Created On 04/30/19 13:20 PM - Last Modified 09/19/19 22:47 PM


Objective
This article explains how to move content and application detection on PA-5000 series firewalls from hardware (FPGA) to software (dataplane).

Environment
PA-5000 series firewall

Procedure
By default, AHO and DFA, which are algorithms used for Threat and DLP (Data Loss Prevention) detection and Application detection respectively, are performed in hardware:
PA-5020> debug dataplane fpga state

DP dp0:

aho offload setup
        Use offload
        Minimum Threshold for using offload: 32 bytes
        Maximum Threshold for using offload: 9900 bytes
        Max. outstanding request to offloading: 1024
        Current outstanding request to offloading: 0
<SNIP>

dfa offload setup
        Use offload
        Minimum Threshold for using offload: 48 bytes
        Maximum Threshold for using offload: 9900 bytes
        Max. outstanding request to offloading: 1024
        Current outstanding request to offloading: 0
        appsig bitmask in offload 0x0
        token bitmask in offload 0x10000 (cur idx 1)
<SNIP>

DP dp1:

aho offload setup
        Use offload
        Minimum Threshold for using offload: 32 bytes
        Maximum Threshold for using offload: 9900 bytes
        Max. outstanding request to offloading: 1024
        Current outstanding request to offloading: 0

<SNIP>

dfa offload setup
        Use offload
        Minimum Threshold for using offload: 48 bytes
        Maximum Threshold for using offload: 9900 bytes
        Max. outstanding request to offloading: 1024
        Current outstanding request to offloading: 0

<SNIP>

Running AHO and DFA in hardware (FPGA) by default reduces the load on the dataplane (software). However, when a suspected issue needs to be isolated from the hardware (FPGA), the processing can be forced into the dataplane (software) as follows:
PA-5020> debug dataplane fpga set ?
> sw_aho   Use only software for aho and dlp
> sw_dfa   Use only software for dfa

PA-5020> debug dataplane fpga set sw_aho yes

DP dp0:

DP dp1:


PA-5020> debug dataplane fpga set sw_dfa yes

DP dp0:

DP dp1:
 
PA-5020> debug dataplane fpga state

DP dp0:

aho offload setup
        Use software only

dfa offload setup
        Use software only

DP dp1:

aho offload setup
        Use software only

dfa offload setup
        Use software only
 
Forcing AHO and DFA into software may increase dataplane CPU utilization. After careful observation, the setting can be retained or reverted:
PA-5020> debug dataplane fpga set sw_aho no
PA-5020> debug dataplane fpga set sw_dfa no
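
To confirm after troubleshooting that no dataplane was left in software-only mode, the `debug dataplane fpga state` output can be checked mechanically. The following Python is an added example, not Palo Alto Networks code; it assumes the output was saved as text in the format shown above, and the function names and sample text are constructed for illustration.

```python
import re

# Constructed sample in the format shown above; dp1's DFA is left in software.
SAMPLE = """\
DP dp0:

aho offload setup
        Use offload
        Minimum Threshold for using offload: 32 bytes
<SNIP>

dfa offload setup
        Use offload

DP dp1:

aho offload setup
        Use offload

dfa offload setup
        Use software only
"""

DP_RE = re.compile(r"^DP\s+(\S+):\s*$")
ENGINE_RE = re.compile(r"^(aho|dfa) offload setup\s*$")
MODES = {"Use offload": "hardware", "Use software only": "software"}

def parse_fpga_state(text):
    """Return {dataplane: {engine: 'hardware' | 'software'}} from the CLI output."""
    state, dp, engine = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := DP_RE.match(line):
            dp, engine = m.group(1), None
            state[dp] = {}
        elif m := ENGINE_RE.match(line):
            engine = m.group(1)
        elif dp and engine and line in MODES:
            # First mode line after an engine header decides that engine's mode.
            state[dp][engine] = MODES[line]
            engine = None
    return state

def software_forced(state):
    """List (dataplane, engine) pairs still forced to software."""
    return sorted((dp, eng) for dp, engs in state.items()
                  for eng, mode in engs.items() if mode == "software")

if __name__ == "__main__":
    for dp, eng in software_forced(parse_fpga_state(SAMPLE)):
        print(f"{dp}: {eng} is still running in software only")
```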

