Error:
An unexpected error occurred. Please click Reload to try again.
Error:
An unexpected error occurred. Please click Reload to try again.
How To Enforce Content and Application Detection in PA-5000 Ser... - Knowledge Base - Palo Alto Networks

How To Enforce Content and Application Detection in PA-5000 Series from Hardware to Software?

19900
Created On 04/30/19 13:20 PM - Last Modified 09/19/19 22:47 PM


Objective


The article explains how to enforce content and application detection in PA-5000 series from hardware to software.

Environment


PA-5000 series firewall

Procedure


By default, AHO and DFA, which are algorithms used for Threat and DLP (Data Loss Prevention) detection and Application detection respectively, are performed in hardware: 
PA-5020> debug dataplane fpga state

DP dp0:

aho offload setup
        Use offload
        Minimum Threshold for using offload: 32 bytes
        Maximum Threshold for using offload: 9900 bytes
        Max. outstanding request to offloading: 1024
        Current outstanding request to offloading: 0
<SNIP>

dfa offload setup
        Use offload
        Minimum Threshold for using offload: 48 bytes
        Maximum Threshold for using offload: 9900 bytes
        Max. outstanding request to offloading: 1024
        Current outstanding request to offloading: 0
        appsig bitmask in offload 0x0
        token bitmask in offload 0x10000 (cur idx 1)
<SNIP>

DP dp1:

aho offload setup
        Use offload
        Minimum Threshold for using offload: 32 bytes
        Maximum Threshold for using offload: 9900 bytes
        Max. outstanding request to offloading: 1024
        Current outstanding request to offloading: 0

<SNIP>

dfa offload setup
        Use offload
        Minimum Threshold for using offload: 48 bytes
        Maximum Threshold for using offload: 9900 bytes
        Max. outstanding request to offloading: 1024
        Current outstanding request to offloading: 0

<SNIP>

The behavior of AHO and DFA done by default in hardware (FPGA) reduces the load on the dataplane (software). However, in cases where suspected issues need to be isolated from hardware (FPGA), the processing can be forced to dataplane (software) as follows: 
PA-5020> debug dataplane fpga set ?
> sw_aho   Use only software for aho and dlp
> sw_dfa   Use only software for dfa

PA-5020> debug dataplane fpga set sw_aho yes

DP dp0:

DP dp1:


PA-5020> debug dataplane fpga set sw_dfa yes

DP dp0:

DP dp1:
  
PA-5020> debug dataplane fpga state

DP dp0:

aho offload setup
        Use software only

dfa offload setup
        Use software only

DP dp1:

aho offload setup
        Use software only

dfa offload setup
        Use software only
 
Enforcing AHO and DFA to software may increase the dataplane CPU. Upon careful observation, this may be retained or reverted: 
PA-5020> debug dataplane fpga set sw_aho no
PA-5020> debug dataplane fpga set sw_dfa no
Other users also viewed:
How to download GlobalProtect from the Customer Support Portal
Download and Install the GlobalProtect App for Windows
Resource List: GlobalProtect Configuring and Troubleshooting
PAN-OS Software Updates
Where to find the current preferred software versions? (PAN-OS, GlobalProtect, User-ID Agent, Plugins)
Results 1-5 of 238,918
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PLsbCAG&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Choose Language