Can PAN forward the traffic through the same LAG interface members, before and after session offloading.

Created On 07/14/22 08:55 AM - Last Modified 11/28/23 22:22 PM


Question


Can PAN forward the traffic through the same LAG interface members, before and after session offloading?

Environment


  • Palo Alto Firewalls
  • Supported PAN-OS
  • LACP


Answer


  1. Yes. With the changes introduced in PAN-OS 9.1.9, 10.1.5-h2, and 10.2.4, the firewall can use a consistent forwarding algorithm for a session throughout its lifetime.
  2. The following command sets the LAG flow key to "tuple" instead of "tag" (the default), so that the same LAG member is selected before and after offloading:
admin@firewall> set session lag-flow-key-type ?
> tag     tag
> tuple   tuple
"tag" is the default behavior (tag-based selection on the CPU, tuple-based selection on the FE)
"tuple" is the new behavior, where both the CPU and the FE use the same selection algorithm
  3. Use the following command to display the algorithm currently in use:

admin@firewall> show session lag-flow-key-type
dp0:  tuple based on fe100
dp1:  tuple based on fe100

Note:

  • When the firewall is connected via a LAG to another stateful device (typically a non-Palo Alto device), confirm whether that stateful device requires all traffic for an existing session to arrive on the same interface.
  • If it does, use the command above to set the LAG flow key to "tuple".


Additional Information


  • Session offloading means that traffic is offloaded to a hardware chip for faster packet processing.
  • The default load-balancing algorithm is based on the session ID. The firewall takes the last 3 bits of the session ID and creates a hash value that it uses to load-balance traffic across the members of the LAG. 3 bits are enough to cover the maximum of 8 ports in a LAG group.
  • The offload processor, however, uses a different algorithm to select a forwarding interface. This discrepancy caused asymmetric forwarding for the same session before and after offloading.
  • PAN-134799 enables changing the load-balancing algorithm on firewalls with FE100 network processors, starting from PAN-OS 9.0.13, 9.1.9, 10.0.5
  • PAN-190409 enables changing the load-balancing algorithm on firewalls with FE101 network processors, starting from PAN-OS 10.1.5-h2, 10.2.4

Platforms and their network processors:
  • PA-3200 series: FE100/FE101
  • PA-5200 series: FE100/FE101
  • PA-5450 series: FE101
  • PA-7000 - NPC - 100G: FE101
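The following added example (not from the article or PAN-OS) models the two selection paths described above: the CPU's "tag" selection from the low 3 bits of the session ID, and a tuple-keyed selection on the offload processor. The FE100/FE101 hash is not documented here, so a SHA-256 over the 5-tuple stands in for it; the point shown is that "tag" mode lets the member change at offload time while "tuple" mode keeps it stable, which is what a stateful LAG peer relies on.

```python
import hashlib
import random

MAX_LAG_MEMBERS = 8  # 3 bits of session ID cover at most 8 LAG members


def tag_member(session_id: int, n_members: int) -> int:
    """CPU path in 'tag' mode: the low 3 bits of the session ID pick the member.
    Assumed model of the page's description, not the vendor's exact hash."""
    assert 1 <= n_members <= MAX_LAG_MEMBERS
    return (session_id & 0b111) % n_members


def tuple_member(five_tuple: tuple, n_members: int) -> int:
    """Tuple-keyed selection (offload path). Stand-in hash: SHA-256 of the
    5-tuple; the real FE100/FE101 algorithm is not published on the page."""
    key = "|".join(map(str, five_tuple)).encode()
    digest = hashlib.sha256(key).digest()
    return int.from_bytes(digest[:4], "big") % n_members


def forwarding_path(session_id: int, five_tuple: tuple, n_members: int,
                    key_type: str = "tag") -> tuple:
    """Return (member before offload, member after offload) for one session."""
    if key_type == "tag":
        # CPU uses the session-ID tag, FE uses the tuple: they may disagree.
        return tag_member(session_id, n_members), tuple_member(five_tuple, n_members)
    # 'tuple' mode: CPU and FE share the same selection algorithm.
    member = tuple_member(five_tuple, n_members)
    return member, member


def count_asymmetric(n_sessions: int, n_members: int, key_type: str,
                     seed: int = 1) -> int:
    """Constructed workload: number of sessions whose LAG member changes
    when the session is offloaded. Client addresses/ports are random,
    server is a fixed constructed HTTPS endpoint."""
    rng = random.Random(seed)
    flips = 0
    for sid in range(1, n_sessions + 1):
        ft = (f"10.0.{rng.randrange(256)}.{rng.randrange(1, 255)}",
              rng.randrange(1024, 65536), "198.51.100.10", 443, "tcp")
        before, after = forwarding_path(sid, ft, n_members, key_type)
        flips += before != after
    return flips


if __name__ == "__main__":
    for mode in ("tag", "tuple"):
        print(f"{mode}: {count_asymmetric(1000, 4, mode)} of 1000 sessions change member at offload")
```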
