AAN / DPDK considerations when adding a new interface to a deployed Azure-hosted Firewall.

Created On 01/26/23 18:18 PM - Last Modified 06/07/23 19:52 PM


Symptom


 
  • Network latency / performance issues after activity performed on Azure.
  • ‘Device current Packet IO mode: Packet MMAP’ in the output of ‘show system setting dpdk-pkt-io’.
  • For one or more Dataplane interfaces, the value of the ‘Driver’ column is ‘OFF’ in the output of ‘debug show vm-series interfaces all’ (note: this command is available only on PAN-OS versions 10.0 or higher).

  • AAN disabled on a dataplane interface:


 



Environment


 
  • Platform: PA-VM on Azure
  • PAN-OS/Plugin Version: 9.0 or above
  • Deployment: Existing
 


Cause


 
  • If you have added a new dataplane interface (including an HA interface) to the Firewall VM, Azure Accelerated Networking (AAN) may not have been enabled on it, since it is disabled by default.
  • Additionally, Azure maintenance activity such as a hotplug event can cause DPDK to be disabled (depending on the PAN-OS version).
  • AAN facilitates single root I/O virtualization (SR-IOV) on a VM (Microsoft Docs, 2022).
  • This SR-IOV works in conjunction with DPDK; consequently, AAN must be enabled on all of the Firewall's dataplane interfaces (including any HA interfaces) in order to enable DPDK.
  • The DPDK driver on an Azure-hosted VM-Series Firewall requires a complementary driver on all of the VM's dataplane network interfaces (NICs) (Palo Alto Networks, Inc., 2022); this complementary driver on the NIC is enabled by enabling AAN on said NIC.
  • AAN enables network traffic to arrive at the NIC and then be forwarded to the corresponding interface on the VM while bypassing the underlying host and the virtual switch (between the VM NIC and the VM interface itself), greatly improving networking performance.
  • Consequently, when AAN is not enabled on every dataplane interface, DPDK gets disabled; the Firewall instead uses Packet MMAP, leading to a decrease in network or overall performance.
 


Resolution


 

Note: Unless the Firewall VM is currently turned off, enabling DPDK will require a reboot.

 
  1. If the VM has been turned on post-attachment:
    a. Enable AAN on the interface:
      1. On the Azure portal, access the webpage for your Firewall VM.
      2. On the left pane, under Settings, click on “Networking”.
      3. Amongst the listed interfaces, identify which interface doesn’t have AAN.
      4. Click on the link next to the “Network interface” field for said interface.
      5. For this interface, click on “Edit accelerated networking”.
      6. Enable Accelerated Networking.
      7. At this point, while the Firewall will recognize that AAN has been turned on for all dataplane interfaces, both current and default packet IO mode will still be Packet MMAP; this is because a reboot is required in order to enable DPDK.
    b. Reboot the Firewall or turn it on.
    c. Check if DPDK has been enabled by running “show system setting dpdk-pkt-io”.
  2. During the creation of a new interface:
    • You can enable AAN either:
      • While creating the new interface on Azure, or
      • After creating the new interface on Azure and attaching it to the Firewall VM, but before turning the VM on.
    • After enabling AAN, the Firewall should turn on normally with DPDK enabled.
    • Refer to step 1a for enabling AAN on an interface.
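
The decision logic of the resolution above, as an added example (not Palo Alto Networks' code): it reads the JSON that `az network nic list -o json` prints plus the text of “show system setting dpdk-pkt-io” and reports whether AAN still has to be enabled on a dataplane NIC or only the reboot is outstanding. The function names, the sample NIC names and the convention of passing the management NIC by name are assumptions made for illustration.

```python
import json
import re

# Constructed sample: trimmed `az network nic list -o json` output for one
# resource group. Names and IDs are made up; fw1-ha is the newly added NIC.
_VM = "/subscriptions/0000/resourceGroups/rg-fw/providers/Microsoft.Compute/virtualMachines/"
SAMPLE_NICS = json.dumps([
    {"name": "fw1-mgmt", "enableAcceleratedNetworking": False, "virtualMachine": {"id": _VM + "fw1"}},
    {"name": "fw1-untrust", "enableAcceleratedNetworking": True, "virtualMachine": {"id": _VM + "fw1"}},
    {"name": "fw1-trust", "enableAcceleratedNetworking": True, "virtualMachine": {"id": _VM + "fw1"}},
    {"name": "fw1-ha", "enableAcceleratedNetworking": False, "virtualMachine": {"id": _VM + "fw1"}},
    {"name": "web-nic", "enableAcceleratedNetworking": False, "virtualMachine": {"id": _VM + "web1"}},
    {"name": "spare-nic", "enableAcceleratedNetworking": False, "virtualMachine": None},
])

def nics_missing_aan(nic_json, vm_name, mgmt_nic):
    """Names of dataplane NICs attached to vm_name that have AAN disabled."""
    missing = []
    for nic in json.loads(nic_json):
        vm_id = (nic.get("virtualMachine") or {}).get("id", "")
        if vm_id.rsplit("/", 1)[-1].lower() != vm_name.lower():
            continue  # unattached, or attached to a different VM
        if nic["name"] == mgmt_nic:
            continue  # only dataplane (and HA) NICs need AAN for DPDK
        if not nic.get("enableAcceleratedNetworking", False):
            missing.append(nic["name"])
    return sorted(missing)

def current_io_mode(cli_output):
    """Value of the 'Device current Packet IO mode' line, or None if absent."""
    m = re.search(r"Device current Packet IO mode:\s*(.+)", cli_output)
    return m.group(1).strip() if m else None

def next_step(nic_json, vm_name, mgmt_nic, cli_output):
    """Map the two observations onto the article's resolution steps."""
    missing = nics_missing_aan(nic_json, vm_name, mgmt_nic)
    if missing:
        return "enable AAN on: " + ", ".join(missing)
    mode = current_io_mode(cli_output)
    if mode == "Packet MMAP":
        return "reboot required"  # AAN is on everywhere, DPDK not yet active
    return "no action: current mode is %s" % mode

if __name__ == "__main__":
    cli = "Device current Packet IO mode: Packet MMAP"
    print(next_step(SAMPLE_NICS, "fw1", "fw1-mgmt", cli))
```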
 


Additional Information


 
  • The Data Plane Development Kit (DPDK) consists of libraries to accelerate packet processing workloads (Linux Foundation, 2015).
  • Firewalls deployed from Azure Marketplace by default have AAN enabled on all Dataplane interfaces but disabled on the Management interface, and DPDK enabled:

 
  • The “debug show” command is only available on PAN-OS 10.0+.


 

References

Linux Foundation. (2015). Data Plane Development Kit (DPDK). DPDK. http://www.dpdk.org/

Microsoft Docs. (2022, 09 09). Accelerated Networking overview. Microsoft Docs. https://docs.microsoft.com/en-us/azure/virtual-network/accelerated-networking-overview

Palo Alto Networks, Inc. (2021, 09 22). How to enable/disable Azure Accelerated Networking and Validate. Palo Alto Networks Knowledge Base. https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000oM1aCAE

Palo Alto Networks, Inc. (2022, 08 25). Deploy the VM-Series Firewall from the Azure Marketplace (Solution Template). Palo Alto Networks TechDocs. https://docs.paloaltonetworks.com/vm-series/10-1/vm-series-deployment/set-up-the-vm-series-firewall-on-azure/deploy-the-vm-series-firewall-on-azure-solution-template

Palo Alto Networks, Inc. (2022, 12 29). PacketMMAP and DPDK Driver Support. Palo Alto Networks TechDocs. https://docs.paloaltonetworks.com/vm-series/10-1/vm-series-deployment/about-the-vm-series-firewall/sr-iov-and-dpdk-driver-support


 

