Etherip traffic supportability on FE100 Platforms

Created On 02/28/25 17:05 PM - Last Modified 10/20/25 20:35 PM


Symptom


• High utilization of dataplane resources on the firewall, particularly packet descriptors; slow wireless network performance; EtherIP traffic identified as the primary cause of the degradation.

PA-Guest> show running resource-monitor ingress-backlogs
=
Tue Feb 18 14:15:27 2025


-- SLOT: s1, DP: dp0 --
USAGE - ATOMIC: 98.73046875% TOTAL: 100.0%


TOP SESSIONS:
SESS-ID         PCT     GRP-ID          COUNT           Special Notes 
66              98%     flow_fastpath   4039


SESSION DETAILS
SESS-ID         PROTO   SZONE   SRC             SPORT   DST             DPORT   IGR-IF          EGR-IF         TYPE     APP
66              97      Guest   10.57.4.21      20033   10.94.22.202    20033   ae1.202 ae2     FLOW    etherip


Environment


**Product_versions**
• PAN-OS: 10.2.13-h4
• PA-52x0 series firewall
• FE101 chip


Cause


The cause is that the FE (the FE101 forwarding engine) does not recognize the protocol, so the session cannot be offloaded. Only a limited number of protocols are recognized by the FE, although the FE parser can be extended to include more.
When the FE receives a packet it cannot recognize, EtherIP in this example, it generates an exception to the DP. Such traffic can be neither offloaded nor discarded at the FE level, because it has no flow key defined and the FE does not even regard it as a flow. It therefore has to be processed by the DP through exceptions.

This resulted in the traffic being processed by the Data Plane (DP) instead, leading to resource depletion and slow network performance.



Resolution


1. How many EtherIP packets can the firewall support before it hits an issue?
We do not have such information available.

2. Is this a PAN-OS issue or a hardware issue?
This is a limitation of this version of PAN-OS. PAN-242479 adds support for EtherIP.

3. Is this limitation only for the EtherIP protocol? If not, which protocols will the firewall have issues with?
TCP, UDP, ESP (platform dependent), and GRE are supported for offload. EtherIP support is added in the PR mentioned above (PAN-242479).

5. Why is the firewall having trouble handling EtherIP traffic?
The PA-52x0 series uses the FE101 for hardware offload. If the FE101 does not recognize the protocol, the session cannot be offloaded. In such cases, the FE101 generates an exception and the traffic is processed by the DP. So essentially.

6. Can this issue be fixed in the PAN-OS code? If not, why?
PAN-242479 adds offload support for EtherIP.

7. Why is a single EtherIP session consuming 98% of the utilization?
In the case of EtherIP, all packets traverse a single tunnel and are treated as a single session, which means the DP cores must process them in arrival order. That single session therefore uses up the packet descriptors.

8. What are the resolutions/suggestions for fixing this issue on the firewall?
Upgrade to a PAN-OS version that contains the fix tracked in PAN-242479.

Upgrade the PAN-OS version of the firewall to 11.1.5, 10.2.13, 10.2.14, or 11.1.4-h6.


**PREVENTIVE_MEASURES**
1. Review and update the organization's firewall security policy to explicitly address the handling of EtherIP traffic on the PA-52x0 series, defining specific rules or configurations where needed so that similar issues are prevented before they occur.
2. Implement continuous monitoring and alerting on the firewall's dataplane resource utilization so that trends or deviations from normal operation are detected proactively, before they impact performance.
3. Perform regular security audits and vulnerability scans to identify potential risks and implement appropriate mitigation strategies, giving an ongoing assessment of exposure across the organization's systems.
4. Upgrade hardware if necessary, especially if traffic patterns continuously stress the current hardware and it cannot handle all of the protocols in use.
5. Implement QoS policies so that vital traffic, such as user traffic, is prioritized over less impactful traffic, such as EtherIP, which keeps network performance acceptable even under high volumes of EtherIP traffic.
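As an added example (not part of the original article or of any Palo Alto Networks tooling), the following Python script parses the output format of `show running resource-monitor ingress-backlogs` shown in the Symptom section and implements the alerting described in preventive measure 2: it flags a DP whose ingress backlog usage is high and any single session that holds most of that backlog, annotating the session with its APP so the operator can see when it is a protocol (EtherIP here) that the FE101 does not offload. How the text is collected from the firewall (for example a scheduled CLI capture) is left to the operator and assumed; the thresholds, the `NON_OFFLOADED_APPS` set and the embedded sample output are constructed to match the article, not taken from a live device.

```python
"""Parse 'show running resource-monitor ingress-backlogs' output and alert
when one session monopolises a dataplane's ingress backlog.

Added example: the sample text below is constructed to match the layout
shown in the article's Symptom section; it is not a live capture."""
import re
from dataclasses import dataclass

# Constructed sample output, same layout as the article's Symptom section.
SAMPLE_OUTPUT = """\
Tue Feb 18 14:15:27 2025

-- SLOT: s1, DP: dp0 --
USAGE - ATOMIC: 98.73046875% TOTAL: 100.0%

TOP SESSIONS:
SESS-ID         PCT     GRP-ID          COUNT           Special Notes
66              98%     flow_fastpath   4039

SESSION DETAILS
SESS-ID         PROTO   SZONE   SRC             SPORT   DST             DPORT   IGR-IF          EGR-IF         TYPE     APP
66              97      Guest   10.57.4.21      20033   10.94.22.202    20033   ae1.202 ae2     FLOW    etherip
"""

# Apps the article states the FE101 cannot offload (assumed list for this example).
NON_OFFLOADED_APPS = {"etherip"}

SLOT_RE = re.compile(r"^-- SLOT: (\S+), DP: (\S+) --$")
USAGE_RE = re.compile(r"^USAGE - ATOMIC: ([\d.]+)% TOTAL: ([\d.]+)%")
TOP_RE = re.compile(r"^(\d+)\s+(\d+)%\s+(\S+)\s+(\d+)")


@dataclass
class Backlog:
    slot: str
    dp: str
    atomic_pct: float
    total_pct: float
    top_sessions: list   # dicts: sess_id, pct, grp_id, count
    details: dict        # sess_id -> dict(proto, szone, src, sport, dst, dport, ..., app)


def parse_ingress_backlogs(text):
    """Return one Backlog per '-- SLOT: x, DP: y --' block in the CLI output."""
    backlogs, current, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SLOT_RE.match(line)
        if m:
            current = Backlog(m.group(1), m.group(2), 0.0, 0.0, [], {})
            backlogs.append(current)
            section = None
            continue
        if current is None:
            continue  # timestamp or other preamble before the first DP block
        m = USAGE_RE.match(line)
        if m:
            current.atomic_pct = float(m.group(1))
            current.total_pct = float(m.group(2))
            continue
        if line.startswith("TOP SESSIONS"):
            section = "top"
            continue
        if line.startswith("SESSION DETAILS"):
            section = "details"
            continue
        if section == "top":
            m = TOP_RE.match(line)  # header row starts with 'SESS-ID', so it is skipped
            if m:
                current.top_sessions.append({"sess_id": m.group(1), "pct": int(m.group(2)),
                                             "grp_id": m.group(3), "count": int(m.group(4))})
        elif section == "details":
            f = line.split()
            if len(f) >= 11 and f[0].isdigit():
                current.details[f[0]] = {"proto": f[1], "szone": f[2], "src": f[3], "sport": f[4],
                                         "dst": f[5], "dport": f[6], "igr_if": f[7],
                                         "egr_if": f[8], "type": f[9], "app": f[10]}
    return backlogs


def evaluate_backlogs(backlogs, usage_threshold=80.0, session_threshold=50.0):
    """Return alert strings: high DP usage, and any single session above session_threshold."""
    alerts = []
    for b in backlogs:
        if b.atomic_pct >= usage_threshold:
            alerts.append(f"{b.slot}/{b.dp}: ingress backlog at {b.atomic_pct:.1f}% (atomic)")
        for s in b.top_sessions:
            if s["pct"] < session_threshold:
                continue
            d = b.details.get(s["sess_id"], {})
            app = d.get("app", "unknown")
            note = " (not hardware-offloadable on FE101)" if app in NON_OFFLOADED_APPS else ""
            alerts.append(f"{b.slot}/{b.dp}: session {s['sess_id']} holds {s['pct']}% of backlog, "
                          f"proto {d.get('proto', '?')} app {app} "
                          f"{d.get('src', '?')}->{d.get('dst', '?')}{note}")
    return alerts


if __name__ == "__main__":
    for alert in evaluate_backlogs(parse_ingress_backlogs(SAMPLE_OUTPUT)):
        print("ALERT:", alert)
```

Run on the constructed sample, the script emits one alert for the DP running at 98.7% and one for session 66, marked as EtherIP and not offloadable, which is exactly the pattern the Symptom section shows; wiring the alert list into the organization's monitoring system is left to the operator.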



    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000sdSWCAY&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail