1/7/2016 Differences between packets in slow path, fast pat... - Live Community

Differences between packets in slow path, fast path and offloaded


by nbilly on 01-05-2015 05:52 AM - edited on 12-02-2015 12:23 PM by EmmaF

Labels: Hardware, Learning, Management, Network

Details
A packet received by a Palo Alto Networks firewall is processed differently depending on the state of the session it matches. This document explains the difference between a packet
processed in the Slow Path, a packet processed in the Fast Path and a packet that is Offloaded.
It also refers to the hardware components commonly used in most Palo Alto Networks appliances.
 
MAC Physical Chip
Handles the physical layer connection (SFP, Ethernet ports) and performs Ethernet framing.
 
Offload Processor
Performs the flow lookup and may forward the packet to the Dataplane based on the lookup result (no flow found, or flow found but Layer 7 processing still enabled for it).
 
Dataplane
Multi-core processor that handles L4-L7 security processing.
 
Slow Path

Note: The numbered squares in the diagrams for this document represent incoming packets (one square per packet) for the same session.
 
When the very first packet of a flow comes in, no session exists yet.
This packet takes the slow path because a set of operations unique to the first packet has to be done in the Dataplane:
1. Forwarding lookup in the FIB to get the egress interface/zone
2. NAT policy lookup, plus a second forwarding lookup if destination NAT applies
3. First security policy lookup (rules are matched on the configured service port, with the application still 'any' because App-ID has not run yet)
4. The packet is discarded, or a new session is created and installed in the Dataplane

 
Fast Path

Once the egress port is known, the following packets of the same session take the Fast Path. Because the session already exists, these packets are forwarded directly to the egress
port after being processed in the Dataplane.
The Slow Path operations listed above do not need to be repeated for them.
 
Offload

Once App-ID and Content Inspection are fully completed, the session and its subsequent packets can be fully offloaded to the offload processor (FPGA chip). Ingress packets no longer
reach the Dataplane at all; the FPGA offload chip fully manages packet forwarding, which relieves the load on the Dataplane's cores.
 
Note: It is important to understand that all packets always flow through the FPGA chip, even if the session is not offloaded. The decision algorithm for offloading a session is
beyond this article's scope.
 
Conditions that prevent a session from being offloaded in hardware
An active session can be offloaded to the hardware to relieve the load on the CPUs.
By default, all sessions are eligible for offload, but some conditions prevent it.
 
A session whose application has not been recognized (App-ID has not completed) cannot be offloaded.

https://live.paloaltonetworks.com/t5/tkb/articleprintpage/tkb­id/learning_tkb/article­id/306 1/2
 
A session whose content inspection is not yet finished cannot be offloaded.
This condition includes:
Session being scanned for threats with a security profile applied
Session running an application that can change into another one because it potentially tunnels other applications

 
There are also types of traffic that are only ever processed by the CPU and are never offloaded:
ARP (and all other non-IP traffic)
IPSec
Decrypted sessions
VPN sessions
non-TCP/UDP
Firewall bound session
Inter-vsys sessions
PBF session without next hop
NAT64
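
The path decision this article describes (first packet of a flow in the Slow Path, later packets in the Fast Path, and offload only once App-ID and Content Inspection are complete and none of the exclusions above applies) can be modelled as a small state machine. The following Python is an added example written for this page, not PAN-OS or Palo Alto Networks code: the FIB, NAT table, security policy, the packet counts used to stand in for App-ID and content-inspection progress, and the session trait labels such as "decrypted" or "security-profile" are all constructed assumptions of the model, and the sample addresses are made up.

```python
from collections import namedtuple
from dataclasses import dataclass

# Constructed model for this article, not PAN-OS code: the FIB, NAT table, policy and
# the packet counts that stand in for App-ID / content-inspection progress are made up.
SLOW_PATH, FAST_PATH, OFFLOAD, DROP, NO_SESSION = (
    "slow-path", "fast-path", "offload", "drop", "dataplane-no-session")
# Session traits the article lists as CPU-only (the labels are this model's own).
NEVER_OFFLOADED = {"ipsec", "decrypted", "vpn", "firewall-bound",
                   "inter-vsys", "pbf-no-nexthop", "nat64"}

Packet = namedtuple("Packet", "proto src sport dst dport")  # proto: tcp/udp/icmp, or arp for non-IP

@dataclass
class Session:
    proto: str
    egress_zone: str
    traits: frozenset            # policy-derived facts, fixed when the session is installed
    packets: int = 1             # the slow-path packet counts as the first
    app_identified: bool = False
    inspection_done: bool = False
    offloaded: bool = False

    def offload_blockers(self):
        """Reasons, per the article's lists, that this session must stay on the CPU."""
        checks = {"non-tcp-udp": self.proto not in ("tcp", "udp"),
                  "app-id-not-complete": not self.app_identified,
                  "content-inspection-not-finished": not self.inspection_done}
        return set(self.traits & NEVER_OFFLOADED) | {k for k, v in checks.items() if v}

class Firewall:
    def __init__(self, fib, nat, policy, app_id_after=3, inspect_after=6):
        self.fib, self.nat, self.policy = fib, nat, policy  # {host: zone}, {dst: xlated dst}, rules
        self.app_id_after = app_id_after      # packets until App-ID completes
        self.inspect_after = inspect_after    # packets until a security-profile scan ends
        self.sessions = {}

    def process(self, pkt, traits=()):
        # Returns the path this packet takes; `traits` only matter for a session's first packet.
        if pkt.proto == "arp":
            return NO_SESSION     # non-IP: handled by the Dataplane, no session is created
        fwd = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        sess = self.sessions.get(fwd) or self.sessions.get(rev)
        if sess is None:
            return self._slow_path(pkt, fwd, frozenset(traits))
        if sess.offloaded:
            return OFFLOAD        # the FPGA forwards it; the Dataplane never sees it
        return self._fast_path(sess)

    def _slow_path(self, pkt, key, traits):
        # 1. forwarding lookup: ingress zone from the source, egress zone from the FIB
        src_zone, dst_zone = self.fib.get(pkt.src), self.fib.get(pkt.dst)
        # 2. NAT policy lookup, then a second forwarding lookup if DNAT applies
        if pkt.dst in self.nat:
            dst_zone = self.fib.get(self.nat[pkt.dst])
        if src_zone is None or dst_zone is None:
            return DROP
        # 3. first security policy lookup on zones and service port; the app is still 'any'
        for rule_src, rule_dst, port, action in self.policy:
            if (rule_src, rule_dst) == (src_zone, dst_zone) and port in (None, pkt.dport):
                break
        else:
            action = "deny"
        if action != "allow":
            return DROP
        self.sessions[key] = Session(pkt.proto, dst_zone, traits)   # 4. install the session
        return SLOW_PATH

    def _fast_path(self, sess):
        sess.packets += 1         # forwarding is decided; L7 work continues in the Dataplane
        if sess.packets >= self.app_id_after:
            sess.app_identified = True
        if sess.app_identified and "app-may-change" not in sess.traits:
            needs_scan = "security-profile" in sess.traits
            sess.inspection_done = not needs_scan or sess.packets >= self.inspect_after
        if not sess.offload_blockers():
            sess.offloaded = True     # this is the last packet the Dataplane handles
        return FAST_PATH

def run(fw, first, count, traits=()):
    # Feed `count` packets of one session, alternating direction, and return their paths.
    reply = Packet(first.proto, first.dst, first.dport, first.src, first.sport)
    return [fw.process(p, traits) for p in ([first, reply] * count)[:count]]

def demo():
    """Constructed addresses and policy; returns the path taken by every packet sent."""
    fw = Firewall(fib={"10.0.0.5": "trust", "203.0.113.10": "untrust",
                       "192.168.50.7": "dmz", "198.51.100.9": "untrust"},
                  nat={"203.0.113.10": "192.168.50.7"},     # DNAT: public VIP -> DMZ server
                  policy=[("trust", "dmz", 443, "allow"), ("trust", "untrust", None, "allow")])
    vip = "203.0.113.10"
    return {
        "plain": run(fw, Packet("tcp", "10.0.0.5", 40001, vip, 443), 5),
        "scanned": run(fw, Packet("tcp", "10.0.0.5", 40002, vip, 443), 8, {"security-profile"}),
        "decrypted": run(fw, Packet("tcp", "10.0.0.5", 40003, vip, 443), 5, {"decrypted"}),
        "ssh": run(fw, Packet("tcp", "10.0.0.5", 40004, vip, 22), 1),
        "icmp": run(fw, Packet("icmp", "10.0.0.5", 0, "198.51.100.9", 0), 4),
        "arp": [fw.process(Packet("arp", "10.0.0.5", 0, "10.0.0.1", 0))],
    }
```

Calling demo() shows the progression for each case: the plain HTTPS session goes slow path, fast path, and is offloaded from the fourth packet; the session with a security profile stays in the fast path until the modelled scan completes; the decrypted session and the ICMP session never leave the CPU; the SSH packet is dropped in the slow path at the policy lookup; ARP gets no session at all. On a real firewall the per-session state this model simulates (including whether Layer 7 processing has completed) is reported by `show session id <id>`; the packet counters here are only a stand-in for the Dataplane's App-ID and content-inspection progress, and the actual offload decision algorithm is, as the article says, out of scope.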

 
owner: nbilly
