Palo Alto Firewall Architecture
Network architecture refers to the structured arrangement of network devices, security devices and services that serves the connectivity needs of client devices while also controlling traffic flow and keeping services available. Network devices typically include switches, routers and firewalls.
Palo Alto Firewall Architecture : An Overview
Palo Alto Firewall Architecture is based on Palo Alto Networks' own Single Pass Parallel Processing (SP3) architecture. This design delivers high-throughput, low-latency network security with the firewall's security features enabled. Palo Alto Networks addresses the performance problems that affect much of today's security infrastructure with the SP3 architecture, which is composed of two key components:
- Single Pass software
- Parallel Processing hardware
Single Pass Software
The Palo Alto Networks Next-Generation Firewall runs Single Pass software. It processes each packet once to perform networking, user identification (User-ID), policy lookup, traffic classification with application identification (App-ID), decoding, and signature matching for threats and malicious content. Handling a packet in a single pass significantly reduces per-packet processing overhead.
By contrast, other firewall vendors use architectures that incur higher overhead for each packet traversing the firewall. A notable example is Unified Threat Management (UTM), in which the packet is first processed by the firewall and then handed to separate engines that inspect its contents. The resulting spike in CPU overhead increases latency and reduces throughput, a degradation in performance.
Single Pass software is designed around two key principles.
- First, the software performs its operations once per packet. Policy lookup, application identification, decoding and signature matching for all threats and content are each performed just once, rather than once per security function.
- Second, processing is stream based and uses a uniform signature-matching engine to detect and block threats. Single Pass software does not rely on separate engines with their own signature sets, or on file proxies that must download an entire file before scanning it; it scans traffic once, as a stream, avoiding the latency and throughput penalties those approaches introduce.
This content-processing model enables high throughput and low latency with all security functions active. It also provides a single, fully integrated policy, which simplifies management of enterprise network security.
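The difference between stream-based scanning and a file proxy that must hold the whole object before inspecting it can be modelled in a few lines. The Python below is an added illustration written for this page, not Palo Alto Networks code: the signature set, the 104-byte payload and the 16-byte chunking are all constructed, and the scanner is a deliberately simplified model (fixed byte patterns, no decoding) rather than a description of how Content-ID is implemented. What it shows is the carry-over rule that lets a stream scanner find a signature split across chunk boundaries, report it exactly once, and return a verdict as soon as the matching bytes arrive, while the file-proxy model cannot decide anything until the whole object has been buffered.

```python
"""Toy model of single-pass, stream-based content scanning versus a
file-proxy scanner that buffers a whole object before looking at it.
Added illustration, not Palo Alto Networks code; the signature set and
the payload are constructed for the example."""

# Constructed signatures: fixed byte patterns stand in for real content
# signatures.  One long and one short pattern so the carry-over logic is
# exercised for both.
SIGNATURES = [
    ("eicar-test", b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE"),
    ("pe-header", b"MZ\x90\x00"),
]


class StreamScanner:
    """Scans each chunk as it arrives.  Only the last (longest pattern - 1)
    bytes are carried over, so a signature split across two chunks is
    still found without buffering the whole object."""

    def __init__(self, signatures):
        self.signatures = signatures
        self.carry = b""
        self.carry_len = max(len(p) for _, p in signatures) - 1
        self.bytes_scanned = 0

    def feed(self, chunk):
        """Return names of signatures whose match ends inside this chunk."""
        prev = len(self.carry)
        window = self.carry + chunk
        hits = []
        for name, pat in self.signatures:
            # A match must extend into the new chunk; anything wholly
            # inside the carried bytes was already reported earlier.
            start = max(0, prev - len(pat) + 1)
            if window.find(pat, start) != -1:
                hits.append(name)
        self.carry = window[-self.carry_len:] if self.carry_len else b""
        self.bytes_scanned += len(chunk)
        return hits


class ProxyScanner:
    """File-proxy style: buffer everything, decide only at end of object."""

    def __init__(self, signatures):
        self.signatures = signatures
        self.buf = bytearray()

    def feed(self, chunk):
        self.buf += chunk
        return []  # no verdict is possible before the object is complete

    def finish(self):
        data = bytes(self.buf)
        return [name for name, pat in self.signatures if pat in data]


def chunked(data, size):
    return [data[i:i + size] for i in range(0, len(data), size)]


def scan_all(chunks, signatures):
    """Per-chunk hit lists from the stream scanner; shows that a split
    signature is reported once and only once."""
    s = StreamScanner(signatures)
    return [s.feed(c) for c in chunks]


def first_verdict_stream(chunks, signatures):
    """(chunk index of first hit, bytes delivered by then, hits)."""
    s = StreamScanner(signatures)
    for i, c in enumerate(chunks):
        hits = s.feed(c)
        if hits:
            return i, s.bytes_scanned, hits
    return None, s.bytes_scanned, []


def first_verdict_proxy(chunks, signatures):
    """Same shape as above for the buffering scanner."""
    p = ProxyScanner(signatures)
    for c in chunks:
        p.feed(c)
    hits = p.finish()
    return (len(chunks) - 1 if hits else None), len(p.buf), hits


# Constructed 104-byte "download": the long signature starts inside the
# second 16-byte chunk and ends exactly at the end of the fourth.
PAYLOAD = b"HTTP-BODY:" + b"A" * 20 + b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE" + b"B" * 40
CHUNKS = chunked(PAYLOAD, 16)

if __name__ == "__main__":
    print("stream:", first_verdict_stream(CHUNKS, SIGNATURES))  # (3, 64, ['eicar-test'])
    print("proxy: ", first_verdict_proxy(CHUNKS, SIGNATURES))   # (6, 104, ['eicar-test'])
```

The stream scanner's per-flow state is bounded by the longest signature, so memory and latency stay constant regardless of object size; the proxy model's buffer grows with the object and its verdict is delayed until the last byte, which is the latency and throughput cost the text attributes to file proxies.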
Parallel Processing Hardware
Palo Alto Networks Parallel Processing hardware ensures that function-specific processing is done in parallel at the hardware level, which, together with the dedicated data plane and control plane, produces strong performance. By separating the data plane from the control plane, Palo Alto Networks ensures that heavy utilization of either plane does not affect the overall performance of the platform.
Palo Alto Firewall Architecture : Control Plane & Data Plane
The control plane is responsible for tasks such as management and configuration of the firewall, and it also handles logging and reporting. The data plane's defining feature is a set of dedicated processors, each responsible for specific functions, all working in parallel. In the high-end models the data plane contains three types of processors (CPUs) connected by high-speed 1 Gbps buses.
Types Of Processors:
The three types of processors are:
- Security Matching Processor: dedicated processor that performs vulnerability and virus signature matching.
- Security Processor: dedicated processor that provides hardware acceleration and handles security tasks such as SSL decryption, IPsec decryption and similar work.
- Network Processor: dedicated processor responsible for network tasks such as routing, NAT, QoS, route lookup, MAC lookup and other network-layer communication.
The first design element of the Palo Alto Firewall Architecture is the split into two planes: a separate data plane and control plane. This separation means that heavy utilization of one plane does not impact the other. The second element is the Parallel Processing hardware, which consists of discrete, specialized processing groups that work together to perform several key functions:
- Routing, flow lookup, traffic statistics, NAT and similar functions are performed on network-specific hardware.
- User-ID, App-ID and policy evaluation run on a multi-core security engine with hardware acceleration for encryption, decryption, compression and decompression.
- Content-ID content analysis uses a dedicated, specialized content-scanning engine.
- On the control plane, a dedicated management processor (with its own disk and RAM) drives configuration management, logging and reporting without interfering with user traffic.
Conclusion
The Palo Alto Networks architecture consists of Single Pass software and Parallel Processing hardware, a well-matched combination in network security that enables Palo Alto Networks next-generation firewalls to restore visibility and control over enterprise networks.