You can configure up to 1-4 P-Nodes (minimum 2 is recommended for resiliency) instances to meet your throughput requirements. Node IDs 1-4 are allocated to them. Your peer router or switch distributes traffic across these instances using ECMP or link aggregation. P-Nodes offer full firewall functionality and can load balance sessions to S-Nodes based on session load and availability. In some scenarios, they can also forward traffic to other P-Nodes within the cluster.

The S-Nodes are optional components in your network architecture that provide elastic, scalable firewall capacity. You can deploy these instances as part of a cluster, where they interact exclusively with P-Nodes and other S-Nodes within the same cluster. In addition to performing security inspection, the P-Nodes are responsible for load balancing incoming sessions across the S-Nodes, distributing traffic based on load and other criteria. You have the flexibility to dynamically scale the number of S-Nodes in the cluster, with initial support for up to 6 instances in the first phase. Additionally, you can manually scale up individual AI Runtime Security firewall instances vertically to meet increasing demands. It's important to note that there is no fixed mapping between S-Nodes and specific P-Nodes. Any gateway instance can communicate with any firewall instance within the cluster. These S-Nodes run the same Pan-OS image as the P-Nodes but are bootstrapped with different parameters to define their specific role and functionality within the cluster. You'll find that each instance in the cluster is equipped with separate interfaces for management, cluster control, and cluster data, facilitating efficient communication and data exchange between cluster members. The S-Nodes along with other cluster components, utilize the VM-Flex license model for obtaining CPU core-based licenses and subscriptions, ensuring proper licensing for your deployment.

The following are the other components needed for an HSF setup: