Software Cut-through Based Offload on CN-Series Firewall
Where Can I Use This? | What Do I Need? |
- CN-Series as Kubernetes CNF deployment
|
- CN-Series 10.1.x or above Container Images
- For Panorama managed, CN-Series firewall, Panorama
running PAN-OS 11.0.4 or above version
|
Overview
With the software cut-through based Intelligent Traffic Offload (ITO) service, the
CN-Series firewall eliminates the tradeoff between network performance, security,
and cost. For each new flow on the network, the ITO service determines whether or
not the flow can benefit from security inspection. The ITO service routs the first
few packets of the flow to the firewall for inspection, which determines whether to
inspect or offload the rest of the packets in the flow. This determination is based
on policy or on the flow’s inability to inspect. By only inspecting flows that can
benefit from security inspection, the overall load on the firewall reduces and
performance increases without sacrificing the security posture.
For infrastructures that lack DPUs, the software cut-through based ITO is
able to function by taking advantage of the available NICs. See
Hypervisor Support Matrix to learn about
the NICs and Hypervisors supported.
The software cut-through based offload supports the GTP-U tunnel protocol.
Within a GTP-U With GTPU inner session software coordinated Universal Time-through,
after the GTPU inner session completes the Layer 7 inspection, the GTPU packet will
follow the existing software cut-through datapath, bypass the unnecessary
operations, take advantage of a FIB/MAC cache, and run to completion. The CN-Series
firewall supports the PAN-OS software cut-through feature for GTP-U Specific traffic
offload when deploying the CN-Series firewall as a Kubernetes CNF service.
GTP-U Specific Traffic Offload on CN-Series Firewall
GTP comprises a control plane (GTP-C), user plane (GTP-U), and charging
(GTP' derived from GTP-C) traffic transferred on UDP/IP. View the
PAN-OS releases by model that support GTP
and the
3GPP Technical Standards that GTPv1-C,
GTPv2-C, and GTP-U support. Enabling GTP security on Palo Alto Networks® firewalls
allows you to protect the mobile core network infrastructure from malformed GTP
packets, denial-of-service attacks, and out-of-state GTP messages, and also allows
you to protect mobile subscribers from spoofed IP packets and overbilling
attacks.
GTP-U is defined in 3GPP TS 29.281. It encapsulates and routes user plane
traffic across multiple signaling interfaces such as S1, S5, and S8. GTP-U messages
are either user planes or signaling messages. The registered port number for GTP-U
is 2152. For more information, see
GTP Protection Profile.
The software cut-through based offload on CN-Series also supports GTP-U
traffic offloads. You can now use Intelligent Traffic Offload subscription on
CN-Series as a Kubernetes CNF mode to unlock more performance and protect mobile
networks leveraging GTP Security. For every GTP-U packet that CN-Series as a
Kubernetes CNF mode will inspect, a full Layer 7 inspection will be completed on the
inner sessions. If the firewall determines that the inner sessions for this GTP-U
packet qualifies to be offloaded, then all subsequent GTP-U packets that belong to
this session will get offloaded.
Following are the important points to consider before configuring software
cut-through based offload on a CN-Series firewall:
-
By default, software cut-through based ITO configurations are
disabled.
-
You can enable this feature only using bootstrap/CLI.
-
You can use software cut-through based ITO for plain traffic and
GTP-U offload within software cut-through based ITO simultaneously.
-
For upgrades to the current version with ITO enabled, enable
session offload using CLI post upgrade.
In the CN-Series, only the CN-Series as a Kubernetes CNF mode of deployment
supports software cut-through based ITO.
Enable GTP-U Inner Session offloads on CN-Series Firewall
To enable GTP-U inner session offloads on the CN-Series firewall, the
following are the prerequisites for enabling GTP Security or 5G Security.
You must edit the pan-cn-mgmt-configmap.yaml file
with the following changes:
In the pan-cn-mgmt-configmap.yaml file, the
PAN_GTP_ENABLED, PAN_GTP_CUT_THRU, and PAN_SW_CUT_THRU
parameter value must be true to enable GTP-U inner session
offloads.
Here is an example of an updated
pan-cn-mgmt-configmap.yaml file:
# Start MGMT pod with GTP enabled. For complete functionality, need GTP
# enabled at Panorama as well.
PAN_GTP_ENABLED: "true"
# Start MGMT pod with GTP SW cut Through enable.
PAN_GTP_CUT_THRU: "true"
# Start MGMT pod with SW cut Through enable.
PAN_SW_CUT_THRU: "true"