Components of a HSF Cluster

Where Can I Use This?
  • Prisma AIRS
What Do I Need?
  • Software NGFW Credits
  • HSF subscription license
The HSF cluster comprises an AI-Gateway node and an AI-DP node, each of which is an independent AI runtime VM instance. Cluster control and data links interconnect the nodes. Traffic enters and leaves the cluster exclusively through the external interfaces on the AI-Gateway nodes, which then distribute it to other nodes for processing.

AI-Gateway

You can configure 1 to 4 AI-Gateway instances (a minimum of 2 is recommended for resiliency) to meet your throughput requirements. Node IDs 1-4 are allocated to them. Your peer router or switch distributes traffic across these instances using ECMP or link aggregation. AI-Gateway instances offer full firewall functionality and can load balance sessions to AI-DP firewall instances based on session load and availability. In some scenarios, they can also forward traffic to other AI-Gateway instances within the cluster.
AI-Gateway instances are statically provisioned and do not support dynamic autoscaling. However, you can manually add or remove instances from the cluster and vertically scale them by adding more CPU and memory resources to existing instances. For optimal performance and consistency, ensure that all AI-Gateway instances have the same resource footprint.

AI-DP

The AI-DP nodes are optional components in your network architecture that provide elastic, scalable firewall capacity. You can deploy these instances as part of a cluster, where they interact exclusively with AI-Gateway instances and other AI-DP firewall instances within the same cluster. In addition to performing security inspection, the AI-Gateway instances load balance incoming sessions across the AI-DP firewall instances, distributing traffic based on load and other criteria.
You can dynamically scale the number of AI-DP firewall instances in the cluster, with initial support for up to 6 instances in the first phase. You can also manually scale up individual VM-Series instances vertically to meet increasing demand. There is no fixed mapping between AI-DP firewalls and specific AI-Gateway instances: any gateway instance can communicate with any firewall instance within the cluster.
The AI-DP firewall instances run the same PAN-OS image as the AI-Gateway instances but are bootstrapped with different parameters that define their role and functionality within the cluster. Each instance in the cluster has separate interfaces for management, cluster control, and cluster data, which carry communication and data exchange between cluster members. The AI-DP firewall instances, along with other cluster components, use the VM-Flex license model to obtain CPU core-based licenses and subscriptions.