This release integrates introduces non-DPU-based intelligent traffic offload (ITO) support on VM-Series firewalls. With the ITO service, VM-Series NGFWs eliminate the tradeoff between network performance, security, and cost. For each new flow on the network, the Intelligent Traffic Offload Service determines whether or not the flow can benefit from security inspection. The first few packets of the flow are routed to the firewall for inspection by the Intelligent Traffic Offload service, which determines whether the rest of the packets in the flow should be inspected or offloaded. By only inspecting flows that can benefit from security inspection, the overall load on the firewall is greatly reduced and performance increases without sacrificing the security posture.

For infrastructures that lack DPUs, the non-DPU-based Intelligent Traffic Offload is able to function by taking advantage of the available NICs. See Hypervisor Support Matrix to learn about the NICs and Hypervisors supported.