Intelligent Traffic Offload Service for VM-Series on KVM
Learn how the Intelligent Traffic Offload Service for
VM-Series on KVM pairs with a SmartNIC to increase your VM-Series
With the new Intelligent Traffic Offload (ITO) service,
VM-Series virtual NGFWs eliminate the tradeoff between network performance,
security, and cost. The ITO service integrates with the industry’s
leading SmartNICs to improve virtual firewall performance by 5X
by offloading traffic that does not benefit from security inspection
from the firewall to the SmartNIC. For each new flow on the network,
the ITO Service determines whether or not the flow can benefit from
The first few packets of the flow are routed to the firewall
for inspection by the ITO service, which determines whether the
rest of the packets in the flow should be inspected or offloaded.
This determination is based on policy or on the flow’s inability to
be inspected (for example, encrypted traffic can’t be inspected).
By only inspecting flows that can benefit from security inspection,
the overall load on the firewall is greatly reduced and performance
increases without sacrificing the security posture.
The VM-Series firewall and the BlueField-2 SmartNIC must
be installed on an x86 physical host running Ubuntu 18.04, with
kernel version 4.15.0-20. The VM-Series firewall must be deployed
in virtual wire mode.
ITO benefits service provider networks where traffic is predominantly “elephant”
flows. Elephant flows are typically media flows that do not benefit
from advanced security inspection (YouTube streams, Zoom sessions,
Netflix streams, gaming traffic, etc.), or encrypted SSL or
IPsec flows without a corresponding decryption profile on the firewall.
The VM-Series firewall uses an open, gRPC-based API to
communicate with the BlueField-2 SmartNIC. The SmartNIC handles
offload processing and maintains the offload flow table. The current
scalability limits are as follows:
Session table capacity: 500,000 sessions
Session table update rate: 7000 sessions/second
Offload hairpin rate: ~80 Gbps for 1500-byte packets
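The following is an added simulation, not Palo Alto Networks code, of the per-flow decision described above together with the SmartNIC limits just listed. It models the datapath split: the first few packets of a flow reach the firewall, the firewall issues a verdict (offload because policy says the flow does not benefit from inspection, or because the flow is encrypted with no decryption profile), and once the SmartNIC has a table entry the remaining packets never reach the firewall. The 500,000-session capacity and 7,000 sessions/second update rate are taken from the page; the three-packet sampling depth, the application labels, the policy sets and the retry behaviour when the table is full or the update budget is exhausted are assumptions made for the example, and the gRPC exchange itself is stood in for by a direct method call.

```python
"""Simulation of ITO-style flow offload (added example, not vendor code)."""
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, NamedTuple, Optional, Set


class Packet(NamedTuple):
    flow: str        # stands in for the 5-tuple
    app: str         # assumed App-ID style label
    encrypted: bool
    ts: float        # arrival time in seconds


# Assumptions for the simulation (not from the page)
INSPECT_FIRST_N = 3                                  # packets the firewall sees before a verdict
OFFLOAD_BY_POLICY = {"youtube", "zoom", "netflix", "gaming"}   # assumed "elephant flow" policy
DECRYPTABLE = {"ssl-internal"}                       # assumed: encrypted apps with a decryption profile

# Limits quoted from the page
SESSION_TABLE_CAPACITY = 500_000
UPDATE_RATE_LIMIT = 7_000                            # sessions/second


@dataclass
class SmartNIC:
    """Offload flow table bounded by the page's capacity and update-rate limits."""
    capacity: int = SESSION_TABLE_CAPACITY
    rate_limit: int = UPDATE_RATE_LIMIT
    table: Set[str] = field(default_factory=set)
    recent_updates: Deque[float] = field(default_factory=deque)

    def offload(self, flow: str, now: float) -> bool:
        # Slide the one-second window used for the update-rate budget
        while self.recent_updates and now - self.recent_updates[0] >= 1.0:
            self.recent_updates.popleft()
        if len(self.table) >= self.capacity or len(self.recent_updates) >= self.rate_limit:
            return False     # no room or no budget: the firewall keeps inspecting this flow
        self.table.add(flow)
        self.recent_updates.append(now)
        return True

    def fast_path(self, flow: str) -> bool:
        return flow in self.table


@dataclass
class Firewall:
    nic: SmartNIC
    inspected_count: Dict[str, int] = field(default_factory=dict)

    def verdict(self, pkt: Packet) -> str:
        # Flows that cannot be inspected: encrypted with no decryption profile
        if pkt.encrypted and pkt.app not in DECRYPTABLE:
            return "offload"
        # Flows that policy says do not benefit from inspection
        if pkt.app in OFFLOAD_BY_POLICY:
            return "offload"
        return "inspect"

    def datapath(self, pkt: Packet) -> str:
        if self.nic.fast_path(pkt.flow):
            return "bypassed"            # SmartNIC forwards; the firewall never sees it
        n = self.inspected_count.get(pkt.flow, 0) + 1
        self.inspected_count[pkt.flow] = n
        if n >= INSPECT_FIRST_N and self.verdict(pkt) == "offload":
            # Retried on later packets if the NIC had no capacity or budget earlier
            if self.nic.offload(pkt.flow, pkt.ts):
                return "offloaded"
        return "inspected"


def flow(name: str, app: str, encrypted: bool, n: int, ts: float = 0.0) -> List[Packet]:
    """Constructed sample traffic: n packets of one flow."""
    return [Packet(name, app, encrypted, ts) for _ in range(n)]


def simulate(packets: List[Packet], nic: Optional[SmartNIC] = None) -> List[str]:
    fw = Firewall(nic or SmartNIC())
    return [fw.datapath(p) for p in packets]


def firewall_load(results: List[str]) -> float:
    """Fraction of packets that actually consumed firewall CPU."""
    return sum(r != "bypassed" for r in results) / len(results)


if __name__ == "__main__":
    pkts = flow("yt", "youtube", False, 1000) + flow("web", "web-browsing", False, 10)
    res = simulate(pkts)
    print(f"firewall processed {firewall_load(res):.1%} of packets")
```

The two failure modes worth noticing are what happens when the limits bind: with a full session table or an exhausted update budget the flow is not dropped, it simply keeps flowing through the firewall at full inspection cost, so a burst of new elephant flows above 7,000 sessions/second shows up as firewall load rather than as lost traffic. Note also that the verdict is taken on the first few packets only; an encrypted flow that has a decryption profile stays on the inspected path for its whole life.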
Active/Passive HA is supported for the VM-Series firewalls running
on physical hosts with identical configurations.