Session Distribution Policies
Table of Contents
Expand all | Collapse all
-
- Tap Interfaces
-
- Layer 2 and Layer 3 Packets over a Virtual Wire
- Port Speeds of Virtual Wire Interfaces
- LLDP over a Virtual Wire
- Aggregated Interfaces for a Virtual Wire
- Virtual Wire Support of High Availability
- Zone Protection for a Virtual Wire Interface
- VLAN-Tagged Traffic
- Virtual Wire Subinterfaces
- Configure Virtual Wires
- Configure an Aggregate Interface Group
- Configure Bonjour Reflector for Network Segmentation
- Use Interface Management Profiles to Restrict Access
-
- DNS Overview
- DNS Proxy Object
- DNS Server Profile
- Multi-Tenant DNS Deployments
- Configure a DNS Proxy Object
- Configure a DNS Server Profile
- Use Case 1: Firewall Requires DNS Resolution
- Use Case 2: ISP Tenant Uses DNS Proxy to Handle DNS Resolution for Security Policies, Reporting, and Services within its Virtual System
- Use Case 3: Firewall Acts as DNS Proxy Between Client and Server
- DNS Proxy Rule and FQDN Matching
-
- NAT Rule Capacities
- Dynamic IP and Port NAT Oversubscription
- Dataplane NAT Memory Statistics
-
- Translate Internal Client IP Addresses to Your Public IP Address (Source DIPP NAT)
- Enable Clients on the Internal Network to Access your Public Servers (Destination U-Turn NAT)
- Enable Bi-Directional Address Translation for Your Public-Facing Servers (Static Source NAT)
- Configure Destination NAT with DNS Rewrite
- Configure Destination NAT Using Dynamic IP Addresses
- Modify the Oversubscription Rate for DIPP NAT
- Reserve Dynamic IP NAT Addresses
- Disable NAT for a Specific Host or Interface
-
- Network Packet Broker Overview
- How Network Packet Broker Works
- Prepare to Deploy Network Packet Broker
- Configure Transparent Bridge Security Chains
- Configure Routed Layer 3 Security Chains
- Network Packet Broker HA Support
- User Interface Changes for Network Packet Broker
- Limitations of Network Packet Broker
- Troubleshoot Network Packet Broker
-
- Enable Advanced Routing
- Logical Router Overview
- Configure a Logical Router
- Create a Static Route
- Configure BGP on an Advanced Routing Engine
- Create BGP Routing Profiles
- Create Filters for the Advanced Routing Engine
- Configure OSPFv2 on an Advanced Routing Engine
- Create OSPF Routing Profiles
- Configure OSPFv3 on an Advanced Routing Engine
- Create OSPFv3 Routing Profiles
- Configure RIPv2 on an Advanced Routing Engine
- Create RIPv2 Routing Profiles
- Create BFD Profiles
- Configure IPv4 Multicast
- Create Multicast Routing Profiles
- Create an IPv4 MRoute
Session Distribution Policies
Session distribution policies define how PA-5200 and
PA-7000 Series firewalls distribute security processing (App-ID,
Content-ID, URL filtering, SSL decryption, and IPSec) among dataplane
processors (DPs) on the firewall. Each policy is specifically designed
for a certain type of network environment and firewall configuration
to ensure that the firewall distributes sessions with maximum efficiency.
For example, the Hash session distribution policy is best fit for
environments that use large scale source NAT.
The number of DPs on a firewall varies based on the firewall
model:
Firewall Model | Dataplane Processor(s) |
|---|---|
PA-7000 Series | Depends on the number of installed
Network Processing Cards (NPCs). Each NPC has multiple dataplane
processors (DPs) and you can install multiple NPCs in the firewall. |
PA-5220 firewall | 1 The PA-5220 firewall
has only one DP so sessions distribution policies do not have an
effect. Leave the policy set to the default (round-robin). |
PA-5250 firewall | 2 |
PA-5260 and PA-5280
firewalls | 3 |
PA-5450 firewall | Depends on the number of installed Data
Processing Cards (DPCs). |
The following topics provide information about the available
session distribution policies, how to change an active policy, and
how to view session distribution statistics.