Software Cut-Through Based Offload on Software Firewalls

Implement Intelligent Traffic Offload using hardware (DPU-based) or software cut-through (non-DPU-based).
This release introduces software cut-through based offload support on VM-Series and CN-Series CNF Mode software firewalls. With software cut-through based offload, CN-Series CNF Mode NGFWs eliminate the tradeoff between network performance, security, and cost. With software cut-through enabled, the first few packets of a session complete L7 packet inspection, during which the firewall determines whether the session qualifies as an elephant flow. Sessions that qualify then follow the software cut-through data path, which bypasses unnecessary operations and uses a cache to complete the remaining processing, improving the throughput handling and performance of the software firewall. Because only flows that benefit from security inspection are inspected, the overall load on the firewall is greatly reduced and performance increases without sacrificing the security posture.
For infrastructures that lack DPUs or run in a public cloud, and whose traffic pattern includes offloadable elephant flows, software cut-through based offload functions by taking advantage of the available NICs. See the Hypervisor Support Matrix to learn about the supported NICs and hypervisors.
Software cut-through based offload also supports GTP-U traffic offload. With GTP-U inner session software cut-through, for every GTP-U packet that CN-Series Kubernetes CNF mode inspects, full Layer 7 inspection is completed on the inner sessions. If the firewall determines that the inner session for this GTP-U packet qualifies to be offloaded, all subsequent GTP-U packets belonging to this session are offloaded. This improves the software firewall's throughput handling capability, especially in 5G security use cases that involve tunnel content inspection for consumer traffic within GTP-U.
Among CN-Series firewalls, only the CN-Series K8s CNF Mode supports software cut-through based offload.
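The following is an added illustrative model, not Palo Alto Networks code, of the cut-through decision described above for both plain sessions and GTP-U inner sessions: the first few packets of a session receive full L7 inspection, and once the session is judged an offloadable elephant flow, later packets take the cut-through path keyed on a cached session entry, while GTP-U packets are keyed on TEID plus the inner session so every outer packet carrying that inner flow shares one decision. `INSPECT_PACKETS`, `OFFLOADABLE_APPS`, the packet dictionaries and the `l7_inspect` stand-in are constructed assumptions, not product values or the real inspection engine.

```python
from dataclasses import dataclass

INSPECT_PACKETS = 5                     # assumed: packets fully inspected before the decision
OFFLOADABLE_APPS = {"ftp-data", "nfs"}  # assumed: apps treated as elephant-flow candidates

@dataclass
class Session:
    packets: int = 0
    app: str = ""
    state: str = "inspect"              # "inspect" | "cut-through" | "blocked"

def session_key(pkt: dict) -> tuple:
    """GTP-U traffic is keyed on TEID + inner 5-tuple; plain traffic on its own 5-tuple."""
    if "gtpu" in pkt:
        return ("gtpu", pkt["gtpu"]["teid"], *pkt["gtpu"]["inner"])
    return ("plain", *pkt["tuple"])

def l7_inspect(pkt: dict) -> tuple:
    """Stand-in for the L7 engine: returns (app, allowed). Constructed, not the real engine."""
    return pkt["app"], pkt.get("allowed", True)

class CutThroughFirewall:
    def __init__(self) -> None:
        self.sessions: dict = {}
        self.stats = {"inspected": 0, "cut_through": 0, "dropped": 0}

    def process(self, pkt: dict) -> str:
        s = self.sessions.setdefault(session_key(pkt), Session())
        if s.state == "blocked":        # verdict already cached: drop without inspection
            self.stats["dropped"] += 1
            return "drop"
        s.packets += 1
        if s.state == "cut-through":    # offloaded: cached session entry, no L7 work
            self.stats["cut_through"] += 1
            return "cut-through"
        self.stats["inspected"] += 1    # full L7 inspection for the first few packets
        s.app, allowed = l7_inspect(pkt)
        if not allowed:
            s.state = "blocked"
            self.stats["dropped"] += 1
            return "drop"
        # Offload only after the first packets were inspected and the app qualifies
        if s.packets >= INSPECT_PACKETS and s.app in OFFLOADABLE_APPS:
            s.state = "cut-through"
        return "inspect"
```

Note that once a session is in the cut-through state its packets are not inspected again, so the bytes counted under `cut_through` are exactly the traffic that relies on the earlier verdict.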