Non-DPU-based Intelligent Traffic Offload on VM-Series Firewalls
Implement Intelligent Traffic Offload using hardware (DPU-based) or software
This release integrates introduces non-DPU-based intelligent traffic offload (ITO)
support on VM-Series firewalls. With the ITO service, VM-Series NGFWs eliminate the
tradeoff between network performance, security, and cost. For each new flow on the
network, the Intelligent Traffic Offload Service determines whether or not the flow can
benefit from security inspection. The first few packets of the flow are routed to the
firewall for inspection by the Intelligent Traffic Offload service, which determines
whether the rest of the packets in the flow should be inspected or offloaded. By only
inspecting flows that can benefit from security inspection, the overall load on the
firewall is greatly reduced and performance increases without sacrificing the security
For infrastructures that lack DPUs, the non-DPU-based Intelligent Traffic
Offload is able to function by taking advantage of the available NICs. See Hypervisor Support Matrix to learn about the
NICs and Hypervisors supported.
The non-DPU-based ITO supports GTPU offloads through software cut-through.
It requires an ITO subscription enabled license.