Session distribution policies define how PA-5200 Series and PA-7000 Series and PA-7500 Series firewalls distribute security
processing (App-ID, Content-ID, URL filtering, SSL decryption, and IPSec) among
dataplane processors (DPs) on the firewall. Each policy is specifically designed for a
certain type of network environment and firewall configuration to ensure that the
firewall distributes sessions with maximum efficiency. For example, the Hash session
distribution policy is best fit for environments that use large scale source NAT.
The number of DPs on a firewall varies based on the firewall
model:
Firewall Model
Dataplane Processor(s)
PA-7500 Series
Depends on the number of installed Data
Processing Cards (DPC). Each DPC has six dataplane processors.
When PA-7500 Series firewalls are nodes in an
NGFW cluster, the nodes must use the same type of session
distribution policy (fixed, hash, ingress-slot, random, round-robin,
session-load, or symmetric-hash).
PA-7000 Series
Depends on the number of installed
Network Processing Cards (NPCs). Each NPC has multiple dataplane
processors (DPs) and you can install multiple NPCs in the firewall.
PA-5220 firewall
1
The PA-5220 firewall
has only one DP so sessions distribution policies do not have an
effect. Leave the policy set to the default (round-robin).
PA-5250 firewall
2
PA-5260 and PA-5280
firewalls
3
PA-5450 firewall
Depends on the number of installed Data
Processing Cards (DPCs).
The following topics provide information about the available
session distribution policies, how to change an active policy, and
how to view session distribution statistics.