Session Distribution Policies
Session distribution policies define how PA-5200 and PA-7000 Series firewalls distribute security processing (App-ID, Content-ID, URL filtering, SSL decryption, and IPSec) among dataplane processors (DPs) on the firewall. Each policy is specifically designed for a certain type of network environment and firewall configuration to ensure that the firewall distributes sessions with maximum efficiency. For example, the Hash session distribution policy is best fit for environments that use large scale source NAT.
The number of DPs on a firewall varies based on the firewall model:
Depends on the number of installed Network Processing Cards (NPCs). Each NPC has multiple dataplane processors (DPs) and you can install multiple NPCs in the firewall.
The PA-5220 firewall has only one DP so sessions distribution policies do not have an effect. Leave the policy set to the default (round-robin).
PA-5260 and PA-5280 firewalls
The following topics provide information about the available session distribution policies, how to change an active policy, and how to view session distribution statistics.
Change the Session Distribution Policy and View Statistics
Change the Session Distribution Policy and View Statistics The following table describes how to view and change the active Session Distribution Policies and describes how ...
Session Distribution Policy Descriptions
Session Distribution Policy Descriptions The following table provides information about Session Distribution Policies to help you decide which policy best fits your environment and firewall ...
Session Owner In an HA active/active configuration, both firewalls are active simultaneously, which means packets can be distributed between them. Such distribution requires the firewalls ...
Configure Decryption Broker with One or More Layer 3 Securi...
Configure Decryption Broker with One or More Layer 3 Security Chain Perform the following steps to enable the firewall to act as a decryption broker ...
Decryption Broker: Security Chain Health Checks
Decryption Broker: Security Chain Health Checks A decryption broker can monitor the status of security chains to ensure that they are effectively processing decrypted traffic. ...
NAT Translated Packet Tab
NAT Translated Packet Tab Policy > NAT > Translated Packet Select the Translated Packet tab to determine, for Source Address Translation, the type of translation ...
Objects > Decryption > Forwarding Profile
Objects > Decryption > Forwarding Profile You can set up a Decryption Forwarding profile to enable the firewall to act as a decryption broker . ...
Configuration Capacity Improvements
For some firewall models, PAN-OS® 8.1 supports more address objects, address groups, service objects, service groups, zones, security rules, FQDN address objects, and DHCP relay ...