Session Distribution Policy Descriptions
The following table provides information about Session Distribution Policies to help you decide which policy best fits your environment and firewall configuration.
Session Distribution Policy
Allows you to specify the dataplane processor (DP) that the firewall will use for security processing.
Use this policy for debugging purposes.
The firewall distributes sessions based on a hash of the source address or destination address. Hash based distribution improves the efficiency of NAT address resource management and reduces latency for NAT session setup by avoiding potential IP address or port conflicts.
Use this policy in environments that use large scale source NAT with dynamic IP translation or Dynamic IP and Port translation or both. When using dynamic IP translation, select the source address option. When using dynamic IP and port translation, select the destination address option.
Ingress-slot (default on PA-7000 Series firewalls)
(PA-7000 Series firewalls only) New sessions are assigned to a DP on the same NPC on which the first packet of the session arrived. The selection of the DP is based on the session-load algorithm but, in this case, sessions are limited to the DPs on the ingress NPC.
Depending on the traffic and network topology, this policy generally decreases the odds that traffic will need to traverse the switch fabric.
Use this policy to reduce latency if both ingress and egress are on the same NPC. If the firewall has a mix of NPCs (PA-7000 20G and PA-7000 20GXM for example), this policy can isolate the increased capacity to the corresponding NPCs and help to isolate the impact of NPC failures.
The firewall randomly selects a DP for session processing.
Round-robin (default on PA-5200 Series firewalls)
The firewall selects the dataplane processor based on a round-robin algorithm between active dataplanes so that input, output, and security processing functions are shared among all dataplanes.
Use this policy in low to medium demand environments where a simple and predictable load balancing algorithm will suffice.
In high demand environments, we recommend that you use the session-load algorithm.
This policy is similar to the round-robin policy but uses a weight-based algorithm to determine how to distribute sessions to achieve balance among the DPs. Because of the variability in the lifetime of a session, the DPs may not always experience an equal load. For example, if the firewall has three DPs and DP0 is at 25% of capacity, DP1 is at 25%, and DP2 is at 50%, new session assignment will be weighted towards the DP with the lower capacities. This helps improve load balancing over time.
Use this policy in environments where sessions are distributed across multiple NPC slots, such as in an inter-slot aggregate interface group or environments with asymmetric forwarding. You can also use this policy or the ingress-slot policy if the firewall has a combination of NPCs with different session capacities (such as a combination of PA-7000 20G and PA-7000 20GXM NPCs).
(PA-5200 Series and PA-7000 Series firewalls running PAN-OS 8.0 or later) The firewall selects the DP by a hash of sorted source and destination IP addresses. This policy provides the same results for server-to-client (s2c) and client-to-server (c2s) traffic (assuming the firewall does not use NAT).
Use this policy in high-demand IPSec or GTP deployments.
With these protocols, each direction is treated as a unidirectional flow where the flow tuples cannot be derived from each other. This policy improves performance and reduces latency by ensuring that both directions are assigned to the same DP, which removes the need for inter-DP communication.
Session Distribution Policies
Session Distribution Policies Session distribution policies define how PA-5200 and PA-7000 Series firewalls distribute security processing (App-ID, Content-ID, URL filtering, SSL decryption, and IPSec) among ...
Change the Session Distribution Policy and View Statistics
Change the Session Distribution Policy and View Statistics The following table describes how to view and change the active Session Distribution Policies and describes how ...
Decryption Broker: Multiple Security Chains
Decryption Broker: Multiple Security Chains A firewall enabled as a decryption broker supports forwarding to multiple security chains (Layer 3, Transparent Bridge, or a mix ...
NAT Translated Packet Tab
NAT Translated Packet Tab Policy > NAT > Translated Packet Select the Translated Packet tab to determine, for Source Address Translation, the type of translation ...
Decryption Broker: Security Chain Health Checks
Decryption Broker: Security Chain Health Checks A decryption broker can monitor the status of security chains to ensure that they are effectively processing decrypted traffic. ...
Configure Decryption Broker with One or More Layer 3 Securi...
Configure Decryption Broker with One or More Layer 3 Security Chain Perform the following steps to enable the firewall to act as a decryption broker ...
Objects > Decryption > Forwarding Profile
Objects > Decryption > Forwarding Profile You can set up a Decryption Forwarding profile to enable the firewall to act as a decryption broker . ...
Configure Decryption Broker with a Single Transparent Bridg...
Configure Decryption Broker with a Single Transparent Bridge Security Chain Perform the following steps to enable the firewall to act as a decryption broker that ...
ECMP Load-Balancing Algorithms
ECMP Load-Balancing Algorithms Let’s suppose the Routing Information Base (RIB) of the firewall has multiple equal-cost paths to a single destination. The maximum number of ...