Session Distribution Policies
Session distribution policies define how PA-5200 and PA-7000 Series firewalls distribute security processing (App-ID, Content-ID, URL filtering, SSL decryption, and IPSec) among the dataplane processors (DPs) on the firewall. Each policy is designed for a particular type of network environment and firewall configuration so that the firewall distributes sessions with maximum efficiency. For example, the Hash session distribution policy is best suited to environments that use large-scale source NAT.
The number of DPs on a firewall varies based on the firewall model:
Depends on the number of installed Network Processing Cards (NPCs). Each NPC has multiple dataplane processors (DPs) and you can install multiple NPCs in the firewall.
The PA-5220 firewall has only one DP, so session distribution policies have no effect. Leave the policy set to the default (round-robin).
PA-5260 and PA-5280 firewalls
The following topics provide information about the available session distribution policies, how to change an active policy, and how to view session distribution statistics.
Change the Session Distribution Policy and View Statistics
Session Distribution Policy Descriptions