PacketMMAP and DPDK Driver Support

Single-root input/output virtualization (SR-IOV) relies on communication between virtual function (VF) drivers on the VM-Series firewall, and physical function (PF) drivers on the host (the hypervisor). The host uses PF drivers to talk to its physical NICs, and the VM-Series firewall uses VF drivers to talk to the PF drivers.
The following diagram is a simple visualization of that concept.


Why use SR-IOV? SR-IOV is a packet acceleration technology that allows a virtual machine to directly access packets from the NIC. In contrast, when using a virtual switch, the host processes the packets, sends the packets through a virtual switch, and then the virtual machine receives its packets.
In the Compatibility Matrix, PacketMMAP Driver Versions lists both the host version and the native driver version on the VM-Series firewall. For example, it lists i40e on the host and, on the firewall, i40e (for PCI-passthrough) and i40evf (for SR-IOV).
For SR-IOV, let's consider a NIC that uses the i40e PF driver. The host communicates with the NIC via the i40e driver. The VM-Series firewall can use its VF driver (i40evf) to directly communicate with the host's PF driver. This gives the VM-Series firewall direct access, which improves packet processing speed. To ensure compatibility, install a host PF driver version that is later than the native PF driver version.


Why does the VM-Series firewall have native PF drivers? As mentioned in Options for Attaching VM-Series on the Network, when using PCI-passthrough, the NIC is reserved for the VM-Series firewall, so the host (or other guests on the host) cannot access the NIC. In a PCI-passthrough configuration, the VM-Series firewall uses its native PF driver to communicate directly with the host NIC.
Refer to the PacketMMAP Driver Versions list to determine which PF driver version to install on the host. Install a PF version that is higher than the VM-Series firewall's native PF driver version.
Refer to Enable SR-IOV on ESXi and Enable SR-IOV on KVM for PCI-Passthrough.
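
The version rule above (host PF driver later than the firewall's native PF driver) can be checked on a Linux host from `ethtool -i` output. The script below is an added example, not vendor code: the function names, the sample output, and both version numbers are constructed placeholders, and it assumes the `version` field carries the PF driver version and that `sort -V` is available.

```shell
#!/bin/sh
# Added example, not vendor code. All version numbers below are constructed
# placeholders; take real values from the PacketMMAP Driver Versions list.

# Constructed sample of `ethtool -i <pf-interface>` output from a host.
SAMPLE_ETHTOOL='driver: i40e
version: 2.10.19
firmware-version: 0.0.0
bus-info: 0000:00:00.0'

# Print the value of one field ("driver", "version") from `ethtool -i` text.
ethtool_field() {
    printf '%s\n' "$2" | sed -n "s/^$1: *//p" | head -n 1
}

# Succeed only if version $1 is strictly later than $2. sort -V compares
# numeric components, so 2.10.x ranks above 2.8.x (a string compare would not).
version_later() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n 1)" = "$1" ]
}

# check_pf_driver <ethtool -i text> <expected PF driver> <firewall native PF version>
# Returns 0 = host PF driver is later, 1 = not later, 2 = wrong/unknown driver.
check_pf_driver() {
    pf_drv=$(ethtool_field driver "$1")
    pf_ver=$(ethtool_field version "$1")
    if [ "$pf_drv" != "$2" ] || [ -z "$pf_ver" ]; then
        echo "UNKNOWN: driver='$pf_drv' version='$pf_ver' (expected driver $2)"
        return 2
    fi
    if version_later "$pf_ver" "$3"; then
        echo "OK: host $pf_drv $pf_ver is later than native PF driver $3"
        return 0
    fi
    echo "UPDATE: host $pf_drv $pf_ver is not later than native PF driver $3"
    return 1
}

# Demo on the constructed sample; on a real host pass "$(ethtool -i <iface>)".
NATIVE_PF_VERSION="2.8.20"   # placeholder, not a value from the matrix
check_pf_driver "$SAMPLE_ETHTOOL" i40e "$NATIVE_PF_VERSION"
```

An equal version returns 1, because the rule asks for a host version that is later than the native one, not the same.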


PAN-OS has two packet processing modes—DPDK (default) and MMAP—and each mode has a corresponding native driver on the VM-Series firewall. For example, if the firewall is in DPDK mode, the firewall uses the DPDK i40evf driver version to communicate with the host's i40e driver (when using SR-IOV). Alternatively, when the firewall is in Packet MMAP mode, it uses a different i40evf driver version to communicate with the host's i40e driver.
You can enable DPDK on the host (the hypervisor), or on the guest (the VM-Series firewall). Enabling both yields the best results.
  • Compiling OVS with DPDK is part of enabling DPDK on the host.
    Refer to Configure OVS and DPDK on the Host.
  • VM-Series DPDK enables the native DPDK driver on the VM-Series firewall, so DPDK does not need to be enabled on the host, but it is recommended for best performance.
