Software Cut-through Based Offload
Use software cut-through offload for environments that do not support
DPU.
If your environment does not support DPU or require container based next-gen
firewall and the traffic type happens to have offloadable flows, you can take advantage
of software cut-through based offload. In order to configure software cut-through, your
firewall (PAN-OS) can be configured to implement software cut-through on the software to
do offloads.
Software cut-through is able to understand GTP-U traffic and therefore will
help in increasing handled throughput for 5G Security use-cases. With Software
Cut-through enabled, within the GTPU, the inner session completes the L7 packet
inspection then follows the existing software cut-through data path. It bypasses
unnecessary operations, and leverages cache to complete the operation, thereby improving
throughput handling and performance of the software firewall.
When using software cut-through please consider:
- Software cut-through is disabled by default on software firewalls. You can enable
this feature using bootstrap or CLI on VM-Series and CN-Series.
- On VM-Series - you can use software cut-through and ITO simultaneously.
- For upgrades to the current version with ITO enabled, enable software cut-through
session offload using CLI post upgrade.
- On Software firewalls - if you plan to use software cut-through - you need a minimum
of 6 cores.
- You can use software cut-through across software firewalls deployed in an on-prem
environment such as KVM or ESXi, or in a public cloud namely AWS, Azure, or GCP
Configure Software Cut-through based offload for a deployed VM using the CLI
Use the CLI to enable software cut-through on your VM-Series firewall without hardware
support. Software cut-through is disabled by default.
- Access the VM-Series firewall as an administrator.
- Use the CLI command set session sw-cut-thru yes to enable
software cut-through.
- To disable software cut-through, enter set session sw-cut-thru
no.
Configure Software Cut-through based offload using bootstrap
To configure software cut-through using bootstrap add the following in the
init-cfg.txt file:
plugin-op-commands=sw_cut_through:enable
To disable software cut-through using bootstrap:
plugin-op-commands=sw_cut_through disable
To display the status of software cut-through, use
show session info | match "Software Cut Through".
