https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/supported-sr-iov-for-palo-alto-in-ws/m-p/366146#M1058 <P><BR />SR-IOV and DPDK can be enabled simultaneously.</P><P>Slightly misleadingly, SR-IOV is assisted by the network card and DPDK is assisted by the CPU.<BR /><A href="https://en.wikipedia.org/wiki/Data_Plane_Development_Kit" target="_blank">https://en.wikipedia.org/wiki/Data_Plane_Development_Kit</A><BR /><A href="https://en.wikipedia.org/wiki/Single-root_input/output_virtualization" target="_blank">https://en.wikipedia.org/wiki/Single-root_input/output_virtualization</A></P><P><BR />Enabling SR-IOV bypasses the hypervisor that exists between the PAN-OS(VM-Series) and physical NICs.</P><P>Enabling DPDK bypasses the PAN-OS (linux kernel) that resides between the NIC bypassed by SR-IOV and the pan_task (a process that represents the data plane).</P><P>DPDK is effective for simple processes such as just moving data from east to west, raising the limit from around 20 Gbps to around 100 Gbps.</P><P>I think DPDK probably won't be effective until Threat Prevention's throughput exceeds 30 Gbps, which is not very useful at the moment.<BR />In other words, I don't think it's very useful at this time (the unconfigured defaults should be the most secure).</P><P>Where DPDK is useful is in eliminating most of the bottlenecks, even in configurations that connect via Open vSwitch (OVS).</P><P>Here are Intel's test results<BR /><A href="https://builders.intel.com/docs/networkbuilders/demonstrating-data-plane-performance-improvements-using-enhanced-platform-awareness.pdf" target="_blank">https://builders.intel.com/docs/networkbuilders/demonstrating-data-plane-performance-improvements-using-enhanced-platform-awareness.pdf</A></P><P>It should be possible to use OVS in AWS as well, but there should be little benefit to using it (although I did some research).</P><P>Therefore, I think it's enough to just enable SR-IOV, and I think it's safer to not change the default.</P> Mon, 30 Nov 2020 04:17:58 GMT nanasin 2020-11-30T04:17:58Z https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/supported-sr-iov-for-palo-alto-in-ws/m-p/365659#M1056 <P>Hello everybody,<BR />I see that we have SR-IOV and DPDK modes supported for Palo Alto in AWS and understand that DPDK is proffered mode which provides fast processing. <A href="http://www.192168101.com/" target="_self"><FONT color="#FFFFFF">192168101.com</FONT></A><BR />so are there any specific situation where SR-IOV mode is preferred over DPDK?<BR />are you know? <A href="https://19216811.dev/" target="_self"><FONT color="#FFFFFF">19216811.dev</FONT></A></P> Sun, 29 Nov 2020 03:50:46 GMT https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/supported-sr-iov-for-palo-alto-in-ws/m-p/365659#M1056 MarnieFellows 2020-11-29T03:50:46Z https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/supported-sr-iov-for-palo-alto-in-ws/m-p/366146#M1058 <P><BR />SR-IOV and DPDK can be enabled simultaneously.</P><P>Slightly misleadingly, SR-IOV is assisted by the network card and DPDK is assisted by the CPU.<BR /><A href="https://en.wikipedia.org/wiki/Data_Plane_Development_Kit" target="_blank">https://en.wikipedia.org/wiki/Data_Plane_Development_Kit</A><BR /><A href="https://en.wikipedia.org/wiki/Single-root_input/output_virtualization" target="_blank">https://en.wikipedia.org/wiki/Single-root_input/output_virtualization</A></P><P><BR />Enabling SR-IOV bypasses the hypervisor that exists between the PAN-OS(VM-Series) and physical NICs.</P><P>Enabling DPDK bypasses the PAN-OS (linux kernel) that resides between the NIC bypassed by SR-IOV and the pan_task (a process that represents the data plane).</P><P>DPDK is effective for simple processes such as just moving data from east to west, raising the limit from around 20 Gbps to around 100 Gbps.</P><P>I think DPDK probably won't be effective until Threat Prevention's throughput exceeds 30 Gbps, which is not very useful at the moment.<BR />In other words, I don't think it's very useful at this time (the unconfigured defaults should be the most secure).</P><P>Where DPDK is useful is in eliminating most of the bottlenecks, even in configurations that connect via Open vSwitch (OVS).</P><P>Here are Intel's test results<BR /><A href="https://builders.intel.com/docs/networkbuilders/demonstrating-data-plane-performance-improvements-using-enhanced-platform-awareness.pdf" target="_blank">https://builders.intel.com/docs/networkbuilders/demonstrating-data-plane-performance-improvements-using-enhanced-platform-awareness.pdf</A></P><P>It should be possible to use OVS in AWS as well, but there should be little benefit to using it (although I did some research).</P><P>Therefore, I think it's enough to just enable SR-IOV, and I think it's safer to not change the default.</P> Mon, 30 Nov 2020 04:17:58 GMT https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/supported-sr-iov-for-palo-alto-in-ws/m-p/366146#M1058 nanasin 2020-11-30T04:17:58Z https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/supported-sr-iov-for-palo-alto-in-ws/m-p/375177#M1088 <P>Supported SR-IOV for Palo Alto in WS. Hello everybody,I see that we have SR-IOV and DPDK modes supported for Palo Alto in AWS and understand that DPDK&nbsp;</P> Fri, 18 Dec 2020 10:10:29 GMT https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/supported-sr-iov-for-palo-alto-in-ws/m-p/375177#M1088 Sidneyy 2020-12-18T10:10:29Z