https://live.paloaltonetworks.com/t5/general-topics/about-session-offload/m-p/30375#M22221 <HTML><HEAD></HEAD><BODY><P>The PANFW has the internal logic to determine which traffic is subjected to offloading. The rule of thumb being that any traffic that does not require signature inspection ( for both application determination and threat checks ) is offloaded to the hardware processor. Like mentioned before, sessions for SSL traffic ( which is encrypted and the firewall cannot determine the signature ), application overridden traffic ( admin creates such custom application because he/she trusts such applications ), etc are offloaded. </P></BODY></HTML> Tue, 07 Jan 2014 14:28:48 GMT kprakash 2014-01-07T14:28:48Z https://live.paloaltonetworks.com/t5/general-topics/about-session-offload/m-p/30371#M22217 <HTML><HEAD></HEAD><BODY><P>Hello </P><P>the purpose is to minimze the cpu consomption but in wich way ?</P><P>how the offload work exactly?</P><P></P><P>thank's </P></BODY></HTML> Tue, 07 Jan 2014 13:59:35 GMT https://live.paloaltonetworks.com/t5/general-topics/about-session-offload/m-p/30371#M22217 Gregoux 2014-01-07T13:59:35Z https://live.paloaltonetworks.com/t5/general-topics/about-session-offload/m-p/30372#M22218 <P>The following article has the information about disabling the offload traffic:&nbsp;<BR /><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm8cCAC" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm8cCAC</A></P> Tue, 06 Oct 2020 16:04:39 GMT https://live.paloaltonetworks.com/t5/general-topics/about-session-offload/m-p/30372#M22218 Retired Member 2020-10-06T16:04:39Z https://live.paloaltonetworks.com/t5/general-topics/about-session-offload/m-p/30373#M22219 <HTML><HEAD></HEAD><BODY><P>hi </P><P>Yes it's explain when the session is offloaded </P><P>but it didn't explain how the session is offloaded, i would like some detail on it.</P><P>thank's</P></BODY></HTML> Tue, 07 Jan 2014 14:19:07 GMT https://live.paloaltonetworks.com/t5/general-topics/about-session-offload/m-p/30373#M22219 Gregoux 2014-01-07T14:19:07Z https://live.paloaltonetworks.com/t5/general-topics/about-session-offload/m-p/30374#M22220 <HTML><HEAD></HEAD><BODY><P>By default, the PANFW offloads traffic for which it need not perform content and threat checks ( like SSL traffic because its encrypted, and custom applications because the user/admin trusts these applications ). Offloading means that traffic is offloaded to a hardware chip, for faster packet processing. If offloading is set to "no", then all the traffic ( including the custom application traffic and encrypted traffic ) are subjected to signature checks, and it can cause unnecessary usage of CPU cycles. </P></BODY></HTML> Tue, 07 Jan 2014 14:22:46 GMT https://live.paloaltonetworks.com/t5/general-topics/about-session-offload/m-p/30374#M22220 kprakash 2014-01-07T14:22:46Z https://live.paloaltonetworks.com/t5/general-topics/about-session-offload/m-p/30375#M22221 <HTML><HEAD></HEAD><BODY><P>The PANFW has the internal logic to determine which traffic is subjected to offloading. The rule of thumb being that any traffic that does not require signature inspection ( for both application determination and threat checks ) is offloaded to the hardware processor. Like mentioned before, sessions for SSL traffic ( which is encrypted and the firewall cannot determine the signature ), application overridden traffic ( admin creates such custom application because he/she trusts such applications ), etc are offloaded. </P></BODY></HTML> Tue, 07 Jan 2014 14:28:48 GMT https://live.paloaltonetworks.com/t5/general-topics/about-session-offload/m-p/30375#M22221 kprakash 2014-01-07T14:28:48Z https://live.paloaltonetworks.com/t5/general-topics/about-session-offload/m-p/30376#M22222 <HTML><HEAD></HEAD><BODY><P>Hello Gregoux,</P><P>Threat signature match processing prior to the protocol decoder and the matching engine is used for content/ threat signature pattern matching, If signatures are changed during any transaction, we will mark the FPGA as unavailable, load the new signatures into the FPGA, then unmake it. The user or administrator is not having control <SPAN class="GINGER_SOFTWARE_mark">on</SPAN> it, whether the traffic will be offloaded or not. It's depending on the traffic pattern only.</P><P></P><P>Thanks</P></BODY></HTML> Wed, 08 Jan 2014 01:00:39 GMT https://live.paloaltonetworks.com/t5/general-topics/about-session-offload/m-p/30376#M22222 HULK 2014-01-08T01:00:39Z https://live.paloaltonetworks.com/t5/general-topics/about-session-offload/m-p/296764#M77997 <P><SPAN>Does anybody know if when I disable the session offload, it disables the offloading for new sessions or also for active sessions?&nbsp;&nbsp;</SPAN></P> Wed, 06 Nov 2019 17:42:36 GMT https://live.paloaltonetworks.com/t5/general-topics/about-session-offload/m-p/296764#M77997 Douglas_Zan 2019-11-06T17:42:36Z https://live.paloaltonetworks.com/t5/general-topics/about-session-offload/m-p/458488#M101910 <P>it will only disable offload for new sessions, existing session will not take effect unless clear the existing session</P> Thu, 13 Jan 2022 05:58:36 GMT https://live.paloaltonetworks.com/t5/general-topics/about-session-offload/m-p/458488#M101910 xipan 2022-01-13T05:58:36Z