06-28-2020 04:56 AM
All,
I have a set of PA-5060 devices that are having issues with 300-400MB of throughput, since my environment's applications have packet payloads under the hard-set min limits (48k), forcing much of this to go to software for processing. VERIFY your packet size distribution (payload) in your networks before you make that purchase. I have 100% dataplane with 300-400MB of traffic.
Symptom
High dataplane CPU caused by an abnormal increase in "too small" or "too large" packets for content inspection.
The below global counters seem to increase with a corresponding rise in DP CPU usage:
aho_sw_min_threshold
aho_sw_max_threshold
dfa_sw_min_threshold
dfa_sw_max_threshold
Environment
Palo Alto Networks firewall with App-ID and Content Inspection
Cause
On platforms that have the content matching FPGA, the AHO and DFA content inspection algorithms are offloaded by default. There is a Minimum and Maximum threshold set for packets to be sent by dataplane to the FPGA for inspections.
If the packet size falls outside of the Minimum and Maximum thresholds, these packets are processed in the dataplane, which results in increased dataplane utilization.
aho offload setup
    Use offload
    Minimum Threshold for using offload: 32 bytes
    Maximum Threshold for using offload: 9900 bytes
dfa offload setup
    Use offload
    Minimum Threshold for using offload: 48 bytes
    Maximum Threshold for using offload: 9900 bytes
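One way to check a payload size distribution against the thresholds quoted above before sizing a platform (an added example, not part of the original post or vendor tooling). The function names and the sample sizes are constructed, and treating a payload exactly at a threshold as offloaded is an assumption.

```python
from collections import Counter

# Offload thresholds in bytes, as quoted in the post.
OFFLOAD_THRESHOLDS = {"aho": (32, 9900), "dfa": (48, 9900)}


def classify(size, lo, hi):
    """Label one payload size relative to an engine's offload window.

    Assumption: sizes equal to a threshold are still offloaded.
    """
    if size < lo:
        return "sw_min"   # too small: handled in dataplane software
    if size > hi:
        return "sw_max"   # too large: handled in dataplane software
    return "offload"      # eligible for the content-matching FPGA


def offload_profile(payload_sizes):
    """Return per-engine counts and the share of payloads left to software."""
    sizes = list(payload_sizes)
    if not sizes:
        raise ValueError("no payload sizes supplied")
    profile = {}
    for engine, (lo, hi) in OFFLOAD_THRESHOLDS.items():
        counts = Counter(classify(s, lo, hi) for s in sizes)
        software = counts["sw_min"] + counts["sw_max"]
        profile[engine] = {
            "sw_min": counts["sw_min"],
            "sw_max": counts["sw_max"],
            "offload": counts["offload"],
            "software_share": software / len(sizes),
        }
    return profile


# Constructed sample of payload sizes in bytes (e.g. exported from a capture).
SAMPLE = [20, 31, 32, 40, 47, 48, 64, 512, 1460, 9900, 9901, 12000]

if __name__ == "__main__":
    for engine, stats in offload_profile(SAMPLE).items():
        print(f"{engine}: {stats['software_share']:.0%} of payloads stay in software "
              f"(too small={stats['sw_min']}, too large={stats['sw_max']})")
```

A high `software_share` for either engine on real traffic indicates the same condition the `*_sw_min_threshold` and `*_sw_max_threshold` counters track.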