Can someone please explain the concept of SP3 to me in simple terms, as I don't find any good resource to understand this.
I understand that passing the traffic through different devices will impact throughput and add latency, but how does PA work to overcome that?
To understand it better, an example of a competitor may be useful. With such a firewall you already see the difference to Palo Alto in the specifications. In their spec sheets you first see a huge number for throughput which does not mean anything, because it is just the theoretical throughput without any features enabled. (The following is an example and is probably not 100% accurate with the numbers.) If you then add URL filtering, the throughput gets cut by at least 3. Add application control and the throughput is again cut by 2 or more. Next you add IPS and the theoretical throughput will again decrease, and lastly, if you also enable malware scanning, there is only a very small fraction of the initial theoretical throughput left.
In Palo Alto specs you have two numbers: general throughput with App-ID and threat prevention throughput.
So back to the competitor: the processor there needs to track the traffic and has to decide to which additional processors the traffic needs to be forwarded. As you probably already see from their specs, this does not look like it is done in one step. It's more like this if you have enabled all features: processor-->URL engine-->processor-->application-->processor-->IPS-->processor-->AV-->processor
With Palo Alto there are also multiple steps the traffic has to go through, but it is (as SP3 states) one straightforward approach (as you can see in the image in the document from my first post) and not this back and forth as in other products. It even gets worse when other products have one general processor and the manufacturer then decided to also implement NGFW features like Palo Alto. The traffic flow is then still the same as described above, but has to go back and forth between different processes. This way the throughput decreases even more with more features enabled.
Hope this helps a little.
The overall flow with EVERYTHING (User-ID, decryption, NAT, ...) is a little more complex, but it remains the same in that it is one path the packet has to take through a Palo Alto firewall.
In a Palo Alto this is only one engine: Content-ID/SP3.
Maybe we have to go one step back. After a pattern-based application identification, the firewall checks what security profiles are applied to the matching security rule and does the SP3 setup (preparation to tell the Content-ID engine what to scan according to the security profiles). Then the packet is processed by Content-ID/SP3, and here we have the step that PA does in a single pass that other vendors do in a multi-pass approach. But now, to be honest, I am not exactly sure about the word parallel. It's either that more than one packet is processed at the same time, maybe also by multiple FPGAs, or it is that the packet will be processed by multiple specific FPGAs (AV, IPS, URL, ...) at the same time/in parallel and every FPGA does its specific job. In both cases the packet will then be forwarded/discarded according to the security profile action, or sent back to App-ID if the content inspection found an app change in the decision.
Single pass is a descriptor for the software component.
The parallel aspect describes the hardware. It's parallel because each firewall platform has dedicated networking and security processors. A simplified example: the PA-220 has 2 security processors, while a 7080 chassis has 64 security processors _per_linecard_ (up to 10 line cards total). A firewall session is assigned to one of those cores and processed. Multiple sessions are assigned to their respective cores and the firewall platform is capable of processing those sessions in parallel (each with a single pass).
Does that help?
You can get the whitepaper here if you want to read more about it: Palo Alto Networks Single-Pass Architecture: Integrated, Prevention-Oriented Security
In short, single pass means a single packet will only pass through the processing chain once; it will be inspected by several sub-processes ensuring coherence across App-ID (protocol decoding, decryption, signatures and heuristics), Content-ID and URL filtering.
As @jvalentine mentions, the firewall has specialized (multicore) hardware (security processing, signature matching and network processing) that can process multiple sessions in parallel.
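To make the two ideas from this thread concrete, here is a small added model (example code written for this page, not Palo Alto Networks code or anything from the whitepaper). "Single pass" is shown as one protocol decode whose result is handed to every inspection engine in turn, versus a "multi pass" box chain where each engine re-decodes the packet and hands back to a general processor; "parallel" is shown as sessions being pinned to one of N cores by a symmetric 5-tuple hash, so both directions of a flow land on the same core and different flows are worked on side by side. The work-unit costs (DECODE_COST, MATCH_COST, HANDOFF_COST), the tiny HTTP decoder, the signature lists and the sample packets are all constructed assumptions for illustration, not real engine costs or real signatures.

```python
"""Toy model of single-pass vs multi-pass inspection and per-session parallelism.

Added example for this thread; not vendor code. All costs below are assumed
work units chosen only to show the shape of the difference.
"""
import zlib
from dataclasses import dataclass

DECODE_COST = 3    # assumed: protocol decode / stream reassembly per engine invocation
MATCH_COST = 1     # assumed: one signature or category lookup
HANDOFF_COST = 1   # assumed: returning control to the general processor between engines


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    payload: bytes


@dataclass
class Decoded:
    app: str
    host: str
    path: str
    body: bytes


def decode(pkt: Packet) -> Decoded:
    """Minimal HTTP decoder: one shared view of the packet for every engine."""
    text = pkt.payload.decode("latin-1")
    lines = text.split("\r\n")
    method, path = (lines[0].split(" ") + ["", ""])[:2]
    host = next((l.split(":", 1)[1].strip() for l in lines[1:] if l.lower().startswith("host:")), "")
    body = pkt.payload.split(b"\r\n\r\n", 1)[1] if b"\r\n\r\n" in pkt.payload else b""
    app = "web-browsing" if method in ("GET", "POST") or method.startswith("HTTP/") else "unknown"
    return Decoded(app, host, path, body)


# Constructed lookup tables standing in for URL categories, IPS and AV signatures.
BLOCKED_HOSTS = {"malware.example": "malware"}
IPS_SIGS = [b"../../etc/passwd", b"<script>"]
AV_SIGS = [b"X5O!P%@AP"]   # EICAR test-file prefix, used here as a harmless AV sample


def url_filter(d: Decoded) -> str:
    return "block" if d.host in BLOCKED_HOSTS else "allow"

def app_control(d: Decoded) -> str:
    return "allow" if d.app == "web-browsing" else "block"

def ips(d: Decoded) -> str:
    return "block" if any(s in d.body or s in d.path.encode() for s in IPS_SIGS) else "allow"

def av(d: Decoded) -> str:
    return "block" if any(s in d.body for s in AV_SIGS) else "allow"

ENGINES = [url_filter, app_control, ips, av]


def multi_pass(pkt: Packet):
    """Each engine is its own box: decode again, match, hand back to the processor."""
    cost = 0
    for engine in ENGINES:
        d = decode(pkt)
        cost += DECODE_COST
        verdict = engine(d)
        cost += MATCH_COST + HANDOFF_COST
        if verdict == "block":
            return "block", cost
    return "allow", cost


def single_pass(pkt: Packet):
    """Decode once, then every engine inspects the same decoded view."""
    d = decode(pkt)
    cost = DECODE_COST
    for engine in ENGINES:
        cost += MATCH_COST
        if engine(d) == "block":
            return "block", cost
    return "allow", cost


def session_core(pkt: Packet, n_cores: int) -> int:
    """Pin a session to a core with a direction-independent hash of the endpoints."""
    lo, hi = sorted([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)])
    key = f"{lo[0]}:{lo[1]}-{hi[0]}:{hi[1]}".encode()
    return zlib.crc32(key) % n_cores


def run(packets, n_cores: int, inspect):
    """Return per-packet verdicts, work per core, and makespan (busiest core)."""
    per_core = [0] * n_cores
    verdicts = []
    for p in packets:
        verdict, cost = inspect(p)
        per_core[session_core(p, n_cores)] += cost
        verdicts.append(verdict)
    return verdicts, per_core, max(per_core)


def total_cost(packets, inspect) -> int:
    return sum(inspect(p)[1] for p in packets)


# Constructed sample traffic: a clean request and its reply, a path traversal,
# a request to a blocked host, and an upload carrying the EICAR prefix.
SAMPLE = [
    Packet("10.0.0.5", "93.184.216.34", 51000, 80, b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    Packet("93.184.216.34", "10.0.0.5", 80, 51000, b"HTTP/1.1 200 OK\r\n\r\nhello"),
    Packet("10.0.0.6", "203.0.113.9", 51001, 80, b"GET /a?f=../../etc/passwd HTTP/1.1\r\nHost: intranet.example\r\n\r\n"),
    Packet("10.0.0.7", "198.51.100.2", 51002, 80, b"GET / HTTP/1.1\r\nHost: malware.example\r\n\r\n"),
    Packet("10.0.0.8", "198.51.100.3", 51003, 80, b"POST /up HTTP/1.1\r\nHost: files.example\r\n\r\nX5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR"),
]

if __name__ == "__main__":
    for name, inspect in (("multi-pass", multi_pass), ("single-pass", single_pass)):
        verdicts, per_core, makespan = run(SAMPLE, 8, inspect)
        print(f"{name:12s} total={total_cost(SAMPLE, inspect):3d} makespan(8 cores)={makespan:3d} {verdicts}")
```

Under these assumed costs the verdicts are identical but the multi-pass chain spends roughly 2.5 times the work per packet, which is the effect the spec-sheet "throughput drops as you enable features" observation describes. The core pinning is what the "parallel" half of SP3 refers to: each session is handled by one core in a single pass, and many cores do that at once, so the makespan (the busiest core) falls as cores are added while the per-session single pass stays the same.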