
Single Pass Parallel Processing SP3



Hi All,

Please can someone explain the concept of SP3 to me in simple terms, as I don't find any good resource to understand this.

I understand that passing the traffic through different devices will impact throughput and add latency, but how does PA work to overcome that?

Thanks


This document should answer your question about SP3:

https://www.paloaltonetworks.com/resources/whitepapers/single-pass-parallel-processing-architecture


Regards,

Remo

Hi Remo,

I have gone through this document and the terms are still confusing.

When we say single pass, does this mean that the same software is used for all the functions (IPS, AV, etc.) without having to use different modules for each function?

Thanks

Hi @mahmoodm

To understand it better, an example of a competitor may be useful. With such a firewall you already see the difference to Palo Alto in the specifications. In their spec sheets you first see a huge number for throughput which does not mean anything, because it's just the theoretical throughput without any features enabled. (The following is an example and is probably not 100% accurate with the numbers.) If you then add URL filtering, the throughput gets cut by at least 3. Add application control and the throughput is again cut by 2 or more. Next you add IPS and the theoretical throughput will again decrease, and lastly, if you also enable malware scanning, there is only a very little fraction of the initial theoretical throughput left.

In Palo Alto specs you have two numbers: general throughput with App-ID and threat prevention throughput.

So back to the competitor: the processor there needs to track the traffic and has to decide to what additional processors the traffic needs to be forwarded. As you probably already see from their specs, this does not look like it is done in one step. It's more like this if you have enabled all features: processor-->url engine-->processor-->application-->processor-->IPS-->processor-->AV-->processor

With Palo Alto there are also multiple steps the traffic has to go through, but it is (as SP3 states) one straightforward approach (as you can see in the image in the document from my first post) and not this back and forth as in other products. It even gets worse when other products have one general processor and then the manufacturer decided to also implement NGFW features like Palo Alto. The traffic flow is then still the same as described above but has to go back and forth between different processes. This way the throughput decreases even more with more features enabled.

Hope this helps a little.

Regards,

Remo

Hi Remo,

Thanks for the response.

So does this mean that the packet is passed through all these engines in PA at the same time, if I understand it correctly?

Or is it passed step by step through each module?

Hi @mahmoodm

The overall flow with EVERYTHING (User-ID, decryption, NAT, ...) is a little more complex, but it remains the same in that it is one path the packet has to take through a Palo Alto firewall.

In a Palo Alto this is only one engine: Content-ID/SP3.

Maybe we have to go one step back. After a pattern-based application identification, the firewall checks what security profiles are applied to the matching security rule and does the SP3 setup (preparation to tell the Content-ID engine what to scan according to the security profiles). Then the packet is processed by Content-ID/SP3, and here we have the step that PA does in a single pass that other vendors do in a multi-pass approach. But now, to be honest, I am not exactly sure about the word parallel. It's either that there is more than one packet processed at the same time, maybe also by multiple FPGAs, or it is that the packet will be processed by multiple specific FPGAs (AV, IPS, URL, ...) at the same time/in parallel and every FPGA does its specific job. In both cases the packet will then be forwarded/discarded according to the security profile action or sent back to App-ID if the content inspection found an app change in the decision.

Hi Remo,

Thanks a lot for taking the time to respond, and as you said, the word PARALLEL is a confusion.

Maybe someone from the PA team can clarify whether the packet is acted upon by all the features at the same time, i.e. all the features working in parallel.

Thanks

@reaper

Could you maybe explain the word "Parallel" in the context of SP3?

Single pass is a descriptor for the software component.

The parallel aspect describes the hardware. It's parallel because each firewall platform has dedicated networking and security processors. A simplified example: the PA-220 has 2 security processors, while a 7080 chassis has 64 security processors per line card (up to 10 line cards total). A firewall session is assigned to one of those cores and processed. Multiple sessions are assigned to their respective cores and the firewall platform is capable of processing those sessions in parallel (each with a single pass).

Does that help?

You can get the whitepaper here if you want to read more about it: Palo Alto Networks Single-Pass Architecture: Integrated, Prevention-Oriented Security

In short, single pass means a single packet will only pass through the processing chain once; it will be inspected by several sub-processes ensuring coherence to App-ID (protocol decoding, decryption, signatures and heuristics), Content-ID and URL filtering.

As @jvalentine mentions, the firewall has specialized (multicore) hardware (security processing, signature matching and network processing) that can process multiple sessions in parallel.

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
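To make the two answers above concrete (single pass = the software decodes a stream once and runs every enabled profile over that one view; parallel = independent sessions are handed to separate cores), here is a toy model written for this thread. It is not Palo Alto Networks code; the engines, profile names, sessions and match rules are all constructed stand-ins, and the thread pool merely plays the role of the per-session security processors.

```python
"""Toy model of single-pass vs multi-pass inspection and per-session parallelism.

Constructed example for this thread, not PAN-OS code: engines, profiles and
traffic are invented to show the concept only.
"""
from concurrent.futures import ThreadPoolExecutor
from dataclasses import dataclass, field

# Constructed sample sessions: session id -> payload as seen after protocol decoding
SESSIONS = {
    1: "GET /index.html HTTP/1.1 Host: example.test",
    2: "GET /evil.exe HTTP/1.1 Host: bad.example.test",
    3: "GET /login HTTP/1.1 Host: example.test X-Marker: EICAR-TEST",
}

# Security profile name -> check run on the decoded (lower-cased) stream.
# Only the profiles attached to the matched rule are run (the "SP3 setup" step).
PROFILES = {
    "url-filtering": lambda p: "bad.example" in p,
    "antivirus":     lambda p: "eicar" in p,
    "vulnerability": lambda p: ".exe" in p,
}

@dataclass
class Result:
    session: int
    decodes: int                 # how many times the stream was decoded/parsed
    hits: list = field(default_factory=list)

def decode(payload, counter):
    """Stand-in for protocol decoding; counts each pass over the stream."""
    counter[0] += 1
    return payload.lower()

def multi_pass(session, enabled):
    """Competitor-style chain: every engine decodes the stream again."""
    counter = [0]
    hits = [n for n in enabled if PROFILES[n](decode(SESSIONS[session], counter))]
    return Result(session, counter[0], hits)

def single_pass(session, enabled):
    """SP3-style: decode once, then run every enabled profile over that one view."""
    counter = [0]
    decoded = decode(SESSIONS[session], counter)
    hits = [n for n in enabled if PROFILES[n](decoded)]
    return Result(session, counter[0], hits)

def inspect_in_parallel(enabled, workers=2):
    """Sessions are farmed out to 'cores'; each core does its own single pass."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        return list(pool.map(lambda s: single_pass(s, enabled), SESSIONS))
```

Compare `multi_pass(2, list(PROFILES)).decodes` (three decodes for three profiles) with `single_pass(2, list(PROFILES)).decodes` (one): the verdicts are identical, only the number of passes over the stream differs.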

Hi Reaper,

Thanks for the response.

That means each HW processor, which is responsible for its own function, acts on the packet. One question: does a copy of the packet go into each of these engines to be processed? I mean, how do they process the same packet?

Apologies for my little understanding.

@mahmoodm,

I'm sorry if this has already been brought up, but a quick glance tells me it doesn't look like it. To get a better understanding of what the packet flow looks like in PAN-OS in general, there is a really good writeup here that goes through every single process of packet flow in depth. This would likely be a big help to further understand how Palo Alto does things.
