SR-IOV and DPDK can be enabled simultaneously.
Slightly misleadingly, SR-IOV is assisted by the network card and DPDK is assisted by the CPU.
Enabling SR-IOV bypasses the hypervisor that exists between the PAN-OS (VM-Series) and physical NICs.
Enabling DPDK bypasses the PAN-OS (Linux kernel) that resides between the NIC bypassed by SR-IOV and the pan_task (a process that represents the data plane).
DPDK is effective for simple processes such as just moving data from east to west, raising the limit from around 20 Gbps to around 100 Gbps.
I think DPDK probably won't be effective until Threat Prevention's throughput exceeds 30 Gbps, which is not very useful at the moment.
In other words, I don't think it's very useful at this time (the unconfigured defaults should be the most secure).
Where DPDK is useful is in eliminating most of the bottlenecks, even in configurations that connect via Open vSwitch (OVS).
Here are Intel's test results
It should be possible to use OVS in AWS as well, but there should be little benefit to using it (although I did some research).
Therefore, I think it's enough to just enable SR-IOV, and I think it's safer to not change the default.