Palo Alto Networks is marketing a family of next-generation virtual firewalls designed specifically for use with Nvidia’s BlueField DPUs.
Announced at the end of 2019, Nvidia’s BlueField-2 DPU, which came out of the Mellanox acquisition, is designed to take networking and security workloads off the server’s CPUs. Palo Alto Networks says this lets its VM-Series firewalls, which run on standard servers, reach throughput “near 100 Gbps” for most use cases, roughly a fivefold improvement over running the same firewall on a CPU alone. The BlueField-2 is built around eight Arm Cortex-A72 cores and carries hardware accelerators for networking and security tasks. This offering directly responds to the challenges companies and network operators face when they build cloud-like data centers, said Muninder Singh Sambi, SVP of Product at Palo Alto Networks, in a press release.
Using DPUs and SmartNICs to accelerate firewalls is, however, nothing new; Intel, Nvidia and Pliops all play in this space, and DPUs and SmartNICs have been built into security appliances for years. What is changing is that DPUs are now also being used in virtualized environments rather than only in dedicated appliances. With Project Monterey, VMware is already well engaged in this area, supporting DPUs from both Intel and Nvidia. Running on BlueField-2 DPUs, the Palo Alto Networks VM-Series can spread across DPU-equipped data center servers to accommodate varying traffic patterns.
With its VM-Series firewalls, Palo Alto Networks offers scalable, API-driven technology together with leading SmartNIC and DPU vendors such as Nvidia. (Credit: Palo Alto Networks)
Better flow analysis
The platform offloads packet filtering and forwarding to the DPU, which analyzes, classifies and steers traffic flows according to policy criteria. This frees CPU resources for security functions while letting users exclude traffic that would not benefit from inspection, a feature Palo Alto Networks calls Intelligent Traffic Offload (ITO).
“Up to 80% of network traffic, including media and encrypted data in a data center, does not need to be – or cannot be – inspected by a firewall,” wrote Ash Bhalgat, senior director of cloud at Nvidia, in a blog post. Once the firewall has identified a flow as encrypted or streaming media, for example, it instructs the DPU to forward all subsequent packets of that flow straight to their destination, freeing CPU cycles for traffic that does need inspection. “In such environments, intelligent traffic offloading will ensure that firewall resources are optimally utilized to inspect only those flows that benefit from continuous security inspection,” Bhalgat added.
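The slow-path/fast-path split described above, modeled as an added example (this is illustrative code written for this page, not Palo Alto Networks’ or Nvidia’s implementation). The firewall inspects the first packets of every flow, classifies the application with assumed first-packet heuristics (TLS ClientHello, RTP header, HTTP method), and for classes named in an assumed OFFLOAD_APPS policy installs a flow entry so the simulated DPU forwards the rest of the flow without the firewall ever seeing it again; the blocked-port rule, flow keys and sample packets are all constructed for the demo.

```python
"""Toy model of a firewall slow path plus DPU fast path (added example, not
vendor code). The firewall sees the first packets of each flow, decides a
verdict, and for offloadable flows installs an entry so the simulated DPU
forwards the remaining packets without any CPU-side inspection."""
from dataclasses import dataclass
from typing import Dict, Tuple

# 5-tuple identifying a flow: (src_ip, dst_ip, src_port, dst_port, proto)
FlowKey = Tuple[str, str, int, int, str]

# Assumed policy: application classes the firewall is willing to hand to the DPU.
# Once offloaded, later packets are never inspected, so only flows whose later
# payload cannot change the verdict (encrypted bulk data, media) belong here.
OFFLOAD_APPS = {"tls", "rtp"}
BLOCKED_DST_PORTS = {23}  # assumed policy: drop cleartext telnet outright


@dataclass
class FlowState:
    app: str = "unknown"
    verdict: str = "inspect"  # inspect | offload | drop
    packets_inspected: int = 0


def classify_payload(payload: bytes) -> str:
    """Cheap first-packet application identification (assumed heuristics)."""
    # TLS record: content type 0x16 (handshake), version 0x03 0x0X,
    # first handshake message type 0x01 (ClientHello)
    if len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03 and payload[5] == 0x01:
        return "tls"
    if payload.split(b" ", 1)[0] in (b"GET", b"POST", b"PUT", b"HEAD"):
        return "http"
    # RTP fixed header is 12 bytes and carries version 2 in the top two bits
    if len(payload) >= 12 and (payload[0] >> 6) == 2:
        return "rtp"
    return "unknown"


class OffloadFirewall:
    def __init__(self) -> None:
        self.flows: Dict[FlowKey, FlowState] = {}
        # slow_path: packets the firewall CPU inspected; fast_path: packets the
        # DPU forwarded without inspection; dropped: packets discarded by policy
        self.stats = {"slow_path": 0, "fast_path": 0, "dropped": 0}

    def handle_packet(self, key: FlowKey, payload: bytes) -> str:
        st = self.flows.setdefault(key, FlowState())
        if st.verdict == "offload":
            self.stats["fast_path"] += 1  # DPU flow-entry hit: no CPU work
            return "fast"
        if st.verdict == "drop":
            self.stats["dropped"] += 1
            return "drop"
        # Slow path: the firewall CPU inspects the packet and evaluates policy
        self.stats["slow_path"] += 1
        st.packets_inspected += 1
        if key[3] in BLOCKED_DST_PORTS:
            st.verdict = "drop"
            self.stats["dropped"] += 1
            return "drop"
        if st.app == "unknown":
            st.app = classify_payload(payload)
        if st.app in OFFLOAD_APPS:
            st.verdict = "offload"  # install the flow entry on the DPU
            return "offload"
        return "inspected"  # stays on the slow path for its whole lifetime


def run_demo() -> Dict[str, int]:
    """Push constructed sample traffic (not captured data) through the model."""
    fw = OffloadFirewall()
    tls = ("10.0.0.5", "203.0.113.10", 51000, 443, "tcp")
    http = ("10.0.0.5", "203.0.113.20", 51001, 80, "tcp")
    rtp = ("10.0.0.6", "203.0.113.30", 40000, 5004, "udp")
    telnet = ("10.0.0.7", "203.0.113.40", 51002, 23, "tcp")
    client_hello = bytes([0x16, 0x03, 0x01, 0x00, 0xC8, 0x01]) + b"\x00" * 10
    app_data = bytes([0x17, 0x03, 0x03, 0x00, 0x20]) + b"\xaa" * 32
    rtp_pkt = bytes([0x80, 0x60, 0x00, 0x01]) + b"\x00" * 8 + b"\x11" * 20
    for p in [client_hello] + [app_data] * 5:   # 1 inspected, 5 offloaded
        fw.handle_packet(tls, p)
    for p in [b"GET / HTTP/1.1\r\n", b"Host: x\r\n", b"\r\n"]:  # all inspected
        fw.handle_packet(http, p)
    for p in [rtp_pkt] * 4:                      # 1 inspected, 3 offloaded
        fw.handle_packet(rtp, p)
    for p in [b"\xff\xfd\x18", b"login: "]:      # both dropped by port policy
        fw.handle_packet(telnet, p)
    return dict(fw.stats)


if __name__ == "__main__":
    print(run_demo())
```

The design point to take from the model is the one the 80% figure glosses over: the offload decision is made on the first packet or two, and after it the firewall never sees the flow again, so the policy of what is offloadable (encrypted bulk data, media) is itself a security control and deserves the same review as any allow rule.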