Software Cut-through Based Offload on CN-Series Firewall

Where Can I Use This?
  • CN-Series as Kubernetes CNF deployment

What Do I Need?
  • CN-Series 10.1.x or above Container Images
  • For Panorama managed CN-Series firewalls, Panorama running PAN-OS 11.0.4 or above

Overview

With the software cut-through based Intelligent Traffic Offload (ITO) service, the CN-Series firewall eliminates the tradeoff between network performance, security, and cost. For each new flow on the network, the ITO service determines whether or not the flow can benefit from security inspection. The ITO service routes the first few packets of the flow to the firewall for inspection, and the firewall then decides whether to inspect or offload the rest of the packets in the flow. This decision is based on policy or on the flow being one that cannot be inspected. By inspecting only the flows that can benefit from security inspection, the overall load on the firewall is reduced and performance increases without sacrificing the security posture.
For infrastructures that lack DPUs, the software cut-through based ITO functions by taking advantage of the available NICs. See Hypervisor Support Matrix to learn about the NICs and hypervisors supported.
The software cut-through based offload supports the GTP-U tunnel protocol. With GTP-U inner session software cut-through, after the GTP-U inner session completes Layer 7 inspection, the GTP-U packet follows the existing software cut-through datapath, bypasses the unnecessary operations, takes advantage of a FIB/MAC cache, and runs to completion. The CN-Series firewall supports the PAN-OS software cut-through feature for GTP-U specific traffic offload when the CN-Series firewall is deployed as a Kubernetes CNF service.

GTP-U Specific Traffic Offload on CN-Series Firewall

GTP comprises a control plane (GTP-C), user plane (GTP-U), and charging (GTP' derived from GTP-C) traffic transferred on UDP/IP. View the PAN-OS releases by model that support GTP and the 3GPP Technical Standards that GTPv1-C, GTPv2-C, and GTP-U support. Enabling GTP security on Palo Alto Networks® firewalls allows you to protect the mobile core network infrastructure from malformed GTP packets, denial-of-service attacks, and out-of-state GTP messages, and also allows you to protect mobile subscribers from spoofed IP packets and overbilling attacks.
GTP-U is defined in 3GPP TS 29.281. It encapsulates and routes user plane traffic across multiple signaling interfaces such as S1, S5, and S8. GTP-U messages are either user plane or signaling messages. The registered port number for GTP-U is 2152. For more information, see GTP Protection Profile.
The software cut-through based offload on CN-Series also supports GTP-U traffic offloads. You can now use the Intelligent Traffic Offload subscription on CN-Series in Kubernetes CNF mode to unlock more performance and protect mobile networks leveraging GTP Security. For every GTP-U packet that CN-Series in Kubernetes CNF mode inspects, a full Layer 7 inspection is completed on the inner sessions. If the firewall determines that the inner sessions for this GTP-U packet qualify to be offloaded, then all subsequent GTP-U packets that belong to this session are offloaded.
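To make the "inner session" that the firewall inspects concrete, here is an added example (not code from Palo Alto Networks or the CN-Series product) that parses a GTP-U packet per the 3GPP TS 29.281 header layout, walks the optional sequence/N-PDU/extension-header fields, and returns the encapsulated user plane packet together with its IPv4 five-tuple. The sample G-PDU, its TEID and addresses are constructed for the example; the message type names and the port number 2152 are from the standard.

```python
import struct
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

GTPU_PORT = 2152  # registered UDP port for GTP-U (3GPP TS 29.281)

# GTP-U message types: 255 carries a user plane PDU, the rest are signaling.
MSG_NAMES = {1: "Echo Request", 2: "Echo Response", 26: "Error Indication",
             31: "Supported Extension Headers Notification",
             254: "End Marker", 255: "G-PDU"}


@dataclass
class GtpuHeader:
    version: int
    protocol_type: int          # 1 = GTP, 0 = GTP' (charging)
    message_type: int
    length: int                 # payload length after the 8-byte mandatory header
    teid: int
    sequence: Optional[int] = None
    npdu: Optional[int] = None
    ext_headers: List[Tuple[int, bytes]] = field(default_factory=list)
    header_len: int = 8         # bytes consumed before the inner packet

    @property
    def message_name(self) -> str:
        return MSG_NAMES.get(self.message_type, "Unknown")


def parse_gtpu(packet: bytes) -> Tuple[GtpuHeader, bytes]:
    """Parse a GTP-U header; return (header, inner payload bytes)."""
    if len(packet) < 8:
        raise ValueError("truncated GTP-U header")
    flags, msg_type, length, teid = struct.unpack("!BBHI", packet[:8])
    version = flags >> 5
    if version != 1:
        raise ValueError("not a GTPv1-U packet")
    pt, e, s, pn = (flags >> 4) & 1, (flags >> 2) & 1, (flags >> 1) & 1, flags & 1
    end = 8 + length
    if end > len(packet):
        raise ValueError("GTP-U length field exceeds packet size")
    hdr = GtpuHeader(version, pt, msg_type, length, teid)
    offset = 8
    if e or s or pn:
        # The 4 optional bytes are present if any of E, S or PN is set.
        if len(packet) < 12:
            raise ValueError("truncated optional GTP-U fields")
        seq, npdu, next_type = struct.unpack("!HBB", packet[8:12])
        offset = 12
        if s:
            hdr.sequence = seq
        if pn:
            hdr.npdu = npdu
        # Extension headers chain only when E is set; each is len*4 bytes
        # (length byte, content, next-type byte) and type 0 ends the chain.
        while e and next_type != 0:
            units = packet[offset]
            total = units * 4
            if units == 0 or offset + total > end:
                raise ValueError("malformed GTP-U extension header")
            hdr.ext_headers.append((next_type, packet[offset + 1:offset + total - 1]))
            next_type = packet[offset + total - 1]
            offset += total
    hdr.header_len = offset
    return hdr, packet[offset:end]


def inner_five_tuple(inner: bytes):
    """Extract (src, dst, proto, sport, dport) from an inner IPv4 packet."""
    if len(inner) < 20 or inner[0] >> 4 != 4:
        raise ValueError("only IPv4 inner packets are handled in this example")
    ihl = (inner[0] & 0x0F) * 4
    proto = inner[9]
    src = ".".join(str(b) for b in inner[12:16])
    dst = ".".join(str(b) for b in inner[16:20])
    sport = dport = None
    if proto in (6, 17) and len(inner) >= ihl + 4:  # TCP or UDP
        sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    return src, dst, proto, sport, dport


def build_sample_gpdu() -> bytes:
    """Constructed G-PDU (TEID 0x1234, seq 7) carrying IPv4/UDP 10.0.0.1 -> 10.0.0.2."""
    payload = b"hello"
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(payload), 0) + payload
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                       bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + udp
    # flags 0x32: version 1, PT=1, S=1; length covers optional fields + inner packet
    gtpu = struct.pack("!BBHI", 0x32, 255, 4 + len(ipv4), 0x1234)
    gtpu += struct.pack("!HBB", 7, 0, 0)
    return gtpu + ipv4


if __name__ == "__main__":
    header, inner_pkt = parse_gtpu(build_sample_gpdu())
    print(header.message_name, hex(header.teid), inner_five_tuple(inner_pkt))
```

Signaling messages (Echo, Error Indication, End Marker) have no inner session and are never offload candidates; only the inner packet of a G-PDU is what the page's Layer 7 inspection and subsequent offload decision apply to.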
Following are the important points to consider before configuring software cut-through based offload on a CN-Series firewall:
  • By default, software cut-through based ITO configurations are disabled.
  • You can enable this feature only using bootstrap/CLI.
  • You can use software cut-through based ITO for plain traffic and GTP-U offload within software cut-through based ITO simultaneously.
  • For upgrades to the current version with ITO enabled, enable session offload using CLI post upgrade.
In the CN-Series, only the CN-Series as a Kubernetes CNF mode of deployment supports software cut-through based ITO.

Enable GTP-U Inner Session offloads on CN-Series Firewall

To enable GTP-U inner session offloads on the CN-Series firewall, first satisfy the prerequisites for enabling GTP Security or 5G Security.
You must edit the pan-cn-mgmt-configmap.yaml file with the following changes:
In the pan-cn-mgmt-configmap.yaml file, the PAN_GTP_ENABLED, PAN_GTP_CUT_THRU, and PAN_SW_CUT_THRU parameters must all be set to "true" to enable GTP-U inner session offloads.
Here is an example of an updated pan-cn-mgmt-configmap.yaml file:
# Start MGMT pod with GTP enabled. For complete functionality, need GTP
# enabled at Panorama as well.
PAN_GTP_ENABLED: "true"
# Start MGMT pod with GTP SW cut Through enable.
PAN_GTP_CUT_THRU: "true"
# Start MGMT pod with SW cut Through enable.
PAN_SW_CUT_THRU: "true"
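Because all three parameters must be "true" before the mgmt pod starts, a pre-deploy check that reads the ConfigMap and reports any flag that is missing or not "true" catches the common mistake of enabling only one of them. The following is an added example, not part of the CN-Series product or its documentation; it uses a small line-based reader for the flat data: section rather than a YAML library, and the sample ConfigMap text (including its metadata name) is constructed for the example.

```python
import re
from typing import Dict, List

# The three pan-cn-mgmt-configmap.yaml parameters the page requires to be "true".
REQUIRED_FLAGS = ("PAN_GTP_ENABLED", "PAN_GTP_CUT_THRU", "PAN_SW_CUT_THRU")

# Constructed sample in the style of the page's excerpt; one flag deliberately wrong.
SAMPLE_CONFIGMAP = """\
apiVersion: v1
kind: ConfigMap
metadata:
  name: pan-mgmt-config
data:
  # Start MGMT pod with GTP enabled. For complete functionality, need GTP
  # enabled at Panorama as well.
  PAN_GTP_ENABLED: "true"
  # Start MGMT pod with GTP SW cut Through enable.
  PAN_GTP_CUT_THRU: "true"
  # Start MGMT pod with SW cut Through enable.
  PAN_SW_CUT_THRU: "false"
"""

KV_RE = re.compile(r'^\s*([A-Za-z_][A-Za-z0-9_]*)\s*:\s*(.*?)\s*$')


def parse_configmap_data(text: str) -> Dict[str, str]:
    """Return key -> value for entries under the top-level data: block.

    Comments and blank lines are skipped and surrounding quotes are removed,
    which is enough for the flat KEY: "value" entries this ConfigMap uses.
    """
    data: Dict[str, str] = {}
    in_data = False
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if not line.startswith(" "):
            # A top-level key: only the data: block is of interest.
            in_data = stripped == "data:"
            continue
        if not in_data:
            continue
        match = KV_RE.match(line)
        if not match:
            continue
        key, value = match.groups()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        data[key] = value
    return data


def check_gtpu_offload_flags(data: Dict[str, str]) -> List[str]:
    """List every required flag that is absent or not set to "true"."""
    problems: List[str] = []
    for flag in REQUIRED_FLAGS:
        value = data.get(flag)
        if value is None:
            problems.append(f"{flag} is missing")
        elif value.lower() != "true":
            problems.append(f'{flag} is "{value}", expected "true"')
    return problems


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIGMAP
    issues = check_gtpu_offload_flags(parse_configmap_data(text))
    for issue in issues:
        print("NOT OK:", issue)
    if not issues:
        print("OK: GTP-U inner session offload flags are all set")
```

Run it against the real pan-cn-mgmt-configmap.yaml path as the first argument; with no argument it checks the built-in sample and reports the one flag that is still "false".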