Intelligent Traffic Offload Service for VM-Series on KVM
Learn how the Intelligent Traffic Offload Service for VM-Series on KVM pairs with the BlueField-2 DPU to increase your VM-Series firewall performance.
With the new Intelligent Traffic Offload (ITO) service, VM-Series virtual NGFWs eliminate the tradeoff between network performance, security, and cost. The ITO service integrates with the industry's leading SmartNICs to improve virtual firewall performance by 5X by offloading traffic that does not benefit from security inspection from the firewall to the BlueField-2 DPU.
For each new flow on the network, the ITO service determines whether or not the flow can benefit from security inspection. The ITO service routes the first few packets of the flow to the firewall for inspection and, based on those packets, decides whether the rest of the packets in the flow should continue to be inspected or should be offloaded. This determination is based on policy or on the flow's inability to be inspected (for example, encrypted traffic can't be inspected). By inspecting only the flows that can benefit from security inspection, the overall load on the firewall is greatly reduced and performance increases without sacrificing the security posture.
The VM-Series firewall and the BlueField-2 DPU must be installed on an x86 physical host running Ubuntu 18.04, with kernel version 4.15.0-20. The VM-Series firewall must be deployed in virtual wire mode.
ITO benefits service provider networks where traffic is predominantly "elephant" flows. Elephant flows are typically media flows that do not benefit from advanced security inspection (YouTube streams, Zoom sessions, Netflix streams, gaming traffic, and so on), or encrypted SSL or IPsec flows without a corresponding decryption profile on the firewall.
The VM-Series firewall uses an open API interface based on gRPC to communicate with the BlueField-2 DPU, which handles offload processing and maintains the offload flow table.
The current BlueField-2 DPU scalability limitations are as follows:
Session table capacity: 500,000 sessions
Session table update rate: 7,000 sessions/second
Offload hairpin rate: ~90 Gbps for 1,500-byte packets
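The per-flow decision described above (first few packets inspected, then offload on policy or because the flow is encrypted without a decryption profile) and the DPU's session-table capacity and update-rate limits can be modelled together in a small controller. The following is an added illustration, not Palo Alto Networks' or NVIDIA's code and not the actual gRPC API; it assumes flows are keyed by 5-tuple, that the "first few packets" are a fixed count of three, that policy is a simple application-to-offload-allowed map, and that a decryption profile is identified by destination port. Where the DPU table is full or its update rate is exhausted, the flow keeps going to the firewall for inspection rather than bypassing it.

```python
"""Conceptual model of an ITO-style per-flow offload decision.

Added illustration, not Palo Alto Networks' or NVIDIA's code. Assumptions:
flows are keyed by 5-tuple; the "first few packets" are modelled as a fixed
INSPECT_PACKETS count; policy is an app -> offload-allowed map; an encrypted
flow is offloaded only when no decryption profile applies to it. The DPU
session-table capacity and update rate use the figures from the page.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

INSPECT_PACKETS = 3                 # assumption: first three packets are inspected
SESSION_TABLE_CAPACITY = 500_000    # page: 500,000 sessions
SESSION_UPDATE_RATE = 7000          # page: 7,000 sessions/second

FlowKey = Tuple[str, str, int, int, str]   # src, dst, sport, dport, proto


@dataclass
class FlowState:
    packets_seen: int = 0
    app: str = "unknown"
    encrypted: bool = False
    offloaded: bool = False
    reason: str = ""


class OffloadController:
    """Decides, per flow, whether packets go to the firewall or the DPU."""

    def __init__(self, offload_policy: Dict[str, bool], decrypt_profiles: Set[int],
                 capacity: int = SESSION_TABLE_CAPACITY,
                 update_rate: int = SESSION_UPDATE_RATE):
        self.offload_policy = offload_policy      # app -> may be offloaded
        self.decrypt_profiles = decrypt_profiles  # dst ports with a decryption profile (assumption)
        self.capacity = capacity
        self.update_rate = update_rate
        self.flows: Dict[FlowKey, FlowState] = {}
        self.dpu_table: Set[FlowKey] = set()      # flows the DPU forwards on its own
        self._window: Optional[int] = None        # current one-second window
        self._updates_in_window = 0

    def _table_update_allowed(self, now: float) -> bool:
        """Limit DPU session-table insertions to update_rate per second."""
        window = int(now)
        if window != self._window:
            self._window, self._updates_in_window = window, 0
        if self._updates_in_window >= self.update_rate:
            return False
        self._updates_in_window += 1
        return True

    def _decide(self, key: FlowKey, st: FlowState, now: float) -> None:
        """Run once per flow, after the first INSPECT_PACKETS packets."""
        if st.encrypted and key[3] not in self.decrypt_profiles:
            want, reason = True, "encrypted, no decryption profile: cannot be inspected"
        elif self.offload_policy.get(st.app, False):
            want, reason = True, f"policy: {st.app} does not benefit from inspection"
        else:
            want, reason = False, f"policy: {st.app} stays on the firewall"
        # Fail toward inspection when the DPU cannot take another session.
        if want and len(self.dpu_table) >= self.capacity:
            want, reason = False, "DPU session table full; keep inspecting"
        elif want and not self._table_update_allowed(now):
            want, reason = False, "DPU update rate exceeded; keep inspecting"
        if want:
            self.dpu_table.add(key)
        st.offloaded, st.reason = want, reason

    def handle_packet(self, key: FlowKey, app: str, encrypted: bool,
                      now: float = 0.0) -> str:
        """Return 'dpu' if the DPU forwards this packet itself, else 'firewall'."""
        if key in self.dpu_table:
            return "dpu"
        st = self.flows.setdefault(key, FlowState())
        st.packets_seen += 1
        st.app, st.encrypted = app, encrypted   # app-id refines over the first packets
        if st.packets_seen == INSPECT_PACKETS:
            self._decide(key, st, now)          # this packet was already inspected
        return "firewall"


def demo() -> Dict[str, str]:
    """Constructed sample flows; returns where the fourth packet of each one goes."""
    ctl = OffloadController(
        offload_policy={"youtube-streaming": True, "zoom": True, "web-browsing": False},
        decrypt_profiles={443},   # assumption: TLS on 443 is decrypted, 8443 is not
    )
    flows = {
        "video": (("10.0.0.5", "203.0.113.10", 40001, 443, "tcp"), "youtube-streaming", True),
        "web": (("10.0.0.6", "203.0.113.20", 40002, 80, "tcp"), "web-browsing", False),
        "tls-nodecrypt": (("10.0.0.7", "203.0.113.30", 40003, 8443, "tcp"), "unknown", True),
    }
    where: Dict[str, str] = {}
    for name, (key, app, enc) in flows.items():
        for _ in range(INSPECT_PACKETS):
            ctl.handle_packet(key, app, enc)
        where[name] = ctl.handle_packet(key, app, enc)
    return where


if __name__ == "__main__":
    for name, path in demo().items():
        print(f"{name}: packet 4 handled by {path}")
```

The design choice worth noting is the direction of failure: when the DPU table is full or the update budget for the current second is spent, the flow stays on the firewall, so a burst of new flows degrades throughput rather than inspection coverage.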
Active/Passive HA is supported for the VM-Series firewalls running on physical hosts with identical configurations.