UPDATED 11:00 EST / JULY 12 2021


Nvidia reveals how its BlueField DPUs boost Palo Alto Networks’ virtual firewall performance

Nvidia Corp. and Palo Alto Networks Inc. detailed today how they created what they say is a massively accelerated virtual next-generation firewall that doesn’t impact network performance.

Announced in May, Palo Alto’s VM-Series NGFW helps to accelerate packet filtering and forwarding by offloading traffic from server processors to dedicated Nvidia BlueField-2 data processing units. It further speeds things up by sending network traffic that doesn’t need to be inspected directly to its intended destination.

Nvidia’s BlueField-2 DPUs are specialized chips that come with optimizations that enable them to handle certain types of infrastructure administration tasks more efficiently, including network traffic inspection. By offloading this work to the DPU, a server’s central processing units can focus solely on the compute tasks they have been given, thereby improving overall performance. Nvidia claims that a single BlueField-2 DPU can handle data center infrastructure administration tasks that would otherwise have to be performed by as many as 125 CPU cores.

In the case of Palo Alto’s VM-Series NGFW, the Nvidia DPUs act as an intelligent network filter that parses, classifies and steers traffic flows with zero CPU overhead, Nvidia explained in a blog post. As a result, the VM-Series NGFWs can support 100 gigabytes per second throughput in standard use cases, amounting to a five-times performance boost over a VM-Series firewall that runs on CPUs alone, the companies said.

Palo Alto’s firewall also benefits from an Intelligent Traffic Offload service that’s enabled by the Nvidia DPUs. As Nvidia explains, in certain environments the majority of network traffic, such as streaming traffic for video, gaming and video calls, does not need to be inspected by the firewall. And then there is encrypted traffic, which simply cannot be inspected. Forcing all of this traffic that can’t or shouldn’t be inspected through the firewall slows things down.

Nvidia said as much as 80% of a typical network’s traffic won’t benefit from firewall inspection. Intelligent Traffic Offload addresses this problem by examining each session to determine if it will benefit from security inspection.

If it determines that it won’t benefit, the BlueField-2 DPU will forward all subsequent packets in that session directly to their destination without sending them to the firewall. This helps to reduce the overall load on both the firewall and the host CPU, leading to a significant performance improvement without adding any security risk, the company explained.
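The per-session decision described above can be sketched as a small flow-table model. This is an added illustration, not Nvidia's or Palo Alto Networks' code: the class and function names, the port-based verdict rule, the session-end handling and the sample packets are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, List, Tuple

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    fin: bool = False  # constructed marker: session ends with this packet
    def key(self) -> tuple:
        # Order the endpoints so both directions map to one session.
        a, b = sorted([(self.src, self.sport), (self.dst, self.dport)])
        return (a, b, self.proto)

class OffloadModel:
    """Hypothetical DPU flow table in front of a firewall."""
    def __init__(self, needs_inspection: Callable[[Packet], bool]):
        self.needs_inspection = needs_inspection  # stands in for the firewall's verdict
        self.offloaded: set = set()               # sessions judged not to need inspection
        self.to_firewall = 0
    def handle(self, pkt: Packet) -> str:
        key = pkt.key()
        if key in self.offloaded:
            path = "dpu"                          # fast path: firewall never sees it
        else:
            self.to_firewall += 1                 # slow path: firewall examines it
            path = "firewall"
            if not self.needs_inspection(pkt):
                self.offloaded.add(key)           # later packets take the fast path
        if pkt.fin:
            # Assumption: forget the session when it ends, so a reused
            # address/port pair is examined again rather than inheriting a verdict.
            self.offloaded.discard(key)
        return path

def policy(pkt: Packet) -> bool:
    # Constructed rule: UDP media-relay traffic on port 3478 gains nothing from inspection.
    return not (pkt.proto == "udp" and 3478 in (pkt.sport, pkt.dport))

def run_sample() -> Tuple[List[str], int]:
    # Constructed sample traffic: one video-call session and one web session.
    media = Packet("10.0.0.5", 50000, "198.51.100.7", 3478, "udp")
    reply = Packet("198.51.100.7", 3478, "10.0.0.5", 50000, "udp")
    web = Packet("10.0.0.5", 50001, "198.51.100.9", 80, "tcp")
    last = Packet("10.0.0.5", 50000, "198.51.100.7", 3478, "udp", fin=True)
    model = OffloadModel(policy)
    trace = [model.handle(p) for p in (media, reply, media, web, web, last, media)]
    return trace, model.to_firewall
```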

Palo Alto Senior Vice President of Products Muninder Singh Sambi said the company’s VM-Series NGFW is aimed at enterprises and telecommunications providers who are building “cloudlike data centers” that need both agility and automation. “The industry-leading Nvidia BlueField DPU is ideal for cybersecurity solutions operating in cloudlike environments,” he said.

