What makes Palo Alto Networks Next-Generation Firewall (NGFW) so different from its competitors is its Platform, Process and Architecture. Palo Alto Networks delivers all the next generation firewall features using the single platform, parallel processing and single management systems, unlike other vendors who use different modules or multiple management systems to offer NGFW features.
Palo Alto Networks Next-Generation Firewall's main strength is its Single Pass Parallel Processing (SP3) Architecture, which comprises two key components:
- Single Pass Software
- Parallel Processing Hardware
Figure 1: Palo Alto Networks Firewall Single Pass Parallel Processing Architecture
Single Pass Software
Palo Alto Networks Next-Generation Firewall is built on Single Pass Software, which processes each packet once to perform networking, user identification (User-ID), policy lookup, traffic classification with application identification (App-ID), decoding, and signature matching for threats and content, as shown in the illustration below:
Figure 2: Palo Alto Networks Firewall – Single-Pass Architecture Traffic Flow
Processing a packet in one go, or single pass, enormously reduces the processing overhead on the Palo Alto Networks Next-Generation Firewall; firewalls from other vendors that use a different type of architecture incur significantly higher overhead on packets traversing the firewall. Unified Threat Management (UTM) devices, which process traffic with a multi-pass architecture, have been observed to suffer processing overhead, added latency and throughput degradation.
The diagram below illustrates the multi-pass architecture process used by other vendors' firewalls, clearly showing differences to the Palo Alto Networks Firewall architecture and how the processing overhead is produced:
Figure 3: Traffic Flow for multi-pass architecture resulting in additional overhead processing
Palo Alto Networks Next-Generation Firewall Single Pass Software scans the content of the same stream once and uses a uniform set of signature matching patterns to detect and block threats. By adopting this methodology, the firewall avoids separate scan engines and signature sets, which results in low latency and high throughput.
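To make the single-pass versus multi-pass difference concrete, here is an added toy model (not Palo Alto Networks code, and not a description of how PAN-OS is actually implemented). It assumes a constructed set of four packets, a constructed signature list and host blocklist, and three hypothetical inspection engines (threat, URL, policy). The "decode" step stands in for the expensive App-ID and protocol decoding work; the multi-pass variant repeats it once per engine, the single-pass variant runs it once and hands the same parsed stream to every engine. Both variants must reach identical verdicts; only the amount of work differs.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample traffic (not real captures): (source, destination, raw payload).
SAMPLE_PACKETS = [
    ("10.0.0.5", "203.0.113.10", b"GET /index.html HTTP/1.1\r\nHost: shop.example.test\r\n\r\n"),
    ("10.0.0.6", "203.0.113.10", b"GET /cgi-bin/x.cgi?cmd=id HTTP/1.1\r\nHost: shop.example.test\r\n\r\n"),
    ("10.0.0.7", "203.0.113.20", b"\x16\x03\x01\x00\x05hello"),
    ("10.0.0.8", "203.0.113.30", b"\x00\x01\x02\x03"),
]

# Constructed, shared signature and policy data; every engine reads the same set.
THREAT_SIGNATURES = {"cgi-command-probe": b"?cmd=", "path-traversal": b"../"}
BLOCKED_HOSTS = {"blocked.example.test"}
ALLOWED_APPS = {"web-browsing", "ssl"}


@dataclass
class ParsedPacket:
    src: str
    dst: str
    app: str             # application classification (the App-ID step in the text)
    host: Optional[str]  # HTTP Host header when present
    body: bytes


class WorkCounter:
    """Counts how many times the expensive decode step ran."""
    def __init__(self) -> None:
        self.decodes = 0


def decode(raw: Tuple[str, str, bytes], counter: WorkCounter) -> ParsedPacket:
    """Classify the application and decode its protocol. This is the step a
    multi-pass design repeats once per engine and a single-pass design runs once."""
    counter.decodes += 1
    src, dst, payload = raw
    if payload.startswith((b"GET ", b"POST ")):
        host = None
        for line in payload.split(b"\r\n"):
            if line.lower().startswith(b"host:"):
                host = line.split(b":", 1)[1].strip().decode("ascii", "replace")
        return ParsedPacket(src, dst, "web-browsing", host, payload)
    if payload[:1] == b"\x16":  # TLS record type 0x16 = handshake
        return ParsedPacket(src, dst, "ssl", None, payload)
    return ParsedPacket(src, dst, "unknown", None, payload)


# Hypothetical inspection engines; each consumes an already decoded packet.
def threat_engine(p: ParsedPacket) -> List[str]:
    return sorted(name for name, pat in THREAT_SIGNATURES.items() if pat in p.body)


def url_engine(p: ParsedPacket) -> List[str]:
    return [p.host] if p.host in BLOCKED_HOSTS else []


def policy_engine(p: ParsedPacket) -> str:
    return "allow" if p.app in ALLOWED_APPS else "deny"


def combine(app: str, threats: List[str], url_hits: List[str], action: str) -> Tuple:
    final = "drop" if (threats or url_hits) else action
    return (app, tuple(threats), tuple(url_hits), final)


def multi_pass(packets) -> Dict:
    """Multi-pass model: each engine decodes the packet on its own before inspecting it."""
    counter = WorkCounter()
    verdicts = []
    for raw in packets:
        threats = threat_engine(decode(raw, counter))
        url_hits = url_engine(decode(raw, counter))
        parsed = decode(raw, counter)
        verdicts.append(combine(parsed.app, threats, url_hits, policy_engine(parsed)))
    return {"decodes": counter.decodes, "verdicts": verdicts}


def single_pass(packets) -> Dict:
    """Single-pass model: decode once, then hand the same parsed stream to every engine."""
    counter = WorkCounter()
    verdicts = []
    for raw in packets:
        p = decode(raw, counter)
        verdicts.append(combine(p.app, threat_engine(p), url_engine(p), policy_engine(p)))
    return {"decodes": counter.decodes, "verdicts": verdicts}


if __name__ == "__main__":
    for name, fn in (("multi-pass", multi_pass), ("single-pass", single_pass)):
        result = fn(SAMPLE_PACKETS)
        print(f"{name}: {result['decodes']} decodes for {len(SAMPLE_PACKETS)} packets")
        for raw, verdict in zip(SAMPLE_PACKETS, result["verdicts"]):
            print("   ", raw[0], "->", verdict)
```

With three engines the multi-pass model decodes each packet three times (12 decodes for 4 packets) while the single-pass model decodes each once (4 decodes), and the per-packet verdicts are the same in both. The decode cost is a stand-in for whatever work an engine would otherwise repeat; the point the model makes is that sharing one parsed stream and one signature set removes that repetition, which is the source of the latency and throughput difference the text describes.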
Parallel Processing Hardware
Palo Alto Networks Parallel Processing hardware ensures function-specific processing is done in parallel at the hardware level which, in combination with the dedicated Data plane and Control plane, produces stunning performance results. By separating the Data plane and Control plane, Palo Alto Networks is ensuring heavy utilization of either plane will not impact the overall performance of the Platform. At the same time, this means there is no dependency on either plane as each has its own CPU and RAM as illustrated in the diagram below:
Figure 4: Palo Alto Networks Firewall Hardware Architecture - Separation of Data Plane and Control Plane
The Control Plane is responsible for tasks such as management and configuration of the Palo Alto Networks Next-Generation Firewall, and it also handles the logging and reporting functions.
Palo Alto Networks Next-Generation Firewall uses processors dedicated to specific functions that work in parallel. The Data Plane in the high-end models contains three types of processors (CPUs) connected by high-speed 1Gbps buses.
The three types of processors are:
- Security Matching Processor: Dedicated processor that performs vulnerability and virus detection.
- Security Processor: Dedicated processor that performs hardware acceleration and handles security tasks such as SSL decryption, IPsec decryption and similar tasks.
- Network Processor: Dedicated processor responsible for network functions such as routing, NAT, QoS, route lookup, MAC lookup and network layer communications.