Single Pass Parallel Processing (SP3) Architecture
Palo Alto Networks next-generation firewalls are based on a unique Single Pass Parallel Processing (SP3) Architecture – which enables high-throughput, low-latency network security, even while incorporating unprecedented features and technology.
Palo Alto Networks solves the performance problems that plague today’s security infrastructure with the SP3 architecture, which combines two complementary components:
- Single Pass software
- Parallel Processing hardware
The results is the perfect mix of raw throughput, transaction processing and network security that today’s high performance networks require.
Single Pass Software
Palo Alto Networks Single Pass software is designed to accomplish two key functions within the Palo Alto Networks next-generation firewall. First, the single pass software performs operations once per packet. As a packet is processed, networking functions, policy lookup, application identification and decoding, and signature matching for any and all threats and content are all performed just once. This significantly reduces the amount of processing overhead required to perform multiple functions in one security device. Second, the content scanning step in Palo Alto Networks’ Single Pass software is stream-based, and uses uniform signature matching to detect and block threats. Instead of using separate engines and signature sets (requiring multi-pass scanning) and instead of using file proxies (requiring file download prior to scanning), the single pass software in our next-generation firewalls scans content once and in a stream-based fashion to avoid latency introduction.
This Single Pass traffic processing enables very high throughput and low latency – with all security functions active. It also offers the additional benefit of a single, fully integrated policy, enabling simple, easier management of enterprise network security.
Parallel Processing Hardware
The other critical piece of Palo Alto Networks SP3 Architecture is hardware. Palo Alto Networks next-generation firewalls use Parallel Processing hardware to ensure that the Single Pass software runs fast. First, Palo Alto Networks engineers designed separate data and control planes. This separation means that heavy utilization of one won’t negatively impact the other – for example, an administrator could be running a very processor-intensive report, and yet the ability to process packets would be completely unhindered, due to the separation of data and control planes.
The second important element of the Parallel Processing hardware is the use of discrete, specialized processing groups that work in harmony to perform several critical functions.
- Networking: routing, flow lookup, stats counting, NAT, and similar functions are performed on network-specific hardware
- User-ID, App-ID, and policy all occur on a multi-core security engine with hardware acceleration for encryption, decryption, and decompression.
- Content-ID content analysis uses dedicated, specialized content scanning engine
- On the controlplane, a dedicated management processor (with dedicated disk and RAM) drives the configuration management, logging, and reporting without touching data processing hardware.