How to offload large flows

You can use the prefilter policy to configure static flow offload. If your hardware model supports it, flow offload moves eligible fastpath connections to NIC processing so that they bypass performance-intensive inspection.

Some hardware models dynamically identify offloadable connections automatically, but you can proactively mark connections as offload eligible by matching them to a prefilter fastpath rule. This static configuration lets you improve performance quickly for large connections that you know you can trust.

In the following example, it is assumed that two servers are behind sufficient protection so that you can trust the connections between them. Perhaps one server is using the other for backups. Thus, you can write a fastpath rule for any traffic going from the main server, 10.100.1.20/24, to the backup server, 10.100.2.2/24. The example assumes the servers are accessible through regular, physical routed interfaces.

Procedure

Step 1

Choose Policies > Security policies > Prefilter and create or edit a custom prefilter policy.

Step 2

Click Add Prefilter Rule.

You can also right-click a rule and select Insert New Prefilter Rule.

Step 3

Enter a Name for the rule. For example, Offload_Server_A.

Step 4

In Action, select Fastpath.

Step 5

In Insert, select the rule above or below which the rule should be inserted.

You can also move the rule after you create it.

Step 6

Click the Networks tab and specify the source and destination servers.

  • In the edit box below Source Networks, type 10.100.1.20 and click Add.

  • In the edit box below Destination Networks, type 10.100.2.2 and click Add.

Step 7

(Optional.) Configure the other traffic matching characteristics for the flow.

Click the following tabs to fill in the criteria. Only the Networks tab needs to be configured for this example, so configure these settings only if they make sense for your situation.

  • Interface objects—The security zones or interface objects that define the source or destination interfaces, or both. This specification is not needed for this example.

  • VLANs—Because this example uses routed physical interfaces rather than switch interfaces, VLAN tagging is not relevant. Even when switch interfaces are in use, you do not need to limit the rule by VLAN.

  • Ports—If you want to limit the offload to specific TCP/UDP ports, you can specify them. This limits the scope of the rule to these ports only.

Step 8

(Optional.) Click Logging and decide whether you want to see syslog events for matching traffic.

Step 9

Click Add to add the rule.

Take the time to move the rule to the right location in the policy if it is not already there.

Step 10

Click Save to save the policy.

The next time you deploy the configuration, the rule will be applied to the target devices.
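As an added illustration, not Cisco's own code, the following Python builds the rule from this procedure as a request body for the FMC REST API's prefilter rules resource and checks its scope before it would be sent. Because a Fastpath rule exempts matching traffic from inspection, the helper refuses any rule that would trust more source/destination address pairs than a local threshold: it accepts the two host addresses from Step 6 but rejects the /24 form of the same addresses. The endpoint path, the JSON field names (action, ruleType, sourceNetworks, destinationPorts, logBegin and so on), the 256-pair threshold and the TCP port 22 used in the demo are assumptions or constructed values, not taken from the page; verify the field names against the API Explorer of your FMC release.

```python
"""Build and sanity-check a prefilter Fastpath rule before sending it to FMC.

Added example; not Cisco's own code.  The JSON shape follows the FMC REST API
prefilterrules resource as assumed here (field names such as "action",
"ruleType", "sourceNetworks" and "destinationPorts" are assumptions).
"""
import ipaddress
from typing import Dict, List, Optional

# A Fastpath rule exempts matching flows from inspection, so keep the trusted
# scope small.  The threshold is an assumed local policy value, not a Cisco default.
MAX_TRUSTED_PAIRS = 256


def _network_literal(cidr: str) -> Dict[str, str]:
    """Return an FMC network literal: "Host" for one address, "Network" otherwise."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.num_addresses == 1:
        return {"type": "Host", "value": str(net.network_address)}
    return {"type": "Network", "value": str(net)}


def trusted_pairs(src: List[str], dst: List[str]) -> int:
    """Count the source/destination address pairs the rule would exempt from inspection."""
    n_src = sum(ipaddress.ip_network(c, strict=False).num_addresses for c in src)
    n_dst = sum(ipaddress.ip_network(c, strict=False).num_addresses for c in dst)
    return n_src * n_dst


def scope_is_acceptable(src: List[str], dst: List[str],
                        max_pairs: int = MAX_TRUSTED_PAIRS) -> bool:
    """True when both ends are specified and the rule trusts at most max_pairs pairs."""
    return bool(src) and bool(dst) and trusted_pairs(src, dst) <= max_pairs


def build_fastpath_rule(name: str, src: List[str], dst: List[str],
                        tcp_ports: Optional[List[int]] = None,
                        log: bool = True,
                        max_pairs: int = MAX_TRUSTED_PAIRS) -> Dict:
    """Return the JSON body for one Fastpath prefilter rule (Steps 3 to 8 of the procedure)."""
    if not scope_is_acceptable(src, dst, max_pairs):
        raise ValueError(
            f"rule {name!r} would trust {trusted_pairs(src, dst)} address pairs "
            f"(limit {max_pairs}); narrow it to the hosts you actually trust")
    rule = {
        "type": "PrefilterRule",
        "name": name,                  # Step 3
        "action": "FASTPATH",          # Step 4
        "ruleType": "PREFILTER",
        "enabled": True,
        "sourceNetworks": {"literals": [_network_literal(c) for c in src]},       # Step 6
        "destinationNetworks": {"literals": [_network_literal(c) for c in dst]},
        "logBegin": log,               # Step 8: connection events for matching traffic
        "logEnd": log,
        "sendEventsToFMC": log,
    }
    if tcp_ports:                      # Step 7, Ports tab: IP protocol 6 is TCP
        rule["destinationPorts"] = {"literals": [
            {"type": "PortLiteral", "protocol": "6", "port": str(p)} for p in tcp_ports]}
    return rule


def rule_endpoint(domain_uuid: str, policy_uuid: str) -> str:
    """Assumed FMC REST path to POST the rule body to (the policy chosen in Step 1)."""
    return (f"/api/fmc_config/v1/domain/{domain_uuid}/policy/"
            f"prefilterpolicies/{policy_uuid}/prefilterrules")


if __name__ == "__main__":
    import json
    # The page's example: main server to backup server; port 22 is a constructed value.
    body = build_fastpath_rule("Offload_Server_A", ["10.100.1.20"], ["10.100.2.2"],
                               tcp_ports=[22])
    print(json.dumps(body, indent=2))
    # The /24 form of the same addresses would exempt 65536 pairs and is rejected.
    print(scope_is_acceptable(["10.100.1.20/24"], ["10.100.2.2/24"]))
```

The body returned by build_fastpath_rule is what you would POST to rule_endpoint with your FMC session token; deployment to the devices (Step 10) remains a separate step. The scope check is the point of the example: a rule that passes it trusts only the pairs you enumerated, so a later edit that widens a host to a network fails closed instead of silently exempting a whole subnet from inspection.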