How Palo Alto Networks Is Boosting Cyber Defenses With NVIDIA’s BlueField DPU

NVIDIA and Palo Alto Networks are boosting Cyber Defenses with NVIDIA’s BlueField data processing unit.

A ransomware attack on Colonial Pipeline, a major US gasoline corporation that spans more than 5,500 miles, was forced to shut down all its fuel distribution networks. It was considered to be one of the largest attacks of the year, finally forcing Colonial Pipeline to cough up to $5 Million in Ransom to Hackers.

Experts believe that cybercrimes are only going to get sinister with every passing year. As per a Cybersecurity Ventures estimate, cybercrime may cost the world $10.5 trillion annually by 2025.

Palo Alto Networks has developed the first virtual next-generation firewall (NGFW) that leverages NVIDIA’s BlueField data processing unit (DPU) to stay ahead of emerging threats.

Subscribe to our Newsletter

Join our editors every weekday evening as they steer you through the most significant news of the day, introduce you to fresh perspectives, and provide unexpected moments of joy
Your newsletter subscriptions are subject to AIM Privacy Policy and Terms and Conditions.


The first-of-its-kind DPU-accelerated NGFW is a milestone in boosting software firewall performance and maximising data centre security and efficiency.

DPU offloads traffic from the host processor and puts it on specialised hardware separate from the server CPU. Without sacrificing network performance, the solution delivers intrusion prevention and sophisticated protection capabilities of Palo Alto Networks’ virtual NGFWs to every server

The recently announced Palo Alto Networks VM-Series NGFW implements zero-trust network security concepts. By utilising a data processing unit (DPU), an intelligent network filter performs parsing, classifying, and steering traffic flows while incurring negligible CPU overhead, enabling the NGFW to handle up to 100Gb/s throughout most typical use cases. This results in a five-times performance improvement, along with a 150 per cent CAPEX reduction compared to legacy hardware.

The VM-Series, the first Bluefield-enabled NGFW to market, can perform application-aware segmentation, prevent malware, and block data exfiltration with the Bluefield DPU. In addition, the VM-Series is automated and can be deployed in any virtual or cloud environment without interruption.

(Source : NVIDIA blog)

In some client situations, most traffic either does not need inspection (e.g. video, gaming and video conferencing streaming) or cannot be examined, such as encrypted traffic that the customer cannot assign a suitable decryption policy on the firewall. In such circumstances, Smart Traffic Offload ensures optimal use of firewall resources to check only those flows which benefit from ongoing security inspection.

Intelligent traffic offload service

In Intelligent Traffic Offload (ITO), users can use the NVIDIA Bluefield-2 DPU in the VM-Series firewall security subscription, which offers greater throughput for the VM-Series firewall.

To inspect each packet of a flow for inspection or offload, the ITO initiates the inspection of the first couple of packets at the firewall to find out if the rest of the packets in the flow should be inspected or offloaded. This decision is based on the policy behind it. As a result, VM-Series firewall performance rises without sacrificing security while reducing the overall burden on the firewall.

Up to 80 per cent of the network traffic in a data centre — including the data’s media and encrypted content — doesn’t need to be inspected by a firewall. To this end, NVIDIA and Palo Alto Networks have developed a combined solution that comprises the Intelligent Traffic Offload (ITO) service, which analyses network traffic to see if each connection can benefit from security inspection.

Suppose the firewall finds that security inspection is unnecessary for the session. In that case, ITO instructs the Bluefield-2 DPU to route any subsequent packets in that session directly to their destination, bypassing the firewall.

Security inspection and offloading only focus on flows that benefit from it, reducing the total strain on the firewall and the host CPU. In turn, performance improves without a significant effect on security. As a result, the ITO empowers enterprises, telcos, and cloud providers to keep end-users secure while speeding up their digital transformation with an NGFW running on every host, regardless of the security perimeter.

(Source : NVIDIA Blog)

With the help of the gRPC open source remote procedure call framework and NVIDIA ASAP2, a hardware acceleration framework, Palo Alto Networks began developing the NGFW on the Bluefield DPU. This provided a unified platform for constructing software-defined networking, storage, security, and management applications that ran on Bluefield DPUs using the NVIDIA DOC SDK, which includes a gRPC interface to Bluefield and ASAP2. Therefore, increasing performance and security demands of modern data centres.

Ritika Sagar
Ritika Sagar is currently pursuing PDG in Journalism from St. Xavier's, Mumbai. She is a journalist in the making who spends her time playing video games and analyzing the developments in the tech world.

Download our Mobile App

MachineHack | AI Hackathons, Coding & Learning

Host Hackathons & Recruit Great Data Talent!

AIMResearch Pioneering advanced AI market research

With a decade of experience under our belt, we are transforming how businesses use AI & data-driven insights to succeed.

The Gold Standard for Recognizing Excellence in Data Science and Tech Workplaces

With Best Firm Certification, you can effortlessly delve into the minds of your employees, unveil invaluable perspectives, and gain distinguished acclaim for fostering an exceptional company culture.

AIM Leaders Council

World’s Biggest Community Exclusively For Senior Executives In Data Science And Analytics.

3 Ways to Join our Community

Telegram group

Discover special offers, top stories, upcoming events, and more.

Discord Server

Stay Connected with a larger ecosystem of data science and ML Professionals

Subscribe to our Daily newsletter

Get our daily awesome stories & videos in your inbox