Nvidia DPUs Get Data Center Win With Palo Alto Networks’ Backing

With the new DPU-accelerated VM-Series NGFW from Palo Alto Networks, the new solution automatically determines which portions of network traffic the firewall needs to inspect, which can significantly reduce the amount of work required by CPUs and improve throughput performance.


Nvidia is hoping to expand its fledgling BlueField data processing unit business with new integration support from Palo Alto Networks, which it said will significantly speed up virtual firewall performance.

The Santa Clara, Calif.-based company announced on Monday that Palo Alto Networks has designed its new virtual next-generation firewall to take advantage of Nvidia’s BlueField DPUs, which will allow the firewall to inspect network traffic five times faster than firewall solutions that only use CPUs.

[Related: How Nvidia Is Helping Partners ‘Democratize AI’ For Enterprises]

Sponsored post

Muninder Singh Sambi, senior vice president of products at Palo Alto Networks, said the DPU acceleration of the firewall product, known as the VM-Series NGFW, will give enterprises and telecom companies the “agility and automation of the cloud without compromising performance.”

“The industry-leading Nvidia BlueField DPU is ideal for cybersecurity solutions operating in cloud-like environments,” he said in a statement provided by Nvidia.

Akin to SmartNICs, Nvidia’s BlueField DPUs are a new kind of processor that can replace network interface cards in servers to offload networking, storage and security workloads from the CPU, which can enable new capabilities while freeing up CPU cores to do other kinds of work.

While Nvidia has already made inroads with GPUs in in servers, the company wants to own an even bigger slice of the hardware and software that powers emerging workloads, and that includes BlueField DPUs, whose technology stemmed from Nvidia’s 2020 Mellanox acquisition. The company now has a dedicated roadmap for BlueField DPUs, which are set to improve with new AI and CPU-offload capabilities over the next few years.

Nvidia recently announced that new certified servers with BlueField-2 DPUs are coming from ASUS, Dell Technologies, Supermicro and other OEMs later this year. But to sell DPU-accelerated servers, Nvidia needs support from software vendors to help justify the purchase of a component that is more expensive than standard network interface cards, which is where Palo Alto Networks comes in.

With the new VM-Series NGFW from Palo Alto Networks, Nvidia said the new solution automatically determines which portions of network traffic the firewall needs to inspect since up to 80 percent of network traffic “doesn’t need to be — or can’t be — inspected by a firewall.” Since these determinations are made using a service called Intelligent Traffic Overload that is powered by the DPU, the amount of traffic packets sent to CPU-driven firewall processes can be significantly reduced.

As a result, the firewall’s Intelligent Traffic Overload service can significantly speed up the firewall’s throughput performance to 100Gb/s with Nvidia’s BlueField-2 DPUs, a five-fold increase from the 16Gb/s throughput that is achievable using only CPUs, according to Nvidia. The company added that the use of Nvidia DPUs can also reduce capital expenditures by 150 percent compared to legacy hardware.

An executive at a Palo Alto Networks partner said the new DPU-accelerated solution could be a “game-changer” for cloud-like environments, but he questioned how many organizations using cloud infrastructure could currently take advantage of the virtual firewall’s 100Gb/s throughput.

“Even in a VM-Series environment, most customers aren’t going an anywhere near the 16Gb/s limit now,” said the channel executive, who asked to not be identified to speak frankly.

The executive said the new joint solution from Nvidia and Palo Alto Networks will likely be adopted by large enterprises that are already deep into virtualization. But most enterprises, he added, will be reticent or slow to introduce new types of hardware to their environments.

“Most customers won’t want to run security equipment on their own hardware,” he said. “They’re not going to go out of their way to use a virtualization infrastructure to support a physical environment.”

What could have a larger impact, at least for the executive’s customer base, is if Palo Alto Networks were to adopt Nvidia’s DPUs for its hardware firewall appliances, the executive said. He said it would be a much bigger deal for him if Palo Alto Networks used Nvidia’s DPUs to accelerate performance for SSL decryption and the GlobalProtect VPN, two areas that suffer from performance issues.

“I think it would be a huge plus for customers,” he said.

However, the executive said, even Palo Alto Networks has been slow to adopt new kinds of components for its own appliances, so it could take time for the company to bring the benefits of DPUs or similar components to its wider customer base.

“Any hardware change is typically a two-, three-year R&D cycle in a release. That would be pretty interesting from a compute perspective, but they haven’t even tried adopting [cryptographic acceleration] cards,” he said.