There are two main planes that make up a firewall, the data plane and the management plane, which are physical or logical boards that perform specific functions. All platforms have a management plane. The management plane is where all administrative tasks happen. The data plane is responsible for processing flows and performs all the security features associated with the next-generation firewall. These functions have dedicated hardware resources, which makes them independent of each other in Palo Alto firewalls.
Management Planes and Data Planes
Palo Alto Networks maintains the management plane and data-plane separation to protect system resources. Every Palo Alto Networks firewall assigns a minimum of these functions to the management plane:
- Configuration management
- Logging
- Reporting functions
- User-ID agent process
- Route updates
The management network and console connector terminate directly on this plane. On the PA-7000 Series firewalls, dedicated log collection and processing is implemented on a separate card.
The following functions are assigned to the data plane:
- Signature match processor
- All Content-ID and App-ID services
- Security processors
- Session management
- Encryption and decryption
- Compression and decompression
- Policy enforcement
- Network processor
- Route
- ARP
- MAC lookup
- QoS
- NAT
- Flow control
The data plane connects directly to the traffic interfaces. As more computing capability is added to more
powerful firewall models, the management planes and data planes gain other functionality as required,
sometimes implemented on dedicated cards. Several core functions gain field-programmable gate arrays
(FPGAs) or custom application-specific integrated circuits (ASICs) for flexible high-performance processing. Additional management plane functions might include the following: First packet processing & Switch fabric management.
Note: If you have any issue in management plane, It will not impact data plane traffic flow. Sometimes there can be issue where you are unable to access management server remotely or locally GUI is inaccessible but data plane are still flowing smoothly without any cause and no issue reported. In such you have to restart management server only and this will not impact data flow.
