SonicOS 8 Active-Active DPI High Availability
Description
WHAT IS DPI?: Deep Packet Inspection (DPI) is the process by which a firewall examines the actual content of network traffic, not just the source, destination, and port, to identify threats, enforce application policies, and detect malicious behavior. Services such as Intrusion Prevention (IPS), Gateway Anti-Virus (GAV), Application Control, and SSL/TLS Inspection all depend on DPI. It is one of the most CPU-intensive functions a firewall performs.
Overview
Active-Active DPI HA puts the secondary firewall’s otherwise idle CPU to work. In a standard Active/Standby HA pair, the standby unit contributes nothing to traffic processing during normal operation; all the computationally intensive work of Deep Packet Inspection falls entirely on the active unit, no matter how much spare capacity exists on the standby.
Active-Active DPI changes this by offloading DPI workloads from the active unit to the secondary unit over a dedicated Active/Active DPI Interface, allowing both units to contribute to security processing simultaneously. The result is reduced DPI-related CPU pressure on the active unit and better sustained inspection throughput, particularly under heavy or DPI-intensive traffic conditions.
KEY POINT: Active-Active DPI HA is a CPU offload and resource utilization feature. All traffic still enters and exits through the active unit. The secondary does not forward traffic independently; it processes offloaded DPI packets and returns results to the active unit, which applies all enforcement decisions.
How It Works
The Limitation in Active/Standby HA
In a standard Active/Standby deployment, the active unit is responsible for everything: firewall policy enforcement, NAT, routing, session management, and all DPI services. The standby unit does nothing during normal operation beyond monitoring the active unit’s health, its CPU, memory, and processing capacity sit entirely unused until a failover occurs.
The practical impact becomes visible under DPI intensive traffic conditions:
- As SSL inspection workloads grow, driven by the industry-wide shift to encrypted traffic, the active unit’s CPU becomes the sole bottleneck for all content inspection.
- Enabling multiple DPI services concurrently (GAV, IPS, App Control) multiplies the per-packet processing demand on the active unit alone.
- During traffic spikes, the active unit may reach CPU saturation while the standby sits idle with spare capacity.
IN SUMMARY:In Active/Standby HA, you pay for two firewalls but receive DPI processing from only one. The standby contributes zero inspection capacity during normal operation.
How Active-Active DPI Works
With Active-Active DPI enabled, a dedicated physical link between the two units, the Active/Active DPI Interface, is used to offload DPI work from the active unit to the secondary. The processing flow is:
- The active unit receives network traffic and handles all firewall, NAT, and session-layer processing as normal.
- Selected packet flows are forwarded from the active unit to the secondary over the Active/Active DPI Interface for DPI processing. The traffic forwarded to the secondary is decrypted because TLS decryption is performed on the active unit before offloading.
- The secondary unit performs DPI inspection, IPS signature matching, anti-virus scanning, application identification, on the decrypted payload and returns its findings to the active unit.
- The active unit applies the DPI enforcement decision (allow, block, reset) and forwards or drops the traffic accordingly. All enforcement actions originate from the active unit.
- Packet offloading is distributed across the Active/Active DPI Interface ports on a round robin, packet by packet basis, not per session.
ACTIVE/ACTIVE DPI INTERFACE: Active-Active DPI requires a dedicated physical interface connection between the two units specifically for DPI offload traffic. This is separate from the standard HA heartbeat and state synchronization link. Redundant Active/Active DPI Interface ports can be used for load sharing of offloaded DPI traffic.
Performance Impact
By freeing the primary unit’s CPU from the full burden of DPI processing, Active-Active DPI HA allows the primary unit to handle higher traffic volumes without DPI becoming the bottleneck.
By offloading DPI workloads to the secondary unit, the primary unit operates with reduced CPU pressure during inspection-heavy traffic conditions. The degree of benefit depends on the traffic pattern — specifically, the proportion of traffic subject to DPI inspection and the complexity of the inspection policies applied.
Important: Performance gains vary by deployment. Environments with a higher proportion of DPI inspected traffic will see greater benefit, while those with lower DPI coverage will see less. Results should be validated in the specific deployment environment rather than assumed from general benchmarks.
Configuring Active-Active DPI HA
Active-Active DPI HA is configured across two pages under Device | High Availability.
Step 1: Device | High Availability | Settings
Under General Settings, set Mode to Active / Active DPI. This enables the Active-Active DPI offload capability for the HA pair. Configure the required interface assignments:
- HA Control Interface: The interface used for HA heartbeat and state synchronization between the two units.
- HA Data Interface: The interface used for general HA data synchronization between the two units.
- Active/Active DPI Interface: The dedicated physical interface over which DPI offload packets are forwarded from the active unit to the secondary for inspection. This interface must be physically cabled between the two units and is separate from the HA Control and HA Data interfaces. Selecting this interface is the key step that enables DPI offload traffic flow.
Step 2: Device | High Availability | Advanced
Two settings control how aggressively the active unit offloads DPI work to the secondary:
- Active/Active DPI Traffic Offload % (default: 60): The percentage of DPI-eligible traffic forwarded to the secondary unit for processing. Increasing this value offloads more inspection work to the secondary; decreasing it retains more on the active unit.
- Active/Active DPI CPU Threshold % (default: 60): The active unit CPU utilization threshold above which DPI offloading is triggered. When the active unit’s CPU exceeds this value, eligible DPI traffic is redirected to the secondary, protecting the active unit’s processing headroom during traffic spikes.
The defaults of 60% for both settings are appropriate for most environments and require no adjustment for standard deployments. After saving, use Device | High Availability | Monitoring to verify that the secondary unit is active and DPI offload traffic is flowing across the Active/Active DPI Interface.
Real World Benefits
Better DPI performance Without a Hardware Upgrade
For customers already running an HA pair, Active-Active DPI HA recovers inspection capacity that was previously locked in the idle standby unit. Only DPI traffic is offloaded to the secondary unit, non-DPI traffic continues to be processed by the active unit alone. The degree of improvement depends on the traffic pattern and the proportion of traffic subject to DPI inspection. Organizations with high DPI workloads may see meaningful capacity gains without any additional hardware investment.
Both Units Earn Their Keep
The standby firewall is a significant capital investment. In standard Active/Standby mode, that investment provides only standby capacity. With Active-Active DPI HA enabled, the secondary unit actively participates in security processing every day, not just during failover events.
Reduced Active Unit CPU Pressure
Environments with demanding DPI policies, full SSL inspection, IPS, GAV, and Application Control all enabled simultaneously, place a significant CPU load on the active unit. Distributing DPI work to the secondary reduces the risk of CPU saturation during traffic spikes.
Secondary Is DPI Ready at Failover
Because the secondary unit has been actively processing offloaded DPI packets during normal operation, it does not start cold if a failover occurs. The secondary is already running DPI services and is familiar with the inspection workload at the point of takeover.
Real World Use Cases
|
Use Case |
Scenario |
Outcome |
|
High SSL Inspection Environments |
A financial services firm has full SSL/TLS inspection enabled for all outbound traffic. As encrypted traffic volumes grow, the active unit’s CPU approaches saturation during peak hours. |
The active unit continues to handle TLS decryption. Active-Active DPI offloads the deep inspection of decrypted payloads, signature matching, AV scanning, application identification, to the secondary unit, reducing CPU pressure on the active unit. |
|
All DPI Services Enabled Concurrently |
A healthcare network runs IPS, GAV, App Control, and SSL inspection simultaneously. The active unit struggles under the combined DPI load during clinical shift changes. |
DPI workload is distributed across both units via the Active/Active DPI Interface, reducing per-unit CPU pressure and avoiding DPI induced latency during high-load periods. |
|
HA Pair Utilization Optimization |
An enterprise IT team notices that the secondary firewall in their HA pair shows near-zero CPU utilization at all times, representing significant wasted hardware investment. |
Active-Active DPI HA puts the secondary’s idle CPU to work on DPI offload tasks, delivering measurable security processing value from hardware that was previously dormant. |
|
Growing DPI Workloads Without Hardware Refresh |
A mid market company’s traffic volumes have grown significantly. They need more DPI capacity but want to defer a hardware upgrade cycle. |
Active-Active DPI extracts additional DPI capacity from the existing HA pair, deferring the need for a hardware refresh by better utilising the secondary unit’s available resources. |
|
MSP Managed Firewall Efficiency |
An MSSP manages hundreds of customer HA firewall pairs. Enabling more DPI services per customer increases active unit load, constraining how many services can be offered per appliance. |
Active-Active DPI HA distributes DPI load across both units, allowing the MSSP to enable more comprehensive DPI service tiers without hitting active unit CPU ceilings. |
Benefits Over Active/Standby HA
|
Active/Standby HA (Previous) |
Active-Active DPI HA |
|
Standby unit CPU is 100% idle during normal operation. No contribution to DPI processing. |
Secondary unit’s CPU is actively used for DPI offload, contributing to inspection throughput every day. |
|
All DPI processing, IPS, GAV, App Control, and content inspection of decrypted traffic, runs exclusively on the active unit. |
DPI workload is shared across both units via the Active/Active DPI Interface, reducing active unit CPU pressure. |
|
Active unit becomes a DPI bottleneck under heavy inspection load. Standby capacity cannot be accessed. |
DPI offloading allows the active unit to handle higher traffic volumes before reaching CPU saturation. |
|
Customers pay for two firewall units but receive DPI performance from only one. |
Both units contribute to DPI processing simultaneously, better return on HA hardware investment. |
|
Standby unit has no DPI activity and is cold to inspection workloads at the time of failover. |
Secondary unit is actively running DPI services during normal operation, not starting from a dormant state at failover. |
|
Enabling additional DPI services multiplies CPU load solely on the active unit. |
Additional DPI service load is distributed, making it more viable to enable comprehensive inspection policies. |
Known Issues
Active/Active DPI HA Mode Does Not Sync When Secondary Firewall Is Unregistered
Issue: When Active/Active DPI HA is enabled on the primary firewall and the secondary firewall is in an unregistered state (no license applied), the HA mode setting will not synchronise to the secondary unit. An error is returned on both the HA Settings and HA Advanced pages.
Workaround 1 (Recommended): Register both the primary and secondary firewalls separately before enabling Active/Active DPI HA. Ensuring both units are fully registered prior to enabling the feature prevents the sync failure from occurring.
Workaround 2: If the issue has already occurred, manually register the secondary firewall. Once registration is complete, the Active/Active DPI HA setting will synchronise successfully.
Further Reading
All SonicOS 8 documentation is available on the SonicWall Technical Documentation portal at:
https://www.sonicwall.com/support/technical-documentation/docs/sonicos8-high_availability/Content/Topics/Configuring_High_Availability/active-active-dpi-settings.htm
Summary
Active-Active DPI HA solves a fundamental inefficiency in traditional Active/Standby deployments: the complete idling of the standby unit’s CPU during normal operation. By introducing a dedicated Active/Active DPI Interface for DPI packet offload, both units contribute to security inspection simultaneously, the active unit handles traffic forwarding and policy enforcement while the secondary processes offloaded DPI workloads and returns results.
In practical terms, this results in lower DPI-related CPU load on the active unit, improved ability to sustain inspection throughput under heavy or DPI-intensive traffic, and more efficient utilization of the secondary unit’s hardware. For environments running comprehensive DPI services, particularly full SSL inspection, Active-Active DPI HA offers meaningful capacity gains without requiring a hardware upgrade.
