Sophos Firewall offloads trusted traffic to FastPath after inspecting the initial packets in a connection.
FastPath eliminates the need to apply complete firewall processing to every packet in a connection. Offloading (bypassing the processing for every packet) minimizes processing cycles and delivers packets at wire speed.
With stateful tracking of individual connections, FastPath processes the packets, saving CPU cycles and memory bandwidth. FastPath only acts as directed by the kernel.
See Life of a packet.
Offloading on appliances
FastPath is software-based, enabling us to maintain a common architecture for Sophos Firewall devices and the software and virtual deployments. FastPath updates and features are part of SFOS releases.
XGS Series appliances have a dual-processor architecture, which combines a multi-core x86 CPU with a dedicated Xstream Flow Processor. Xstream Flow Processor is a Network Processing Unit (NPU) specifically designed for FastPath operations.
After inspecting the initial packets in a connection, the x86 CPU offloads trusted traffic to FastPath, which runs on the Xstream Flow Processor. The NPU accelerates trusted traffic flow, freeing up resources on the host CPU for resource-intensive tasks, such as TLS inspection and deep packet inspection.
XG Series appliances deliver FastPath offloading with firewall acceleration on 18.0, 18.5, and 19.0 and later versions. Additionally, they offload trusted traffic to the host x86 CPU.
Virtual and software deployments
Virtual and software deployments of Sophos Firewall use the same x86 CPU for offloaded traffic.
Hypervisor support: FastPath supports the VMware ESXi hypervisor. For other hypervisors, such as KVM, turn off FastPath using the CLI commands for firewall acceleration.
NIC drivers: FastPath supports the NIC drivers i40e, e1000, e1000e, igb, ixgbe, and vmxnet3. It doesn't load on other drivers. Sophos Firewall (including the DPI engine) still functions fully for the unsupported drivers, but without the FastPath performance enhancements.
MTU: Currently, FastPath supports up to 3500 MTU on e1000 and e1000e NICs.
FastPath network flow
The architecture contains SlowPath, comprising the firewall stack (kernel), the user space modules (includes the Deep Packet Inspection (DPI) engine), and the offload module. The offload module makes the decision to offload flows after inspecting the initial packets in a connection.
The architecture also contains FastPath to which flows are offloaded.
Sophos Firewall offloads trusted traffic to FastPath after inspecting the initial packets in a connection. Firewall acceleration is turned on by default.
After a handshake is complete or one packet from each direction passes through Sophos Firewall, SlowPath fully classifies the flow and programs a connection cache in FastPath. It offloads kernel processing for subsequent packets in the same connection to FastPath.
DPI engine: The DPI engine inspects traffic from layer 4 and higher through streaming processing. It applies SSL/TLS decryption and inspection, IPS policies, application identification and control, web policies (including proxy-less web filtering), and antivirus scanning in a single engine. Antivirus scanning includes Zero-day protection and file reputation analysis.
Offloading decisions are taken at each stage of security processing.
FastPath offloading: SlowPath delivers packets to the DPI engine through the Data Acquisition (DAQ) layer for security decisions if security policies apply. For offloaded packets, FastPath delivers the packets directly to the DPI engine through the DAQ layer, eliminating the need to retain copies in the kernel memory.
If the DPI engine offloads this traffic, it instructs FastPath to cut off the flow from SlowPath and the DPI engine. The ability to offload some or all processing minimizes the load on the CPU.
Turning firewall acceleration on or off: When you turn off firewall acceleration on the CLI console, or when FastPath doesn’t load, Sophos Firewall continues to function fully, but without the performance enhancements of FastPath.
To turn firewall acceleration on or off and see the status, see the CLI commands for firewall acceleration.
Support for offloading
Currently, the firewall has the following restrictions on offloading:
Modules: Doesn't support offloading for VPN, QoS, DoS, RED, LAG, and PPPoE traffic.
Bridge deployments: Supports offloading only for some types of bridge deployments.
- Active-active: Doesn't support firewall acceleration.
- Active-passive: Supports firewall acceleration on the primary node.
tcpdump: Optionally, offloading can remain on when tcpdump is run. You can configure FastPath traffic to be sent to tcpdump for 18.5 MR2 and later.
Sophos Firewall retains SlowPath processing as a fallback path for functions that can’t be processed in FastPath or if FastPath can't function. SlowPath continues to process certain protocols, such as IP in IP.
Offloading based on rules and policies
You can configure rules and policies that enable FastPath to handle traffic fully, bypassing the firewall stack and the DPI engine. This can help you optimize FastPath offloading to accelerate cloud application traffic or the DPI engine based on traffic characteristics. Examples are as follows:
- A firewall rule without IPS, web filtering, antivirus, or application control. Traffic is offloaded to FastPath after a handshake is complete or the initial packet passes through Sophos Firewall on either side of the connection.
- A firewall rule with an application control policy. Traffic is offloaded to FastPath after about eight packets.
- A firewall rule with IPS policy set to the rule action Bypass session. Traffic that matches IPS policy rules with this action is offloaded to FastPath.
- A firewall rule with the following policies:
- An IPS policy containing intelligent offload signatures from SophosLabs.
- Web filtering without malware and content scanning or DPI engine settings. For firewall rules with malware and content scanning and DPI engine settings, FastPath delivers traffic to the DPI engine directly, bypassing the firewall stack.
- No SSL/TLS inspection rules. For rules with the action set to Decrypt, FastPath delivers traffic to the DPI engine directly, bypassing the firewall stack.
- SSL/TLS inspection rules with the action set to Don't decrypt. For STARTTLS connections, traffic is offloaded to FastPath after 15 packets.