Skip to content


Xstream architecture enables Sophos Firewall to offload trusted traffic to FastPath after inspecting the initial packets in a connection.

The architecture contains the Deep Packet Inspection (DPI) engine, SSL/TLS inspection, and the FastPath network flow.

The DPI engine applies SSL/TLS decryption and inspection, IPS policies, application identification and control, web policies (including proxyless web filtering), and antivirus scanning in a single engine. Antivirus scanning includes Sandstorm protection and file reputation analysis.

SSL/TLS inspection decrypts and inspects SSL/TLS connections that use modern cipher suites across all ports and protocols. For details, go to Rules and policies > SSL/TLS inspection rules.

FastPath network flow offloads (bypasses processing of) trusted traffic. Offloading eliminates the need to apply full firewall processing to every packet in a connection, minimizing the use of processing cycles.


Currently, Sophos Firewall doesn't offload VPN, QoS, DoS, and RED traffic to FastPath. It doesn't support FastPath in high availability (HA) active-active mode.

FastPath offload is similar in HA active-passive and standalone modes.

You can optimize FastPath offloading through rules and policies to accelerate cloud application traffic or DPI engine based on traffic characteristics.

FastPath network flow

The data plane is the core hardware and software component. It works in the FastPath, kernel (firewall stack), and user space domains, offloading trusted packets throughout a connection's lifetime. The DPI engine is in the user space.

FastPath provides an efficient, zero-copy path into the DPI engine, eliminating the need to retain copies in the kernel memory. The data plane caches the classification decisions of the kernel and user space and applies them to all the traffic in a connection, lightening the load on the hardware. This approach enables the CPU to offload some or all processing of a packet to FastPath.

The firewall stack still requires the CPU to handle the connection rate.


Sophos Firewall retains firewall stack (slowpath) processing as a fallback path for functions that can’t be processed in FastPath or if FastPath can't function. The firewall stack continues to process certain protocols, such as IP in IP.

FastPath is software-based and is available as Virtual FastPath (VFP), enabling us to maintain a common architecture for Sophos Firewall devices and the software and virtual deployments. The FastPath API offloads traffic to FastPath. VFP updates and features are part of SFOS releases.

XG Series appliances and virtual and software deployments of Sophos Firewall use the same x86 CPU for offloaded traffic.


Virtual FastPath supports the NIC drivers i40e, e1000, e1000e, igb, ixgbe, and vmxnet3. VFP won’t load on other drivers, but Sophos Firewall (including the DPI engine) still functions fully, but without the FastPath performance enhancements.

Currently, Virtual FastPath supports up to 3500 MTU on e1000 and e1000e NICs.


For virtual deployments, Virtual FastPath supports the VMware ESXi hypervisor. For other hypervisors, such as KVM, turn off FastPath using the CLI command for firewall acceleration.

Firewall acceleration

When you turn off firewall acceleration on the CLI console or when FastPath doesn’t load, Sophos Firewall continues to function fully, but without the performance enhancements of FastPath.

To turn firewall acceleration on or off through FastPath and to see the status, use the following CLI commands:

Option CLI command
Show firewall acceleration console> system firewall-acceleration show
Turn on firewall acceleration console> system firewall-acceleration enable
Turn off firewall acceleration console> system firewall-acceleration disable


FastPath doesn’t support tcpdump. It’s turned off when you run a tcpdump command.


Traffic for a connection flows in the stateful firewall mode initially. The firewall stack processes the first packet and does the following:

  • Applies the action in the firewall rule.
  • Makes layer 2 and layer 3 decisions that include routing, switching, forwarding, and RED traffic-related decisions.
  • Makes decisions related to ingress decapsulation and egress encapsulation, including decisions for IPsec VPNs.
  • Applies DoS (Denial of Service) policies.
  • Applies QoS (traffic shaping) policies.

After one packet from each direction passes through Sophos Firewall, the firewall stack fully classifies the flow and programs a connection cache in FastPath. It offloads kernel processing for subsequent packets in the same connection to FastPath. These packets don’t require further processing to verify their identity and destination. With stateful tracking of individual connections, FastPath processes the packets fully, saving CPU cycles and memory bandwidth. FastPath only acts as directed by the kernel.

DPI engine

The firewall stack delivers the initial packet to the DPI engine through the Data Acquisition (DAQ) layer for security decisions. FastPath delivers subsequent packets directly to the DPI engine through the DAQ layer. DAQ is a high-speed mechanism to move packets into and out of the DPI engine. The direct delivery eliminates the need to retain copies in the kernel memory.

The DPI engine inspects traffic from layer 4 and higher through streaming processing. Offloading decisions are taken at each stage of security processing.

SSL/TLS engine: For unencrypted traffic, when SSL/TLS inspection rules are turned on, the SSL/TLS module directs the DAQ layer to skip SSL/TLS processing for the flow. For encrypted traffic, when SSL/TLS inspection rules have been set up, the DPI engine continues to modify traffic throughout the connection lifetime. This ensures that the connection isn't dropped because the SSL/TLS connection has been modified for inspection.

Intrusion prevention and Application control: With application control turned on, the initial packets are delivered to IPS for application identification. IPS classifies the application after a few packets and gives a policy verdict for application control, which may give new forwarding behavior and QoS parameters. The DAQ layer communicates these decisions to the kernel and the hardware. From this point onward, the connection may be completely offloaded to FastPath.

IPS may pass a verdict to stop security processing based on factors, such as a safe signature or verdict from SophosLabs, a matching IPS policy with bypass action, or based on earlier guidelines.

Antivirus and Web filtering: If the IPS verdict is that the traffic is safe, antivirus scanning doesn't take place. If web filtering applies, web traffic scanning continues until the end of the flow, depending on the HTTP responses.

From this point onward, FastPath offloads traffic from the kernel and handles layer 2 and layer 3 processing. The ability to offload some or all processing minimizes the load on the CPU.

How to enable FastPath with rules and policies

Here are examples of rules and policies that enable FastPath to handle traffic fully, bypassing the firewall stack and the DPI engine:

  • A firewall rule without IPS, web filtering, antivirus, or application control. Traffic is offloaded to FastPath after the initial packet passes through Sophos Firewall on either side of the connection.
  • A firewall rule with application control policy. Traffic is offloaded to FastPath after about eight packets.
  • A firewall rule with IPS policy set to the rule action Bypass session. Traffic that matches IPS policy rules with this action is offloaded to FastPath.
  • A firewall rule with the following policies:
    • An IPS policy containing intelligent offload signatures from SophosLabs.
    • Web filtering without malware and content scanning or DPI engine settings. For firewall rules with malware and content scanning and DPI engine settings, FastPath delivers traffic to the DPI engine directly, bypassing the firewall stack.
  • No SSL/TLS inspection rules. For rules with the action set to Decrypt, FastPath delivers traffic to the DPI engine directly, bypassing the firewall stack.
  • SSL/TLS inspection rules with the action set to Don't decrypt. For STARTTLS connections, traffic is offloaded to FastPath after 15 packets.
Back to top