Xstream architecture enables the offloading and streaming of packet processing for high levels of protection and performance.

The architecture contains the DPI (Deep Packet Inspection) engine, SSL/TLS inspection, and the FastPath network flow.

The DPI engine applies SSL/TLS decryption and inspection, IPS policies, application identification and control, web policies (including proxyless web filtering), and antivirus scanning in a single engine. Antivirus scanning includes Sandstorm protection and file reputation analysis.

SSL/TLS inspection decrypts and inspects SSL/TLS connections that use modern cipher suites across all ports and protocols. For details, go to Rules and policies > SSL/TLS inspection rules.

FastPath network flow offloads (bypasses processing of) trusted traffic. Offloading eliminates the need to apply full firewall processing to every packet in a connection, minimizing the use of processing cycles.
Note Currently, Sophos Firewall doesn't offload VPN, QoS, DoS, and RED traffic to FastPath. It doesn't support FastPath in high availability (HA) active-active mode.

FastPath offload is similar in HA active-passive and standalone modes.

You can optimize FastPath offloading through rules and policies to accelerate cloud application traffic or through the DPI engine based on traffic characteristics.

FastPath network flow

The data plane is the core hardware and software component. It works in the FastPath, kernel (firewall stack), and user space domains, offloading trusted packets throughout a connection's lifetime. The DPI engine is in the user space.

FastPath provides an efficient, zero-copy path into the DPI engine, eliminating the need to retain copies in the kernel memory. The data plane caches the classification decisions of the kernel and user space, and applies them to all the traffic in a connection, lightening the load on the hardware. This enables FastPath to offload some or all processing of a packet from the CPU.

The firewall stack still requires the CPU to handle the connection rate.

Note Sophos Firewall retains firewall stack (slowpath) processing as a fallback path for functionalities that can’t be processed in FastPath or if FastPath can't function. The firewall stack continues to process certain protocols, such as IP in IP.

FastPath is software-based and is also available as Virtual FastPath (VFP), enabling us to maintain a common architecture for Sophos Firewall devices and the software and virtual platforms of Sophos Firewall. The firewall stack can offload to FastPath through VFP or the FastPath API. VFP updates and features are part of SFOS releases.

Note Virtual FastPath supports the NIC drivers i40e, e1000, e1000e, igb, ixgbe, and vmxnet3. VFP won’t load on other drivers, but Sophos Firewall (including the DPI engine) still functions fully, but without the FastPath performance enhancements.

Currently, Virtual FastPath supports up to 3500 MTU on e1000 and e1000e NICs.

Note For virtual deployments, Virtual FastPath supports the VMware ESXi hypervisor. For other hypervisors, such as KVM, turn off FastPath using the CLI command for firewall acceleration.

Firewall acceleration

When you turn off firewall acceleration on the CLI console or when FastPath doesn’t load, Sophos Firewall continues to function fully, but without the performance enhancements of FastPath.

To turn firewall acceleration on or off through FastPath and to see the status, use the following CLI commands:


CLI command

Show firewall acceleration

console> system firewall-acceleration show

Turn on firewall acceleration

console> system firewall-acceleration enable

Turn off firewall acceleration

console> system firewall-acceleration disable

Note FastPath doesn’t support tcpdump. It’s turned off when you run a tcpdump command.


Traffic for a connection flows in the stateful firewall mode initially. The firewall stack processes the first packet and does the following:
  • Applies the firewall rule action.
  • Makes layer 2 and layer 3 decisions that include routing, switching, forwarding, and RED traffic-related decisions.
  • Makes decisions related to ingress decapsulation and egress encapsulation, including decisions for IPsec VPNs.
  • Applies DoS (Denial of Service) policies.
  • Applies QoS (traffic shaping) policies.

After one packet from each direction passes through Sophos Firewall, the firewall stack fully classifies the flow, and programs a connection cache in FastPath. It offloads kernel processing for subsequent packets in the same connection to FastPath. These packets don’t require further processing to verify their identity and destination. With stateful tracking of individual connections, FastPath processes the packets fully, saving CPU cycles and memory bandwidth. FastPath acts only as directed by the kernel.

DPI engine

For security decisions, the firewall stack delivers the initial packet to the DPI engine through the Data Acquisition (DAQ) layer. FastPath delivers subsequent packets directly to the DPI engine through the DAQ layer, which is a high-speed mechanism to move packets into and out of the DPI engine. The direct delivery eliminates the need to retain copies in the kernel memory.

The DPI engine inspects traffic from layer 4 and higher through streaming processing. Offloading decisions are taken at each stage of security processing.

SSL/TLS engine: For unencrypted traffic, when SSL/TLS inspection rules are turned on, the SSL/TLS module directs the DAQ layer to skip SSL/TLS processing for the flow. For encrypted traffic, when SSL/TLS inspection rules have been set up, the DPI engine continues to modify traffic throughout the connection lifetime. This ensures that the connection isn't dropped because the SSL/TLS connection has been modified for inspection.

Intrusion prevention and Application control: With application control turned on, the initial packets are delivered to IPS for application identification. IPS classifies the application after a few packets and gives a policy verdict for application control, which may give new forwarding behavior and QoS parameters. The DAQ layer communicates these decisions to the kernel and the hardware. From this point onward, the connection may be completely offloaded to FastPath.

IPS may pass a verdict to stop security processing based on factors, such as a safe signature or verdict from SophosLabs, a matching IPS policy with bypass action, or based on earlier guidelines.

Antivirus and Web filtering: If the IPS verdict is that the traffic is safe, antivirus scanning doesn't take place. If web filtering applies, web traffic scanning continues until the end of the flow, depending on the HTTP responses.

From this point onward, FastPath offloads traffic from the kernel and handles layer 2 and layer 3 processing. The ability to offload some or all processing minimizes load on the CPU.

How to enable FastPath with rules and policies

Here are examples of rules and policies that enable FastPath to handle traffic fully, bypassing the firewall stack and the DPI engine:

  • A firewall rule without IPS, web filtering, antivirus, or application control. Traffic is offloaded to FastPath after the initial packet passes through Sophos Firewall on either side of the connection.
  • A firewall rule with application control policy. Traffic is offloaded to FastPath after about eight packets.
  • A firewall rule with IPS policy set to the rule action Bypass session. Traffic that matches IPS policy rules with this action is offloaded to FastPath.
  • A firewall rule with the following policies:
    • An IPS policy containing intelligent offload signatures from SophosLabs.
    • Web filtering without malware and content scanning or DPI engine settings. For firewall rules with malware and content scanning and DPI engine settings, FastPath delivers traffic to the DPI engine directly, bypassing the firewall stack.
  • No SSL/TLS inspection rules. For rules with the action set to Decrypt, FastPath delivers traffic to the DPI engine directly, bypassing the firewall stack.
  • SSL/TLS inspection rules with the action set to Don't decrypt. For STARTTLS connections, traffic is offloaded to FastPath after 15 packets.