Skip to content

Architecture

Sophos Firewall offloads trusted traffic to FastPath after inspecting the initial packets in a connection.

FastPath eliminates the need to apply complete firewall processing to every packet in a connection. Offloading (bypassing the processing for every packet) minimizes processing cycles and delivers packets at wire speed.

With stateful tracking of individual connections, FastPath processes the packets, saving CPU cycles and memory bandwidth. FastPath only acts as directed by the kernel.

See Life of a packet.

Offloading on appliances

FastPath is software-based, enabling us to maintain a common architecture for Sophos Firewall devices and the software and virtual deployments. FastPath updates and features are part of SFOS releases.

XGS Series

XGS Series appliances have a dual-processor architecture, which combines a multi-core x86 CPU with a dedicated Xstream Flow Processor. Xstream Flow Processor is a Network Processing Unit (NPU) specifically designed for FastPath operations.

XGS Series appliances offload trusted traffic to the Xstream Flow Processor as follows:

  • Firewall acceleration (18.5, 19.0, and later versions)
  • IPsec acceleration (only 19.0 and later versions)

After inspecting the initial packets in a connection, the x86 CPU offloads trusted traffic to FastPath, which runs on the Xstream Flow Processor. The NPU accelerates trusted traffic flow, freeing up resources on the host CPU for resource-intensive tasks, such as TLS inspection, deep packet inspection, and IPsec encryption and decryption.

XG Series

XG Series appliances deliver FastPath offloading with firewall acceleration on 18.0, 18.5, and 19.0 and later versions. Additionally, they offload trusted traffic to the host x86 CPU.

Virtual and software deployments

Virtual and software deployments of Sophos Firewall use the same x86 CPU for offloaded traffic.

Hypervisor support: FastPath supports the VMware ESXi hypervisor. For other hypervisors, such as KVM, turn off FastPath using the CLI commands for firewall acceleration.

NIC drivers: FastPath supports the NIC drivers i40e, e1000, e1000e, igb, ixgbe, and vmxnet3. It doesn't load on other drivers. Sophos Firewall (including the DPI engine) still functions fully for the unsupported drivers, but without the FastPath performance enhancements.

MTU: Currently, FastPath supports up to 3500 MTU on e1000 and e1000e NICs.

FastPath network flow

The architecture contains SlowPath, comprising the firewall stack (kernel), the user space modules (includes the Deep Packet Inspection (DPI) engine), and the offload module. The offload module makes the decision to offload flows after inspecting the initial packets in a connection.

The architecture also contains FastPath to which flows are offloaded.

Sophos Firewall offers FastPath offloading with firewall and IPsec acceleration. These are available based on the appliance series and the SFOS version. Firewall and IPsec acceleration are turned on by default.

Firewall acceleration

After a handshake is complete or one packet from each direction passes through Sophos Firewall, SlowPath fully classifies the flow and programs a connection cache in FastPath. It offloads kernel processing for subsequent packets in the same connection to FastPath.

DPI engine: The DPI engine inspects traffic from layer 4 and higher through streaming processing. It applies SSL/TLS decryption and inspection, IPS policies, application identification and control, web policies (including proxy-less web filtering), and antivirus scanning in a single engine. Antivirus scanning includes Zero-day protection and file reputation analysis.

Offloading decisions are taken at each stage of security processing.

FastPath offloading: SlowPath delivers packets to the DPI engine through the Data Acquisition (DAQ) layer for security decisions if security policies apply. For offloaded packets, FastPath delivers the packets directly to the DPI engine through the DAQ layer, eliminating the need to retain copies in the kernel memory.

If the DPI engine offloads this traffic, it instructs FastPath to cut off the flow from SlowPath and the DPI engine. The ability to offload some or all processing minimizes the load on the CPU.

Turning firewall acceleration on or off: When you turn off firewall acceleration on the CLI console, or when FastPath doesn’t load, Sophos Firewall continues to function fully, but without the performance enhancements of FastPath.

To turn firewall acceleration on or off and see the status, see the CLI commands for firewall acceleration.

IPsec acceleration

The firewall offloads CPU-intensive processes, such as ESP encapsulation, encryption, decapsulation, and decryption for policy-based and route-based IPsec VPNs.

It offloads these processes to the NPU, freeing up the x86 host CPU. The NPU's hardware crypto capabilities make this possible. Additionally, IPsec acceleration improves the throughput for IPsec VPN tunnels.

The firewall offloads IPsec encryption and decryption to FastPath based on the phase 2 Security Associations (SA). It offloads SAs for all the encryption and authentication combinations available on Sophos Firewall except the following:

  • 3DES
  • BlowFish
  • MD5

Tip

We recommend using the cipher AES-GCM 128 for best performance.

IPsec VPN traffic can qualify for one of the following offloading processes:

Full offload: For offloaded SAs, FastPath encapsulates, encrypts, decapsulates, and decrypts the corresponding packets. If the inner traffic qualifies, SlowPath processing is offloaded to FastPath, delivering full offload.

FastPath and SlowPath: For offloaded SAs, FastPath decrypts or encrypts the packets. If the inner traffic doesn’t qualify for FastPath offloading, SlowPath processes the traffic, including encapsulation and decapsulation. FastPath finalizes the encapsulation after encrypting the packet.

Full SlowPath: For SAs that aren't offloaded, SlowPath performs the entire processing. The firewall can't offload SAs in these cases:

  • SAs are using unsupported cipher suites.
  • SAs are on virtual interfaces, such as VLANs.
  • Source and destination IP addresses don't match those expected for the SA.
  • When you turn off IPsec acceleration.

Turning IPsec acceleration on or off restarts all IPsec tunnels and requires downtime. To turn it on or off and see the status, see the CLI commands for IPsec acceleration.

Support for offloading

Currently, the firewall has the following restrictions on offloading:

Modules: Doesn't support offloading for SSL VPN, QoS, DoS, RED, LAG, and PPPoE traffic.

Bridge deployments: Supports offloading only for some types of bridge deployments.

High availability:

  • Active-active: Doesn't support firewall acceleration. Supports IPsec acceleration on the primary node.
  • Active-passive: Supports firewall and IPsec acceleration on the primary node.

VLAN and wireless interfaces: Doesn’t support IPsec acceleration over VLAN and wireless interfaces.

tcpdump: Optionally, offloading can remain on when tcpdump is run. You can configure FastPath traffic to be sent to tcpdump.

Note

Sophos Firewall retains SlowPath processing as a fallback path for functions that can’t be processed in FastPath or if FastPath can't function. SlowPath continues to process certain protocols, such as IP in IP.

Offloading based on rules and policies

You can configure rules and policies that enable FastPath to handle traffic fully, bypassing the firewall stack and the DPI engine. This can help you optimize FastPath offloading to accelerate cloud application traffic or the DPI engine based on traffic characteristics. Examples are as follows:

  • A firewall rule without IPS, web filtering, antivirus, or application control. Traffic is offloaded to FastPath after a handshake is complete or the initial packet passes through Sophos Firewall on either side of the connection.
  • A firewall rule with an application control policy. Traffic is offloaded to FastPath after about eight packets.
  • A firewall rule with IPS policy set to the rule action Bypass session. Traffic that matches IPS policy rules with this action is offloaded to FastPath.
  • A firewall rule with the following policies:
    • An IPS policy containing intelligent offload signatures from SophosLabs.
    • Web filtering without malware and content scanning or DPI engine settings. For firewall rules with malware and content scanning and DPI engine settings, FastPath delivers traffic to the DPI engine directly, bypassing the firewall stack.
  • No SSL/TLS inspection rules. For rules with the action set to Decrypt, FastPath delivers traffic to the DPI engine directly, bypassing the firewall stack.
  • SSL/TLS inspection rules with the action set to Don't decrypt. For STARTTLS connections, traffic is offloaded to FastPath after 15 packets.
Back to top