Knowledge Base


Architecture for offloading fast-path

https://docs.sophos.com/nsg/sophos-firewall/21.0/Help/en-us/webhelp/onlinehelp/AdministratorHelp/AdvancedServices/Architecture/index.html

Sophos Firewall offers firewall, PKI, and IPsec acceleration on SFOS versions and appliances that support the offloads.

Offloading accelerates the traffic flow, freeing up resources on the host CPU for resource-intensive tasks, such as malware detection and antivirus scanning.

Modules and offloading decisions

The architecture contains SlowPath, comprising the firewall stack (kernel), the user space modules (including the Deep Packet Inspection (DPI) engine), and the offload module, which makes the decision to offload trusted flows. The architecture also contains FastPath, to which trusted flows and certain tasks can be offloaded.

Firewall acceleration offloads trusted traffic to FastPath after inspecting the initial packets in a connection. FastPath eliminates the need to apply complete firewall processing to every packet in a connection. With stateful tracking of individual connections, FastPath processes the packets, saving CPU cycles and memory bandwidth. It only acts as directed by the kernel.

The SSL/TLS inspection engine makes the offload decisions for PKI processing. The XFRM stack makes the offload decisions for IPsec encryption and decryption.

See Life of a packet.

Note

Sophos Firewall retains SlowPath processing as a fallback path for functions that can't be processed in FastPath or if FastPath can't function.

SlowPath continues to process protocols that aren't offloaded, such as IP in IP.

Offloading on appliances

FastPath is software-based, allowing us to maintain a common architecture between Sophos Firewall appliances and the software and virtual deployments. Updates to offloading and other feature enhancements are part of SFOS releases.

Hardware appliances

XGS Series

XGS Series appliances offload processing for firewall, PKI, and IPsec acceleration for the qualifying processes. After inspecting the initial packets in a connection, the x86 CPU offloads trusted traffic to FastPath, using the hardware FastPath or Virtual FastPath as follows:

Hardware FastPath: Most XGS Series appliances have a dual-processor architecture, which combines a multi-core x86 CPU with a dedicated Xstream Flow Processor. The Xstream Flow Processor is a Network Processing Unit (NPU) designed specifically for offloaded operations.

The following crypto operations are offloaded to the crypto hardware in the NPU for qualifying flows:

  • Re-signing X.509 server certificates for inspected TLS flows.
  • IPsec VPN encryption and decryption.

Virtual FastPath (VFP): The Gen.2 XGS Series appliances, XGS 88(w), 108(w), 118(w), and 128(w), offload processing to VFP, which runs in the x86 kernel.

For qualifying flows, the VFP offloads one crypto operation: IPsec VPN encryption and decryption.

Summary

Type of offloading        Available on
PKI acceleration          1US (XGS 3100, 3300), 1UL (XGS 4300, 4500),
(for TLS traffic          2U (XGS 5500, 6500, 7500, 8500)
inspected by the
DPI engine)
IPsec acceleration        All XGS Series
Firewall acceleration     All XGS Series

Virtual and software deployments

Virtual and software deployments of Sophos Firewall only offer firewall acceleration, using the same x86 CPU for offloaded traffic. They don't offer PKI and IPsec acceleration.

Hypervisor support: Virtual FastPath (VFP) supports the VMware ESXi hypervisor. For other hypervisors and cloud-based deployments, VFP is automatically turned off. Sophos Firewall still functions fully, including the DPI engine, but without the FastPath performance enhancements. For more information, see CLI commands for firewall acceleration.

NIC drivers: VFP supports the NIC drivers i40e, e1000, e1000e, igb, ixgbe, and vmxnet3. It doesn't load on other drivers. Sophos Firewall still functions fully, including the DPI engine, for the unsupported drivers but without the FastPath performance enhancements.

MTU: VFP supports an MTU of up to 3500 on e1000 and e1000e NICs and up to 9000 on the other supported drivers.

Offloaded network flow

Firewall, PKI, and IPsec acceleration are turned on by default. Their availability depends on the appliance series and the SFOS version.

Note

Turning firewall and PKI acceleration on or off restarts the IPS service (DPI engine) every time.

After a TCP handshake is complete or one packet from each direction passes through Sophos Firewall, SlowPath fully classifies the flow and programs a connection cache in FastPath. It offloads kernel processing for subsequent packets in the same connection to FastPath.

DPI engine: The DPI engine inspects traffic from layer 4 and higher through stream processing. It applies SSL/TLS decryption and inspection, IPS policies, application identification and control, web policies (including proxy-less web filtering), and antivirus scanning in a single engine. Antivirus scanning includes Zero-day protection and file reputation analysis.

Offloading decisions are made at each stage of security processing.

FastPath offloading: SlowPath delivers packets to the DPI engine through the kernel. Packets are sent through the Data Acquisition (DAQ) layer for security decisions if security policies apply. FastPath delivers the offloaded packets directly to the DPI engine through the DAQ layer, eliminating the need to retain copies in kernel memory.

If the DPI engine determines that the traffic can be offloaded, it instructs FastPath to cut off the flow from SlowPath and the DPI engine. The ability to offload some or all processing minimizes the load on the CPU.

Turning firewall acceleration on or off: When you turn off firewall acceleration on the CLI console, or when FastPath doesn't load, Sophos Firewall continues to function fully but without the performance enhancements of FastPath.

To turn firewall acceleration on or off and see the status, see CLI commands for firewall acceleration.

Restrictions

The following restrictions apply to firewall acceleration:

  • Doesn't support offloading for SSL VPN, QoS, DoS, RED, LAG, and PPPoE traffic.
  • Supports offloading only for some types of bridge deployments.
  • Doesn't support firewall acceleration for Active-active HA. Supports firewall acceleration for Active-passive HA on the primary node.
  • Optionally, offloading can remain on when tcpdump is run. You can configure FastPath traffic to be sent to tcpdump.

Offloading based on rules and policies

You can configure rules and policies that enable the NPU to handle traffic fully, bypassing the firewall stack and the DPI engine. This lets you tune offloading, based on traffic characteristics, to accelerate cloud application traffic or DPI engine processing.

Examples are as follows:

  • A firewall rule without IPS, web filtering, antivirus, or application control. Traffic is offloaded to FastPath after the TCP handshake completes or, for other traffic, after the initial packet from each side of the connection passes through Sophos Firewall.
  • A firewall rule with an application control policy. Traffic is offloaded to FastPath after about eight packets.
  • A firewall rule with IPS policy set to the rule action Bypass session. Traffic that matches IPS policy rules with this action is offloaded to FastPath.
  • A firewall rule with the following policies:
    • An IPS policy containing intelligent offload signatures from SophosLabs.
    • Web filtering without malware and content scanning or DPI engine settings. For firewall rules with malware and content scanning and DPI engine settings, FastPath delivers traffic to the DPI engine directly, bypassing the firewall stack.
  • No SSL/TLS inspection rules. For rules with the action set to Decrypt, FastPath delivers traffic to the DPI engine directly, bypassing the firewall stack.
  • SSL/TLS inspection rules with the action set to Don't decrypt. For STARTTLS connections, traffic is offloaded to FastPath after 15 packets.
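To make the offloading behaviour described under "Offloaded network flow", "Restrictions" and the rule examples above concrete, the following added example (written for this page, not Sophos code) models the decision as a small Python function: restrictions are checked first, then whether FastPath hands the flow to the DPI engine or cuts it off from SlowPath and DPI entirely, together with the packet count the page states where it gives one. The field names, the "inspect" IPS label and the "fastpath_to_dpi" outcome are assumptions; where the page gives no packet count the model returns None.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Traffic types the page lists as not offloadable by firewall acceleration.
NO_OFFLOAD_TRAFFIC = {"ssl_vpn", "qos", "dos", "red", "lag", "pppoe"}


@dataclass
class Flow:
    """One connection plus the firewall rule it matched (constructed model)."""
    traffic_type: str = "plain"       # e.g. "plain", "ssl_vpn", "pppoe"
    tcp: bool = True
    starttls: bool = False
    ha_mode: str = "none"             # "none", "active_passive", "active_active"
    ips: Optional[str] = None         # None, "bypass_session", "intelligent_offload", "inspect"
    web_filtering: bool = False
    malware_scan: bool = False        # malware/content scanning or DPI engine settings
    antivirus: bool = False
    app_control: bool = False
    tls_action: Optional[str] = None  # None, "decrypt", "dont_decrypt"


def offload_decision(f: Flow) -> Tuple[str, Optional[int]]:
    """Return (path, packets seen before the flow is offloaded or None)."""
    # Restrictions win: these flows stay in SlowPath and are never offloaded.
    if f.traffic_type in NO_OFFLOAD_TRAFFIC or f.ha_mode == "active_active":
        return "slowpath", None
    # Decrypt actions and malware/content scanning keep the DPI engine in the
    # loop, but FastPath delivers the packets to it directly via the DAQ layer.
    if f.tls_action == "decrypt" or (f.web_filtering and f.malware_scan):
        return "fastpath_to_dpi", None
    # Assumption: antivirus and full IPS inspection are handled the same way.
    if f.antivirus or f.ips == "inspect":
        return "fastpath_to_dpi", None
    if f.ips == "bypass_session":
        return "fastpath", None           # offloaded on match; no count stated
    if f.app_control:
        return "fastpath", 8              # "after about eight packets"
    if f.tls_action == "dont_decrypt" and f.starttls:
        return "fastpath", 15             # STARTTLS: after 15 packets
    if f.web_filtering or f.ips == "intelligent_offload":
        return "fastpath", None           # offloadable; no count stated
    # Rule with no IPS, web filtering, antivirus or app control: after the TCP
    # handshake (3 packets), or one packet in each direction otherwise.
    return "fastpath", 3 if f.tcp else 2
```

The "fastpath_to_dpi" outcome is the one to watch when reviewing a rule set: those flows still reach the DPI engine, whereas "fastpath" flows are cut off from SlowPath and DPI once the stated packet count has passed.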