Life of a packet – Sophos Firewall


Sophos Firewall appliances are next-generation firewalls securing the network, endpoint devices, and data in transit using advanced networking, application, and user controls.

Sophos Firewall appliances offload trusted traffic to FastPath after inspecting the initial packets in a connection. FastPath processes layer 2 and higher traffic, delivering packets at wire speed. Generally, most firewall processing applies in full on each packet, using more processing cycles than necessary. Offloading enables Sophos Firewall to minimize processing cycles.

XG Series appliances running SFOS 18.0 and later versions come with Virtual FastPath that runs on the host x86 CPU when traffic is offloaded with firewall acceleration.

XGS Series appliances are based on Xstream architecture, which is a dual-processor architecture. This combines a multi-core x86 CPU with a dedicated Xstream Flow Processor, which is a Network Processing Unit (NPU). It runs as a dedicated co-processor when traffic is offloaded, freeing the host CPU for resource-intensive processes. XGS Series appliances are available from 18.5 and later versions. These appliances offer firewall acceleration on 18.5 versions.

IPsec acceleration is available on XGS Series appliances on 19.0 and later versions.

This article describes the processing and offloading mechanisms on XGS Series appliances.

Summary of FastPath offloading for SFOS versions

  • 19.0 and later: Firewall and IPsec acceleration on XGS Series appliances. Only firewall acceleration on XG Series appliances.
  • 18.5: Firewall acceleration on XGS and XG Series appliances. XGS Series appliances deliver higher efficiencies with their dual-processor architecture.
  • 18.0: Firewall acceleration on XG Series appliances.

Benefits of offloading

SFOS delivers high-speed processing using the following offloading mechanism:

  • SlowPath offloads some or all processing to FastPath, minimizing CPU load and packet latency and maximizing packet throughput.
  • The NPU uses the zero-copy mechanism to send packets directly to the deep packet inspection engine saving host CPU cycles for SlowPath processing.
  • Additionally, Xstream architecture enables XGS Series firewalls to offload IPsec encryption and decryption, freeing up resources on the host CPU.

The policies and settings you configure determine SlowPath processing and the DPI engine's security policy enforcement.

You can use the advanced protection settings and security policies, including SSL/TLS inspection, IPS, web filtering, application control, and full antivirus scanning for traffic that requires the complete protection Sophos Firewall offers.

Xstream architecture

XGS Series appliances have a dual-processor architecture, which combines a multi-core x86 CPU with a dedicated Xstream Flow Processor for hardware acceleration. The Xstream Flow Processor is a Network Processing Unit (NPU), which accelerates trusted traffic flow, freeing up resources on the host CPU for resource-intensive tasks, such as TLS inspection and deep packet inspection.

These appliances deliver firewall and IPsec acceleration in 19.0 and later versions. After inspecting the initial packets in a connection, the x86 CPU offloads trusted traffic to FastPath, which runs on the dedicated Xstream Flow Processor specifically designed for FastPath operations. Additionally, these appliances perform IPsec acceleration, offloading encryption and decryption to FastPath. This enables the XGS Series appliances to deliver higher processing efficiencies.

The XG Series appliances offload trusted traffic to FastPath on the same x86 CPU and deliver only firewall acceleration.


The data plane uses both hardware and software components, delivering high levels of processing efficiency. It contains the following domains and processes:

x86 CPU

  • SlowPath
    • Firewall stack (kernel)
    • User space modules: DPI engine, proxy applications, and WAF, malware scanning, anti-spam, SSL VPN engine
    • Offload module: Determines the flows to offload intelligently.


  • FastPath
    • Firewall acceleration
    • IPsec acceleration

Types of acceleration

SFOS performs firewall and IPsec acceleration by offloading trusted traffic to FastPath. Both types of acceleration are turned on by default.

Firewall acceleration

If the firewall rule’s security policies don’t apply to a flow, SlowPath can make the decision to offload the flow to FastPath. If security policies apply, requiring DPI engine processing, SlowPath instructs FastPath to deliver subsequent packets to the DPI engine through direct packet delivery. After the DPI engine processes the packets, if it decides to offload the flow based on application processing or a safe verdict from Sophos Labs, it instructs FastPath to cut-off the flow from SlowPath, and then full firewall acceleration takes place.

IPsec acceleration

The firewall offloads CPU-intensive processes, such as ESP encapsulation, encryption, decapsulation, and decryption, to the NPU, freeing up the x86 host CPU. This is made possible by the NPU's hardware crypto capabilities. Additionally, IPsec acceleration improves the throughput for IPsec VPN tunnels.

Criteria for offloading SAs

The firewall offloads IPsec encryption and decryption to FastPath based on the phase 2 Security Association (SA). It offloads SAs for all the encryption and authentication combinations available on Sophos Firewall except the following:

  • 3DES
  • BlowFish
  • MD5

We recommend using the AES-GCM 128 cipher for best performance.

HA behavior

IPsec acceleration takes place only on the primary node in both active-passive and active-active HA. When the primary node goes down, and the auxiliary takes over, the SAs are renegotiated. Existing keys are removed, and the new primary node makes the decision for offloading the SAs.

Active-passive HA: Additionally, if the inner traffic qualifies for FastPath offloading, firewall acceleration takes place only on the primary node.

Active-active HA: Firewall acceleration isn't available in active-active HA and processing takes place on the SlowPath.

Support for offloading

Currently, the firewall places the following restrictions on offloading:

  • Doesn't support offloading for SSL VPN, proxies, WAF, QoS, DoS, wireless, RED, LAG, and PPPoE traffic.
  • Doesn't offload IP fragmented traffic.
  • Supports offloading only for some types of bridge deployments.
  • Doesn't support firewall acceleration for active-active HA. It supports IPsec acceleration for active-active HA on the primary node.
  • Supports firewall and IPsec acceleration in active-passive HA on the primary node.
  • Doesn't support IPsec acceleration, that is, it doesn't offload SAs for IPsec tunnels over VLAN and wireless interfaces.
  • Optionally, offloading can remain on when tcpdump is run. FastPath traffic can be configured to be sent to tcpdump for SFOS 18.5 MR2 and later.

Firewall acceleration

A summary of how SlowPath processes the first packet in the ingress and egress stages is as follows:

Ingress stage: SlowPath performs stateful inspection on the initial packet of a connection. It does the following during the ingress stage:

SlowPath decisions:

  • Applies DoS (Denial of Service) policies.
  • Applies the firewall rule action.
  • Applies DNAT rules.
  • Makes layer 2 and layer 3 decisions that include routing, switching, forwarding, and RED traffic-related decisions.
  • Makes decisions related to ingress decapsulation and decryption, including decisions for IPsec VPNs (if IPsec acceleration is turned off).

Transfer to the DPI engine: After SlowPath processes the first ingress packet, it transfers the packet to the DPI engine if security policies apply to the traffic. The DPI engine enforces the security policy decisions and transfers the packet back to SlowPath.

Egress stage: SlowPath does the following during the egress stage:

  • Applies source NAT (SNAT) rules.
  • Applies QoS (traffic shaping) policies.
  • Makes decisions related to egress encryption and encapsulation for IPsec VPNs (if IPsec acceleration is turned off).

The packet is then forwarded to its destination.

Firewall acceleration (SlowPath processing offloaded to FastPath)

After SlowPath fully classifies the flow and decides that the flow is eligible for offload, it programs a connection cache in FastPath. Subsequent packets in the connection are offloaded to FastPath.

After the offload, SlowPath continues to manage the connection, which requires a small amount of x86 CPU involvement. If traffic can't be offloaded for any reason, SlowPath continues to process the packets in the connection.

The full details of how firewall acceleration takes place in the ingress and egress stages are as follows:

Ingress stage

After reassembling packets received on the SFOS interface, SlowPath drops malformed packets, including those with TCP/IP protocol anomalies, such as malformed headers and those that don't meet specifications, such as TCP time-outs, maximum segment size, and retransmissions.

SlowPath then implements the following processing in the ingress stage:

RED traffic

SlowPath allows incoming packets from existing RED tunnels. These are connections from Sophos Firewall to a Remote Ethernet Device (RED) or site-to-site connections between two Sophos Firewall devices using a layer 2 RED tunnel.

RED devices connect remote offices through encrypted tunnels over the WAN zone. Sophos Firewall in the head office and the RED device in the remote office contain a RED core engine, which processes the RED traffic. Static routes determine RED traffic routing from the branch office to the head office.

The RED core engine in Sophos Firewall decrypts traffic from the remote office to the head office and transfers it to SlowPath to implement firewall and NAT rules.

For outgoing traffic from the head office to the remote office, SlowPath implements firewall and NAT rules and then transfers the traffic to the RED core engine for encryption. After encrypting the traffic, the RED core engine forwards traffic to the remote office. RED traffic isn't offloaded to FastPath.

DoS & spoof protection

SlowPath applies DoS (Denial of Service) and spoof protection policies on all traffic, including traffic that bypasses stateful firewall inspection through connection bypass ACLs created on the command-line interface. Traffic crossing the SYN, UDP, TCP, and ICMP flood thresholds specified in DoS settings is dropped.

Traffic bypasses DoS protection checks for exceptions specified in DoS bypass rules. Traffic related to DoS checks isn't offloaded to FastPath.

Advanced protection

SlowPath checks IP addresses based on the advanced threat protection (ATP) database. If Sophos Firewall is configured as the DNS server, SlowPath also checks the domain names with the ATP database. If it finds the IP addresses or domain names in the database, it takes the action specified in the ATP module.


SlowPath looks up the following rules and parameters matching the traffic criteria:

  • Destination NAT rule: For incoming traffic, SlowPath looks up the destination NAT rule matching the packet's original source, destination, and service, and the inbound and outbound interfaces. It tags the packet with the DNAT rule ID. Address translation is done later in the processing. The translated destination's zone is identified as the destination zone for firewall rule lookup and processing. For example, if the translated destination IP address of the web server belongs to the DMZ, SlowPath tags the packet with DMZ as the destination zone.
  • SD-WAN route: SD-WAN routes are matched with users and applications in addition to the 5-tuple criteria. SlowPath obtains the source and destination IP addresses, service, inbound interface, and the user ID for the first connection. The destination IP address is the translated destination IP address in the DNAT lookup.
    The packet is tagged with the matching SD-WAN route for processing later in the flow. The SD-WAN route determines the destination interface based on the specified gateway.
    After the application module in the DPI engine identifies the application, SlowPath matches an SD-WAN route for subsequent connections to the same application.
    Route lookup also identifies system-destined traffic.
  • Security Heartbeat: If Synchronized Security is turned on, the Security Heartbeat engine shares the endpoint's Heartbeat status (health status) along with the source IP address.
  • Users: SlowPath looks up the user ID associated with the source IP address of the packet. It also determines the groups to which the user belongs.

Firewall rule lookup and processing

SlowPath matches firewall rules based on the following traffic criteria:

Type Lookup criteria
Network criteria
  • Source port and IP address
  • Source zones
  • Destination port and IP address
  • Destination zones
  • Services
User identity
  • Users (based on the source IP address)
  • Groups
  • Unknown users
Heartbeat status
  • Red
  • Green
  • Yellow
  • Missing

If none of the firewall rules match the criteria, the default "Drop all" rule (ID 0) applies, and the packets are dropped. Traffic is blocked if the matching firewall rule has its action set to drop or reject.

For traffic with the firewall rule action set to accept, the connection is tagged with the firewall rule ID and the security policies specified in the rule, such as web filter, application filter, IPS, and QoS policies. SlowPath also flags logging and antivirus scanning if they're specified in the firewall rule.

If the user identity remains unknown, the connection is dropped, and the captive portal is shown to the user. After the user signs in through the captive portal, the user identity becomes available, and SlowPath processes the initial packet.

Routing processing

The default routing precedence in Sophos Firewall is static route, SD-WAN route, VPN route.

  • Static routes: If the default precedence is retained, SlowPath first applies static routes. These refer to directly connected networks, dynamic routing protocols, unicast routes, and SSL VPN connections.
  • SD-WAN routes: If a static route doesn't match the traffic, SlowPath implements the SD-WAN route identified earlier in the process and routes traffic through the gateway specified in the route. Based on the specified settings, it performs failover between the primary and backup gateways with fallback to the default WAN link manager load balancing.
    If an application object is specified in the SD-WAN route, an SD-WAN route without application criteria is matched for the first connection. For subsequent connections, an application-based SD-WAN route is applied.
  • VPN routes: If traffic doesn't match the above two routes, SlowPath matches VPN routes. These apply to IPsec traffic to be decapsulated and decrypted.
  • Default route (WAN link load balance): If traffic doesn't match any of these routes, SlowPath applies the default route, which is WAN link load balancing among the gateways listed in the WAN link manager.


IPsec connections are used for site-to-site (policy-based and route-based) and remote access tunnels.

If IPsec acceleration is turned off or SAs aren’t offloaded to FastPath, the incoming IPsec (ESP) packet is sent to SlowPath for decapsulation and decryption. SlowPath then transfers the packet to the XFRM stack, which is on SlowPath. The XFRM stack decapsulates and decrypts the packet based on the Security Parameter Index (SPI). It then transfers the decrypted traffic back to SlowPath. The packet then goes through SlowPath processes from DoS and spoof protection to routing.

If SlowPath decides to offload (firewall acceleration) the inner (decrypted) packets, it instructs the NPU. Subsequent packets arriving in this tunnel are then retained on FastPath and are cut-off from SlowPath.

Egress stage

After the DPI engine enforces security policies, egress traffic is handed over to SlowPath. SlowPath then processes traffic exiting Sophos Firewall. The processing flow in the egress stage is as follows:

  • Source NAT
  • Psec VPN
  • QoS (Quality of service)

Source NAT

SlowPath applies the matching SNAT rule to outgoing traffic. It applies SNAT to IPsec VPN packets if NAT settings are specified in the configured IPsec connection. If translation isn't specified, the default SNAT rule applies, masquerading the source IP address.


Suppose IPsec acceleration is turned off or the SAs aren’t offloaded to FastPath. After routing, SlowPath transfers packets egressing towards the VPN zone through IPsec0 (IPsec virtual interface) and virtual tunnel interfaces to the XFRM stack.

The XFRM stack uses the packet's source and destination IP addresses and ports, the protocol, and listening interface to match the IPsec connection and profile. It encrypts and encapsulates the traffic based on the IPsec profile's criteria. It then transfers the packet to SlowPath for egress processing.


SlowPath implements traffic shaping based on the policy specified in the firewall rule and sends the packets to layer 2 for transmission outside the network. The packets then exit Sophos Firewall through the egress interface. QoS traffic isn't offloaded to FastPath.

After a complete handshake or the first packet of every connection flows through SlowPath, a classification decision is made. Traffic that doesn't require DPI engine processing and meets all other criteria for FastPath eligibility is offloaded to FastPath.

User space modules

The user space contains the following modules:

  • Proxy applications and WAF
  • Malware scanning
  • Anti-spam
  • DPI engine

Proxy applications and WAF

This component contains the web proxy, FTP, email, and WAF engines.

Web proxy

The web proxy operates in the user space, but not in the DPI engine. If web proxy filtering (instead of the DPI engine) is specified in the firewall rule, traffic is handed over to the web proxy engine. The engine decrypts HTTPS traffic on the standard port 443, identifies the category, and enforces the specified web policy.

Web content scanning takes place in the antivirus engine in real-time or batch mode based on the scanning settings configured in the web module. Even when web proxy is selected, web content filtering over non-standard ports takes place in the DPI engine.

However, if web proxy isn't selected in the firewall rule, the DPI engine implements web filtering, including HTTPS decryption based on SSL/TLS inspection rules. It also enforces web policy settings and content scanning.

FTP protection

Protection for file transfers takes place here. You set the FTP scanning settings in the firewall rule.

Email protection

SlowPath forwards SMTP/S, POP/S, and IMAP/S traffic to the email engine. The engine processes emails in both MTA (Mail Transfer Agent) and transparent proxy modes. Depending on the mode in which Sophos Firewall is deployed, it applies SMTP and POP-IMAP policies for spam and malware.

The engine encrypts outgoing traffic based on the SPX encryption template and decrypts incoming traffic based on the email settings. The email engine sends packets to the antivirus engine for malware processing and to the anti-spam engine for spam check

WAF (Web server protection)

The reverse proxy processes incoming connections to web applications hosted within the network.

SlowPath identifies the WAF rule based on the port and destination IP address, which is a WAN interface or public IP address, and transfers the packets to the WAF engine. The WAF engine communicates with the database and applies the settings and modifications specified in the WAF rule, such as an HTML rewrite. It then sends a response to the client (browser).

If form-based authentication is configured, the WAF engine shows a sign-in page, performing reverse proxy authentication. After the user is authenticated, the WAF engine performs the modifications specified.

If the domain name isn't configured in WAF, the engine shows an error page. An error page is also shown when the WAF engine blocks requests based on malware scan or common threat filter (CTF) results. WAF traffic isn't offloaded to FastPath.

Malware scanning

This component contains antivirus scanning and zero-day protection.


Antivirus scanning takes place for web, FTP, email, and WAF traffic. Sophos Firewall performs streaming antivirus scanning. If the DPI engine passes a verdict that the traffic is safe, antivirus scanning doesn't take place for traffic flowing through the DPI engine.

Zero-day protection

Files are sent for detonation to a data center in the cloud over a secure connection based on your settings. You can exclude specific file types in email attachments and web downloads from analysis by zero-day protection.


Packets are sent to the anti-spam module for spam scanning based on the settings in the SMTP policies.


Sophos Firewall listens on the default port 8443 over TCP and UDP protocols for SSL VPN packets. The local service ACL must allow SSL VPN access for the packet's source and destination zones. Sophos Firewall implements SSL/TLS-based VPN using OpenVPN, which runs in the user space.

For incoming SSL VPN traffic, OpenVPN decrypts the packet and sends it to SlowPath using the TUN interface. Decrypted packets then go through the regular SlowPath processing.

For outgoing SSL VPN traffic, SlowPath routes packets to the Tun0 interface based on the routing entry added for the destination when the SSL VPN tunnel came up. Packets are transferred through the Tun0 interface to OpenVPN in the user space. The OpenVPN stack encrypts the packets and transfers them to SlowPath for encapsulation and QoS

DPI engine

After the ingress stage, the DPI engine enforces security policies based on the tagging performed during the firewall rule lookup. The engine is in the user space and enforces the following security rules and policies:

  • SSL/TLS inspection
  • Application identification and control
  • Intrusion prevention
  • Web filtering with the DPI engine

The DPI engine inspects traffic from layer 4 to 7 using stream processing. Offloading decisions are taken at each stage of security processing based on the verdicts passed by the security modules.

SlowPath transfers the first packet to the DPI engine to enforce security policies and categorize the traffic. For subsequent packets, which are offloaded to FastPath, FastPath transfers the packets to the DPI engine through direct packet delivery.

Packet transfer takes place through the DAQ (Data Acquisition) layer. After applying security policies, the DPI engine transfers the traffic back through the DAQ layer to SlowPath or FastPath, depending on the system that sent the packets.

The DAQ layer provides a direct path for the hardware to write packet buffers into the DPI engine address space, ensuring zero-copy buffers. It also provides I/O multiplexing and routing of shared packet buffers among the DPI engine components so that packets are moved in and out of the DPI engine rapidly.

Application identification and control

The initial packets of a connection are delivered to the DPI engine for application identification. The engine classifies the application after approximately eight packets and gives a policy verdict for application control.

The verdict may also include new forwarding behavior, which is implemented on subsequent connections that contain the identified application. The verdict may also include new QoS parameters, which are implemented on the current connection. The DAQ layer communicates these decisions to SlowPath.

Intrusion prevention

IPS may pass a verdict to stop security processing based on factors, such as a safe signature or verdict from SophosLabs, earlier verdicts, or a matching IPS policy with a bypass session rule attached to it. For files that need antivirus scanning, packets are shared with the antivirus module.

SSL/TLS inspection

SSL/TLS inspection must be turned on to enforce inspection and decryption. For unencrypted traffic, the SSL/TLS module informs the DAQ layer that SSL/TLS processing isn't required for the flow.

For encrypted traffic, the DPI engine modifies the traffic to perform man-in-the-middle inspection. The engine continues to modify traffic throughout the connection lifetime to ensure the connection isn't dropped because of the modification. After decryption, the other modules in the DPI engine perform security processing.

Web filtering with DPI engine

The DPI engine applies the web policy and allows or blocks web traffic based on the scanning results and the web category, URL group, file type, and user activity specified in the web policy. When the DPI engine is selected in the firewall rule, the engine performs web content filtering over standard and non-standard ports. When web filtering applies to the traffic, web traffic scanning continues until the end of the flow, depending on the HTTP responses that are returned. The packets are transferred to the antivirus module for scanning.

The traffic is then offloaded to FastPath. Traffic may not be fully offloaded because of SSL/TLS inspection and web filtering. Fully offloaded traffic attains cut-off from SlowPath.

Firewall acceleration turned on. IPsec acceleration turned off.

IPsec acceleration

Ingress stage

SlowPath offloads SAs for the encryption and authentication combinations available on the firewall with some exceptions to FastPath. So, the decryption keys and other SA parameters for offloaded SAs are sent to the Xstream processor (the NPU) before any packets arrive in the VPN tunnel.

Packets first arrive at the Xstream processor on the FastPath. For ESP packets, the NPU looks up the SPI (Security Parameter Index) and verifies the following:

  • The packet has an offloaded SA.
  • The packet's source and destination IP addresses match those expected for the SA.
  • The packet has a valid ESP sequence field. Replayed packets are considered invalid.

If the packet meets these conditions, FastPath decrypts the packet and examines the inner packet. It marks the first packet in a new connection to send it to the XFRM stack, then delivers this inner packet to SlowPath. The XFRM stack sends the packet to SlowPath for further processing from DoS and spoof protection to routing. If SlowPath decides to offload (firewall acceleration) the inner flow, it instructs the NPU. Subsequent packets arriving in this tunnel are then retained on FastPath for offloaded processing.

If the packet doesn't meet the above three conditions, SlowPath transfers valid IPsec VPN traffic to the XFRM stack. After the XFRM stack decrypts the packet based on the SPI, it sends the inner packet to SlowPath for further processing.

Egress stage

After SNAT processing, SlowPath makes the decision to offload encryption and encapsulation to FastPath if the SAs qualify for offloading. QoS processing takes place and then the traffic is offloaded to FastPath. After encryption and encapsulation on the NPU, the packets exit the firewall through the egress interface.

Highlighted the components of IPsec acceleration

Highlighted the components of IPsec acceleration

Firewall and IPsec acceleration

IPsec VPN traffic can qualify for one of the following offload processes based on whether firewall and IPsec acceleration are turned on or off and whether the traffic qualifies for offloading:

Full offload: For offloaded SAs, FastPath encapsulates, encrypts, decapsulates, and decrypts the corresponding IPsec VPN packets. Additionally, if the inner traffic qualifies, SlowPath processing is offloaded to FastPath, delivering full offload.

FastPath and SlowPath: For offloaded SAs, FastPath decrypts or encrypts the IPsec VPN packets. If the inner traffic doesn't qualify for FastPath offloading, SlowPath performs the processing, including encapsulation and decapsulation. FastPath finalizes the encapsulation after encrypting the packet.

Full SlowPath: For SAs that aren't offloaded, SlowPath performs the entire packet processing.

Firewall and IPsec acceleration

IPsec acceleration: On IPsec acceleration: Off
Firewall acceleration: On

IPsec traffic:

Offloaded SAs: FastPath performs decryption and encryption of packets.

Additionally, firewall acceleration takes place if the inner traffic qualifies for FastPath offloading.

SAs not offloaded: SlowPath performs decryption, firewall stack processing, and encryption.

Non-IPsec traffic:

Firewall acceleration takes place if the inner traffic qualifies for FastPath offloading.

IPsec traffic: SlowPath performs decryption, firewall stack processing, and encryption.

Non-IPsec traffic: Firewall acceleration takes place for connections offloaded to FastPath.

Firewall acceleration: Off

IPsec traffic:

Offloaded SAs: FastPath decrypts incoming ESP packets. Decrypted packets are sent to SlowPath for firewall stack processing.

SlowPath encapsulates outgoing packets. FastPath encrypts the ESP packets.

Non-IPsec traffic:

SlowPath processes the traffic.
SlowPath processes all traffic.

Firewall and IPsec acceleration turned on

Firewall and IPsec acceleration turned on

How FastPath works

On the XGS Series appliances running SFOS 19.0 and later versions, traffic can be offloaded to FastPath for firewall and IPsec acceleration.

Firewall acceleration

The first packet of every connection flows through SlowPath. After the complete handshake occurs or the first packet from each direction passes through SlowPath, SlowPath fully classifies the flow.

The data plane then offloads some or all processing of subsequent packets from the CPU to FastPath on the Xstream Flow Processor throughout the connection's lifetime. These packets don't require further processing to verify their identity and destination.

For security processing, packets are handed over to the DPI engine by the CPU using the Netmap SlowPath component in the DAQ layer. The Xstream Flow Processor, that is, the NPU, hands over offloaded packets from FastPath to the DPI engine through the DPDK (Data Plane Development Kit) in the DAQ layer. FastPath provides an efficient, zero-copy path into the DPI engine. The ability to deliver packets directly to the DPI engine's buffers eliminates the need to retain copies in the kernel memory.

The DPI engine processes approximately eight packets before it determines the traffic to be safe. After it passes a verdict that the traffic is safe, the data plane offloads some or all security processing of subsequent packets to FastPath, completing the offload process for the connection.
Some or all processing of packets in the connection is offloaded to FastPath on the NPU from the x86 general-purpose CPUs. Offloading lightens the load on the x86 hardware. FastPath supports programmable network processors that can carry out the data plane operations at line rate.

The data plane uses the hardware to cache the classification decisions, such as encapsulation, decapsulation, routing and switching decisions, and security policy verdicts. The data plane programs a connection cache, containing the classification decisions, with FastPath.

FastPath acts only based on these classification decisions. It implements the classification decisions taken by SlowPath and the DPI engine to subsequent packets in the connection.

IPsec acceleration

For IPsec VPN tunnels, the XFRM stack on SlowPath makes the decision to offload SAs. For SAs that qualify for offloading, encryption and decryption are offloaded to FastPath in the NPU, freeing up CPU space. The decrypted traffic can also qualify for FastPath offloading.

FastPath statefully tracks individual connections, processing the packets fully without consuming PCIe bandwidth, x86 CPU cycles, and memory bandwidth. The offload lightens the load on the hardware and accelerates security processing.

To implement FastPath processing, see Offloading based on rules and policies.

Major overhaul of the content to reflect changes in Sophos Firewall v19.0
[edited by: R@DocSupport at 2:13 PM (GMT -7) on 23 May 2022]

Top Replies

  • Hey  

    Thank you for your kind words, the team has been working hard to get this published.

    For your question/comment regarding the DPI engine and data flow - could you please raise this as a separate…