Hi Sophos-Team,
I searched for the topic, but I haven't found a thread for it. Therefore I'd like to start a discussion/knowledge collection about the new fastpath feature.
My XG shows the following console output:
console> system firewall-acceleration show
Firewall Acceleration is Enabled. Fastpath Load Failed.
Is this related to the new fast path feature?
What could be the reason for the failure?
Is the fast path feature available to SW appliances / virtual machines / home users etc.?
Thanks and Best Regards
Dom
Hi Dom Nik,
Thanks for your feedback. Please find the answer inline.
Is this related to the new fast-path feature?
Yes, This issue already identified and tracked using Jira id NC-51957 which is fixed in upcoming next v18 release.
Your XG firewall ethernet driver is not supported fast-path feature.Please share ethtool -i <your interface name> output.
Is the fast path feature available to SW appliances / virtual machines/home users etc.?
It depends on the ethernet interface driver.
Hi Apurv,
I'm using the virtio-net drivers:
SFVH_SO01_SFOS 18.0.0 EAP3-Refresh1# ethtool -i Port1driver: virtio_net_nmversion: 1.0.0firmware-version: expansion-rom-version: bus-info: 0000:00:12.0supports-statistics: nosupports-test: nosupports-eeprom-access: nosupports-register-dump: nosupports-priv-flags: no
Please let me know if there is a better solution for KVM. :-)
Dear
We are using VM with ESX6.7 and it is working.
Sophos Firmware Version SFOS 18.0.0 EAP3-Refresh1console> system firewall-acceleration showFirewall Acceleration is Enabled.console>
Can you try to change driver to e1000 in your network configuration?
Currently fastpath supports the following NIC drivers: i40e, e1000, e1000e, igb, ixgbe, vmxnet3. If fastpath is enabled when system has no supported NICs, fastpath load will fail but system will still be fully functional without the performance enhancements provided by fastpath
We are investigating the support for virtio_net in NC-51957 (Edit: and NC-54940)
Stuart
Hi together,
I checked it with the following results:
Using e1000 on kvm:
Fast Path error is gone, but the CPU load is almost twice compared to virtio, while softirq is consuming 40% more per cpu core with a 200mbit/s test. (tso and gso are both disabled in XG by default.)
Using vmxnet3 on kvm:
Fast Path error is gone, but CPU load is 30-50% higher than virtio, while softirq is consuming 10-20% more per cpu core with a 200mbit/s test. (tso and gso are both disabled in XG by default.)
Therefore I think that fastpath wouldn't bring a benefit while the other adapter types in kvm will lower the performance signifcantly.
Best Regards
We are currently investigating the issue with the virtio driver and tracking this in NC-54940
I am getting this also from my software firewall, but this time not virtual. here is the output from the ethtool
SFVH_SO01_SFOS 18.0.0 EAP3-Refresh1# ethtool -i Port2driver: r8168version: 8.046.00-NAPIfirmware-version:expansion-rom-version:bus-info: 0000:03:00.0supports-statistics: yessupports-test: nosupports-eeprom-access: nosupports-register-dump: yessupports-priv-flags: no
is this going to be supported?
XG & UTM Architect (Systems: XG v18 & UTM 9.7 - Virtual, HW & SW)Curious enough to take it apart, skilled enough to put it back together, Clever enough to hide the extra parts when I'm Done!
Hi Argo,
the Realtek series on NIC are not high performance devices, they rely on off loading to the CPU so creating a fastpath driver for them would not seem logical or practical.
All the realtech devices are not used in commercial devices only home and low end PCs etc.
Ian
good to know, anyone know of a good NUC or mini pc that has high perf NICs for FastPath?
try this one
https://www.aliexpress.com/item/4000492465406.html?spm=a2g0o.detail.1000023.6.3d0c44c0v4uiBr
The Intel NUCs are usually based around the unsupported i219 series NICs, so check the specifications carefully.
There a number of threads in the normal XG forum about mini pcs, please search.