Questions about the FastPath Feature

Hi Sophos-Team,

I searched for the topic, but I haven't found a thread for it. Therefore I'd like to start a discussion/knowledge collection about the new fastpath feature.

My XG shows the following console output:

console> system firewall-acceleration show 

Firewall Acceleration is Enabled. Fastpath Load Failed.

Is this related to the new fast path feature?

What could be the reason for the failure?

Is the fast path feature available to SW appliances / virtual machines / home users etc.?

Thanks and Best Regards

Dom

Parents
  • Hi Dom Nik,

          Thanks for your feedback. Please find the answer inline.

    Is this related to the new fast-path feature?

    Yes, This issue already identified and tracked using Jira id NC-51957 which is fixed in upcoming next v18 release.

    What could be the reason for the failure?

    Your XG firewall ethernet driver is not supported fast-path feature.Please share ethtool -i <your interface name> output.

    Is the fast path feature available to SW appliances / virtual machines/home users etc.?

    It depends on the ethernet interface driver.

  • Hi Apurv,

    I'm using the virtio-net drivers:

    SFVH_SO01_SFOS 18.0.0 EAP3-Refresh1# ethtool -i Port1
    driver: virtio_net_nm
    version: 1.0.0
    firmware-version:
    expansion-rom-version:
    bus-info: 0000:00:12.0
    supports-statistics: no
    supports-test: no
    supports-eeprom-access: no
    supports-register-dump: no
    supports-priv-flags: no

    Please let me know if there is a better solution for KVM. :-)

    Thanks and Best Regards

    Dom

  • Dear

    We are using VM with ESX6.7 and it is working.

    Sophos Firmware Version SFOS 18.0.0 EAP3-Refresh1

    console> system firewall-acceleration show
    Firewall Acceleration is Enabled.
    console>

  • Can you try to change driver to e1000 in your network configuration?

    Currently fastpath supports the following NIC drivers: i40e, e1000, e1000e, igb, ixgbe, vmxnet3.  If fastpath is enabled when system has no supported NICs, fastpath load will fail but system will still be fully functional without the performance enhancements provided by fastpath

     

    We are investigating the support for virtio_net in NC-51957 (Edit: and NC-54940)

    Stuart

Reply
  • Can you try to change driver to e1000 in your network configuration?

    Currently fastpath supports the following NIC drivers: i40e, e1000, e1000e, igb, ixgbe, vmxnet3.  If fastpath is enabled when system has no supported NICs, fastpath load will fail but system will still be fully functional without the performance enhancements provided by fastpath

     

    We are investigating the support for virtio_net in NC-51957 (Edit: and NC-54940)

    Stuart

Children
  • Hi together,

    I checked it with the following results:

    Using e1000 on kvm:

    Fast Path error is gone, but the CPU load is almost twice compared to virtio, while softirq is consuming 40% more per cpu core with a 200mbit/s test. (tso and gso are both disabled in XG by default.)

    Using vmxnet3 on kvm:

    Fast Path error is gone, but CPU load is 30-50% higher than virtio, while softirq is consuming 10-20% more per cpu core with a 200mbit/s test. (tso and gso are both disabled in XG by default.)

     

    Therefore I think that fastpath wouldn't bring a benefit while the other adapter types in kvm will lower the performance signifcantly.

    Best Regards

    Dom

  • We are currently investigating the issue with the virtio driver and tracking this in NC-54940