Sophos Firewall: Checking FastPath Offloading

Sophos Firewall uses FastTrack to offload traffic that is known not to be dangerous to a faster path. In the new XGS hardware models, this traffic is pushed to the new Xstream Flow Processor:

“In the XG series we used a virtual FastPath that was processed by the CPU. The XGS series includes an Xstream Flow Processor that sits between the physical ports and the CPU, with a PCIe (PCI Express) interconnect between them. The Xstream Flow Processor handles the traffic that is offloaded to the FastPath reducing the load on the CPU for other tasks that cannot be offloaded.”

To check whether traffic is being offloaded to the FastPath on an XGS series device, start by checking on the console whether firewall acceleration is enabled, with the command:

console> system firewall-acceleration show

You can also use the system firewall-acceleration command to enable and disable the FastPath.

To check a specific connection, you can use conntrack on the advanced shell.

You can also review the counters that show how many packets are being offloaded to the FastPath. On the advanced shell, use the command:

# worker_sys_cnt
