Sophos Firewall v19.5: Xstream TLS FastPath architecture enhancements

Credit to Author: Chris McCormack | Date: Mon, 17 Oct 2022 14:20:56 +0000

With Sophos Firewall v19.5 firmware now available for early access, we are covering one of the top new features every week leading up to launch.

In last week’s article, we covered the new SD-WAN load balancing feature that rounds out the full suite of Xstream SD-WAN capabilities in Sophos Firewall.

This week, we’ll have a look at the latest enhancements to the Xstream Architecture in Sophos Firewall, Xstream TLS FastPath.

Xstream Architecture

Sophos Firewall first introduced the Xstream Architecture in v18, but it really came to life with the introduction of the XGS Series appliances with dedicated Xstream Flow Processors for hardware acceleration.

The illustration below outlines the internal architecture of the XGS Series appliances and how the Xstream Flow Processors provide FastPath acceleration for VPN, SD-WAN, and now TLS traffic flows.

Programmable processors = free performance upgrades

One of the key benefits of the Xstream Architecture and the Xstream Flow Processors is that they are programmable. This means that new features and capabilities can be added over time.

For example, when the XGS Series launched, it initially supported FastPath acceleration of SD-WAN application traffic for up to double the performance of previous-generation appliances. With v19, we added IPsec VPN acceleration, which provided up to a 5x increase in VPN traffic capacity.

Now with v19.5, we’re adding TLS traffic inspection to the FastPath. This enables a significant performance boost both for TLS encrypted traffic and for the firewall overall, by adding headroom for traffic that needs deep packet inspection.

Our design ensures your investment in Sophos Firewall and the XGS Series is protected and future-proof as you get free performance upgrades with every release.

TLS FastPath acceleration in v19.5

Sophos Firewall already has the best TLS inspection technology in the business, including…

  • TLS 1.3 without downgrading
  • Support for the latest cipher suites
  • Powerful policy tools
  • Instant visibility and troubleshooting right from the dashboard

Now, SFOS v19.5 adds FastPath acceleration of TLS encrypted traffic for select XGS Series appliances. It automatically puts the CPU-intensive asymmetric encryption operations for inspected TLS traffic flows on the FastPath through the Xstream Flow Processor.

This takes full advantage of the hardware’s asymmetric crypto capabilities within the Xstream Flow Processor and has the benefit of improving overall throughput and freeing up CPU resources for other tasks like deep-packet inspection.

This new capability will initially be supported on the high-end XGS 4xxx and above only, which covers the vast majority of partners and customers utilizing TLS inspection today. Eventually, support will also be extended to other models in the series.

If you want a quick refresher on the exciting Xstream technology packed into every XGS Series appliance, be sure to check out this video:

Check out all the new features in v19.5

Sophos Firewall OS v19.5 includes a ton of great new capabilities. Check out the full list of what’s new in this What’s New PDF download.

Early access

Start taking advantage of all the great new features in SFOS v19.5 today and help us make this release the best it can be by participating in the early access program. Visit the SFOS v19.5 EAP registration page to get started.

Sophos Firewall OS v19.5 EAP1 is a fully supported upgrade from any v18.5 firmware as well as v19, including the very recent v19 MR1 build 365 release.

Once you’re up and running, please provide feedback through your Sophos Firewall’s feedback mechanism (top right of every screen on your Firewall). Also visit our EAP community forums to share your experiences with others.
