Sophos Firewall OS v19 includes several new innovations. In this blog series leading up to the general release of v19 in April, we will explore some of these great new features in more detail. If you missed the first article in this series, we covered many of the new Xstream SD-WAN capabilities.
In this article, we will cover another important Xstream SD-WAN feature that leverages the new Xstream Flow processors in all XGS Series appliances.
As you may recall, Sophos Firewall OS v18 introduced the Xstream architecture, which enables FastPath acceleration of trusted traffic flows. The new XGS Series hardware appliances added dedicated Xstream Flow processors for hardware acceleration of trusted traffic flows. One of the great benefits of the programmable flow processor is that additional features and capabilities can be added over time to further improve performance.
Xstream FastPath acceleration for IPsec VPN tunnel traffic
SFOS v19 adds IPsec VPN hardware FastPath acceleration for XGS Series appliances, which automatically puts IPsec tunnel flows on the FastPath through the Xstream Flow processor.
This moves the CPU-intensive processing required for IPsec tunnels, such as ESP encapsulation/encryption and decapsulation/decryption, to the Xstream Flow processor. This new feature takes full advantage of the hardware crypto capabilities within the Xstream Flow processor.
Up to a 5X improvement in performance for your SD-WAN network
Offloading trusted IPsec VPN tunnel traffic from the CPU to the Xstream Flow processor provides two important performance benefits:
- It delivers a tremendous increase in IPsec performance, with preliminary testing revealing up to a 5X improvement in overall VPN traffic capacity depending on the XGS Series model
- It has the added benefit of freeing up significant CPU resources for other tasks like deep-packet inspection of traffic that needs it – ensuring you have added performance for TLS inspection and threat protection
Since the majority of SD-WAN and SD-Branch VPN connections utilize IPsec tunnels, this offers a tremendous benefit to any organization that has multiple interconnected devices. Your VPN traffic is essentially getting a free ride and your firewall capacity is improved dramatically, enabling added growth, increased traffic flows, and better protection for traffic requiring deep packet inspection – all without having to think about upgrading your firewall.
Accelerating both site-to-site and remote access IPsec VPN traffic
Xstream FastPath acceleration for IPsec traffic works for both site-to-site and remote access VPN traffic; however, IPsec connections that use weak cipher or authentication algorithms (DES, 3DES, Twofish, MD5) will not be offloaded.
Up to 5x improvement in SSL VPN performance
In addition to tremendous gains in IPsec VPN performance, SSL VPN also gets a performance boost thanks to multi-instance support, with up to a 5x improvement in throughput.
Watch for final performance data at launch. There are some exciting gains to be had with VPN on SFOS v19, which comes at a perfect time with SD-WAN and VPN traffic being critical components of any distributed network.
Optimize your SD-WAN network quickly and easily
Together, all the new Xstream SD-WAN capabilities in SFOS v19 enable you to achieve your SD-WAN goals quickly and easily. You can easily optimize the performance of your SD-WAN network with the new link profiles, orchestrate your overlay network in Sophos Central, and get added performance for your distributed network as well as valuable headroom for threat protection – all with a simple firmware upgrade to v19.
Sophos Firewall v19
If you’re interested in learning more about the other great new features in Sophos Firewall v19, check out this previous article that provides a great overview or download the What’s New PDF.
Sophos Firewall v19 will be a free upgrade for all licensed customers and is in Early Access now for anyone who wants to evaluate the product and help us make it the best it can be for launch. SFOS v19 is expected to be released in April. Click here to participate in the early access program.