{"id":1676,"date":"2020-08-05T11:18:43","date_gmt":"2020-08-05T11:18:43","guid":{"rendered":"https:\/\/partnernews.sophos.com\/en-us\/?p=1676"},"modified":"2020-08-26T08:44:20","modified_gmt":"2020-08-26T08:44:20","slug":"making-the-most-of-xg-firewall-v18-part-3","status":"publish","type":"post","link":"https:\/\/partnernews.sophos.com\/en-us\/2020\/08\/products\/making-the-most-of-xg-firewall-v18-part-3\/","title":{"rendered":"Making the Most of XG Firewall v18 \u2013 Part 3"},"content":{"rendered":"<h2>FastPath Application Acceleration and SD-WAN Routing<\/h2>\n<p>With ever increasing network congestion, having the tools to optimize important business applications is becoming increasingly important.<\/p>\n<p>In this third in a series of articles on making the most of the great new features in XG Firewall v18, we\u2019re going to focus on the tools available to optimize important business application traffic using the new Xstream Network Flow FastPath and the new SD-WAN Policy Based Routing options.<\/p>\n<h2>Xstream FastPath Application Acceleration<\/h2>\n<p>In our last two articles, we covered the <a href=\"https:\/\/partnernews.sophos.com\/en-us\/2020\/07\/products\/making-the-most-of-xg-firewall-v18\/\">Xstream architecture and the new DPI engine<\/a> as well as the new <a href=\"https:\/\/news.sophos.com\/en-us\/2020\/07\/27\/making-the-most-of-xg-firewall-v18-part-2\/\">TLS Inspection<\/a> in XG Firewall v18.\u00a0 The Network Flow FastPath is another key component of the new Xstream architecture and provides application acceleration for trusted traffic.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-large wp-image-1679\" src=\"https:\/\/partnernews.sophos.com\/en-us\/wp-content\/uploads\/sites\/3\/2020\/08\/xstream-fastpath-app-acceleration.png?w=640\" alt=\"\" width=\"640\" height=\"339\" srcset=\"https:\/\/partnernews.sophos.com\/en-us\/wp-content\/uploads\/sites\/3\/2020\/08\/xstream-fastpath-app-acceleration.png 936w, 
https:\/\/partnernews.sophos.com\/en-us\/wp-content\/uploads\/sites\/3\/2020\/08\/xstream-fastpath-app-acceleration.png?resize=300,159 300w, https:\/\/partnernews.sophos.com\/en-us\/wp-content\/uploads\/sites\/3\/2020\/08\/xstream-fastpath-app-acceleration.png?resize=768,407 768w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/p>\n<p>The Network Flow FastPath can direct trusted traffic that doesn\u2019t require security scanning into the fast lane through the system.\u00a0 This not only minimizes latency and accelerates that application traffic through the firewall, it also has the added benefit of not engaging the DPI engine and TLS inspection resources for traffic that doesn\u2019t require inspection. \u00a0This frees up those resources for traffic that actually needs it &#8211; creating added performance headroom in the process.<\/p>\n<h2>How it works<\/h2>\n<p>Initially, all traffic flows are processed by the Firewall stack and passed to the DPI engine for further identification.\u00a0 Once an application traffic flow is determined to be \u201ctrusted\u201d, the Network Flow FastPath is directed to handle the packet flow directly and shuttle the packets through on the FastPath, bypassing the DPI engine.<\/p>\n<p>Traffic can be accelerated onto the Network Flow FastPath in two ways:<\/p>\n<ol>\n<li>Automatically: If the application matches a Server Name Indication (SNI) from SophosLabs for traffic that is considered trustworthy and tamper proof such as video and audio streaming services (Netflix, Spotify, Pandora, etc.), secure updates fetched directly from within the application (from Microsoft, Apple, Adobe, Sophos, etc.) 
or VoIP and other streaming protocols (such as SIP, FIX, RDP, etc.)<\/li>\n<li>Policy: If there is a firewall rule associated with that specific application traffic that accelerates it onto the FastPath by not flagging it for security scanning.<\/li>\n<\/ol>\n<p>You might be wondering when it would make sense to accelerate application traffic on the FastPath, or in other words, what can be trusted?\u00a0 Traffic such as streaming media that carries no active code is a perfect example of traffic that can be trusted.\u00a0 Due to the streaming structure of the traffic and how it\u2019s reassembled for playback, it\u2019s not possible to inject malware into this kind of traffic flow, making it an ideal candidate for FastPath acceleration.\u00a0 This type of traffic includes all popular streaming services such as Netflix and Spotify, but also VoIP and collaboration applications such as Zoom, GoToMeeting, Skype for Business, Microsoft Teams Calls, and others.\u00a0 And of course, these communication and collaboration applications are among the most important in any business, which makes them ideal for FastPath acceleration.<\/p>\n<p>Applications that enable users to download updates or files are NOT good candidates for FastPath acceleration, as files can obviously contain active code and be malicious.\u00a0 In general, in the interest of security, never create a FastPath rule for general web browsing or file-sharing sites or applications.<\/p>\n<h2>Firewall Rules in XG Firewall v18<\/h2>\n<p>Firewall rules in XG Firewall v18 are very similar in their construction to previous releases, making migrations easy.\u00a0 This video provides a great in-depth look at firewall and NAT rule configuration in XG Firewall v18:<\/p>\n<p>We will cover NAT rules in a future article in this series, but today, let\u2019s review how to create a firewall rule to accelerate trusted traffic on the FastPath.\u00a0 It couldn\u2019t be more straightforward and intuitive: simply identify 
the destination application networks (FQDNs) or services\u2026<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-large wp-image-1680\" src=\"https:\/\/partnernews.sophos.com\/en-us\/wp-content\/uploads\/sites\/3\/2020\/08\/edit-firewall-rule.png?w=640\" alt=\"\" width=\"640\" height=\"514\" srcset=\"https:\/\/partnernews.sophos.com\/en-us\/wp-content\/uploads\/sites\/3\/2020\/08\/edit-firewall-rule.png 936w, https:\/\/partnernews.sophos.com\/en-us\/wp-content\/uploads\/sites\/3\/2020\/08\/edit-firewall-rule.png?resize=300,241 300w, https:\/\/partnernews.sophos.com\/en-us\/wp-content\/uploads\/sites\/3\/2020\/08\/edit-firewall-rule.png?resize=768,617 768w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/p>\n<p>&nbsp;<\/p>\n<p>And select \u201cNone\u201d for Security Features and do not select any of the check boxes to ensure that traffic will be accelerated on the FastPath and not redirected through the DPI engine for unnecessary security scanning.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-large wp-image-1681\" src=\"https:\/\/partnernews.sophos.com\/en-us\/wp-content\/uploads\/sites\/3\/2020\/08\/firewall-security-features.png?w=640\" alt=\"\" width=\"640\" height=\"338\" srcset=\"https:\/\/partnernews.sophos.com\/en-us\/wp-content\/uploads\/sites\/3\/2020\/08\/firewall-security-features.png 936w, https:\/\/partnernews.sophos.com\/en-us\/wp-content\/uploads\/sites\/3\/2020\/08\/firewall-security-features.png?resize=300,158 300w, https:\/\/partnernews.sophos.com\/en-us\/wp-content\/uploads\/sites\/3\/2020\/08\/firewall-security-features.png?resize=768,405 768w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/p>\n<p>&nbsp;<\/p>\n<p>Then check that FastPath acceleration is enabled under Advanced threat &gt; Advanced threat protection as shown below (it should be set by default). 
\u00a0It\u2019s that easy!<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-1755 size-large\" src=\"https:\/\/partnernews.sophos.com\/en-us\/wp-content\/uploads\/sites\/3\/2020\/08\/FastPath-Option.png?w=640\" alt=\"\" width=\"640\" height=\"105\" srcset=\"https:\/\/partnernews.sophos.com\/en-us\/wp-content\/uploads\/sites\/3\/2020\/08\/FastPath-Option.png 2700w, https:\/\/partnernews.sophos.com\/en-us\/wp-content\/uploads\/sites\/3\/2020\/08\/FastPath-Option.png?resize=300,49 300w, https:\/\/partnernews.sophos.com\/en-us\/wp-content\/uploads\/sites\/3\/2020\/08\/FastPath-Option.png?resize=768,126 768w, https:\/\/partnernews.sophos.com\/en-us\/wp-content\/uploads\/sites\/3\/2020\/08\/FastPath-Option.png?resize=1024,168 1024w, https:\/\/partnernews.sophos.com\/en-us\/wp-content\/uploads\/sites\/3\/2020\/08\/FastPath-Option.png?resize=1536,251 1536w, https:\/\/partnernews.sophos.com\/en-us\/wp-content\/uploads\/sites\/3\/2020\/08\/FastPath-Option.png?resize=2048,335 2048w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/p>\n<p>&nbsp;<\/p>\n<h2>Application SD-WAN Policy Based Routing<\/h2>\n<p>Another new and improved capability in XG Firewall v18 is SD-WAN Policy Based Routing (PBR).\u00a0 Just as you want an important business application\u2019s path through the firewall optimized and accelerated on the FastPath, you may also want to ensure an application\u2019s path to the cloud or a branch office is similarly optimized.\u00a0 That\u2019s where SD-WAN PBR comes in.<\/p>\n<p>XG Firewall v18 adds user, group, and application-based traffic selection criteria to XG Firewall\u2019s SD-WAN routing configuration. 
This allows you to route important business application traffic out a preferred ISP WAN link or a branch office VPN connection while less important traffic utilizes a different route.<\/p>\n<p>This video provides a great overview of how to take advantage of the new SD-WAN PBR capabilities in XG Firewall v18 for application optimization and SD-WAN routing.<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<h2>Synchronized SD-WAN<\/h2>\n<p>XG Firewall v18 has evolved SD-WAN further with the introduction of Synchronized SD-WAN, a new Sophos Synchronized Security feature that offers additional benefits with SD-WAN application routing. Synchronized SD-WAN leverages the added clarity and reliability of application identification that comes with the sharing of Synchronized Application Control information between Sophos-managed endpoints and XG Firewall. Synchronized Application Control can positively identify 100% of all networked applications, including evasive, encrypted, obscure, and custom applications, and these previously unidentified applications can now also be added to SD-WAN routing policies. 
This provides a level of application routing control and reliability that other firewalls can\u2019t match.<\/p>\n<p>Here\u2019s a summary of the resources available to help make the most of the new features in XG Firewall v18, including application FastPath acceleration and SD-WAN Policy Routing:<\/p>\n<ul>\n<li><a href=\"https:\/\/docs.sophos.com\/nsg\/sophos-firewall\/18.0\/Help\/en-us\/webhelp\/startup\/nsg\/sfos\/concepts\/ControlCenterOverview.html\">XG Firewall getting started guide<\/a><\/li>\n<li><a href=\"https:\/\/docs.sophos.com\/nsg\/sophos-firewall\/18.0\/Help\/en-us\/webhelp\/onlinehelp\/index.html\">Full online XG Firewall documentation<\/a><\/li>\n<li>How-to videos on what\u2019s new in v18<\/li>\n<li><a href=\"https:\/\/docs.sophos.com\/nsg\/sophos-firewall\/18.0\/Help\/en-us\/webhelp\/onlinehelp\/nsg\/sfos\/concepts\/PolicyRouting.html\">Documentation on SD-WAN Policy Routing<\/a><\/li>\n<li><a href=\"https:\/\/community.sophos.com\/products\/xg-firewall\/f\/recommended-reads\">A full list of recommended community articles on v18<\/a><\/li>\n<\/ul>\n<p>If you\u2019re new to Sophos XG Firewall, <a href=\"https:\/\/www.sophos.com\/en-us\/products\/next-gen-firewall.aspx\">learn more<\/a> about the great benefits and features XG Firewall can deliver to your customers\u2019 networks.<\/p>\n<h2>Selling XG Firewall<\/h2>\n<p>On the Sophos partner portal, we provide you with a wealth of\u00a0<a href=\"https:\/\/partners.sophos.com\/prm\/English\/s\/assets?collectionId=10929\" target=\"_blank\" rel=\"noopener noreferrer\">sales assets<\/a>. You may filter the list of assets by selecting a category to narrow down the results. And don\u2019t forget to check whether there is a\u00a0<a href=\"https:\/\/partners.sophos.com\/prm\/English\/s\/assets?collectionId=10956\" target=\"_blank\" rel=\"noopener noreferrer\">sales promotion<\/a>\u00a0available for your region. 
It\u2019s worth checking back from time to time to make sure you\u2019re not missing out on a great opportunity!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In this third in a series of articles on making the most of the great new features in XG Firewall v18, we\u2019re going to focus on the tools available to optimize important business application traffic using the new Xstream Network Flow FastPath and the new SD-WAN Policy Based Routing options.<\/p>\n","protected":false},"author":19,"featured_media":300000607,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"advanced_seo_description":"","jetpack_seo_html_title":"","jetpack_seo_noindex":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[2],"tags":[38],"coauthors":[58],"class_list":["post-1676","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-products","tag-xg-firewall"],"jetpack_featured_media_url":"https:\/\/partnernews.sophos.com\/en-us\/wp-content\/uploads\/sites\/3\/2020\/02\/xg-firewall-v18-1600x-960-horizontal.jpg","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/partnernews.sophos.com\/en-us\/wp-json\/wp\/v2\/posts\/1676","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/partnernews.sophos.com\/en-us\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/partnernews.sophos.com\/en-us\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/partnernews.sophos.com\/en-us\/wp-json\/wp\/v2\/users\/19"}],"replies":[{"embeddable":true,"href":"https:\/\/partnernews.sophos.com\/en-us\/wp-json\/wp\/v2\/comments?post=1676"}],"version-history":[{"count":9,"href":"https:\/\/partnernews.sophos.com\/en-us\/wp-json\/wp\/v2\/posts\/1676\/revisions"}],"predecessor-version":[{"id":1756,"href":"https:\/\/partnernews.sophos.com\/en-us\/wp-json\/wp\/v2\/posts\/1676\/revisions\/1756"}],"wp:featuredmedia":[{"embeddable":true,"
href":"https:\/\/partnernews.sophos.com\/en-us\/wp-json\/"}],"wp:attachment":[{"href":"https:\/\/partnernews.sophos.com\/en-us\/wp-json\/wp\/v2\/media?parent=1676"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/partnernews.sophos.com\/en-us\/wp-json\/wp\/v2\/categories?post=1676"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/partnernews.sophos.com\/en-us\/wp-json\/wp\/v2\/tags?post=1676"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/partnernews.sophos.com\/en-us\/wp-json\/wp\/v2\/coauthors?post=1676"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}