Fast Path Overview
Fast Path network traffic takes an alternative path through the network and security stack, allowing it to bypass packet scanning, including IPS, DPI, Application Detection, HTTPS inspection and content scanning, when required. For allowed traffic, it is recommended for use with trusted networks and critical services, such as voice systems, that do not require the full inspection processes. When used in a block action policy, Fast Path policies discard packets earlier in the firewall process, which makes them highly efficient at dropping excess network traffic.
Fast Path policies are applied based on a source zone and will always apply before Access Policies within a zone's policy stack.
Fast Path Policies
Fast Path policies are configured and applied by source zone. To create a Fast Path policy:
- Go to Security Centre > Fast Path.
- Click "Add Policy".
- Add a name for the Fast Path policy.
- Configure the required criteria for your Fast Path policy:
  - Network Source Criteria: Specify a network source for the policy.
  - GeoIP: Specify a GeoIP configuration. Note that this is only relevant for Internet source zone or custom zone configurations.
  - Network Destination: Add a destination IP, IP Range, Port or Protocol.
  - Resolved Domains: Add a resolved domain.
- Assign a policy action for the Fast Path rule: Allow, Block (drop) or Block (reject).
- If you require visibility of traffic within reporting, enable log event.
- Assign a DSCP packet mark for traffic requiring priority through the CyberEdge network stack. In most cases, EF (Expedited Forwarding) is the best choice. Default: Unchanged.
- Click "Save" and apply changes.
Note
- For destination criteria, Fast Path policies always match on IP addresses. The Resolved Domains criteria allows an administrator to specify a trusted domain, such as example.com, which will be automatically resolved to its IP address(es).
- GeoIP criteria is relevant for Internet source zone or custom zone policies only.
- Fast Path blocks discard matching packets earlier in the firewall process. They are recommended for blocking high volumes of network traffic that do not require detailed packet analysis. The benefits of logging all Fast Path blocks should be considered.
- DSCP value of EF is recommended for voice solutions.
Resolved Domains
As Fast Path rules are IP based, the Resolved Domains criteria is used to automatically resolve the hostname of a destination to its corresponding IP address. To obtain and maintain destination IP lists, a Resolved Domain service is used. The process for obtaining IPs using this method is as follows:
- A domain is added to the Resolved Domains list (e.g. mysite.example.com or site.mysite.example.com).
- The Resolved Domain service will perform DNS checks and dynamically add the corresponding destination IPs to the Fast Path rule.
- The TTL expiry from the DNS response is stored per domain. Based on the TTL expiry of each domain entry, the service will automatically check DNS for a change to its IP. If a change is found, the Fast Path rule will be dynamically updated to use the new IP address. Any IP address that no longer resolves to a configured host will be automatically removed.
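The TTL-driven refresh described above, modelled as an added Python example (not CyberEdge code). The class, the resolver signature and the DNS answers are constructed for illustration; the run shows that an IP leaves the rule only once no configured domain still resolves to it.

```python
from dataclasses import dataclass

@dataclass
class ResolvedDomain:
    name: str
    ips: frozenset = frozenset()
    expires_at: float = 0.0  # time at which the TTL of the last DNS answer runs out

class FastPathRule:
    """Hypothetical model of one rule's Resolved Domains list (not CyberEdge code)."""
    def __init__(self, domains, resolver):
        self.entries = [ResolvedDomain(d) for d in domains]
        self.resolver = resolver  # assumed callable: (name, now) -> (set of IPs, ttl_seconds)

    def destinations(self):
        # The rule matches on the union of IPs across all configured domains.
        return set().union(*(e.ips for e in self.entries))

    def tick(self, now):
        """Re-resolve each domain whose TTL has expired; return (added, removed) IPs."""
        before = self.destinations()
        for e in self.entries:
            if now >= e.expires_at:
                ips, ttl = self.resolver(e.name, now)
                e.ips, e.expires_at = frozenset(ips), now + ttl
        after = self.destinations()
        return after - before, before - after

# Constructed DNS history: name -> [(valid_from, answer IPs, TTL)], documentation ranges only.
ZONE = {
    "mysite.example.com": [(0, {"192.0.2.10", "192.0.2.11"}, 300),
                           (300, {"192.0.2.11", "198.51.100.7"}, 300)],
    "site.mysite.example.com": [(0, {"192.0.2.10"}, 60),
                                (360, {"198.51.100.7"}, 60)],
}

def constructed_resolver(name, now):
    # Return the most recent constructed answer that is valid at time `now`.
    for valid_from, ips, ttl in reversed(ZONE[name]):
        if valid_from <= now:
            return ips, ttl
    raise LookupError(name)

def simulate(times=(0, 60, 300, 360)):
    rule = FastPathRule(list(ZONE), constructed_resolver)
    changes = []
    for now in times:
        added, removed = rule.tick(now)
        changes.append((now, sorted(added), sorted(removed)))
    return changes, rule.destinations()
```

Recording the added and removed sets on every refresh gives an audit trail of which addresses an Allow policy exempted from inspection and when.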
Warning
Fast Path policies bypass most security processes that should be used in almost all circumstances. When using an Allow Policy Action within Fast Path, it is important that any configured Fast Path destinations are trusted networks only.