Is Stateless (FwdFast) faster than a normal IP policy?

Last modified on 27 Jan, 2021. Revision 5
Up to date for: 13.00.08
Supported since: 8.xx
Status: OK

Question:

Is Stateless (also known as FwdFast) faster than a normal IP policy? What is its intended use?

Answer:

No, Stateless (or FwdFast) is not, as the name may suggest, faster than Allow.

The new name (Stateless) better reflects what such a rule actually does, which is to bypass the Firewall State Engine. This means that a Stateless rule requires a full route lookup for each and every packet that triggers this IP Policy.

What a Stateless rule does is forward the packet immediately, bypassing the stateful inspection engine. This is indeed faster for the individual packet. However, since no state information is kept for the connection, the IP Policy rule set and the routing table have to be consulted for **each and every packet**; this consumes more CPU time than the state table lookups for established connections that are normally created by all other IP Policy rule types.

The intended use case for a Stateless rule is mainly to allow traffic between two points that are doing something “odd”. It could be a program or TCP stack that sends packets with an incorrect packet order or incorrect headers, or simply network equipment that causes only part of the conversation between two hosts to be seen by the Firewall. In such cases a Stateless rule is needed to allow the traffic. An example would be a packet flow in which the Firewall sees only the SYN of the TCP handshake but not the SYN+ACK or the ACK.
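To make the cost difference and the "odd traffic" case concrete, the following is an added example (not Clavister code and not a model of how cOS Core is implemented): a deliberately simplified packet forwarder that counts rule, route and state-table lookups for a constructed packet stream. The rules, routes, addresses and the assumption that only a TCP SYN may open a new stateful entry are all constructed for this example.

```python
"""Toy model of stateful ("Allow") vs Stateless/FwdFast forwarding cost.

Added example, not Clavister code. It counts how many rule, route and
state-table lookups each rule type causes on the same kind of traffic,
and shows why a mid-connection packet that the firewall never saw the
SYN for is dropped by the stateful path but forwarded by a Stateless rule.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str = ""          # "SYN", "SYN+ACK", "ACK" or "" for a data segment


@dataclass
class Counters:
    rule_lookups: int = 0
    route_lookups: int = 0
    state_lookups: int = 0
    forwarded: int = 0
    dropped: int = 0


# Constructed IP policy list: (src network, dst network, dst port, action).
# "allow" is the normal stateful rule, "stateless" is the FwdFast-style rule.
RULES = [
    (ip_network("10.0.0.0/24"), ip_network("192.0.2.0/24"), 443, "allow"),
    (ip_network("10.0.1.0/24"), ip_network("198.51.100.0/24"), 5060, "stateless"),
]
# Constructed routing table; longest prefix match selects the egress interface.
ROUTES = [
    (ip_network("10.0.0.0/16"), "lan"),
    (ip_network("0.0.0.0/0"), "wan"),
]


def rule_lookup(pkt, c):
    """Linear scan of the policy list; first matching rule decides."""
    c.rule_lookups += 1
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    for src_net, dst_net, dport, action in RULES:
        if src in src_net and dst in dst_net and pkt.dport == dport:
            return action
    return "drop"


def route_lookup(pkt, c):
    """Longest-prefix match over the routing table."""
    c.route_lookups += 1
    dst = ip_address(pkt.dst)
    best = max((r for r in ROUTES if dst in r[0]), key=lambda r: r[0].prefixlen)
    return best[1]


class Firewall:
    def __init__(self):
        self.state = {}          # connection key -> egress interface
        self.c = Counters()

    def handle(self, pkt):
        c = self.c
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        # Stateful fast path: an established connection costs one state lookup.
        c.state_lookups += 1
        if key in self.state or reverse in self.state:
            c.forwarded += 1
            return "forward"
        action = rule_lookup(pkt, c)
        if action == "stateless":
            # No state is created, so every packet pays rule + route lookup.
            route_lookup(pkt, c)
            c.forwarded += 1
            return "forward"
        if action == "allow" and pkt.flags == "SYN":
            # Simplification: only a SYN opens a new stateful TCP entry.
            self.state[key] = route_lookup(pkt, c)
            c.forwarded += 1
            return "forward"
        c.dropped += 1
        return "drop"


def run(packets):
    fw = Firewall()
    results = [fw.handle(p) for p in packets]
    return fw.c, results


def stateful_stream(n_data=5):
    """Full handshake plus n_data segments through the stateful 'allow' rule."""
    a, b = "10.0.0.5", "192.0.2.10"
    return [Packet(a, b, 40000, 443, "SYN"), Packet(b, a, 443, 40000, "SYN+ACK"),
            Packet(a, b, 40000, 443, "ACK")] + [Packet(a, b, 40000, 443) for _ in range(n_data)]


def stateless_stream(n_data=5):
    """SYN plus n_data segments through the 'stateless' rule (one direction)."""
    a, b = "10.0.1.5", "198.51.100.10"
    return [Packet(a, b, 40000, 5060, "SYN")] + [Packet(a, b, 40000, 5060) for _ in range(n_data)]


def asymmetric_outcome():
    """A mid-connection ACK the firewall never saw a SYN for, under each rule type."""
    _, allow = run([Packet("10.0.0.5", "192.0.2.10", 40001, 443, "ACK")])
    _, stateless = run([Packet("10.0.1.5", "198.51.100.10", 40001, 5060, "ACK")])
    return {"allow": allow[0], "stateless": stateless[0]}


if __name__ == "__main__":
    print("stateful:", run(stateful_stream())[0])
    print("stateless:", run(stateless_stream())[0])
    print("asymmetric:", asymmetric_outcome())
```

On the stateful stream, the rule and route lookups happen once (on the SYN) and every later packet is a single state-table hit; on the stateless stream, every packet pays a rule lookup and a route lookup. The asymmetric case shows the other half of the trade-off: the stateful path drops the orphaned ACK, while the Stateless rule forwards it. Note that in this model return traffic for a Stateless flow must itself match a rule, since no state entry exists to recognise it.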

An example of a Stateless rule can be found in the article “Using Stateless policies”. (Note: Broken link, to be added)

Note-1: It is recommended NOT to enable logging on FwdFast or Stateless policy rules, as cOS Core will generate a log entry for every single packet.

Note-2: None of the above applies to cOS Stream, which handles this differently in the next generation of the Clavister operating system: Stream does not perform a rule + route lookup per packet but instead keeps track of the traffic using a type of Stateless connection. So in some cases in Stream, a Stateless rule may be slightly faster.
