Is FwdFast (Statless Policy) faster than Allow?

Frequently Asked Questions
Posts: 85
Joined: 18 Apr 2008, 10:46
Location: Clavister HQ - Örnsköldsvik

Is FwdFast (Statless Policy) faster than Allow?

Post by jono » 18 Apr 2008, 16:22

This FAQ applies to:
  • Clavister Security Gateway


Is FwdFast faster than Allow?

No, FwdFast is not, as the name may suggest, faster than Allow.

Actually, a better name for this action would be "Stateless Forwarding" as that is exactly what it is - a bypass of the State Engine, which requires full route look ups for each and every packet that triggers on this IP Rule.

What it does is immediately forward the packet, bypassing the stateful inspection engine. This is indeed faster for the individual packet. However, since there is no state information regarding the connection, the IP Rule set and the Routing table have to be consulted for each and every packet; this consumes more CPU time than state table look ups for established connections.

Note-1: In newer versions it is not called FwdFast but rather "Stateless policy".
Note-2: It is recommended NOT to enable logging on FwdFast or Stateless policy rules as cOS Core will generate a log entry for every single packet. This does however not apply for cOS Stream as it is handled differently in the next generation of Clavister operating system. In cOs Stream it is OK to have logging enabled on Stateless rules.