Slow TLS Decryption throughput compared to Web Proxy with KVM on v18 GA.

Question

I've been converting my XG bare metal setup to a VM one using KVM+QEMU as the hypervisor. 
 The problem here is, the Web Proxy Decryption is much faster than the new DPI Engine for TLS Decryption, but currently, only on KVM. 
 
 Some Information about the Setup. 
 
 I'm using the VirtiO Drivers, which currently doesn't support Fast Path , but still, It's much faster than vmxnet3. 
 The XG VM have full access to all CPU Flags (Also AES-NI), I'm currently using a host-passthrough for the VM. 
 The XG VM have 6C/12GB RAM. 
 Host have 8C/16T / 32GB RAM. 
 M.2 SSD, both VM has been using VirtiO for the Disks.

Tested this using curl + nginx, the encrypted connection used TLS_AES_128_GCM_SHA256, 128 bit keys, TLS 1.2. 
 4GB iso file being transferred over HTTPS. 
 
 Without TLS Decryption or WebProxy | IPS+AV+ATP = ~287MB/s With TLS Inspection | IPS+AV+ATP = ~33.5MB/s With WebProxy + Decryption | IPS+AV+ATP = ~213MB/s 
 Using the new DPI engine for TLS Decryption I get hard stuck at ~35MB/s, doesn't matter the TLS traffic being decrypted. 
 
 I'm doing something wrong? I believe there's something wrong with this. 
 
 Also XG v18 GA is much faster in raw throughput than v17.5. With IPS Iperf3 has capable of 7.21 Gbits/sec with the XG VM, so CPU isn't the issue here.

Michael Dunn · Accepted Answer

In general the Sophos-provided hardware will have the best performance because that is what we test against and code for. Bare metal customer supplied hardware may be next, with VMs last. When you get into VMs there are just so many different setups and configurations. 
 I don't know if it helps but I recall this thread: 
 https://community.sophos.com/products/xg-firewall/sfos-eap/sfos-v18-early-access-program/f/feedback-and-issues/118242/questions-about-the-fastpath-feature 
 
 I don't think it helps... but if you are changing from hardware to VM I wonder if there are different defaults/settings that don't copy well when doing a backup/restore. Would a fresh install and configure of a VM work better than restoring a backup?

Prism · Answer

Issue solved by using SR-IOV with both NIC's instead of the Virtio Driver. 
 Fast Path is also working now. 
 
 Thanks!

LuCar Toni · Answer

Firewall Acceleration is basically the VFP (Virtual Fast Path) architecture. 
 Here is the DOC: https://docs.sophos.com/nsg/sophos-firewall/18.0/releasenotes/en-us/nsg/sfos/releasenotes/rn_FastPath.html 
 
 As written there: 
 For virtual deployments, Virtual FastPath supports the VMware ESXi hypervisor. For other hypervisors, such as KVM, turn off FastPath using the CLI command for firewall acceleration.