Zedmos
THE ENGINE

A single binary that sees every packet, understands every flow, and enforces every policy.

No per-product copy. No kernel socket round-trip. One shared-memory pipeline that combines deep inspection, policy evaluation, and routing — with atomic updates and sub-millisecond latency.

inline · L7 inspection · policy engine · multi-mode · atomic updates
ENGINE ARCHITECTURE

Three planes. One pass. Every packet.

The data plane stays on shared-memory rings from wire to egress. The control plane feeds policy, intel, and health into the match point. Observability taps every stage without slowing it down.

[Architecture diagram]
  • Control plane: policy · threat intel · health probes
  • Data plane: wire ingress → capture → parse (L2 → L7) → classify (app · flow · host) → evaluate (policy match) → decide (action select) → enforce (forward · drop · route) → egress
  • Observability: events · metrics · audit
  • Figures shown: batch 256 pkts · latency P50 0.74 ms · throughput 14 Gbps · CPU 2.5% · updates atomic
Zero-copy ingress
Packets enter through shared-memory rings. No kernel buffer allocation, no socket queue.
Per-core flow cache
A 5-tuple table of ten thousand flows per worker. CPU affinity keeps the cache hot.
Suffix-trie SNI match
Wildcard domain patterns resolve in logarithmic time with shared prefixes.
Atomic hot-reload
Policies, feeds, and routes swap generations without dropping a single packet.
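The suffix-trie SNI match described above can be sketched as follows. This is an added Go example, not Zedmos code, and it makes three assumptions the page does not spell out: `*` stands for one or more leading labels (so `*.example.com` does not match the bare apex), an exact pattern beats a wildcard, and among wildcards the one sharing the longest suffix with the name wins. Labels are stored from the TLD inward so `*.example.com` and `login.example.com` share the `com → example` path, and a lookup walks one node per label regardless of how many patterns are loaded.

```go
package main

import (
	"fmt"
	"strings"
)

// trieNode is one DNS label in a suffix trie keyed from the TLD inward,
// so "api.example.com" and "*.example.com" share the path com -> example.
type trieNode struct {
	children map[string]*trieNode
	exact    string // policy bound to exactly this name ("" if none)
	wildcard string // policy bound to "*.<this suffix>" ("" if none)
}

// SNITrie resolves TLS SNI names against exact and wildcard domain patterns.
type SNITrie struct{ root *trieNode }

func NewSNITrie() *SNITrie {
	return &SNITrie{root: &trieNode{children: map[string]*trieNode{}}}
}

// labels returns the name's labels from the TLD inward, lower-cased,
// with a trailing dot (absolute name) tolerated.
func labels(name string) []string {
	parts := strings.Split(strings.ToLower(strings.TrimSuffix(name, ".")), ".")
	for i, j := 0, len(parts)-1; i < j; i, j = i+1, j-1 {
		parts[i], parts[j] = parts[j], parts[i]
	}
	return parts
}

// Add binds a policy name to a pattern such as "example.com" or "*.example.com".
// Assumption for this example: "*" is only recognised as the leading label.
func (t *SNITrie) Add(pattern, policy string) {
	labs := labels(pattern)
	wild := false
	if labs[len(labs)-1] == "*" {
		wild = true
		labs = labs[:len(labs)-1]
	}
	n := t.root
	for _, l := range labs {
		child, ok := n.children[l]
		if !ok {
			child = &trieNode{children: map[string]*trieNode{}}
			n.children[l] = child
		}
		n = child
	}
	if wild {
		n.wildcard = policy
	} else {
		n.exact = policy
	}
}

// Match returns the policy for an SNI name: an exact pattern wins, otherwise
// the wildcard with the longest shared suffix. The walk touches at most one
// node per label, independent of the number of loaded patterns.
func (t *SNITrie) Match(sni string) (string, bool) {
	labs := labels(sni)
	best := ""
	if t.root.wildcard != "" && len(labs) > 0 {
		best = t.root.wildcard // a bare "*" pattern matches any name
	}
	n := t.root
	for i, l := range labs {
		child, ok := n.children[l]
		if !ok {
			break
		}
		n = child
		// "*" must consume at least one label, so a wildcard stored at this
		// suffix only applies when labels remain after this one.
		if n.wildcard != "" && i < len(labs)-1 {
			best = n.wildcard // deeper suffix overrides a shallower one
		}
		if i == len(labs)-1 && n.exact != "" {
			return n.exact, true
		}
	}
	return best, best != ""
}

func main() {
	t := NewSNITrie()
	t.Add("*.example.com", "saas-allow")
	t.Add("login.example.com", "saas-mfa")
	t.Add("*.internal.example.com", "internal-only")
	for _, sni := range []string{"api.example.com", "login.example.com",
		"db.internal.example.com", "example.com", "evil.com"} {
		p, ok := t.Match(sni)
		fmt.Printf("%-26s -> %-14q matched=%v\n", sni, p, ok)
	}
}
```

The cost claim on the page (logarithmic in the pattern set) is not measured here; what the sketch shows is why shared prefixes help: every pattern under `example.com` hangs off the same two nodes, and the lookup never iterates over the pattern list.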
POLICY ENGINE

14 actions. One decision tree.

Every match resolves to one — or a chain — of fourteen possible actions. No custom plumbing; the same runtime serves NGFW blocking, SASE steering, WAF redirection, and SOAR escalation.

Status:
  • NGFW · GA
  • SASE · Test
  • SD-WAN · Test
  • WAF · Roadmap
[Decision tree diagram]
Flow arrives (app=saas · sni=*.example.com · user=alice) → policy match engine → one or more of:
  • allow: pass through fast path
  • log: EVE record only
  • drop: silent drop
  • reset: TCP RST both sides
  • shape: bandwidth limit
  • redirect: 403 page or portal
  • quarantine: isolate device
  • tarpit: slow attacker
  • scan: payload inspect
  • rewrite: URL / header change
  • exec: sidecar script
  • call API: SOAR webhook
  • mark: tag + risk bump
  • escalate: page / SIEM alert
Match dimensions
  • application
  • category
  • SNI / domain
  • TLS fingerprint
  • IP · CIDR · port
  • user · group · device
  • geography · schedule
Action verbs
  • allow · log
  • drop · reset
  • shape · tarpit
  • redirect · rewrite
  • scan · quarantine
  • exec · call-api
  • mark · escalate
Chain semantics
  • deterministic, ordered evaluation
  • multiple actions per match
  • versioned generations
  • atomic hot-reload
  • legacy and new rule sets coexist
DEPLOYMENT MODES

Same engine. Three ways to wire it.

Promoting from observation to enforcement to steering requires no configuration rewrite. The pipeline stays intact — only the interaction with the network changes.

Monitor
mode · monitor
Passive observation, zero risk
  • RX-only tap on a selected interface
  • No packet modification; forwards through the kernel untouched
  • Ideal for baseline, audit, and compliance programmes
  • Recommended first deployment before enforcement
See every flow without changing anything.
Bridge
mode · bridge
Inline enforcement at Layer 2
  • Transparent bridge between two interfaces
  • Full DPI, TLS inspection, and 14-action policy evaluation
  • Fails open through a pass-through on worker exit
  • Preserves the existing Layer-3 topology — no routing changes
Enforce without re-architecting the network.
Routed
SD-WAN · Test
mode · routed
Policy-based routing at Layer 3
  • Per-flow routing decisions driven by policy
  • Integrates with the kernel FIB and SD-WAN peer selection
  • Strategy-pattern transmit layer with optional SNAT
  • Enables hub-spoke SASE enforcement at wire speed
Steer, not just filter — per application, per user.
HOT-RELOAD

Push a policy change. Don't drop a packet.

Policy, threat-intelligence, and routing updates are applied as atomic generation swaps on a live control plane. No restart, no re-bind, no service window.

Dual-generation state
The engine keeps the current and the staged generation in memory at all times. In-flight flows finish on the old generation while new ones land on the new.
Guaranteed consistency
Pointer swaps are atomic and ordered. Policy, feeds, and routes change together or not at all.
Operator-friendly
Updates are validated before they are staged. A rejected generation is rolled back silently, with a clear reason surfaced in the control plane.
  • Swap latency: < 5 ms
  • Packets dropped: 0
  • Service window: none
  • Rollback: automatic on validation failure
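The chain semantics from the policy section (deterministic, ordered evaluation; several actions per match; versioned generations) and the hot-reload described above fit together in one mechanism, sketched below in Go. This is an added example, not Zedmos code: the `Flow` and `Rule` fields, the validation checks, and the use of a single atomic pointer as the generation swap are assumptions; the fourteen action verbs are the page's own. A generation is immutable once published; a worker takes one snapshot per packet or batch and evaluates against it, so a push that lands mid-batch is seen by the next batch, never halfway through one. A candidate that fails validation is never stored, which is the "rollback" the page describes: the running generation was simply never replaced.

```go
package main

import (
	"fmt"
	"sync/atomic"
)

// Flow carries the match dimensions a rule can test. The field set is an
// assumption for this example; the page lists dimensions, not a schema.
type Flow struct {
	App, User, Group string
	DstPort          int
}

// Rule is one ordered policy entry. Every non-empty match field must agree
// with the flow; a match yields the whole action chain, in order.
type Rule struct {
	ID      string
	App     string // "" means any
	User    string
	Group   string
	DstPort int // 0 means any
	Actions []string
}

func (r Rule) matches(f Flow) bool {
	return (r.App == "" || r.App == f.App) &&
		(r.User == "" || r.User == f.User) &&
		(r.Group == "" || r.Group == f.Group) &&
		(r.DstPort == 0 || r.DstPort == f.DstPort)
}

// knownActions is the 14-verb vocabulary from the page. Anything else is
// rejected at staging time rather than discovered on a live packet.
var knownActions = map[string]bool{
	"allow": true, "log": true, "drop": true, "reset": true, "shape": true,
	"tarpit": true, "redirect": true, "rewrite": true, "scan": true,
	"quarantine": true, "exec": true, "call-api": true, "mark": true, "escalate": true,
}

// Generation is an immutable, versioned rule set. It is never mutated after
// publication; a change is a new Generation swapped in atomically.
type Generation struct {
	Version uint64
	Rules   []Rule
}

// Evaluate walks the rules in order and returns the first match's chain,
// so the same generation always gives the same answer for the same flow.
func (g *Generation) Evaluate(f Flow) (ruleID string, chain []string) {
	for _, r := range g.Rules {
		if r.matches(f) {
			return r.ID, r.Actions
		}
	}
	return "", nil // no match: the caller applies its default action
}

// Engine publishes generations through one atomic pointer. Workers that
// already loaded the old pointer keep using it for the flows they hold;
// Stage is called from a single control-plane writer (assumed).
type Engine struct {
	current atomic.Pointer[Generation]
	next    uint64
}

func NewEngine(rules []Rule) (*Engine, error) {
	e := &Engine{}
	if err := e.Stage(rules); err != nil {
		return nil, err
	}
	return e, nil
}

// Stage validates the candidate and swaps it in only if it is sound.
// A failed validation returns the reason and leaves the running
// generation untouched, which is all the rollback that is needed.
func (e *Engine) Stage(rules []Rule) error {
	seen := map[string]bool{}
	for _, r := range rules {
		if r.ID == "" || seen[r.ID] {
			return fmt.Errorf("rule %q: missing or duplicate id", r.ID)
		}
		seen[r.ID] = true
		if len(r.Actions) == 0 {
			return fmt.Errorf("rule %q: empty action chain", r.ID)
		}
		for _, a := range r.Actions {
			if !knownActions[a] {
				return fmt.Errorf("rule %q: unknown action %q", r.ID, a)
			}
		}
	}
	e.next++
	staged := &Generation{Version: e.next, Rules: append([]Rule(nil), rules...)}
	e.current.Store(staged) // the swap: one pointer write, no lock, no drain
	return nil
}

// Snapshot is what a worker takes once per packet or batch, so the whole
// evaluation runs against a single consistent generation.
func (e *Engine) Snapshot() *Generation { return e.current.Load() }

func main() {
	// Constructed rule set: alice's SaaS traffic is logged and marked, other
	// SaaS traffic is scanned, telnet is dropped and escalated.
	base := []Rule{
		{ID: "r1", App: "saas", User: "alice", Actions: []string{"log", "mark", "allow"}},
		{ID: "r2", App: "saas", Actions: []string{"scan", "allow"}},
		{ID: "r3", DstPort: 23, Actions: []string{"drop", "escalate"}},
	}
	e, err := NewEngine(base)
	if err != nil {
		panic(err)
	}
	gen := e.Snapshot()
	id, chain := gen.Evaluate(Flow{App: "saas", User: "alice", DstPort: 443})
	fmt.Printf("gen %d: %s -> %v\n", gen.Version, id, chain)

	// A push with a misspelt verb is rejected; generation 1 keeps serving.
	bad := append([]Rule(nil), base...)
	bad[1].Actions = []string{"scann", "allow"}
	fmt.Println("stage rejected:", e.Stage(bad), "| still gen", e.Snapshot().Version)

	// A valid push removes alice's rule. The old snapshot held above is unchanged.
	if err := e.Stage(base[1:]); err != nil {
		panic(err)
	}
	id, chain = e.Snapshot().Evaluate(Flow{App: "saas", User: "alice", DstPort: 443})
	fmt.Printf("gen %d: %s -> %v | earlier snapshot still gen %d\n",
		e.Snapshot().Version, id, chain, gen.Version)
}
```

The SNI dimension is left out of `Flow` here because it belongs to the suffix-trie lookup rather than to the ordered rule walk; in a real pipeline the classify stage would resolve it first and hand the result to the policy match as just another field.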