SonicWall Gen 7 & SonicOS 7 — RFDPI and How Traffic Is Processed

SonicWall Gen 7 is one modern OS (SonicOS 7) and one inspection engine (RFDPI) running across four form factors — TZ, NSa, NSsp and NSv. This lesson maps the lineup, explains what reassembly-free single-pass deep packet inspection really means, walks a packet end-to-end through GAV, IPS, Anti-Spyware, App Control and DPI-SSL, and shows where the Capture ATP / RTDMI cloud sandbox takes over.

📅 2026-06-19 · ⏱ 16 min · 5 infographics · live packet demo · 🏷 10-Q assessment + AI Tutor inline

⚡ Quick Answer

A clear, interactive guide to SonicWall Gen 7 architecture and SonicOS 7 (2026): the four platform families (TZ, NSa, NSsp, NSv), the single-pass reassembly-free RFDPI engine that scans every byte over all ports and protocols, how a packet flows through GAV / IPS / Anti-Spyware / App Control / DPI-SSL, the Capture ATP / RTDMI cloud counterpart, and how to size and manage it with the object-based SonicOS 7 model.

Pick where you want to start

1. The Gen 7 lineup: TZ, NSa, NSsp, NSv and one modern OS — SonicOS 7.
2. RFDPI engine: Reassembly-free, single-pass, stream-based inspection.
3. How a packet flows: Ingress to verdict, plus the Capture ATP / RTDMI cloud.
4. Manage & size: SonicOS 7 objects/policies and throughput sanity.

🧠 Warm-up — 3 questions, no score

Just notice which ones make you pause. We answer all three inside the lesson.

1. Is a SonicWall Gen 7 firewall a different product on every model?

Answered in The Gen 7 lineup.

2. Does RFDPI buffer the whole file before it scans?

Answered in RFDPI engine.

3. If DPI-SSL is off, what happens to threats hidden inside HTTPS?

Answered in How a packet flows.

Most engineers think…

Most people picture a firewall as a box that scans traffic in stages — first one engine reassembles the file, then antivirus checks it, then IPS, then app control, each adding delay. That mental model fails you with SonicWall in an interview and in production.

SonicWall Gen 7 is built around RFDPI — a single-pass, reassembly-free engine that inspects every byte of every packet as a stream, across all ports and protocols, without proxying or buffering the whole file. In that one pass it runs Gateway AV, Anti-Spyware, IPS, Application Control and DPI-SSL together. The same OS (SonicOS 7) and the same engine run on the TZ, NSa, NSsp and NSv families — only the size and throughput change. Understanding that single-pass design is what lets you explain why latency stays low, why DPI-SSL matters, and how the Capture ATP / RTDMI cloud fits on top.

① The Gen 7 lineup & SonicOS 7 — one OS, four form factors

The single most important idea: SonicWall Gen 7 is not four different products — it is one operating system and one inspection engine in four sizes. Every Gen 7 box runs SonicOS 7.x, and every box scans traffic with the same RFDPI engine. Skills transfer across the whole line.

The four families

The form factors are: the TZ series (desktop boxes for SMB and branch offices, often with integrated wireless), the NSa series (rack-mount mid-size to enterprise campus, higher port density and throughput), the NSsp series (large enterprise and data center — very high multi-gigabit throughput, redundant power, expansion modules and clustering / high availability), and the NSv series (a fully virtual firewall for public cloud and private VM estates — same SonicOS 7, same RFDPI, no hardware). All are multi-core platforms.

Figure 1 — One OS, four form factors. Every Gen 7 family runs the same SonicOS 7 and the same RFDPI engine — only the size and throughput change. Panels: TZ series (SMB / branch desktop, integrated wireless); NSa series (mid-size to enterprise campus, 1U); NSsp series (data center — high throughput, clustering); NSv series (virtual firewall for cloud and VMs).

Quick check · Q1 of 10 · Remember

Which Gen 7 family is the virtual firewall for cloud and VM environments?

Correct: c. NSv is the virtual edition — same SonicOS 7 and RFDPI, no hardware. TZ is SMB/branch desktop, NSa is mid-size/campus, and NSsp is the data-center class with clustering.
👉 So far: SonicWall Gen 7 = one OS (SonicOS 7) + one engine (RFDPI) across four families — TZ (SMB/branch), NSa (campus), NSsp (data center, clustering) and NSv (virtual).

② RFDPI — what reassembly-free, single-pass inspection means

RFDPI stands for Reassembly-Free Deep Packet Inspection, and it is the heart of every SonicWall. It is a single-pass, stream-based scanner: it inspects every byte of every packet across all ports and all protocols — but without proxying the connection or buffering the whole file first.

Why 'reassembly-free' matters

Classic proxy or buffer-and-scan designs must hold the file before they can check it — that adds latency, eats memory, and caps how many connections the box can handle. RFDPI scans the data as it flows, so no reassembly = low latency + full scanning at scale. Just as important, it runs the security engines together in one pass, not as separate sequential scans: Gateway AV, Anti-Spyware, IPS, Application Control and DPI-SSL all look at the same stream once.
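
An added illustration of the reassembly-free idea (not SonicWall's RFDPI code, and not from the original lesson): a toy stream scanner in which each flow keeps only one automaton state, so a signature split across segments is still caught without holding earlier payload. The signatures, engine tags and payload are constructed, and the Aho-Corasick matcher is a stand-in technique chosen for the demonstration.

```python
from collections import deque

# Constructed signatures, each tagged with the engine that would own it.
SIGNATURES = {b"EVIL_DROPPER_V1": "GAV", b"beacon=spy": "Anti-Spyware",
              b"EXPLOIT_MARKER_X": "IPS", b"BitTorrent protocol": "App Control"}

class Automaton:
    """Aho-Corasick: one state machine holding every engine's patterns."""
    def __init__(self, signatures):
        self.goto, self.fail, self.out = [{}], [0], [[]]
        for pat, engine in signatures.items():
            node = 0
            for b in pat:
                if b not in self.goto[node]:
                    self.goto.append({})
                    self.fail.append(0)
                    self.out.append([])
                    self.goto[node][b] = len(self.goto) - 1
                node = self.goto[node][b]
            self.out[node].append((engine, pat))
        queue = deque(self.goto[0].values())
        while queue:  # breadth-first pass sets the failure links
            node = queue.popleft()
            for b, nxt in self.goto[node].items():
                f = self.fail[node]
                while f and b not in self.goto[f]:
                    f = self.fail[f]
                self.fail[nxt] = self.goto[f].get(b, 0)
                self.out[nxt] = self.out[nxt] + self.out[self.fail[nxt]]
                queue.append(nxt)

    def step(self, state, byte):
        while state and byte not in self.goto[state]:
            state = self.fail[state]
        return self.goto[state].get(byte, 0)

class FlowScanner:
    """Per-flow memory is one automaton node plus a byte counter."""
    def __init__(self, automaton):
        self.ac, self.state, self.offset = automaton, 0, 0

    def feed(self, segment):
        hits = []
        for byte in segment:
            self.state = self.ac.step(self.state, byte)
            self.offset += 1
            for engine, pat in self.ac.out[self.state]:
                hits.append((engine, pat, self.offset - len(pat)))
        return hits

def scan_stream(segments):
    scanner = FlowScanner(Automaton(SIGNATURES))
    return [hit for seg in segments for hit in scanner.feed(seg)]

def scan_per_packet(segments):  # stateless matching, for contrast
    return [(SIGNATURES[p], p) for seg in segments for p in SIGNATURES if p in seg]
# Constructed payload; both signatures straddle a segment boundary.
PAYLOAD = b"GET /download HTTP/1.1\r\n\r\nMZ..EVIL_DROPPER_V1..beacon=spy"
SEGMENTS = [PAYLOAD[:35], PAYLOAD[35:50], PAYLOAD[50:]]
```

`scan_stream(SEGMENTS)` reports both constructed signatures even though each straddles a segment boundary, while `scan_per_packet(SEGMENTS)` finds nothing. The sketch assumes segments arrive in order and does no protocol decoding.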

Figure 2 — Single-pass RFDPI vs proxy / buffer designs. Reassembly-free scanning runs every engine once over the live stream, instead of holding the file and scanning in stages.

Single-pass RFDPI: scans the stream byte-by-byte; no proxy, no full-file buffer; all engines in one pass; low latency, scales to many.
Proxy / buffer-and-scan: reassembles or holds the file; adds latency and memory load; engines run in stages; connection count is capped.

⚙️ RFDPI
Reassembly-Free Deep Packet Inspection — the single-pass, stream-based engine that scans every byte over all ports and protocols without buffering the whole file.

🔓 DPI-SSL
The TLS decryption layer (incl. TLS 1.3). It lets RFDPI inspect inside HTTPS; with it off, encrypted threats pass the engine unscanned.

🧬 RTDMI / Capture ATP
The patented cloud-sandbox engine that forces malware to reveal itself in memory — catching fileless, encrypted and zero-day attacks the inline pass misses.

🖥️ SonicOS 7
The modern Gen 7 OS with an object-based policy model and Device / Network / Object / Policy / Monitor sections, common to TZ, NSa, NSsp and NSv.

Say 'single-pass' and 'reassembly-free' out loud

In an interview, the winning line is: RFDPI scans every byte of every packet across all ports and protocols in one pass, without proxying or buffering the whole file. That single sentence explains the low latency, the high connection scale, and why all the engines (GAV, Anti-Spyware, IPS, App Control, DPI-SSL) run together rather than in stages.

Quick check · Q2 of 10 · Understand

What does 'reassembly-free' mean in RFDPI?

Correct: b. Reassembly-free means RFDPI inspects the live stream as it flows, instead of holding/rebuilding the whole file first. That keeps latency low and lets the box handle far more connections than a buffer-and-scan design.
👉 So far: RFDPI is reassembly-free and single-pass: it scans every byte across all ports/protocols without buffering the whole file, so latency stays low and it scales — and all engines run in one pass.

③ How a packet flows — and where the cloud takes over

Follow a packet. It arrives at an interface, the firewall applies access policy, and the content is streamed into RFDPI. In that single pass the engine runs Gateway AV (malware), Anti-Spyware, IPS (exploits and attacks), and Application Control (which app, and for whom). If the traffic is encrypted, DPI-SSL decrypts it first — including TLS 1.3 — so the rest of the engines can actually see inside. A clean stream gets a verdict and is forwarded; a malicious one is dropped and logged.

RFDPI is fast, but it is only the inline brain. For files it cannot judge, SonicWall hands off to the cloud: the Capture ATP sandbox, whose patented RTDMI (Real-Time Deep Memory Inspection) engine forces malware to reveal its weaponry in memory — catching fileless, encrypted and zero-day attacks that signatures miss. RTDMI is the cloud counterpart to on-box RFDPI (covered in depth in a later lesson).

Figure 3 — How a packet flows through RFDPI. A packet is streamed through one RFDPI pass; if encrypted, DPI-SSL decrypts first, then a verdict is issued. Stages: Ingress (interface + access policy) → DPI-SSL (decrypt TLS if encrypted) → RFDPI scan (GAV / IPS / spyware / app) → Verdict (forward clean or drop).

Figure 4 — One RFDPI pass, every engine. All the inspection services look at the same stream in a single reassembly-free pass. Centre: RFDPI engine (single-pass, stream-based). Around it: Gateway Anti-Virus, Anti-Spyware, IPS, Application Control, DPI-SSL (TLS 1.3), Capture ATP / RTDMI.

Priya at Suntech Components, Coimbatore faces this

Gateway AV and IPS are licensed and 'on', yet a finance laptop is infected by malware downloaded over an HTTPS website — and the firewall logs show nothing was blocked.

Likely cause

DPI-SSL is not enabled, so RFDPI only sees encrypted bytes for HTTPS traffic and cannot scan inside the TLS tunnel — the threat downloads cleanly.

Diagnosis

In Monitor, confirm the download was HTTPS and that no GAV/IPS event fired; in Policy ▸ DPI-SSL, the Client DPI-SSL service shows as disabled.

Where to look: SonicOS 7 ▸ Monitor ▸ Logs / Connections + Policy ▸ DPI-SSL

Fix

Enable Client DPI-SSL, deploy the firewall's re-signing CA to managed endpoints, and add a sensible decryption-bypass list (banking, health, software-update domains).

Verify

Re-test the download — RFDPI now decrypts the TLS 1.3 session, scans the stream in one pass, GAV/IPS catch the malware, and an unknown sample is forwarded to Capture ATP / RTDMI for sandboxing.
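
One way to check the fix from a managed endpoint, as an added example that is not part of the original lesson or any SonicWall tooling: compare the issuer of the certificate each site presents against the firewall's re-signing CA and the bypass list. The CA common name and the bypass domains below are placeholders and constructed values; substitute your own.

```python
import socket
import ssl

RESIGN_CA_CN = "Example DPI-SSL Re-signing CA"  # placeholder: your firewall CA's CN
BYPASS_SUFFIXES = ("bank.example", "health.example", "updates.example")  # constructed

def issuer_cn(peercert):
    """Issuer commonName from the dict returned by SSLSocket.getpeercert()."""
    for rdn in peercert.get("issuer", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None

def in_bypass(host):
    # Match the domain itself or a true subdomain, never a bare string suffix.
    return any(host == s or host.endswith("." + s) for s in BYPASS_SUFFIXES)

def audit(host, peercert):
    """Classify one observed certificate against the intended DPI-SSL policy."""
    resigned = issuer_cn(peercert) == RESIGN_CA_CN
    if in_bypass(host):
        return "bypass-not-applied" if resigned else "ok-bypassed"
    return "ok-inspected" if resigned else "NOT-INSPECTED"

def audit_live(host, port=443, timeout=5):
    """Run from an endpoint behind the firewall; uses the platform trust store."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return audit(host, tls.getpeercert())
    except ssl.SSLCertVerificationError:
        # Chain not trusted here, e.g. the re-signing CA was never deployed.
        return "chain-untrusted"
```

A `NOT-INSPECTED` result for a site outside the bypass list means the endpoint still sees the origin's own certificate chain, so the stream is reaching RFDPI encrypted.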

'GAV and IPS are on, so we're covered' is wrong

Almost all web traffic is HTTPS, so with DPI-SSL off RFDPI only sees encrypted bytes and GAV and IPS can't inspect inside the tunnel. Threats ride in under TLS. Always pair the inspection engines with DPI-SSL (and a sane bypass list) or you are scanning a fraction of real traffic.

▶ Watch an HTTPS download get scanned and blocked

How a single encrypted download is inspected end-to-end.

① Ingress: A user starts an HTTPS download; the request hits the firewall interface and access policy lets it through.
② DPI-SSL: DPI-SSL decrypts the TLS 1.3 session so the engines can actually see inside the encrypted stream.
③ RFDPI scan: In one pass, RFDPI runs Gateway AV, Anti-Spyware, IPS and App Control over the decrypted stream.
④ Verdict: Known malware is dropped and logged; an unknown-but-suspicious file is forwarded to Capture ATP / RTDMI in the cloud.

Quick check · Q3 of 10 · Apply

A user downloads malware over an HTTPS site and the firewall logs nothing, even though GAV and IPS are on. What is the most likely cause?

Correct: a. Without DPI-SSL, RFDPI can only see encrypted bytes for HTTPS, so GAV/IPS have nothing to inspect inside the tunnel and the threat downloads cleanly. Enabling DPI-SSL lets the engine decrypt and scan the stream.
👉 So far: A packet streams through one RFDPI pass (GAV, Anti-Spyware, IPS, App Control; DPI-SSL first if encrypted) to a verdict. Unknown files go to the Capture ATP / RTDMI cloud sandbox.

④ Managing & sizing it — SonicOS 7 objects and honest throughput

You drive all of this from SonicOS 7. The modern dashboard is organised into five sections — Device, Network, Object, Policy and Monitor — and it uses an object-based policy model: you define reusable objects (addresses, services, zones) once in Object, then reference them in Policy rules, so the same definition drives consistent rules everywhere.

Size by the honest number

The classic mistake is sizing on the big raw firewall throughput figure, which is measured with inspection off. Real traffic needs the engines on, so size by threat-prevention / DPI throughput with all engines (and DPI-SSL) enabled, plus your expected connection count. Pick the family (TZ → NSa → NSsp → NSv) that meets that inspected number with headroom, and use NSsp clustering when one box is not enough.

Figure 5 — Sizing a Gen 7 firewall the honest way. Size on inspected throughput with all engines on — not the raw firewall number measured with inspection off. Steps: Inspected need (DPI throughput, engines on) → Connections (concurrent + new/sec) → Pick family (TZ / NSa / NSsp / NSv) → Headroom (cluster on NSsp if needed).

Size on the inspected number, not the headline one

Datasheets show a big 'firewall throughput' figure measured with inspection off. Real deployments run the engines on. Always confirm the model's threat-prevention / DPI throughput (and DPI-SSL throughput) meets your traffic with headroom before you commit — that single check prevents a box that chokes the moment you turn security on.

Quick check · Q4 of 10 · Analyze

Which number should you use to size a Gen 7 firewall?

Correct: d. Raw firewall throughput is measured with inspection off, so it overstates real capacity. Size on the inspected (threat-prevention / DPI) throughput with all engines and DPI-SSL on, plus expected connection counts.
👉 So far: Manage with SonicOS 7's object-based model (Device/Network/Object/Policy/Monitor) and size by threat-prevention throughput with all engines on — never the raw inspection-off number.

📝 Wrap-up assessment — six more

Q5 · Remember

What does RFDPI stand for?

Correct: b. RFDPI is Reassembly-Free Deep Packet Inspection — SonicWall's single-pass, stream-based engine that inspects every byte across all ports and protocols without buffering the whole file.
Q6 · Understand

Which statement best describes how RFDPI inspects traffic?

Correct: c. RFDPI is single-pass and reassembly-free: it streams every byte across all ports/protocols through one pass, without holding the whole file, which is what keeps latency low and connection scale high.
Q7 · Apply

You need RFDPI to inspect threats hidden inside HTTPS traffic. What must be enabled?

Correct: b. DPI-SSL decrypts TLS (including TLS 1.3) so RFDPI can see and scan the content inside HTTPS. Without it, the engine only sees encrypted bytes and threats pass unscanned.
Q8 · Analyze

Why does a reassembly-free, single-pass design give lower latency and higher connection scale than a proxy/buffer design?

Correct: d. A proxy/buffer design must reassemble or hold the file before any engine can scan, adding delay and memory load and capping connections. RFDPI scans the live stream once with all engines, so it stays fast and scales.
Q9 · Evaluate

Where does the Capture ATP / RTDMI engine fit relative to on-box RFDPI?

Correct: a. RFDPI is the fast inline on-box pass; RTDMI inside the Capture ATP cloud sandbox forces unknown malware to reveal itself in memory, catching fileless and zero-day threats. They are complementary, not replacements.
Q10 · Evaluate

An interviewer asks which figure to size a Gen 7 firewall on. Best answer?

Correct: c. Raw firewall throughput is an inspection-off number that overstates real capacity. Size on the inspected (threat-prevention / DPI) throughput with all engines on, plus expected connections, so the box does not choke once security is enabled.

🧠 In your own words

Type one line: why is RFDPI called 'reassembly-free single-pass' inspection, and why does that matter? Then compare with the expert version.

Expert version: Because RFDPI scans the traffic as a live stream — every byte of every packet, across all ports and protocols — without proxying the connection or buffering the whole file before it can check it, and it runs all the engines (Gateway AV, Anti-Spyware, IPS, Application Control, DPI-SSL) together in that one pass. Not having to reassemble the file means low latency and the ability to handle far more concurrent connections than a buffer-and-scan or proxy design. It also explains why DPI-SSL matters (the engine can only scan what it can decrypt) and why the Capture ATP / RTDMI cloud sandbox exists — to deep-inspect the unknown files the fast inline pass cannot judge.

📖 Glossary

Gen 7
SonicWall's current next-generation firewall generation — all models run SonicOS 7.x and the RFDPI engine.
SonicOS 7
The redesigned modern firewall OS with an object-based policy model and a Device / Network / Object / Policy / Monitor layout.
RFDPI
Reassembly-Free Deep Packet Inspection — single-pass, stream-based inspection of every byte across all ports and protocols, without buffering the whole file.
Single-pass inspection
Running all security engines once over the live stream instead of separate sequential scans, which keeps latency low.
DPI-SSL
Decryption and inspection of TLS (including TLS 1.3) so RFDPI can scan inside HTTPS; off means encrypted threats pass unseen.
Capture ATP
SonicWall's cloud sandbox service that analyses suspicious or unknown files the inline engine cannot judge.
RTDMI
Real-Time Deep Memory Inspection — the patented engine inside Capture ATP that forces malware to reveal itself in memory to catch fileless and zero-day threats.
Threat-prevention throughput
The realistic speed of the firewall with all inspection engines on — the number you should size by, not the raw inspection-off figure.
TZ / NSa / NSsp / NSv
The four Gen 7 platform families: SMB/branch desktop, mid-size/campus, large-enterprise/data-center with clustering, and virtual for cloud/VMs.

What's next?

Got the engine and the lineup? Next, go deep on the building blocks you actually configure: zones, interfaces (PortShield and VLANs), address/service objects and how routing ties them together in SonicOS 7.