What is Single-Pass Architecture?
A traffic processing design in which a single inspection engine applies all security policies (firewall, IPS, DLP, malware scanning) to each packet or flow in one pass, rather than chaining multiple sequential inspection stages.
Single-pass architecture is a critical differentiator among SASE platforms. In a multi-pass (service-chaining) architecture, traffic flows sequentially through separate engines: first the firewall, then the IPS, then the proxy for URL filtering, then the DLP scanner. Each engine decapsulates, inspects, and re-encapsulates the traffic, adding latency at every stage. In a single-pass architecture, traffic is decapsulated once, all inspection policies are applied simultaneously or in a tightly integrated pipeline, and the traffic is re-encapsulated once.
The performance difference is substantial. Service chaining can add milliseconds of latency per engine, which compounds across multiple inspection stages and is multiplied by the number of concurrent sessions. Single-pass designs maintain more consistent latency regardless of how many security functions are enabled.
When evaluating SASE vendors' single-pass claims, look beyond the marketing. Some vendors describe their architecture as single-pass but still decrypt TLS in one component and re-encrypt it before passing to another. True single-pass means TLS is terminated once, the plaintext is inspected by all engines from a shared buffer, and the traffic is re-encrypted once for forwarding. Ask vendors to detail the internal data path between their SWG, CASB, DLP, and IPS inspection engines.
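The two data paths described above can be compared directly. The following is an added example, not code from any vendor or from the original page: zlib stands in for TLS or tunnel termination, and the engine rules, the Codec counter, and the sample request are hypothetical and constructed for illustration.

```python
import re
import zlib

# Stand-in for tunnel/TLS handling: zlib is used only so the example runs
# offline; a real platform would terminate TLS here (assumption).
class Codec:
    def __init__(self):
        self.decaps = 0
        self.encaps = 0
    def decap(self, wire: bytes) -> bytes:
        self.decaps += 1
        return zlib.decompress(wire)
    def encap(self, plain: bytes) -> bytes:
        self.encaps += 1
        return zlib.compress(plain)

# Hypothetical inspection engines: each returns True on a policy violation.
ENGINES = {
    "firewall": lambda p: b"Host: blocked.example" in p,
    "ips": lambda p: b"../../" in p,
    "url_filter": lambda p: p.startswith(b"GET /gambling"),
    "dlp": lambda p: re.search(rb"\b(?:\d{4}[- ]){3}\d{4}\b", p) is not None,
}

def multi_pass(wire, codec):
    """Service chaining: every engine decapsulates, inspects, re-encapsulates."""
    hits = []
    for name, check in ENGINES.items():
        plain = codec.decap(wire)
        if check(plain):
            hits.append(name)
        wire = codec.encap(plain)
    return wire, hits

def single_pass(wire, codec):
    """Single pass: decapsulate once, all engines read one shared buffer."""
    plain = codec.decap(wire)
    hits = [name for name, check in ENGINES.items() if check(plain)]
    return codec.encap(plain), hits

def compare(payload: bytes):
    chained, single = Codec(), Codec()
    _, hits_chained = multi_pass(zlib.compress(payload), chained)
    _, hits_single = single_pass(zlib.compress(payload), single)
    return {"same_verdicts": hits_chained == hits_single, "hits": hits_single,
            "chained_decaps": chained.decaps, "single_decaps": single.decaps}

# Constructed sample request, not captured traffic.
SAMPLE = b"POST /upload HTTP/1.1\r\nHost: files.example\r\n\r\ncard=4111 1111 1111 1111"
```

Calling compare(SAMPLE) shows both designs reaching the same verdict while the chained path decapsulates once per engine and the single-pass path decapsulates once in total.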
A cloud-delivered architecture that converges SD-WAN and security services (SWG, CASB, ZTNA, FWaaS) into a single, globally distributed platform.
The security half of SASE, delivering SWG, CASB, ZTNA, and DLP as cloud-delivered services without the SD-WAN networking component.
A geographically distributed data center operated by a SASE/SSE provider where security inspection and traffic optimization occur as close to the user as possible.
A software architecture built from the ground up for cloud environments using microservices, containerization, and elastic scaling, as opposed to legacy appliances virtualized and hosted in the cloud.