I don’t know about you, but when it comes to products that I use every day and are indispensable to me, I’m always up to date with the latest developments. This concerns mostly technical devices, but I’m also a geek. 😄
For all these devices, I follow a clear strategy when it is time to replace the product with its successor. I apply this strategy to Sophos Firewall in this blog post to find out whether it is worth switching to the new XGS hardware or not.
Spoiler: In most cases, it actually doesn’t. 🤐
4 reasons to think about buying a new XGS firewall
The new XGS hardware has been on the market since April 2021. There are different factors when the purchase of an XGS hardware is really worthwhile. In the following section, we look at 4 signs that can justify a purchase decision:
1. device failure
When a device fails and its warranty has expired, things usually have to move quickly and there is no time for in-depth research. You should therefore know in advance how you will get the infrastructure up and running again and what the delivery times for a replacement device are. The firewall is the heart of the network, and very few organisations can afford a longer interruption. Companies with more than 20 employees, however, often run an HA solution, which can soften the impact of an outage somewhat.
SG Firewall with UTM OS 🤕
Unfortunately, we often see customers with SG hardware still running the UTM OS. In such a situation, buying an XGS firewall is not recommended: operations need to be restored as quickly as possible, and there is no time for a migration to SFOS. You should therefore reorder the same SG firewall model as quickly as possible so that the configuration can be restored from the backup without complications.
We generally recommend that all customers still running an SG Firewall with the UTM operating system consider migrating to SFOS. The licence migration is free of charge and the remaining term is carried over 1:1. The following instructions may help you with the migration: Install Sophos XG Firewall OS on an SG Appliance
If you need assistance migrating from UTM to SFOS, we’ll be happy to help. The UTM hardcore fans among you who don’t want to switch to SFOS under any circumstances can simply wait until the UTM OS goes End-of-Life, which will certainly not happen before the end of 2025. However, the following two blog posts may help you change your mind:
2. no more updates
When a piece of software has not received any updates for more than a year, my attitude towards it changes. If it has been more than two years (often even earlier), people start looking for alternatives to replace it. For this reason alone, it would be inconceivable for me to still operate a Sophos Firewall with the UTM operating system today. 😜
Anyone else who has SFOS installed on an SG Firewall, or who owns an XG Firewall, should check whether their appliance can still run SFOS v18.5+. In the following post, we describe which appliances will no longer receive the latest version: Sophos Firewall appliances: supported hardware for SFOS v18+
Note: Sophos initially intended to cut SG Firewalls running SFOS and older-generation XG Firewalls off from updates as well. At the beginning of 2021, however, Sophos deviated from this plan, and all current SG and XG models will continue to receive the latest SFOS versions.
So unless you have an older revision of an SG or XG firewall that no longer receives updates, I can’t really recommend buying the XGS firewall here either.
3. no more warranty
Another point that plays an important role in my personal purchasing strategy is a product’s warranty. As soon as it expires, I automatically check whether there are any options for an extension or whether it is time to replace the product.
The XG firewalls have a 5-year warranty with the corresponding license. If you are one of the people who bought the first revision of an XG Firewall in 2016, your firewall is no longer covered by the manufacturer’s warranty. In this case, I would make the following two considerations:
- A single appliance is operated: Here the risk would be too great for me and I would replace the hardware with a new XGS model.
- There are two appliances in an HA cluster: Here, too, I would aim for a change. If the budget is not there, you can also wait until one of the two firewalls fails and then buy two new XGS models.
4. not enough power
The last item on my list that can contribute to a purchase decision is the performance of a product. Firmware updates can make a device slower over time as new features are packed in. Or, quite simply, your own requirements change so that the original performance no longer fits.
These points also apply to a Sophos Firewall. Check the load on your firewall: the number of devices in your network or the number of employees may have changed over the last few years, so the performance originally specified no longer meets current requirements. In such a case, switching to an XGS Firewall would certainly not be a bad idea, budget permitting. The licence can often be transferred to the new appliance free of charge.
On the other hand, do you have a current SG or XG firewall that still receives the latest SFOS updates (SFOS 18.5+), is still covered by the manufacturer’s warranty and has no performance problems? Then buying an XGS firewall is not worth it. You should just keep an eye on the End-of-Life date of the XG Firewalls, which Sophos recently postponed from 31.12.2024 to 31.03.2025.
If I apply the 4 points of my personal purchase strategy to the XGS firewall, most existing customers probably have no need to act. For new customers, of course, the case is clear: here we would always advise the XGS hardware! Finally, I have put together a flowchart to help you with the purchase decision. Just work through it yourself and you will get our clear recommendation at the end.
For those who have an XG firewall and are currently undecided, I recommend the following blog article, which describes the difference between an XG and an XGS firewall:
Briefly summarized: The decisive advantages of the new XGS hardware
The XGS series offers massively better performance by, among other things, processing traffic intelligently and efficiently and offloading certain tasks such as TLS inspection to dedicated hardware. The new dual-processor architecture with a multi-core CPU and an Xstream flow processor enables better hardware acceleration. In the coming SFOS versions, more processes will be optimised for the new hardware.
Each unit features a 64-bit CPU and a separate Xstream processor, also known as a Network Processing Unit (NPU). The new series is equipped with additional network ports and allows optional modules to be added, giving flexible options for network port selection. The XGS series now also offers PoE (Power over Ethernet) ports and fail-to-wire (bypass), allowing traffic to continue flowing even if the device loses power.
Network Flow FastPath
Unlike the virtual FastPath, which is processed by the CPU in the XG series, the FastPath in the XGS series is handled by the Xstream flow processor. This sits between the CPU and the physical ports and is connected via PCIe (PCI Express). Traffic offloaded to the FastPath is thus processed by the Xstream flow processor, and the CPU is freed up to deal with other tasks that cannot (yet) be offloaded.
Fail-to-Wire is a fault-tolerance feature that protects enterprise communications in the event of a power failure. In this case, the WAN and LAN ports are bypassed, transparently preserving network connectivity. A relay establishes a physical connection between the two ports of the bypass pair and forwards traffic whether power is present or not.
Note: Fail-to-Wire is not enabled by default and must be configured via the extended shell using the xgs-ftw command. Keep in mind that while the bypass is active, traffic passes between the two ports without any inspection by the firewall.
Have you come to a decision and would like to purchase a new XGS Firewall? Then don’t forget to take a look at our promo page first. The discounter Sophos has a suitable promo for almost every scenario. 😅