I don’t know about you, but when it comes to products that I use every day and are indispensable to me, I’m always up to date with the latest developments. This concerns mostly technical devices, but I’m also a geek. 😄
With all these devices, I follow a clear strategy as to when it is time to replace the product with its successor. I apply this strategy to Sophos Firewall in this blog post to find out whether it’s worth switching to the new XGS hardware or not.
Spoiler: In most cases, it actually doesn’t. 🤐
4 reasons to think about buying a new XGS firewall
The new XGS hardware has now been on the market since April 2021. Several factors determine when buying XGS hardware is really worthwhile. In the following section, we’ll look at 4 signs that can justify a purchase decision:
1. hardware failure
When a device breaks and the warranty has expired, things often have to happen quickly and there is no time for more in-depth research. It is important to know in advance how to get the infrastructure up and running again and what the delivery times for a replacement device might be. The firewall is the heart of the network, and very few can afford a longer interruption. However, companies with more than 20 employees often have an HA solution, which can alleviate the situation somewhat in the event of an outage.
SG Firewall with UTM OS 🤕
Unfortunately, we often see that it is customers with SG hardware who are still running the UTM OS that get hit. In such a situation, buying an XGS firewall is not recommended. Operations need to be restored as quickly as possible, and there is no time for a migration to SFOS. So you should reorder the same SG Firewall model as soon as possible so that the configuration can easily be restored from the backup.
We generally recommend that all customers who are still using an SG Firewall with the UTM operating system consider migrating to SFOS. The migration of the license is free of charge and the remaining license term is transferred 1:1. The following instructions may help you with the migration: Install Sophos XG Firewall OS on an SG Appliance
If you need assistance in migrating from UTM to SFOS, we will be happy to help. The UTM hardcore fans among you, who don’t want to switch to the SFOS by any means, can also just wait until the UTM OS goes end-of-life. That will certainly not be the case before the end of 2025. But maybe the following two blogposts can make you rethink:
2. no more updates
When a piece of software has not received any updates for over a year, my feelings about it change. After more than two years (often even earlier), I look for alternatives to replace it. For this reason alone, it would be inconceivable for me to still operate a Sophos firewall with the UTM operating system today. 😜
Everyone else who has SFOS installed on their SG Firewall or who has an XG Firewall should check whether SFOS v18.5+ can still be installed on their appliance. In the following post, we have described which devices will no longer receive the latest version: Sophos Firewall Appliances: Supported Hardware for SFOS v18+
Note: Sophos initially wanted to cut off SG Firewalls with SFOS and older generation XG Firewalls from updates as well. However, at the beginning of 2021, Sophos deviated from this plan and all current SG and XG models will still receive the latest SFOS versions.
So unless you have an older revision of an SG or XG firewall that no longer receives updates, I can’t really recommend buying the XGS firewall here either.
3. no more warranty
Another point that plays an important role in my personal buying strategy is a product’s warranty. Because once it expires, I automatically check to see if there are any options for renewal, or if it’s time to replace the product.
XG Firewalls have a 5-year warranty with the appropriate license. If you are one of the people who bought the first revision of an XG firewall in 2016, your firewall is no longer covered by the manufacturer’s warranty. In this case, I would make the following two considerations:
- A single appliance is operated: Here the risk would be too great for me and I would replace the hardware with a new XGS model.
- There are two appliances in an HA cluster: again, I would look to switch. If the budget isn’t there, you can also wait until one of the two firewalls fails and then buy two new XGS models.
4. not enough power
The last item on my list that can contribute to the decision of a new purchase is the performance of a product. It happens that firmware updates make a device slower over time because new features are packed in. Or your own requirements may simply change, so that the original performance no longer fits.
These points can also be applied to a Sophos Firewall. Check the load of your firewall: the number of devices in your network or the number of employees may have changed over the last few years, so that the performance originally sized for no longer meets current requirements. In such a case, switching to the XGS Firewall would certainly not be a bad idea, if the budget allows it. The license can often be transferred to the new appliance free of charge.
On the other hand, do you have a current SG or XG firewall that still receives the latest SFOS updates (SFOS 18.5+), is still covered by the manufacturer’s warranty, and has no performance issues? Then it is not worth buying an XGS firewall. You should only keep an eye on the end-of-life date of the XG Firewalls. This date was recently pushed out by Sophos from 12/31/2024 to 3/31/2025.
If I apply the 4 points of my personal purchase strategy to the XGS Firewall, there is probably a need for action for very few existing customers. The case is clear for new customers, of course, and here we would always advise the XGS hardware! Finally, I have put together a flowchart for you to help you with the purchase decision process. Just play through it yourself and you’ll get our clear recommendation at the end.
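The four points above can be written down as a small triage script that you run over your own firewall inventory. This is an added example and not the post's flowchart or any Sophos tool; the rules (5-year warranty, SFOS v18.5+ support, XG end-of-life on 3/31/2025, the SG/UTM and HA special cases) follow the post, while the 80 % load threshold, the `Appliance` fields and the sample inventory are assumptions constructed for the example.

```python
"""Triage a firewall inventory against the post's four purchase criteria.

Constructed example. Rules come from the post; the load threshold,
the data model and the inventory below are assumptions.
"""
from dataclasses import dataclass
from datetime import date

XG_EOL = date(2025, 3, 31)       # XG end-of-life date quoted in the post
WARRANTY_YEARS = 5               # XG warranty term quoted in the post
LOAD_THRESHOLD_PCT = 80.0        # assumption: sustained load above this = "not enough power"


@dataclass
class Appliance:
    name: str
    series: str               # "SG", "XG" or "XGS"
    os: str                   # "UTM" or "SFOS"
    purchased: date
    supports_sfos_185: bool   # can SFOS v18.5+ still be installed? (see linked post)
    ha_pair: bool             # node of an HA cluster
    broken: bool = False
    load_pct: float = 0.0     # sustained average load, constructed metric


def warranty_expired(a: Appliance, today: date) -> bool:
    """Point 3: the warranty runs WARRANTY_YEARS from the purchase date."""
    try:
        expiry = a.purchased.replace(year=a.purchased.year + WARRANTY_YEARS)
    except ValueError:  # bought on 29 Feb: fall back to 28 Feb of the target year
        expiry = a.purchased.replace(year=a.purchased.year + WARRANTY_YEARS, day=28)
    return today > expiry


def recommend(a: Appliance, today: date) -> str:
    """Walk the four points in the post's order and return the first verdict."""
    if a.series == "XGS":
        return "keep: already XGS hardware"
    # 1. hardware failure: speed of recovery beats a migration
    if a.broken:
        if a.os == "UTM":
            return "reorder the same SG model and restore the UTM backup; migrate to SFOS later"
        return "buy XGS now" + (" (two units for the HA pair)" if a.ha_pair else "")
    # UTM OS is not end-of-life before end of 2025 and migration is free: migrate, don't buy
    if a.os == "UTM":
        return "migrate to SFOS (free license migration) before deciding on hardware"
    # 2. no more updates
    if not a.supports_sfos_185:
        return "buy XGS: appliance no longer receives SFOS updates"
    if a.series == "XG" and today > XG_EOL:
        return "buy XGS: XG series is past its end-of-life date"
    # 3. no more warranty
    if warranty_expired(a, today):
        if a.ha_pair:
            return "buy XGS, or wait for one node to fail and then replace both"
        return "buy XGS: single appliance out of warranty"
    # 4. not enough power
    if a.load_pct > LOAD_THRESHOLD_PCT:
        return "buy XGS if the budget allows: sustained load too high"
    return f"keep: watch the XG end-of-life date {XG_EOL.isoformat()}"


def triage(inventory, today: date) -> dict:
    """Map every appliance name to its verdict."""
    return {a.name: recommend(a, today) for a in inventory}


# Constructed inventory: names, dates and loads are made up for the example.
TODAY = date(2022, 3, 1)
INVENTORY = [
    Appliance("fw-hq-01", "XG", "SFOS", date(2016, 5, 10), True, False, load_pct=30),
    Appliance("fw-branch-01", "SG", "UTM", date(2019, 6, 1), False, False, broken=True),
    Appliance("fw-lab-01", "XG", "SFOS", date(2020, 1, 15), False, False, load_pct=20),
    Appliance("fw-dc-01", "XG", "SFOS", date(2019, 9, 1), True, True, load_pct=92),
    Appliance("fw-dc-02", "XG", "SFOS", date(2019, 9, 1), True, True, load_pct=40),
]

if __name__ == "__main__":
    for name, verdict in triage(INVENTORY, TODAY).items():
        print(f"{name:14} {verdict}")
```

The checks are ordered the way the post orders them, so a broken appliance is answered by the recovery rule before the update or warranty rules are consulted; change `TODAY` to a date after the XG end-of-life to see every remaining XG unit flip to a purchase recommendation.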
For those who have an XG firewall and are undecided at the moment, I recommend the following blog article that describes what the difference is between an XG and an XGS firewall:
Briefly summarized: The decisive advantages of the new XGS hardware
The XGS series offers massively better performance by, among other things, processing traffic intelligently and efficiently and offloading certain tasks such as TLS inspection to the hardware. The new dual-processor architecture with a multi-core CPU and an Xstream flow processor enables better hardware acceleration. In the coming SFOS versions, further processes will be optimized here for the new hardware.
Each unit has a 64-bit CPU and a separate Xstream processor, also known as a Network Processing Unit (NPU). The new series is equipped with additional network ports, allows adding optional modules, and offers flexible options for network port selection. The XGS series now offers PoE (Power over Ethernet) ports and fail-to-wire (bypass), allowing traffic to continue even if the device loses power.
Network Flow FastPath
Unlike the virtual FastPath of the XG series, which is processed by the CPU, the FastPath in the XGS series is processed by the Xstream flow processor. It sits between the CPU and the physical ports and is connected to the CPU via PCIe (PCI Express). Thus, traffic offloaded to the FastPath is handled by the Xstream flow processor, and the CPU is freed up to deal with other tasks that cannot (yet) be offloaded.
Fail-to-Wire is a fault tolerance feature that protects enterprise communications in the event of a power failure. In this case, WAN and LAN are bridged, transparently preserving network connectivity. A relay establishes a physical connection between the two ports of the bypass pair and forwards traffic whether or not power is present.
Note: Fail-to-Wire is not enabled by default and must be configured via the extended shell using the xgs-ftw command.
You have come to a decision and want to purchase a new XGS Firewall? Then don’t forget to check out our promo page first. The discounter Sophos has a suitable promo for almost every scenario. 😅