New Sophos Firewall models in the XGS Desktop series available
With the introduction of the new Sophos XGS Desktop Firewalls, Sophos is improving the current desktop models and appears to have listened to user feedback. These firewalls offer not only significant performance improvements, but also higher energy efficiency and enhanced threat protection through Version 21.
End of Life for the “old” desktop series
First, a word for existing customers, because Sophos has not always handled End-of-Life announcements very gracefully in the past. The affected models, which Sophos refers to as “first-generation XGS Desktop models”, are XGS 87(w), XGS 107(w), XGS 116(w), XGS 126(w), and XGS 136(w). These models will continue to be supported for another five years after the End-of-Sale announcement, which has not yet been made.
Now that Sophos has sold off its inventory, the End-of-Sale announcement for this XGS series is expected around the end of March 2025. This means the models listed above can still be used until at least the end of March 2030. That is great news for all users of these appliances.
New 1U and 2U Models
Customers with the larger models in particular are wondering what comes next, as in the past the older models often received a refresh shortly after a hardware update.
At the moment, it looks as though no new hardware is planned for the 1U and 2U models, meaning the XGS 2100 and above, before the end of 2025. We do not expect a new generation before mid-2026 at the earliest.
What’s new with the Sophos XGS Desktop Firewalls?
Highlights in brief
- 50% lower power consumption on all models up to the XGS 128(w): The new models feature a particularly energy-efficient architecture that significantly reduces power consumption while improving performance.
- Fanless models XGS 88 and XGS 108: The XGS 88 and XGS 108 models are fanless, making them ideal for noise-sensitive environments such as offices or workplaces where quiet operation is required.
- 2.5G interfaces on every model: All new Sophos XGS Firewalls are equipped with 2.5 Gigabit Ethernet ports, providing fast wired connectivity for networks.
- Wi-Fi 6 support on the w-models: The Wi-Fi models (XGS 88w, XGS 108w, XGS 118w, XGS 128w) support Wi-Fi 6 (802.11ax), which can operate in both the 2.4 GHz and 5 GHz bands simultaneously. This ensures better performance and stability in wireless networks.
- Two 10G SFP+ interfaces on the XGS 138 model: The XGS 138 model is equipped with two 10G SFP+ ports, enabling direct fiber connectivity and making it ideal for networks with high bandwidth requirements.
- Efficient single-processor architecture up to the XGS 128(w): Models up to the XGS 128(w) feature a new, efficient single-processor architecture that enables higher performance with reduced power consumption.
- Dual processor architecture on the XGS 138: The XGS 138 model has been equipped with an updated dual-processor architecture to ensure improved performance and processing capacity. There is no Wi-Fi variant of this model.
- New, cost-effective 5G module: A new, cost-effective 5G module will be available for the XGS 118(w), XGS 128(w), and XGS 138 models, providing additional redundancy and flexibility for SD-WAN solutions.
Performance gains and efficiency
The new Sophos XGS Desktop Firewalls offer up to twice the overall performance of their predecessors. The exception is the XGS 138, which delivers more performance but not a full doubling. Thanks to improved acceleration in FastPath technology in SFOS v21, combined with an optimized architecture in eight of the nine new models, IPsec VPN throughput can improve by up to three times. This higher performance helps networks stay better protected against modern threats such as zero-day attacks.
In addition to better performance, the new cooling systems and fanless models (XGS 88 and XGS 108) provide particularly quiet operation, which is ideal for noise-sensitive environments.
Power consumption has been reduced by up to 50% at maximum load. In idle mode, the appliances use only slightly less power. The savings come from the fact that Sophos no longer uses the CPU and NPU combination that was heavily promoted with the XGS series to improve performance. Instead, the new models return to a CPU-only design, saving one processor while still increasing performance.
Below is a comparison table of the individual appliances, comparing the first generation with the new generation of desktop models.
XGS 87 / 88
| Metric | XGS 88(w) | XGS 87(w) | Improvement (%) |
|---|---|---|---|
| Firewall Throughput | 9,900 Mbps | 3,850 Mbps | 157.14 % |
| Firewall IMIX | 6,500 Mbps | 3,000 Mbps | 116.67 % |
| IPS Throughput | 2,000 Mbps | 1,200 Mbps | 66.67 % |
| Threat Protection Throughput | 2,000 Mbps | 850 Mbps | 135.29 % |
| NGFW | 2,000 Mbps | 700 Mbps | 185.71 % |
| Concurrent Connections | 1,600,000 | 1,600,000 | 0.00 % |
| New Connections per Second | 40,500 | 35,700 | 13.45 % |
| IPsec VPN Throughput | 6,000 Mbps | 3,000 Mbps | 100.00 % |
| Concurrent SSL VPN Tunnels | 500 | 500 | 0.00 % |
| Concurrent IPsec VPN Tunnels | 500 | 500 | 0.00 % |
| Xstream SSL/TLS Inspection | 600 Mbps | 375 Mbps | 60.00 % |
| Concurrent Xstream SSL/TLS Connections | 8,192 | 8,192 | 0.00 % |
XGS 107 / 108
| Metric | XGS 108(w) | XGS 107(w) | Improvement (%) |
|---|---|---|---|
| Firewall Throughput | 12,500 Mbps | 7,000 Mbps | 78.57 % |
| Firewall IMIX | 8,100 Mbps | 3,750 Mbps | 116.00 % |
| IPS Throughput | 2,500 Mbps | 1,500 Mbps | 66.67 % |
| Threat Protection Throughput | 2,500 Mbps | 1,110 Mbps | 125.23 % |
| NGFW | 2,600 Mbps | 1,050 Mbps | 147.62 % |
| Concurrent Connections | 4,190,000 | 1,600,000 | 161.88 % |
| New Connections per Second | 53,000 | 44,400 | 19.37 % |
| IPsec VPN Throughput | 8,250 Mbps | 4,000 Mbps | 106.25 % |
| Concurrent SSL VPN Tunnels | 1,000 | 1,000 | 0.00 % |
| Concurrent IPsec VPN Tunnels | 1,000 | 1,000 | 0.00 % |
| Xstream SSL/TLS Inspection | 800 Mbps | 420 Mbps | 90.48 % |
| Concurrent Xstream SSL/TLS Connections | 12,288 | 8,192 | 50.00 % |
XGS 116 / 118
| Metric | XGS 118(w) | XGS 116(w) | Improvement (%) |
|---|---|---|---|
| Firewall Throughput | 15,500 Mbps | 7,700 Mbps | 101.30 % |
| Firewall IMIX | 11,000 Mbps | 4,500 Mbps | 144.44 % |
| IPS Throughput | 3,500 Mbps | 2,500 Mbps | 40.00 % |
| Threat Protection Throughput | 3,250 Mbps | 2,160 Mbps | 50.46 % |
| NGFW | 3,950 Mbps | 2,000 Mbps | 97.50 % |
| Concurrent Connections | 5,500,000 | 1,600,000 | 243.75 % |
| New Connections per Second | 62,650 | 61,500 | 1.87 % |
| IPsec VPN Throughput | 13,000 Mbps | 4,800 Mbps | 170.83 % |
| Concurrent IPsec VPN Tunnels | 1,500 | 1,500 | 0.00 % |
| Concurrent SSL VPN Tunnels | 1,250 | 1,250 | 0.00 % |
| Xstream SSL/TLS Inspection | 1,100 Mbps | 650 Mbps | 69.23 % |
| Concurrent Xstream SSL/TLS Connections | 18,432 | 8,192 | 125.00 % |
XGS 126 / 128
| Metric | XGS 128(w) | XGS 126(w) | Improvement (%) |
|---|---|---|---|
| Firewall Throughput | 19,100 Mbps | 10,500 Mbps | 81.90 % |
| Firewall IMIX | 14,500 Mbps | 5,250 Mbps | 176.19 % |
| IPS Throughput | 4,650 Mbps | 3,250 Mbps | 43.08 % |
| Threat Protection Throughput | 4,000 Mbps | 2,700 Mbps | 48.15 % |
| NGFW | 4,350 Mbps | 2,500 Mbps | 74.00 % |
| Concurrent Connections | 6,000,000 | 5,000,000 | 20.00 % |
| New Connections per Second | 72,250 | 69,900 | 3.36 % |
| IPsec VPN Throughput | 15,050 Mbps | 5,500 Mbps | 173.64 % |
| Concurrent IPsec VPN Tunnels | 2,500 | 2,500 | 0.00 % |
| Concurrent SSL VPN Tunnels | 1,500 | 1,500 | 0.00 % |
| Xstream SSL/TLS Inspection | 1,450 Mbps | 800 Mbps | 81.25 % |
| Concurrent Xstream SSL/TLS Connections | 18,432 | 12,288 | 50.00 % |
XGS 136 / 138
| Metric | XGS 138 | XGS 136(w) | Improvement (%) |
|---|---|---|---|
| Firewall Throughput | 19,100 Mbps | 11,500 Mbps | 66.09 % |
| Firewall IMIX | 10,500 Mbps | 6,500 Mbps | 61.54 % |
| IPS Throughput | 5,850 Mbps | 4,000 Mbps | 46.25 % |
| Threat Protection Throughput | 4,750 Mbps | 3,000 Mbps | 58.33 % |
| NGFW | 5,100 Mbps | 3,000 Mbps | 70.00 % |
| Concurrent Connections | 6,550,000 | 6,400,000 | 2.34 % |
| New Connections per Second | 105,000 | 74,500 | 40.94 % |
| IPsec VPN Throughput | 6,600 Mbps | 6,350 Mbps | 3.94 % |
| Concurrent IPsec VPN Tunnels | 2,500 | 2,500 | 0.00 % |
| Concurrent SSL VPN Tunnels | 1,500 | 1,500 | 0.00 % |
| Xstream SSL/TLS Inspection | 1,700 Mbps | 950 Mbps | 78.95 % |
| Concurrent Xstream SSL/TLS Connections | 18,432 | 18,432 | 0.00 % |
Performance data from the firewall brochure
Fair comparisons: a look behind the scenes of performance testing
Hardware performance comparisons are important because customers need to understand which solution fits their requirements. Sophos recently adjusted its testing methodology to allow fair comparisons with competitors such as Fortinet. Previous differences in packet sizes led to weaker published results, even though real-world performance was good. Sophos now uses the same test conditions as the competition to ensure a fair comparison.
The new testing methodology in detail
Sophos now uses a standardized methodology with the following parameters:
- General: Maximum throughput under ideal test conditions, measured with industry-standard Keysight-Ixia BreakingPoint tools. Actual performance may vary depending on network conditions.
- Firewall: Measurement with HTTP traffic and a response size of 512 KB.
- Firewall IMIX: UDP throughput based on packet sizes of 66, 570, and 1518 bytes.
- IPS: Measurement with HTTP traffic, standard IPS rule set, and an object size of 512 KB.
- IPsec VPN: HTTP throughput via multiple tunnels and 512 KB response size.
- TLS Inspection: Performance measurement with IPS, HTTPS sessions, and various encryption suites.
- Threat Protection: Measurement with enabled firewall, IPS, application control, and malware prevention with Enterprise Traffic Mix.
- NGFW: Measurement with enabled IPS and application control using HTTP traffic and 512 KB object size.
This standardized methodology ensures that performance data can be compared directly with competitor figures.
Thanks to the adjusted tests, Sophos customers get more transparency when evaluating performance. The XGS models offer up to three times higher performance in threat protection and significant improvements in IPsec VPN performance. These improvements are the result of the new architecture and an adapted testing methodology, which together clearly demonstrate the practical benefit.
Faster interfaces
All new models offer advanced interfaces that support multi-gigabit speeds, ensuring seamless data transfer and optimal network performance. This combination makes it possible to ensure a stable and reliable connection even with high data volumes – a decisive advantage for demanding business environments.
2.5 Gigabit Ethernet ports
All new models are equipped with 2.5 Gigabit Ethernet ports as standard, providing fast and reliable wired connectivity. These ports enable stable, high-performance connections, which are especially important for business-critical applications. With support for 2.5 Gigabit speeds, the new firewalls are ideal for growing companies that expect higher network utilization while still needing strong performance.
Wi-Fi 6 support
The Wi-Fi models (XGS 88w, XGS 108w, XGS 118w, XGS 128w) support the latest Wi-Fi 6 standard. This technology not only enables higher speeds, but also improves network performance when many devices are connected at the same time. Especially in office environments where many devices access the network simultaneously, Wi-Fi 6 helps ensure a stable and efficient connection. Bandwidth can be distributed more effectively so that all devices are served evenly and without delays.
10G SFP+ for the XGS 138
The XGS 138 model is also equipped with two 10G SFP+ ports, enabling direct fiber connectivity. These high-speed connections provide particularly high bandwidth and are ideal for scenarios that require fast and secure data transfers, such as distributed network environments or data center connectivity. SFP+ support also provides a future-proof way to meet rising bandwidth requirements, while offering a cost-effective option for SD-WAN solutions that require flexible and scalable connectivity.
Models and variants
The new models include:
The models differ in areas such as the number of network ports, Wi-Fi support, and performance characteristics.
Prices and availability
The new second-generation models are available immediately and are being sold in parallel with the existing first-generation models. They can be purchased at the same price as the Gen.1 models. Seen from that perspective, buying the old devices no longer makes much sense, unless their performance is sufficient for your needs and you have a better offer.
The first-generation models will be supported for another five years after a future End-of-Sale announcement, so users can still benefit from a full firewall lifecycle.
Conclusion
My personal highlights are the 2x SFP+ ports in the XGS 138 and the fanless XGS 88 and XGS 108 models, although we never used the XGS 88 because of its limitations. Fan noise was a major point of criticism with the old models.
On the other hand, I find it unfortunate that W models still exist. Sophos itself moved its Wi-Fi strategy from the firewall to Central, but the W models and REDs with wireless adapters can still only be managed via the firewall. That again leads to inconsistent management and an uneven feature set.
In my opinion, the packaging could also have been designed in a more environmentally friendly way, as it still uses a lot of Styrofoam and plastic and takes up an unnecessary amount of space.
Either way, the hardware and performance were good and are now even better. As of today, October 17, 2024, Version 21 is available as GA for all XGS models.
