Shopping Cart

No products in the cart.

New Sophos Firewall XGS Desktop Series models available

With the introduction of the new Sophos XGS desktop firewalls, Sophos is improving the current desktop models and has obviously listened to user feedback. These firewalls not only offer significant performance improvements, but also increased energy efficiency and enhanced threat protection through the use of version 21.

End of Life of the “old” Desktop series

To allay the concerns of existing customers at the outset, as Sophos has a history of unfortunate behavior with End-of-Life announcements: The affected models, which Sophos refers to as “first generation XGS desktop models”, are: XGS 87(w), XGS 107(w), XGS 116(w), XGS 126(w) and XGS 136(w). These models will be supported for a further five years following the End-of-Sale announcement – which has not yet been made.

Now that Sophos has sold off the stock, it is expected that the End-of-Sale of this XGS series will be announced at the end of March 2025. This means that these models can still be used until at least the end of March 2030. This is great news for all users of these devices!

New 1U and 2U models

Customers of the larger models in particular are wondering what will happen next, as in the past the older models have often received a refresh shortly after a hardware update.

It currently looks as if no new hardware is planned for the 1U and 2U models, i.e. from the XGS 2100 upwards, until the end of 2025. We do not expect a new generation until mid-2026 at the earliest.

What’s new with the Sophos XGS desktop firewalls?

Highlights in brief

  • 50 % lower energy consumption for all models up to the XGS 128(w): The new models are characterized by a particularly energy-efficient architecture that significantly reduces energy consumption while improving performance.
  • Fanless models XGS 88 and XGS 108: The XGS 88 and XGS 108 models are fanless and therefore ideal for noise-sensitive environments such as offices or workstations where quiet operation is required.
  • 2.5G interfaces on every model: All new Sophos XGS firewalls are equipped with 2.5 Gigabit Ethernet ports that provide a fast wired connection for networks.
  • Wi-Fi 6 support on the w models: The WLAN models (XGS 88w, XGS 108w, XGS 118w, XGS 128w) support Wi-Fi 6 (802.11ax), which can be operated in both the 2.4 GHz and 5 GHz ranges simultaneously. This ensures better performance and stability in wireless networks.
  • Two 10G SFP+ interfaces on the XGS 138 model: The XGS 138 model is equipped with two 10G SFP+ ports, which enable a direct fiber optic connection and are ideal for networks with high bandwidth requirements.
  • Efficient single-processor architecture up to XGS 128(w): The models up to XGS 128(w) have a new, efficient single-processor architecture that enables higher performance with reduced energy consumption.
  • Dual processor architecture on the XGS 138: The XGS 138 model has been equipped with an updated dual processor architecture to ensure improved performance and processing capacity. There is no WLAN version of this model.
  • New, cost-effective 5G module: A new, cost-effective 5G module will be available for the XGS 118(w), XGS 128(w) and XGS 138 models, providing additional redundancy and flexibility for SD-WAN solutions.
YouTube video
New Sophos XGS Series Desktop Firewalls

Increased performance and efficiency

The new Sophos XGS desktop firewalls offer up to a doubling of overall performance compared to their predecessors (exception: XGS 138, which offers more performance but no doubling). Thanks to the improved acceleration capabilities of FastPath technology in SFOS v21, combined with an optimized architecture in eight of the nine new models, up to a 3x improvement in IPsec VPN throughput performance can be achieved. This increased performance ensures that networks are better protected against modern threats, such as zero-day attacks.

In addition to the improved performance, the use of new cooling systems and fanless models (XGS 88 and XGS 108) ensures particularly quiet operation – ideal for noise-sensitive environments.

Energy consumption has been reduced by up to 50 % at maximum load, while the appliances only require slightly less power when idle. The background to this is that a CPU and NPU are no longer installed to improve performance, as announced in the XGS series, but instead only one CPU is used, thus saving a processor and still increasing performance.

Below is a comparison table of the individual appliances compared to Generation 1 and the new generation of desktop models.

MetricsXGS 88(w)XGS 87(w)Improvement (%)
Firewall Throughput9,900 Mbps3,850 Mbps157.14 %
Firewall IMIX6,500 Mbps3,000 Mbps116.67 %
IPS Throughput2,000 Mbps1,200 Mbps66.67 %
Threat protection throughput2,000 Mbps850 Mbps135.29 %
NGFW2,000 Mbps700 Mbps185.71 %
Simultaneous connections1.600.0001.600.0000.00 %
New connections per second40.50035.70013.45 %
IPsec VPN throughput6,000 Mbps3,000 Mbps100.00 %
Simultaneous SSL VPN tunnels5005000.00 %
Simultaneous IPsec VPN tunnels5005000.00 %
Xstream SSL/TLS inspection600 Mbps375 Mbps60.00 %
Simultaneous Xstream SSL/TLS connections8.1928.1920.00 %

Performance data from Firewall brochure
MetricsXGS 108(w)XGS 107(w)Improvement (%)
Firewall Throughput12,500 Mbps7,000 Mbps78,57 %
Firewall IMIX8,100 Mbps3.750 Mbps116,00 %
IPS Throughput2,500 Mbps1,500 Mbps66,67 %
Threat protection throughput2,500 Mbps1.110 Mbps125,23 %
NGFW2,600 Mbps1,050 Mbps147,62 %
Simultaneous connections4.190.0001.600.000161,88 %
New connections per second53.00044.40019,37 %
IPsec VPN throughput8.250 Mbps4,000 Mbps106,25 %
Simultaneous SSL VPN tunnels1.0001.0000,00 %
Simultaneous IPsec VPN tunnels1.0001.0000,00 %
Xstream SSL/TLS inspection800 Mbps420 Mbps90,48 %
Simultaneous Xstream SSL/TLS connections12.2888.19250,00 %
Performance data from Firewall brochure
MetricsXGS 118(w)XGS 116(w)Improvement (%)
Firewall Throughput15,500 Mbps7,700 Mbps101,30 %
Firewall IMIX11,000 Mbps4,500 Mbps144,44 %
IPS Throughput3,500 Mbps2,500 Mbps40,00 %
Threat protection throughput3.250 Mbps2,160 Mbps50,46 %
NGFW3,950 Mbps2,000 Mbps97,50 %
Simultaneous connections5.500.0001.600.000243,75 %
New connections per second62.65061.5001,87 %
IPsec VPN throughput13,000 Mbps4,800 Mbps170,83 %
Simultaneous IPsec VPN tunnels1.5001.5000,00 %
Simultaneous SSL VPN tunnels1.2501.2500,00 %
Xstream SSL/TLS inspection1,100 Mbps650 Mbps69,23 %
Simultaneous Xstream SSL/TLS connections18.4328.192125,00 %
Performance data from Firewall brochure
MetricsXGS 128(w)XGS 126(w)Improvement (%)
Firewall Throughput19.100 Mbps10,500 Mbps81,90 %
Firewall IMIX14,500 Mbps5.250 Mbps176,19 %
IPS Throughput4.650 Mbps3.250 Mbps43,08 %
Threat protection throughput4,000 Mbps2,700 Mbps48,15 %
NGFW4.350 Mbps2,500 Mbps74,00 %
Simultaneous connections6.000.0005.000.00020,00 %
New connections per second72.25069.9003,36 %
IPsec VPN throughput15.050 Mbps5,500 Mbps173,64 %
Simultaneous IPsec VPN tunnels2.5002.5000,00 %
Simultaneous SSL VPN tunnels1.5001.5000,00 %
Xstream SSL/TLS inspection1.450 Mbps800 Mbps81,25 %
Simultaneous Xstream SSL/TLS connections18.43212.28850,00 %
Performance data from Firewall brochure
MetricsXGS 138XGS 136(w)Improvement (%)
Firewall Throughput19.100 Mbps11,500 Mbps66,09 %
Firewall IMIX10,500 Mbps6,500 Mbps61,54 %
IPS Throughput5,850 Mbps4,000 Mbps46,25 %
Threat protection throughput4.750 Mbps3,000 Mbps58,33 %
NGFW5,100 Mbps3,000 Mbps70,00 %
Simultaneous connections6.550.0006.400.0002,34 %
New connections per second105.00074.50040,94 %
IPsec VPN throughput6,600 Mbps6.350 Mbps3,94 %
Simultaneous IPsec VPN tunnels2.5002.5000,00 %
Simultaneous SSL VPN tunnels1.5001.5000,00 %
Xstream SSL/TLS inspection1,700 Mbps950 Mbps78,95 %
Simultaneous Xstream SSL/TLS connections18.43218.4320,00 %
Performance data from Firewall brochure

Comparisons at eye level: a look behind the scenes of the performance tests

Hardware performance comparisons are critical for customers to know which solution meets their needs. Sophos has recently adapted its testing methodology to enable fair comparisons with competitors such as Fortinet. Previous differences in packet sizes led to poorer results even though the actual performance was good. Now Sophos uses the same test conditions as the competition to ensure a fair comparison.

The new test methodology in detail

Sophos now uses a standardized methodology with the following parameters:

  • General: Maximum throughput under ideal test conditions measured with industry standard Keysight-Ixia BreakingPoint tools. Actual performance may vary depending on network conditions.
  • Firewall: Measurement with HTTP traffic and a response size of 512 KB.
  • Firewall IMIX: UDP throughput based on packet sizes of 66, 570 and 1518 bytes.
  • IPS: Measurement with HTTP traffic, standard IPS rule set and an object size of 512 KB.
  • IPSec VPN: HTTP throughput via multiple tunnels and 512 KB response size.
  • TLS Inspection: Performance measurement with IPS, HTTPS sessions and various encryption suites.
  • Threat protection: Measurement with activated firewall, IPS, application control and malware prevention with Enterprise Traffic Mix.
  • NGFW: Measurement with activated IPS and application control using HTTP traffic and 512 KB object size.

This standardized methodology ensures that the performance data is directly comparable with that of the competition.

Thanks to the adapted tests, Sophos customers can argue with increased transparency. The XGS models offer up to three times higher threat protection performance and significant improvements in IPSec VPN performance. These improvements are the result of the new architecture and an adapted test methodology that clearly demonstrate the actual benefits.

Faster interfaces

All new models offer advanced interfaces that support multi-gigabit speeds, ensuring seamless data transfer and optimal network performance. This combination makes it possible to ensure a stable and reliable connection even with high data volumes – a decisive advantage for demanding business environments.

2.5 Gigabit Ethernet ports

All new models are equipped with 2.5 Gigabit Ethernet ports as standard, providing fast and reliable wired connectivity. These ports enable a stable and powerful connection, which is particularly necessary for business-critical applications. With support for 2.5 Gigabit speeds, the new firewalls are ideal for growing businesses that expect increased network utilization while requiring high performance.

Wi-Fi 6 support

The WLAN models (XGS 88w, XGS 108w, XGS 118w, XGS 128w) support the latest Wi-Fi 6 standard. This technology not only ensures higher speeds, but also improves network performance with a high number of simultaneously connected devices. Especially in office environments where many devices access the network at the same time, Wi-Fi 6 ensures a stable and efficient connection. This enables a better distribution of bandwidth so that all devices can be supplied evenly and without delays.

10G SFP+ for the XGS 138

The XGS 138 model is also equipped with two 10G SFP+ ports, which enable a direct fiber optic connection. These high-speed ports offer particularly high bandwidth and are ideal for scenarios that require fast and secure data transmission, such as in distributed network environments or when connecting data centers. Support for SFP+ also provides a future-proof solution to meet increasing bandwidth requirements while offering a cost-effective option for SD-WAN solutions that require flexible and scalable connectivity.

Models and variants

The new models include:

The models differ in terms of the number of network connections, WLAN support and the various performance features, among other things.

Prices and availability

The new second generation models are available immediately and will be sold alongside the existing first generation models. They can be purchased at the same price as the Gen.1 models. From this perspective, it no longer makes much sense to buy the old devices, provided the performance is good enough and you have a better offer.

The first generation models will be supported for five years after a future End-of-Sale announcement, so you can continue to benefit from a full firewall lifecycle.

Conclusion

My personal highlights are the 2x SFP+ ports in the XGS 138 and the fanless models XGS 88 and XGS 108, although we never used the XGS 88 due to limitations. The volume of the fans in particular was a major criticism of the old models.

On the other hand, I think it’s a pity that there are still W models, as Sophos Firewall itself has moved from the firewall to Central with its WLAN strategy, but the W models and REDs with wireless adapters can still only be managed via the firewall, which in turn leads to a non-homogeneous management and feature set.

In my opinion, the packaging could have been designed to be more environmentally friendly, as a lot of polystyrene and plastic is still used and this takes up an unnecessary amount of space.

However, the hardware and performance were good and are now even better. As of today, October 17, 2024, version 21 is available as GA for all XGS models.

Patrizio
Patrizio

Patrizio is an experienced network specialist with a focus on Sophos firewalls, switches and access points. He supports customers or their IT department in the configuration and migration of Sophos firewalls and ensures optimal network security through clean segmentation and firewall rule management.

Subscribe Newsletter

We send out a monthly newsletter with all the blog posts for that month.