
New Sophos Firewall XGS Desktop Series models available
With the introduction of the new Sophos XGS desktop firewalls, Sophos is improving the current desktop models and has obviously listened to user feedback. These firewalls offer not only significant performance improvements, but also increased energy efficiency and enhanced threat protection through the use of SFOS v21.
End of Life of the “old” Desktop series
To allay the concerns of existing customers at the outset, given that Sophos has a history of unfortunate behavior with End-of-Life announcements: the affected models, which Sophos refers to as “first generation XGS desktop models”, are the XGS 87(w), XGS 107(w), XGS 116(w), XGS 126(w) and XGS 136(w). These models will be supported for a further five years following the End-of-Sale announcement, which has not yet been made.
Now that Sophos has sold off the stock, it is expected that the End-of-Sale of this XGS series will be announced at the end of March 2025. This means that these models can still be used until at least the end of March 2030. This is great news for all users of these devices!
New 1U and 2U models
Customers of the larger models in particular are wondering what will happen next, as in the past the older models have often received a refresh shortly after a hardware update.
It currently looks as if no new hardware is planned for the 1U and 2U models, i.e. from the XGS 2100 upwards, until the end of 2025. We do not expect a new generation until mid-2026 at the earliest.
What’s new with the Sophos XGS desktop firewalls?
Highlights in brief
- 50 % lower energy consumption for all models up to the XGS 128(w): The new models are characterized by a particularly energy-efficient architecture that significantly reduces energy consumption while improving performance.
- Fanless models XGS 88 and XGS 108: The XGS 88 and XGS 108 models are fanless and therefore ideal for noise-sensitive environments such as offices or workstations where quiet operation is required.
- 2.5G interfaces on every model: All new Sophos XGS firewalls are equipped with 2.5 Gigabit Ethernet ports that provide a fast wired connection for networks.
- Wi-Fi 6 support on the w models: The WLAN models (XGS 88w, XGS 108w, XGS 118w, XGS 128w) support Wi-Fi 6 (802.11ax), which can be operated in both the 2.4 GHz and 5 GHz ranges simultaneously. This ensures better performance and stability in wireless networks.
- Two 10G SFP+ interfaces on the XGS 138 model: The XGS 138 model is equipped with two 10G SFP+ ports, which enable a direct fiber optic connection and are ideal for networks with high bandwidth requirements.
- Efficient single-processor architecture up to XGS 128(w): The models up to XGS 128(w) have a new, efficient single-processor architecture that enables higher performance with reduced energy consumption.
- Dual processor architecture on the XGS 138: The XGS 138 model has been equipped with an updated dual processor architecture to ensure improved performance and processing capacity. There is no WLAN version of this model.
- New, cost-effective 5G module: A new, cost-effective 5G module will be available for the XGS 118(w), XGS 128(w) and XGS 138 models, providing additional redundancy and flexibility for SD-WAN solutions.
Increased performance and efficiency
The new Sophos XGS desktop firewalls offer up to a doubling of overall performance compared to their predecessors (exception: XGS 138, which offers more performance but no doubling). Thanks to the improved acceleration capabilities of FastPath technology in SFOS v21, combined with an optimized architecture in eight of the nine new models, up to a 3x improvement in IPsec VPN throughput performance can be achieved. This increased performance ensures that networks are better protected against modern threats, such as zero-day attacks.
In addition to the improved performance, the use of new cooling systems and fanless models (XGS 88 and XGS 108) ensures particularly quiet operation – ideal for noise-sensitive environments.
Energy consumption has been reduced by up to 50 % at maximum load, while the appliances require only slightly less power when idle. The reason is that the new models no longer combine a CPU with a separate NPU, as was introduced with the XGS series to improve performance. Instead, only one CPU is used, which saves a processor and still increases performance.
The tables below compare each new-generation desktop model with its Generation 1 predecessor.
Metrics | XGS 88(w) | XGS 87(w) | Improvement (%) |
---|---|---|---|
Firewall Throughput | 9,900 Mbps | 3,850 Mbps | 157.14 % |
Firewall IMIX | 6,500 Mbps | 3,000 Mbps | 116.67 % |
IPS Throughput | 2,000 Mbps | 1,200 Mbps | 66.67 % |
Threat protection throughput | 2,000 Mbps | 850 Mbps | 135.29 % |
NGFW | 2,000 Mbps | 700 Mbps | 185.71 % |
Simultaneous connections | 1,600,000 | 1,600,000 | 0.00 % |
New connections per second | 40,500 | 35,700 | 13.45 % |
IPsec VPN throughput | 6,000 Mbps | 3,000 Mbps | 100.00 % |
Simultaneous SSL VPN tunnels | 500 | 500 | 0.00 % |
Simultaneous IPsec VPN tunnels | 500 | 500 | 0.00 % |
Xstream SSL/TLS inspection | 600 Mbps | 375 Mbps | 60.00 % |
Simultaneous Xstream SSL/TLS connections | 8,192 | 8,192 | 0.00 % |
Performance data from Firewall brochure
Metrics | XGS 108(w) | XGS 107(w) | Improvement (%) |
---|---|---|---|
Firewall Throughput | 12,500 Mbps | 7,000 Mbps | 78.57 % |
Firewall IMIX | 8,100 Mbps | 3,750 Mbps | 116.00 % |
IPS Throughput | 2,500 Mbps | 1,500 Mbps | 66.67 % |
Threat protection throughput | 2,500 Mbps | 1,110 Mbps | 125.23 % |
NGFW | 2,600 Mbps | 1,050 Mbps | 147.62 % |
Simultaneous connections | 4,190,000 | 1,600,000 | 161.88 % |
New connections per second | 53,000 | 44,400 | 19.37 % |
IPsec VPN throughput | 8,250 Mbps | 4,000 Mbps | 106.25 % |
Simultaneous SSL VPN tunnels | 1,000 | 1,000 | 0.00 % |
Simultaneous IPsec VPN tunnels | 1,000 | 1,000 | 0.00 % |
Xstream SSL/TLS inspection | 800 Mbps | 420 Mbps | 90.48 % |
Simultaneous Xstream SSL/TLS connections | 12,288 | 8,192 | 50.00 % |
Metrics | XGS 118(w) | XGS 116(w) | Improvement (%) |
---|---|---|---|
Firewall Throughput | 15,500 Mbps | 7,700 Mbps | 101.30 % |
Firewall IMIX | 11,000 Mbps | 4,500 Mbps | 144.44 % |
IPS Throughput | 3,500 Mbps | 2,500 Mbps | 40.00 % |
Threat protection throughput | 3,250 Mbps | 2,160 Mbps | 50.46 % |
NGFW | 3,950 Mbps | 2,000 Mbps | 97.50 % |
Simultaneous connections | 5,500,000 | 1,600,000 | 243.75 % |
New connections per second | 62,650 | 61,500 | 1.87 % |
IPsec VPN throughput | 13,000 Mbps | 4,800 Mbps | 170.83 % |
Simultaneous IPsec VPN tunnels | 1,500 | 1,500 | 0.00 % |
Simultaneous SSL VPN tunnels | 1,250 | 1,250 | 0.00 % |
Xstream SSL/TLS inspection | 1,100 Mbps | 650 Mbps | 69.23 % |
Simultaneous Xstream SSL/TLS connections | 18,432 | 8,192 | 125.00 % |
Metrics | XGS 128(w) | XGS 126(w) | Improvement (%) |
---|---|---|---|
Firewall Throughput | 19,100 Mbps | 10,500 Mbps | 81.90 % |
Firewall IMIX | 14,500 Mbps | 5,250 Mbps | 176.19 % |
IPS Throughput | 4,650 Mbps | 3,250 Mbps | 43.08 % |
Threat protection throughput | 4,000 Mbps | 2,700 Mbps | 48.15 % |
NGFW | 4,350 Mbps | 2,500 Mbps | 74.00 % |
Simultaneous connections | 6,000,000 | 5,000,000 | 20.00 % |
New connections per second | 72,250 | 69,900 | 3.36 % |
IPsec VPN throughput | 15,050 Mbps | 5,500 Mbps | 173.64 % |
Simultaneous IPsec VPN tunnels | 2,500 | 2,500 | 0.00 % |
Simultaneous SSL VPN tunnels | 1,500 | 1,500 | 0.00 % |
Xstream SSL/TLS inspection | 1,450 Mbps | 800 Mbps | 81.25 % |
Simultaneous Xstream SSL/TLS connections | 18,432 | 12,288 | 50.00 % |
Metrics | XGS 138 | XGS 136(w) | Improvement (%) |
---|---|---|---|
Firewall Throughput | 19,100 Mbps | 11,500 Mbps | 66.09 % |
Firewall IMIX | 10,500 Mbps | 6,500 Mbps | 61.54 % |
IPS Throughput | 5,850 Mbps | 4,000 Mbps | 46.25 % |
Threat protection throughput | 4,750 Mbps | 3,000 Mbps | 58.33 % |
NGFW | 5,100 Mbps | 3,000 Mbps | 70.00 % |
Simultaneous connections | 6,550,000 | 6,400,000 | 2.34 % |
New connections per second | 105,000 | 74,500 | 40.94 % |
IPsec VPN throughput | 6,600 Mbps | 6,350 Mbps | 3.94 % |
Simultaneous IPsec VPN tunnels | 2,500 | 2,500 | 0.00 % |
Simultaneous SSL VPN tunnels | 1,500 | 1,500 | 0.00 % |
Xstream SSL/TLS inspection | 1,700 Mbps | 950 Mbps | 78.95 % |
Simultaneous Xstream SSL/TLS connections | 18,432 | 18,432 | 0.00 % |
Like-for-like comparisons: a look behind the scenes of the performance tests
Hardware performance comparisons are critical for customers to know which solution meets their needs. Sophos has recently adapted its testing methodology to enable fair comparisons with competitors such as Fortinet. Previous differences in packet sizes led to poorer results even though the actual performance was good. Now Sophos uses the same test conditions as the competition to ensure a fair comparison.
The new test methodology in detail
Sophos now uses a standardized methodology with the following parameters:
- General: Maximum throughput under ideal test conditions, measured with industry-standard Keysight-Ixia BreakingPoint tools. Actual performance may vary depending on network conditions.
- Firewall: Measurement with HTTP traffic and a response size of 512 KB.
- Firewall IMIX: UDP throughput based on packet sizes of 66, 570 and 1518 bytes.
- IPS: Measurement with HTTP traffic, standard IPS rule set and an object size of 512 KB.
- IPsec VPN: HTTP throughput via multiple tunnels and 512 KB response size.
- TLS Inspection: Performance measurement with IPS, HTTPS sessions and various cipher suites.
- Threat protection: Measurement with activated firewall, IPS, application control and malware prevention with Enterprise Traffic Mix.
- NGFW: Measurement with activated IPS and application control using HTTP traffic and 512 KB object size.
This standardized methodology ensures that the performance data is directly comparable with that of the competition.
Thanks to the adapted tests, Sophos customers have more transparent figures to argue with. The XGS models offer up to three times higher threat protection performance and significant improvements in IPsec VPN performance. These improvements are the result of the new architecture and an adapted test methodology that clearly demonstrates the actual benefits.
Faster interfaces
All new models offer advanced interfaces that support multi-gigabit speeds, ensuring seamless data transfer and optimal network performance. This combination makes it possible to ensure a stable and reliable connection even with high data volumes – a decisive advantage for demanding business environments.
2.5 Gigabit Ethernet ports
All new models are equipped with 2.5 Gigabit Ethernet ports as standard, providing fast and reliable wired connectivity. These ports enable a stable and powerful connection, which is particularly necessary for business-critical applications. With support for 2.5 Gigabit speeds, the new firewalls are ideal for growing businesses that expect increased network utilization while requiring high performance.
Wi-Fi 6 support
The WLAN models (XGS 88w, XGS 108w, XGS 118w, XGS 128w) support the latest Wi-Fi 6 standard. This technology not only ensures higher speeds, but also improves network performance with a high number of simultaneously connected devices. Especially in office environments where many devices access the network at the same time, Wi-Fi 6 ensures a stable and efficient connection. This enables a better distribution of bandwidth so that all devices can be supplied evenly and without delays.
10G SFP+ for the XGS 138
The XGS 138 model is also equipped with two 10G SFP+ ports, which enable a direct fiber optic connection. These high-speed ports offer particularly high bandwidth and are ideal for scenarios that require fast and secure data transmission, such as in distributed network environments or when connecting data centers. Support for SFP+ also provides a future-proof solution to meet increasing bandwidth requirements while offering a cost-effective option for SD-WAN solutions that require flexible and scalable connectivity.
Models and variants
The new models include:
The models differ in terms of the number of network connections, WLAN support and the various performance features, among other things.
Prices and availability
The new second generation models are available immediately and will be sold alongside the existing first generation models. They can be purchased at the same price as the Gen.1 models. From this perspective, it no longer makes much sense to buy the old devices, unless their performance is good enough for you and you are offered a better price.
The first generation models will be supported for five years after a future End-of-Sale announcement, so you can continue to benefit from a full firewall lifecycle.
Conclusion
My personal highlights are the 2x SFP+ ports in the XGS 138 and the fanless models XGS 88 and XGS 108, although we never used the XGS 88 due to limitations. The volume of the fans in particular was a major criticism of the old models.
On the other hand, I think it’s a pity that there are still W models, as Sophos itself has moved from the firewall to Central with its WLAN strategy, but the W models and REDs with wireless adapters can still only be managed via the firewall, which in turn leads to a non-homogeneous management and feature set.
In my opinion, the packaging could have been designed to be more environmentally friendly, as a lot of polystyrene and plastic is still used and this takes up an unnecessary amount of space.
However, the hardware and performance were good and are now even better. As of today, October 17, 2024, version 21 is available as GA for all XGS models.