New Sophos Firewall Models of the XGS Desktop Series Available

With the introduction of the new Sophos XGS Desktop Firewalls, Sophos improves the current desktop models and has apparently listened to user criticism. These firewalls offer not only significant performance improvements but also increased energy efficiency and enhanced protection against threats through the use of SFOS Version 21.

End of Life of the “old” Desktop Series

To dispel existing customers’ concerns right from the start, since Sophos has handled End-of-Life announcements unfortunately in the past: the affected models, which Sophos calls “first-generation XGS Desktop models”, are the XGS 87(w), XGS 107(w), XGS 116(w), XGS 126(w), and XGS 136(w). These models will be supported for another five years after the End-of-Sale announcement, which has not yet occurred.

Now that Sophos has sold off the inventory, the End-of-Sale of this XGS series is expected to be announced at the end of March 2025. This means that the mentioned models can still be used until at least the end of March 2030. This is great news for all users of these devices!

New 1U and 2U Models

Customers of the larger models in particular are wondering what’s next, since in the past older models often received a refresh shortly after a hardware update.

Currently, it looks like no new hardware is planned for the 1U and 2U models, i.e., from the XGS 2100 upwards, until the end of 2025. We do not expect a new generation until mid-2026 at the earliest.

What’s new with the Sophos XGS Desktop Firewalls?

Highlights in brief

  • 50% lower power consumption on all models up to the XGS 128(w): The new models feature a particularly energy-efficient architecture that significantly reduces power consumption while improving performance.
  • Fanless models XGS 88 and XGS 108: The XGS 88 and XGS 108 models are fanless, making them ideal for noise-sensitive environments such as offices or workplaces where quiet operation is required.
  • 2.5G interfaces on every model: All new Sophos XGS Firewalls are equipped with 2.5 Gigabit Ethernet ports, providing a fast wired connection for networks.
  • Wi-Fi 6 support on the w-models: The Wi-Fi models (XGS 88w, XGS 108w, XGS 118w, XGS 128w) support Wi-Fi 6 (802.11ax), which can operate in both the 2.4 GHz and 5 GHz bands simultaneously. This ensures better performance and stability in wireless networks.
  • Two 10G SFP+ interfaces on the XGS 138 model: The XGS 138 model is equipped with two 10G SFP+ ports, enabling a direct fiber connection and ideal for networks with high bandwidth requirements.
  • Efficient single-processor architecture up to the XGS 128(w): Models up to the XGS 128(w) feature a new, efficient single-processor architecture that enables higher performance with reduced power consumption.
  • Dual processor architecture on the XGS 138: The XGS 138 model has been equipped with an updated dual-processor architecture to ensure improved performance and processing capacity. There is no Wi-Fi variant of this model.
  • New, cost-effective 5G module: A new, cost-effective 5G module will be available for the XGS 118(w), XGS 128(w), and XGS 138 models, providing additional redundancy and flexibility for SD-WAN solutions.

Performance Increase and Efficiency

The new Sophos XGS Desktop Firewalls offer up to double the overall performance compared to their predecessors (the exception is the XGS 138, which offers more performance but not double). Thanks to the improved acceleration functions of the FastPath technology in SFOS v21, combined with an optimized architecture in eight of the nine new models, an improvement of up to 3x in IPsec VPN throughput can be achieved. This increased performance ensures that networks are better protected against modern threats, such as zero-day attacks.

In addition to improved performance, the use of new cooling systems and fanless models (XGS 88 and XGS 108) ensures particularly quiet operation – ideal for noise-sensitive environments.

Energy consumption has been reduced by up to 50% at maximum load; in idle mode, the appliances require only slightly less power. The background is that a CPU and an NPU are no longer both installed, as was heavily advertised in the XGS series as a way to improve performance. Instead, the appliances rely only on a CPU again, which saves a processor while still increasing performance.

The tables below compare each Generation 1 appliance with its successor in the new generation of desktop models.

XGS 87 / 88

| Metric | XGS 88(w) | XGS 87(w) | Improvement (%) |
|---|---|---|---|
| Firewall Throughput | 9,900 Mbps | 3,850 Mbps | 157.14 % |
| Firewall IMIX | 6,500 Mbps | 3,000 Mbps | 116.67 % |
| IPS Throughput | 2,000 Mbps | 1,200 Mbps | 66.67 % |
| Threat Protection Throughput | 2,000 Mbps | 850 Mbps | 135.29 % |
| NGFW | 2,000 Mbps | 700 Mbps | 185.71 % |
| Concurrent Connections | 1,600,000 | 1,600,000 | 0.00 % |
| New Connections per Second | 40,500 | 35,700 | 13.45 % |
| IPsec VPN Throughput | 6,000 Mbps | 3,000 Mbps | 100.00 % |
| Concurrent SSL VPN Tunnels | 500 | 500 | 0.00 % |
| Concurrent IPsec VPN Tunnels | 500 | 500 | 0.00 % |
| Xstream SSL/TLS Inspection | 600 Mbps | 375 Mbps | 60.00 % |
| Concurrent Xstream SSL/TLS Connections | 8,192 | 8,192 | 0.00 % |

XGS 107 / 108

| Metric | XGS 108(w) | XGS 107(w) | Improvement (%) |
|---|---|---|---|
| Firewall Throughput | 12,500 Mbps | 7,000 Mbps | 78.57 % |
| Firewall IMIX | 8,100 Mbps | 3,750 Mbps | 116.00 % |
| IPS Throughput | 2,500 Mbps | 1,500 Mbps | 66.67 % |
| Threat Protection Throughput | 2,500 Mbps | 1,110 Mbps | 125.23 % |
| NGFW | 2,600 Mbps | 1,050 Mbps | 147.62 % |
| Concurrent Connections | 4,190,000 | 1,600,000 | 161.88 % |
| New Connections per Second | 53,000 | 44,400 | 19.37 % |
| IPsec VPN Throughput | 8,250 Mbps | 4,000 Mbps | 106.25 % |
| Concurrent SSL VPN Tunnels | 1,000 | 1,000 | 0.00 % |
| Concurrent IPsec VPN Tunnels | 1,000 | 1,000 | 0.00 % |
| Xstream SSL/TLS Inspection | 800 Mbps | 420 Mbps | 90.48 % |
| Concurrent Xstream SSL/TLS Connections | 12,288 | 8,192 | 50.00 % |

XGS 116 / 118

| Metric | XGS 118(w) | XGS 116(w) | Improvement (%) |
|---|---|---|---|
| Firewall Throughput | 15,500 Mbps | 7,700 Mbps | 101.30 % |
| Firewall IMIX | 11,000 Mbps | 4,500 Mbps | 144.44 % |
| IPS Throughput | 3,500 Mbps | 2,500 Mbps | 40.00 % |
| Threat Protection Throughput | 3,250 Mbps | 2,160 Mbps | 50.46 % |
| NGFW | 3,950 Mbps | 2,000 Mbps | 97.50 % |
| Concurrent Connections | 5,500,000 | 1,600,000 | 243.75 % |
| New Connections per Second | 62,650 | 61,500 | 1.87 % |
| IPsec VPN Throughput | 13,000 Mbps | 4,800 Mbps | 170.83 % |
| Concurrent IPsec VPN Tunnels | 1,500 | 1,500 | 0.00 % |
| Concurrent SSL VPN Tunnels | 1,250 | 1,250 | 0.00 % |
| Xstream SSL/TLS Inspection | 1,100 Mbps | 650 Mbps | 69.23 % |
| Concurrent Xstream SSL/TLS Connections | 18,432 | 8,192 | 125.00 % |

XGS 126 / 128

| Metric | XGS 128(w) | XGS 126(w) | Improvement (%) |
|---|---|---|---|
| Firewall Throughput | 19,100 Mbps | 10,500 Mbps | 81.90 % |
| Firewall IMIX | 14,500 Mbps | 5,250 Mbps | 176.19 % |
| IPS Throughput | 4,650 Mbps | 3,250 Mbps | 43.08 % |
| Threat Protection Throughput | 4,000 Mbps | 2,700 Mbps | 48.15 % |
| NGFW | 4,350 Mbps | 2,500 Mbps | 74.00 % |
| Concurrent Connections | 6,000,000 | 5,000,000 | 20.00 % |
| New Connections per Second | 72,250 | 69,900 | 3.36 % |
| IPsec VPN Throughput | 15,050 Mbps | 5,500 Mbps | 173.64 % |
| Concurrent IPsec VPN Tunnels | 2,500 | 2,500 | 0.00 % |
| Concurrent SSL VPN Tunnels | 1,500 | 1,500 | 0.00 % |
| Xstream SSL/TLS Inspection | 1,450 Mbps | 800 Mbps | 81.25 % |
| Concurrent Xstream SSL/TLS Connections | 18,432 | 12,288 | 50.00 % |

XGS 136 / 138

| Metric | XGS 138 | XGS 136(w) | Improvement (%) |
|---|---|---|---|
| Firewall Throughput | 19,100 Mbps | 11,500 Mbps | 66.09 % |
| Firewall IMIX | 10,500 Mbps | 6,500 Mbps | 61.54 % |
| IPS Throughput | 5,850 Mbps | 4,000 Mbps | 46.25 % |
| Threat Protection Throughput | 4,750 Mbps | 3,000 Mbps | 58.33 % |
| NGFW | 5,100 Mbps | 3,000 Mbps | 70.00 % |
| Concurrent Connections | 6,550,000 | 6,400,000 | 2.34 % |
| New Connections per Second | 105,000 | 74,500 | 40.94 % |
| IPsec VPN Throughput | 6,600 Mbps | 6,350 Mbps | 3.94 % |
| Concurrent IPsec VPN Tunnels | 2,500 | 2,500 | 0.00 % |
| Concurrent SSL VPN Tunnels | 1,500 | 1,500 | 0.00 % |
| Xstream SSL/TLS Inspection | 1,700 Mbps | 950 Mbps | 78.95 % |
| Concurrent Xstream SSL/TLS Connections | 18,432 | 18,432 | 0.00 % |

Performance data from firewall brochure

Comparisons on equal footing: A look behind the scenes of performance tests

Hardware performance comparisons are crucial so that customers know which solution meets their requirements. Sophos has recently adjusted the testing methodology to allow fair comparisons with competitors like Fortinet. Previous differences in packet sizes led to worse results, although actual performance was good. Now Sophos uses the same test conditions as the competition to ensure a fair comparison.

The new testing methodology in detail

Sophos now uses a standardized methodology with the following parameters:

  • General: Maximum throughput under ideal test conditions, measured with industry-standard Keysight-Ixia BreakingPoint tools. Actual performance may vary depending on network conditions.
  • Firewall: Measurement with HTTP traffic and a response size of 512 KB.
  • Firewall IMIX: UDP throughput based on packet sizes of 66, 570, and 1518 bytes.
  • IPS: Measurement with HTTP traffic, standard IPS rule set, and an object size of 512 KB.
  • IPsec VPN: HTTP throughput via multiple tunnels and 512 KB response size.
  • TLS Inspection: Performance measurement with IPS, HTTPS sessions, and various encryption suites.
  • Threat Protection: Measurement with enabled firewall, IPS, application control, and malware prevention with Enterprise Traffic Mix.
  • NGFW: Measurement with enabled IPS and application control using HTTP traffic and 512 KB object size.

This standardized methodology ensures that performance data is directly comparable to that of the competition.

Thanks to the adapted tests, Sophos customers can make their case with increased transparency. The XGS models offer up to three times higher performance in threat protection and significant improvements in IPsec VPN performance. These improvements are the result of the new architecture and an adapted testing methodology, which together clearly demonstrate the actual benefit.

Faster interfaces

All new models offer advanced interfaces that support multi-gigabit speeds, ensuring seamless data transfer and optimal network performance. This combination makes it possible to ensure a stable and reliable connection even with high data volumes – a decisive advantage for demanding business environments.

2.5 Gigabit Ethernet Ports

All new models are equipped with 2.5 Gigabit Ethernet ports as standard, providing fast and reliable wired connectivity. These ports enable a stable and powerful connection, which is particularly necessary for business-critical applications. Thanks to the support of 2.5 Gigabit speeds, the new firewalls are ideal for growing companies that expect increased network utilization and simultaneously require high performance.

Wi-Fi 6 Support

The Wi-Fi models (XGS 88w, XGS 108w, XGS 118w, XGS 128w) support the latest Wi-Fi 6 standard. This technology ensures not only higher speeds but also improves network performance with a high number of simultaneously connected devices. Especially in office environments where many devices access the network simultaneously, Wi-Fi 6 ensures a stable and efficient connection. This allows for better distribution of bandwidth so that all devices can be supplied evenly and without delays.

10G SFP+ for the XGS 138

The XGS 138 model is additionally equipped with two 10G SFP+ ports, enabling a direct fiber connection. These high-speed connections offer particularly high bandwidth and are ideal for scenarios requiring fast and secure data transfers, such as in distributed network environments or when connecting data centers. SFP+ support also ensures a future-proof solution to meet increasing bandwidth requirements while offering a cost-effective option for SD-WAN solutions requiring flexible and scalable connectivity.

Models and Variants

The new models include:

The models differ, among other things, in the number of network connections, Wi-Fi support, and various performance features.

Prices and Availability

The new second-generation models are available immediately and are sold in parallel with the existing first-generation models. You can purchase them at the same price as the Gen.1 models. Seen in this way, it no longer makes much sense to buy the old devices, provided the performance is sufficient and you have a better offer.

The first-generation models will be supported for another five years after a future End-of-Sale announcement, so you can continue to benefit from a full firewall lifecycle.

Conclusion

My personal highlight is the 2x SFP+ ports in the XGS 138 and the fanless models XGS 88 and XGS 108, although we never used the XGS 88 due to limitations. The volume of the fans was a major point of criticism with the old models.

On the other hand, I find it a pity that there are still W-models, as Sophos itself has moved from the firewall to Central with the WLAN strategy, but the W-models and REDs with wireless adapters can still only be managed via the firewall, which in turn leads to non-homogeneous management and feature set.

In my opinion, the packaging could certainly have been designed to be more environmentally friendly, as a lot of Styrofoam and plastic is still used and it takes up an unnecessary amount of space.

Anyway, the hardware and performance were good and are now even better. As of today, October 17, 2024, Version 21 is available as GA for all XGS models.

Patrizio