Sophos Firewall Migration from XG to XGS

The migration from Sophos XG Firewall to the new XGS series is becoming urgent for many companies, as the End-of-Life date for the XG series is approaching. This blog post gives IT administrators a practical guide to successfully migrating from XG to XGS and highlights the most important benefits and differences between the two firewall series. If you really do not want to deal with it yourself, we have already completed many migrations and are happy to take care of it for you (contact us).

Why migrate from XG to XGS?

The Sophos XG series will officially reach end of life on March 31, 2025. That means no more updates, no more support, and no more license orders after the end of March 2025.

There are several reasons why this change makes sense:

• Price increase: One reason is that Sophos increased prices for XG licenses by 30%, which makes staying on the old hardware worthwhile only in limited cases. Yes, we keep mentioning this because it was simply an uncool move by the manufacturer and left a very bad aftertaste 💩.
• Future-proofing: Future software releases such as Sophos Firewall v21 will only be available for the XGS series.
• Higher performance: The XGS series uses a dual-processor architecture specifically optimized for high loads and encrypted traffic. With multi-core CPUs, encryption-intensive operations such as TLS inspection can be handled much more efficiently.
• Improved hardware quality: The XGS series was developed in close cooperation with leading hardware manufacturers, resulting in higher reliability and a longer device lifecycle. The appliances were also extensively tested to ensure high quality standards.

Migration process in detail

Migration from XG to XGS is relatively straightforward thanks to the seamless backup and restore function. These are the key steps:

Preparation

• Create a backup of the XG configuration: Before the migration, create a current backup of the XG firewall. Make sure the backup encryption password and the Secure Storage Master Key are available.
• Check the SFOS versions: The XGS target device must run at least the same SFOS version as the XG source, or a newer one.
  • Updating firmware on Sophos Firewall

Sophos Firewall v20 MR2 Upgrade

If possible, update the Sophos XGS Firewall to Sophos Firewall v20 MR2 or higher before restoring the configuration, as the migration workflow was significantly improved in this version.

The Backup and Restore Assistant greatly simplifies the migration of firewall configurations. You can create backups from v19.5 MR4 onward and restore them to v20 MR2 or higher. This simplifies upgrades from XG to XGS, migrations between XGS models, and migrations to or from virtual and cloud appliances. Interfaces can be mapped flexibly, which is particularly helpful when optimizing network infrastructure. Pseudo-interfaces act as placeholders for unused interfaces.

Backup restore

The XG backup can be transferred directly to the XGS. The Migration Assistant makes it possible to adjust port assignments if the hardware configurations of the two devices differ.

• Sophos has removed the restrictions, so configurations can now be migrated between devices with different numbers of ports without issue. It is also possible to restore a backup from a wireless appliance to an XGS appliance without integrated Wi-Fi functionality.
• With the Port Mapping Assistant in v20 MR2, you can flexibly define how the current hardware ports should be mapped to the new device.

On the Sophos Backup Compatibility Tool website, you can check whether a backup is compatible between XG and XGS hardware, cloud, or virtual devices.

Post-processing and tests

• Make corrections: After the restore, check all settings and adjust them if necessary, especially network interfaces, VLANs, and firewall rules.
• Perform tests: Finally, the functionality of the firewall should be comprehensively tested to ensure that all services and rules have been migrated correctly.

Step-by-step video guide

This video explains the process of switching from XG to XGS again:

Single Appliance

The video explains the migration from Sophos XG to XGS Firewalls using the new Backup Restore Assistant. It covers the prerequisites, including compatibility, the backup encryption password, and the Secure Storage Master Key. It shows step by step how to create a backup, transfer it to the target device, and complete the configuration. Important: port mapping must be checked beforehand, because it can no longer be changed after the restore. Further details are available in the linked video.

For an HA cluster, the process is identical, with the most important addition being to configure the HA link, which must use an appropriate port type on both the old and new systems.

XG to XGS Migration (High Availability)

The video shows the migration from Sophos XG to XGS Firewalls in a High Availability configuration using the new Backup Restore Assistant. It explains prerequisites such as compatibility, the backup encryption password, and the Secure Storage Master Key. The migration process is shown step by step: create the backup, transfer it to the target device, adjust the ports, and complete the configuration. Important: the HA link port mapping must match beforehand. Pseudo-ports should be avoided. Further details are available in the linked video.

FAQ