Sophos Firewall Migration from XG to XGS

The migration from the Sophos XG Firewall to the new XGS series is an urgent matter for many companies, as the End-of-Life date for the XG series is approaching. This blog post provides a comprehensive guide for IT administrators on how to successfully migrate from XG to XGS and highlights the key benefits and differences between the two firewall series. If you absolutely don’t want to deal with it, we have many migrations behind us and are happy to take care of it (contact us).

Why migrate from XG to XGS?

The Sophos XG series will be officially discontinued on March 31, 2025. This means no more updates, no more support, and no more license orders after the end of March 2025.

There are several reasons why this change makes sense:

• Price increase: One reason is that Sophos increased prices for XG licenses by 30% and it is only conditionally worthwhile to remain on the old hardware. Yes, we have to mention this again and again, as this was simply an uncool action by the manufacturer and leaves a very bad taste 💩.
• Future-proofing: Future software releases such as Sophos Firewall v21 will only be available for the XGS series.
• Higher Performance: The XGS series is equipped with a dual-processor architecture specifically optimized for high loads and encrypted data traffic. By using multi-core CPUs, encryption operations such as TLS inspection can be performed significantly more efficiently.
• Improved hardware quality: The XGS series was developed in close cooperation with leading hardware manufacturers, resulting in higher reliability and longer lifespan of the devices. In addition, the devices have been extensively tested to ensure the highest quality standards.

Migration process in detail

Migration from XG to XGS is relatively easy to perform thanks to the seamless backup and restore function. Here are the key steps:

Preparation

• Create XG configuration backup: Before migration, an up-to-date backup of the XG firewall should be made. It is important that the backup encryption password and the Secure Storage Master Key are available.
• Check SFOS versions: The XGS target device must have at least the same or a higher version of SFOS installed than the XG source.
  • Updating firmware on Sophos Firewall

Sophos Firewall v20 MR2 Upgrade

If possible, the Sophos XGS Firewall should be updated to Sophos Firewall v20 MR2 or higher before restoring the config, as the migration process has been significantly improved in this version.

The Backup and Restore Assistant greatly simplifies the migration of firewall configurations. You can create backups from versions v19.5 MR4 and restore them to v20 MR2 or higher. This simplifies upgrading from XG to XGS, as well as migrating between XGS models or to/from virtual and cloud appliances. Interfaces can be flexibly assigned, which is particularly helpful for network infrastructure optimization. Pseudo-interfaces act as placeholders for unused interfaces.

Backup Restore

The XG backup can be directly transferred to the XGS. The Migration Assistant function offers the possibility to adjust the port assignments if the hardware configurations of the two devices differ.

• Sophos has lifted the restrictions, so you can now easily migrate configurations between devices with different numbers of ports. It is also possible to restore a backup of a wireless device to an XGS appliance without integrated WLAN functionality.
• With the Port Mapping Assistant (in v20 MR2), you can flexibly determine how the current hardware ports are mapped to the new device.

On the website Sophos Backup Compatibility Tool, you can check whether a backup is compatible between XG and XGS hardware, cloud or virtual devices.

Post-processing and tests

• Make corrections: After restoration, all settings should be checked and adjusted if necessary, especially network interfaces, VLANs and firewall rules.
• Perform tests: Finally, the functionality of the firewall should be comprehensively tested to ensure that all services and rules have been migrated correctly.

Step-by-step video guide

This video explains the process for switching from XG to XGS again:

Single Appliance

The video explains the migration from Sophos XG to XGS Firewalls using the new Backup Restore Assistant. It covers the prerequisites, including compatibility, backup encryption password, and the Secure Storage Master Key. It shows step by step how to create a backup, transfer it to the target device, and complete the configuration. Important: The port assignment must be checked beforehand, as it cannot be changed after restoration. Further details in the linked video.

For an HA cluster, the process is identical, with the most important addition being to configure the HA link, which must use an appropriate port type on both the old and new systems.

XG to XGS Migration (High Availability)

The video shows the migration from a Sophos XG to an XGS Firewall with High Availability configured using the new Backup-Restore Assistant, which is available in SFOS v20 MR2. It explains prerequisites such as compatibility, backup encryption password, and the Secure Storage Master Key. The migration process is shown step by step: create backup, transfer to target device, adapt ports, and complete configuration. Important: The HA link port assignment must match beforehand. Pseudo-ports should be avoided. Further details in the linked video.

FAQ