Sophos XGS Series – new firewalls with more performance

In this article, we run through all the changes and innovations in the XGS Series that make it the best firewall appliance Sophos has ever built.

It really did happen in the end…

At the Sophos Discover Conference 2017 in Lisbon, the new hardware was presented for the first time. Back then, the message was that it would be available in 2018. The launch never happened, though, and things went very quiet around the new hardware. Now, a little more than three years later, it is finally here. We had the privilege of taking part in an exclusive EAP for the XGS series from February 2021. We were able to test an XGS 2300 with v18.5 and share our findings with Sophos. Short conclusion in advance: it is seriously fast! 🚀

The main innovations in the XGS Series

The Sophos XGS Firewall has been completely redesigned and turned into a brand‑new and much more efficient product. The hardware looks similar to the XG Series from the outside, but what really matters is what is inside the new XGS Series. Under the hood, the new firewall is designed for maximum protection and more efficient network security.

Key innovations in the XGS hardware series

Dual-processor architecture

All appliances in the XGS Series now come with two different multi‑core processors. On the one hand there is the multi‑core CPU, and on the other the multi‑core network processing unit called the Xstream Flow Processor. Up to now, the Xstream architecture, which we will come back to later, was purely software‑based. In the XGS Series, however, it now has a hardware layer that boosts the efficiency metrics of this architecture enormously.

In the upcoming firmware releases SFOS 19.0 and 19.5, the software will be further optimized so that the hardware can offload even more tasks to the NPU, for example SD‑WAN, VPN and endpoint AV/TLS.

More ports and greater flexibility

The XGS Series offers a larger number of integrated interfaces and more diverse options for connecting external modules, ensuring that this series can keep pace with constant changes in network infrastructure. The XGS Series is not designed to protect your network for just the next year, but to meet the requirements of the next four to five years. Covid-19 has affected all of us differently, but the last 18 months have shown that network requirements can change drastically, and your firewall appliances need to be flexible enough to adapt to a wide variety of infrastructure changes.

Note: The FleXi Port modules from the XG Firewall are no longer compatible with the XGS Series.

Protection & performance

Smarter, more focused handling of data flows frees up resources for more intensive tasks such as core firewall tasks, TLS inspection and deep packet inspection. Depending on which statistics you look at, the XGS Series delivers performance gains of up to three times, or even more, compared with previous appliances.

The Xstream architecture

The new XGS Series includes a new Xstream Flow Processor, which acts as a multi-core network processing unit, or NPU for short. Before we can explain how this new processor significantly improves the performance of the XGS compared with the XG, we need to take a look at what the Xstream architecture actually is.

Sophos Xstream architecture

Introduced in v18, the Xstream architecture is an efficient way to handle traffic by consolidating security into a single streaming deep packet inspection engine. It creates a virtual fast path to offload previously verified and trusted traffic, which is particularly useful for applications with real-time data such as SaaS and cloud applications. In the XG Series, the Xstream architecture was entirely software-based, but in the XGS Series Sophos has added a hardware layer, the Xstream Flow Processor. This provides a dedicated fast path for application acceleration. All of this reduces the load on the CPU so it can focus all resources on core firewall tasks and deep packet inspection, significantly reducing latency and delivering much more efficient network protection.

The XGS appliances

The new hardware brings a range of new devices that are divided into different categories. Depending on the size of the IT infrastructure, you then choose the appropriate hardware size. Before we dive into each category and device in detail, we should look at the portfolio to see how the devices differ from the XG Series.

All devices in the XG Series have an XGS equivalent, with the exception of the XG 750. However, thanks to the improved hardware, all devices in the XGS Series clearly outperform their XG counterparts, so the XGS 6500 is far ahead of the XG 750.

Sophos XG vs. XGS appliance performance differences

If the power of an XGS 6500 is still not enough, we should mention that the XGS 7500 and XGS 8500 models are planned for release next year 🤐.

Let’s take a look at the three categories the XGS Series devices fall into:

Desktop range

All devices from the XGS 87 up to the XGS 136 are in the “desktop range” category. These devices are best suited for small offices, branches and retail sites. The highlights of this category are:

Sophos XGS Firewall hardware – desktop appliance highlights
  • All devices in this category come with the dual-processor architecture.
  • All devices in this series include an SFP port, which is now even built into the XGS 87 (it was not available on the XG 86).
  • The XGS 116(w) to 136(w) can now all be fitted with optional modules (this was not available on the XG 115(w)).
  • A second Wi-Fi module can now optionally be installed in the XGS 116w, 126w and 136w (this was not possible on the XG 115w and XG 125w).
  • The XGS 116(w) to 136(w) now include a built-in Power over Ethernet (PoE) port.
  • The XGS 136(w) now has 2.5 GE ports.
  • All models except the XGS 87(w) have an optional second power supply.

1U rackmount

All devices from XGS 2100 to XGS 4500 are in the “1U rackmount” category. These devices are a great fit for distributed sites and multiple branch locations. The highlights of this category are:

Sophos XGS Firewall hardware – 1U model appliance highlights
  • All devices in this range feature the dual-processor architecture.
  • The XGS 2100 to XGS 3300 come with one Flexi‑Port bay, and the XGS 4300 and XGS 4500 come with two Flexi‑Port bays.
  • Models from the XGS 3100 upwards include an integrated SFP+ port.
  • The XGS 2100 to XGS 3300 ship with one LAN bypass port pair, and the XGS 4300 and XGS 4500 come with two LAN bypass port pairs.
  • The XGS 4300 and XGS 4500 now feature integrated 2.5 GE ports.
  • The memory in devices from the XGS 3300 upwards has been increased to deliver better TLS inspection.
  • All devices in the 1U rackmount range support optional centrally powered PoE Flexi‑Port modules.
  • All devices in the 1U rackmount range support optional external redundant power.
  • The XGS 4500 comes with a dual SSD and optional internal redundant power supply.

2U rackmount

The XGS 5500 and XGS 6500 are in the “2U rackmount” category. These devices are ideal for enterprise requirements. The highlights of this category are:

Sophos XGS Firewall hardware – 2U model appliance highlights

Patrizio