Sophos XGS series – New firewalls with more power

In this article, we’ll go over all the changes and innovations to the XGS series that make it the best firewall appliance Sophos has ever developed.

It came true after all…

At the Sophos Discover Conference 2017 in Lisbon, the new hardware was presented for the first time. At that time, it was said that it would be available in 2018. However, the release did not happen and it became very quiet about the new hardware. Now, a little more than three years later, it is here. We had the great honor of participating in an exclusive EAP for the XGS since February 2021. We were able to test an XGS 2300 with v18.5 and share our findings with Sophos. Small conclusion beforehand: It is really fast! 🚀

The main innovations of the XGS series

Sophos’s XGS Firewall has been redesigned from the ground up to become a completely new and much more efficient product. The hardware resembles the XG series from the outside, but what is crucial is what is inside the new XGS series. Under the hood, the new firewall has been designed for maximum protection and more efficient network security.

Dual processor architecture

All XGS series appliances are now equipped with two different multi-core processors. On the one hand, there is the multi-core CPU, and on the other hand, there is the multi-core network processing unit, called Xstream Flow Processor. Until now, the Xstream architecture, which will be discussed later, has been software-based only. But now, in the XGS series, it has a hardware layer that boosts the efficiency metrics of this architecture immeasurably.

In the upcoming firmware releases SFOS 19.0 and 19.5, the software will be further optimized to allow the hardware to offload even more tasks to the NPU e.g. SD-WAN, VPN and Endpoint AV/TLS.

More ports and increased flexibility

The XGS series has a greater number of integrated interfaces and offers more diverse connection options for external modules to ensure that this series can keep pace with the ever-growing changes in a network infrastructure. The XGS series does not aim to protect your network for the next year, but to meet the requirements for the next 4-5 years. We’ve all been hit differently hard by Covid-19, but based on the last 18 months, network requirements can change drastically and your firewall appliances need to be flexible enough to adapt to a variety of changes to the infrastructure.

Note: The FleXi port modules of the XG Firewall are no longer compatible for the XGS series.

Protection & Performance

Smarter and more focused stream processing frees up resources so they can be used for more intensive tasks such as core firewall tasks, TLS inspections, and deep packet inspection. Depending on which statistics you look at, the XGS series offers up to a 3X or even greater performance increase over previous appliances.

The Xstream architecture

The new XGS series features a new Xstream Flow Processor that serves as a multi-core networking processing unit, or NPU for short. Before we can get into how the new processor significantly improves the performance of the XGS over the XG, we need to take a look at what the Xstream architecture is.

The Xstream architecture introduced in v18 is an efficient way to handle traffic by consolidating security into a single streaming deep packet inspection engine. It creates a virtual fast path to offload previously verified and trusted traffic and is of great use for applications with real-time data such as SaaS and cloud applications. In the XG series, the Xstream architecture was entirely software-based, but in the XGS series, Sophos added a hardware layer, the Xstream Flow Processor. This offers a dedicated fast path for app acceleration. All this means less load on the CPU, which can focus all resources on core firewall and deep packet inspection tasks, significantly improving latency and providing much more efficient network protection.

The XGS Appliances

The new hardware comes with a number of new devices that are divided into different categories. Depending on how large the IT infrastructure is, the appropriate hardware size then comes into play. But before we go into detail about all the categories and devices, we have to take a look at the portfolio to see how the devices have changed compared to the XG series.

• Sophos XG 86 → Sophos XGS 87
• Sophos XG 106 → Sophos XGS 107
• Sophos XG 115 → Sophos XGS 116
• Sophos XG 125 → Sophos XGS 126
• Sophos XG 135 → Sophos XGS 136
• Sophos XG 210 → Sophos XGS 2100
• Sophos XG 230 → Sophos XGS 2300
• Sophos XG 310 → Sophos XGS 3100
• Sophos XG 330 → Sophos XGS 3300
• Sophos XG 430 → Sophos XGS 4300
• Sophos XG 450 → Sophos XGS 4500
• Sophos XG 550 → Sophos XGS 5500
• Sophos XG 650 → Sophos XGS 6500
• Sophos XG 750 → Sophos XGS 6500

All devices in the XG series have an XGS equivalent with the exception of the XG 750. However, the improved hardware makes all XGS series devices far superior to their XG series counterpart, so the XGS 6500 is miles ahead of the XG 750.

If the power of an XGS 6500 is still not enough for someone, I would like to mention at this point that the XGS 7500 and XGS 8500 models will be added next year 🤐.

Let’s take a look at the three categories offered by the XGS series devices:

Desktop series

All devices, starting with the XGS 87 up to the XGS 136 are categorized as “Desktop Range”. These devices are best suited for small offices, branches and retail stores. The highlights of this category are:

• All devices in this range feature the dual-processor architecture.
• All devices in this series have an SFP port, which is now also installed in the XGS 87 (was not available in the XG 86).
• The XGS 116(w) to 136(w) are now all equipped with optional modules (was not available on the XG 115(w))
• In the XGS 116w, 126w and 136w, a second WiFi module can now be optionally installed (was not possible with the XG 115w & XG 125w)
• The XGS 116(w) to 136(w) now have a Power over Ethernet (POE) port built in.
• The XGS 136(w) now has 2.5 GE ports.
• All models except the XGS 87(w) have an optional second power connector.

1U Rackmount

All devices from XGS 2100 to XGS 4500 are categorized as “1U Rackmount”. These devices are perfect for distributed locations and multiple stores. The highlights of this category are:

• All devices in this series feature the dual-processor architecture.
• The XGS 2100 to XGS 3300 have one Flexi-Port bay and the XGS 4300 & XGS 4500 have two Flexi-Port bays.
• The models from XGS 3100 and higher have a SFP+ port built in.
• The XGS 2100 to XGS 3300 come with one LAN bypass port pair and the XGS 4300 & XGS 4500 come with two LAN bypass port pairs.
• The XGS 4300 and XGS 4500 now have 2.5 GE ports installed.
• The RAM in the devices starting with the XGS 3300 has been increased for better TLS checking.
• All devices in 1U rackmount come with optional centrally powered PoE flexi-port modules.
• All devices in 1U rackmount come with optional external redundant power supply.
• The XGS 4500 comes with a dual SSD and optional internal redundant power supply

2U Rackmount

The XGS 5500 and XGS 6500 are categorized as “2U Rackmount”. These devices are perfect for enterprise requirements. The highlights of this category are: