Shopping Cart

No products in the cart.

The new XG Firewall – What you need to know

It wasn’t that long ago that Sophos introduced the new SG Firewall in April 2014. The new hardware replaced the UTM series at that time and brought significantly better performance. In November 2015, Sophos again presented us with something new in the form of the new XG Firewall. What has changed now?

Hardware – outside the same, inside too…

For those of you who have just recently purchased a new Sophos SG, I can first reassure you. The hardware of the “new” Sophos Firewall is identical compared to the SG Firewall. An SG 125 therefore corresponds 1:1 to an XG 125. Only the labeling is different. The only, but crucial difference, is the pre-installed operating system.

Update: Since revision 3, there are now also optical differences between the SG and the XG. Check out this blogpost: Sophos Firewall Rev. 3: SG/XG 85-135 completely redesigned

For homes or small businesses that need to cover fewer than 5 users, the XG series now includes the Sophos XG 85. For those of you who thought the SG 650 was too puny, the Sophos XG 750 is also available. Please in the cluster.

Sophos Firewall OS

A completely new operating system has been developed for the XG Firewall. The Sophos SG continues to ship with Sophos UTM 9.x, while the Sophos XG comes with the newSophos Firewall OS”. Since the SG and XG are exactly the same, the newSophos Firewall OS” can also be installed on an SG appliance. For the Sophos SG series and UTM, the old blogpost still applies.

The new Sophos Firewall OS unfortunately does not yet bring all the features that are available in UTM 9.x.

Update: 09/29/2017 – Since SFOS v17.0, there is almost feature parity between UTM and SFOS.

Virtual appliance

Unlike the UTM, the newSophos Firewall OS” is no longer licensed per IP in the network, but as it should be, by performance. The software licenses for the newSophos Firewall OS” can be purchased in our Sophos Shop.


A new licensing model has also been designed for the new Sophos Firewall OS. Here, in my opinion, some things have been improved. If you don’t want to read, you can watch the video here. 🙂

Base Licence

The free Essential Firewall of the UTM is no longer available on the XG Firewall. It is now called Enhanced Base Fire wall or simply XG Base Firewall. Here are a few facts about the new “Base License”:

  • If you buy an XG appliance, the base license is already included in the price. With the virtual or software appliance, this must be purchased in addition.
  • No renewal is necessary for the “Base License”. The license is always valid and does not require renewal.
  • The “Wireless Protection” is now included, without restrictions and all functions.
  • IPsec and SSL VPN are also included.

Enterprise Guard

The two modulesNetwork Protection” andWeb Protection” are usually purchased in addition to a UTM. That is why XG Firewall now offers the EnterpriseGuard license bundle, which combines Network and Web Protection. Together with the hardware, it would then be the EnterpriseProtect bundle. 🙂

Sophos XG Firewall Licensing Guide


If you take a look at our comparison table of the XG and SG in our store, it seems that the new XG hardware has completely different performance data. More IPS throughput, but less VPN, how come?

As mentioned, the hardware of the SG and XG is really the same. But due to the new and optimizedSophos Firewall OS”, more IPS throughput can be achieved than before, for example. The testing procedure has also been changed. With the “SG series”, the data was measured at a CPU load of 100% in each case. This looks good on paper, but in active operation, it is no longer possible to work with 100% CPU utilization, or only very slowly.

All values of the XG hardware were measured with a CPU load of 50%. Therefore, the data of the XG hardware is certainly more realistic for active operation.

Read more here: Sophos XG Series – Sizing Guide

Sophos XG Firewall Policy Management

Finally, I would like to briefly mention the newSophos XG Firewall Policy Manager”. There’s not much to say here, except that it will take some getting used to for die-hard UTM lovers. You can get the most important information in the following video.


Patrizio is an experienced network specialist with a focus on Sophos firewalls, switches and access points. He supports customers or their IT department in the configuration and migration of Sophos firewalls and ensures optimal network security through clean segmentation and firewall rule management.

Subscribe Newsletter

We send out a monthly newsletter with all the blog posts for that month.