It is not really that long ago that Sophos introduced the new SG Firewall in April 2014. At that time, the new hardware replaced the UTM series and brought much more performance. In November 2015, Sophos presented us with the new XG Firewall, a new innovation. What has changed now?
Hardware - same on the outside, also on the inside...
Those of you who have just recently purchased a new Sophos SG have bought, I can first of all reassure you. The hardware of the "new Sophos Firewall is identical compared to the SG Firewall. An SG 125 is therefore 1:1 the same as an XG 125, only the labeling is different. The only, but decisive difference is the pre-installed operating system.
Update: Since revision 3 there are now also visual differences between the SG and the XG. Have a look at the following blogpost: Sophos Firewall Rev. 3: SG/XG 85-135 completely revised
For private households or small businesses that need to cover less than 5 users, the XG Series now includes the Sophos XG 85. For those of you who have found the SG 650 too small, Sophos XG 750 is also available. In the cluster, please.
Sophos Firewall OS
A completely new operating system has been developed for the XG Firewall. The Sophos SG continues to ship with Sophos UTM 9.x, while the Sophos XG comes with the new "Sophos Firewall OS". Since the SG and XG are exactly the same, the new "Sophos Firewall OS" can also be installed on an SG appliance. For the Sophos SG series and UTM, the old blogpost.
The new Sophos Firewall OS unfortunately does not yet bring all the features that are available in UTM 9.x.
Update: 29.09.2017 - Since SFOS v17.0 there are almost the same features between UTM and SFOS
Unlike the UTM, the new "Sophos Firewall OS" is no longer licensed per IP in the network, but as it should be, by performance. The software licenses for the new "Sophos Firewall OS" can be purchased in our Sophos Shop.
A new license model has also been designed for the new Sophos Firewall OS. In my opinion, some improvements have been made here. If you don't want to read, you can watch the video here. 🙂
The free Essential Firewall of the UTM no longer exists on the XG Firewall. This is now called Enhanced Base Firewall or simply XG Base Firewall. Here are a few facts about the new "Base License":
- If you buy an XG appliance, the base license is already included in the price. With the virtual or software appliance, this must be purchased in addition.
- No renewal is necessary for the "Base License". The license is always valid and does not require renewal.
- The "Wireless Protection" is now included, without restrictions and all functions.
- IPsec and SSL VPN are also included.
The two modules "Network Protection" and "Web Protection" are usually purchased in addition to a UTM. That is why the XG Firewall now offers the following license bundle EnterpriseGuardwhich combines the Network and Web Protection. Together with the hardware it would be the EnterpriseProtect Bundle. 🙂
If you take a look at our comparison table of the XG and SG in our shop, it seems that the new XG hardware has completely different performance data. More IPS throughput, but less VPN, how come?
As mentioned, the hardware of the SG and XG is really the same. But due to the new and optimized "Sophos Firewall OS", more IPS throughput can be achieved than before, for example. The testing procedure has also been changed. With the "SG series", the data was measured at a CPU load of 100% in each case. This looks good on paper, but you cannot work with a CPU load of 100% in active use or only very slowly.
With the XG hardware, all values were measured at a CPU load of 50%. Therefore, the data of the XG hardware for active operation can be classified more realistically.
Read more here: Sophos XG Series - sizing guide
Sophos XG Firewall Policy Management
Finally, I would like to briefly mention the new "Sophos XG Firewall Policy Manager". There's not much to say here, except that it will take some getting used to for die-hard UTM lovers. You can get the most important information in the following video.