The new XG Firewall: What you need to know
It is not really that long ago that Sophos introduced the new SG Firewall in April 2014. At that time, the new hardware replaced the UTM series and brought considerably more performance. In November 2015, Sophos presented us with the next innovation, the new XG Firewall. So what has changed?
Hardware - same on the outside, also on the inside…
For those of you who have only recently bought a new Sophos SG, I can reassure you: the hardware of the “new” XG Firewall is identical to that of the SG Firewall. An SG 125 corresponds 1:1 to an XG 125; only the lettering on the case is different. The only significant difference is the pre-installed operating system.
For private households or small businesses with fewer than 5 users, the XG series now also includes the Sophos XG 85. For those of you who have found the SG 650 too small, there is now the Sophos XG 750. In a cluster, please. :P
Sophos Firewall OS
A completely new operating system has been developed for the XG Firewall. The Sophos SG will continue to ship with Sophos UTM 9.x, while the Sophos XG comes with the new “Firewall OS” (SFOS). Since the SG and XG are exactly the same hardware, the new “Firewall OS” can also be installed on an SG appliance. For the Sophos SG series and UTM, the old blog post still applies.
Unfortunately, the new Sophos Firewall OS does not yet have all the features of UTM 9.x.
Update: 29.09.2017 - Since SFOS v17.0 there are almost the same features between UTM and SFOS
Unlike the UTM, the new “Firewall OS” is no longer licensed per IP address in the network, but by appliance performance, as it should be. The software licenses for the new “Firewall OS” can be purchased in our Sophos Shop.
A new license model has also been designed for the new Firewall OS. In my opinion, some improvements have been made here. If you don’t want to read, you can watch the video here. :)
The free Essential Firewall of the UTM is no longer available on the XG Firewall. Its counterpart is now called Enhanced Base Firewall, or simply XG Base Firewall. Here are some facts about the new “Base Licence”:
- When you buy an XG appliance, the base license is already included in the price. For the virtual or software appliance, it must be purchased separately.
- The “Base Licence” never expires and does not require a renewal.
- “Wireless Protection” is now included, without any functional restrictions.
- IPsec and SSL VPN are also included.
The two modules “Network Protection” and “Web Protection” are usually bought together for a UTM. That is why the XG Firewall now has the EnterpriseGuard license bundle, which combines Network Protection and Web Protection. Together with the hardware, this becomes the EnterpriseProtect Bundle. :)
If you take a look at the comparison table of the XG and SG in our shop, it looks as if the new XG hardware has completely different performance figures: more IPS throughput, but less VPN throughput. How come?
As I said, the SG and XG hardware really is the same. Thanks to the new and optimized “Firewall OS”, however, more IPS throughput can be achieved than before. The test procedure has also changed: for the “SG series”, the figures were measured at 100% CPU load. That looks good on paper, but in production you cannot run a firewall at 100% CPU load, or only very slowly.
For the XG hardware, all values were measured at 50% CPU load. The XG figures are therefore a more realistic indication of what to expect in production.
More information here: Sophos XG Series - Sizing Guide
Sophos XG Firewall Policy Management
Finally, I would like to briefly mention the new Sophos XG Firewall Policy Manager. There is not much to say here, except that hardcore UTM lovers will find it very hard to get used to. You can get the most important information in the following video.