Avanet
Sophos XG Firewall – The new generation of network security

The new XG Firewall – What you need to know

It was only relatively recently, in April 2014, that Sophos introduced the SG Firewall. This new hardware replaced the UTM Series and delivered significantly better performance. Then, in November 2015, Sophos unveiled something new again: the XG Firewall. So what has changed?

Hardware - looks the same on the outside, and on the inside too…

If you have only recently purchased a Sophos SG, there is no need for concern. The hardware of the “new” Sophos Firewall is identical to that of the SG Firewall. An SG 125 is therefore a direct, like-for-like counterpart to an XG 125. The only visible difference is the labelling. The one crucial distinction lies in the pre-installed operating system.

Sophos XG Firewall Sizing Chart

Update: Since Revision 3, there are now also visible differences between the SG and the XG models. Take a look at this blog post for more details: Sophos Firewall Rev. 3: SG/XG 85-135 completely redesigned

For home users or small businesses with fewer than 5 users, the XG series now includes the Sophos XG 85. And if the SG 650 always felt a little too small for your needs, the Sophos XG 750 is now available as well, ideally run in a cluster.

Sophos Firewall OS

Sophos developed a completely new operating system for the XG Firewall. The Sophos SG continues to ship with Sophos UTM 9.x, while the Sophos XG comes with the new “Sophos Firewall OS”. Since the SG and XG appliances are built on identical hardware, the new “Sophos Firewall OS” can also be installed on an SG appliance. For the Sophos SG series and UTM, the previous blog post still applies.

Unfortunately, the new Sophos Firewall OS does not yet include all the features available in UTM 9.x.

Update: 2017-09-29 - Since SFOS v17.0, UTM and SFOS have reached near feature parity.

Virtual appliance

Unlike the UTM, the new “Sophos Firewall OS” is no longer licensed per IP address in the network, but by performance, as it should be. You can purchase software licenses for the new “Sophos Firewall OS” in our Sophos shop.

Licenses

A new licensing model was also introduced for the new Sophos Firewall OS. In my opinion, quite a few things have been improved here. If you would rather watch than read, you can simply check out the video below. 🙂

Base Licence

The free Essential Firewall available on UTM no longer exists on the XG Firewall. It is now called Enhanced Base Firewall, or simply XG Base Firewall. Here are a few key facts about the new “Base Licence”:

  • If you buy an XG appliance, the “Base Licence” is already included in the price. For a virtual or software appliance, it must be purchased separately.
  • The “Base Licence” remains valid permanently and does not need to be renewed.
  • “Wireless Protection” is now included as standard, without limitations and with all features enabled.
  • IPsec and SSL VPN are also included.

EnterpriseGuard

The two modules “Network Protection” and “Web Protection” are often purchased together with a UTM. That is why XG Firewall now offers the EnterpriseGuard licensing bundle, which combines Network and Web Protection. Together with the hardware, this becomes the EnterpriseProtect Bundle. 🙂

Sophos XG Firewall Licensing Guide

Performance

If you look at our XG vs SG comparison table in our shop, it may appear that the new XG hardware has completely different performance metrics. More IPS throughput but less VPN throughput - how does that make sense?

As mentioned, the SG and XG hardware are genuinely identical. However, the new and optimised “Sophos Firewall OS” can, for example, achieve higher IPS throughput than before. The test methodology has also changed. With the “SG Series”, values were measured at 100% CPU utilisation. That looks impressive on paper, but in live operation you can hardly work at all - or only very slowly - when the CPU is permanently at 100%.

For the XG hardware, all values were measured at 50% CPU utilisation. As a result, the performance figures for the XG hardware are much more representative of real-world production use.

More details here: Sophos XG Series - Sizing Guide

Sophos XG Firewall Policy Management

To conclude, a brief word on the new “Sophos XG Firewall Policy Manager”. There is not much to say here, other than that, for die-hard UTM fans, it takes some getting used to. You will find the most important information in the video below.

Patrizio