Avanet

Sophos Firewall - hardware or virtual appliance?

Today, Sophos Firewall is usually deployed as an XGS hardware appliance or as a virtual appliance. For new projects, the key factors are performance, operating model, existing infrastructure, supportability and proper sizing.

Quick decision

  • XGS hardware appliance: Choose this option when you want a dedicated firewall with predictable performance, integrated ports, hardware acceleration and straightforward support.
  • Virtual appliance: Choose this option when a stable virtualization or cloud environment already exists and CPU, RAM, storage and networking should remain flexible.
  • Size first: Do not decide by user count alone. SSL/TLS inspection, IPS, VPN, web protection, mail protection, RED sites, access points and internet bandwidth can significantly change the required performance.

XGS hardware appliance

An XGS hardware appliance is usually the simplest and most predictable option. Performance is determined by the selected model, so firewall throughput, VPN performance, available ports, expansion options and hardware resources are clearly defined.

Hardware appliances are especially useful at sites where the firewall should run as a dedicated security component. Support, replacement hardware and lifecycle management are also easier because the hardware and the firewall operating system are delivered as a matched system.

When selecting the right appliance, calculate the required performance conservatively. Users and devices matter, but enabled security features and expected traffic are just as important. Our Sophos Firewall Sizing Guide provides a useful starting point.

Virtual appliance

A virtual Sophos Firewall makes sense when a powerful virtualization platform or cloud infrastructure is already available. The firewall can then run closer to existing server workloads, and resources can be adjusted more flexibly.

With virtual appliances, performance depends more heavily on the environment. Sufficient CPU performance, enough RAM, fast storage, suitable virtual network adapters and clean separation of network zones are important. The firewall should not run on an overloaded host because security features such as IPS or SSL/TLS inspection can be resource-intensive.

The licensing model for virtual and software-based Sophos Firewall instances has been simplified: since March 1, 2025, licensing has been based only on CPU cores. The previous RAM restriction has been removed, so assigned memory is no longer limited by the license. More details are available in our March 3, 2025 blog post: Sophos Firewall VM & SW - CPU only - No more RAM limit.

Recommendation

For typical branch or office locations, an XGS hardware appliance is usually the more robust choice because performance, ports and support are clearly defined. A virtual appliance is particularly worth considering when the firewall is to be integrated into a data center, cloud environment or existing virtualization strategy.

If the environment has high throughput requirements, SSL/TLS inspection, many VPN connections or several security modules, sizing should be reviewed carefully before purchase. We are happy to help you choose the right Sophos Firewall.