Skip to content
Avanet

Sophos Firewall Sizing Guide: Properly Dimensioning XGS

Sophos Firewall sizing is not just about the number of users. A firewall can be under very different loads with the same number of users: due to internet bandwidth, TLS Inspection, IPS, VPN, Web Protection, WAF, reporting, HA, many VLANs, or many simultaneous connections.

Good sizing ensures that the Sophos Firewall not only works on the first day but also has reserves with activated protection functions, realistic growth, and clean operation. For the decision between hardware and virtual appliance, see Sophos Firewall - Hardware or Virtual Appliance?.

Sizing Objective

The goal is not to find the smallest model that is just sufficient under ideal lab conditions. In practice, the firewall should remain stable even when several things happen simultaneously:

  • many users work in parallel,
  • TLS Inspection or IPS is active,
  • site-to-site or remote-access VPNs are running,
  • reporting and logging generate additional load,
  • backups, updates, or support diagnostics run in the background,
  • a site grows or gains more bandwidth.

Therefore, always plan with reserves. A tightly dimensioned firewall later generates support effort: slow internet connections, high CPU load, packet loss, sluggish WebAdmin, unstable VPN connections, or lack of reserves for new security functions.

Key Sizing Factors

Internet Bandwidth and Traffic Profile

The booked internet line is a good starting point, but not the whole truth. It is important how much of it is actually used simultaneously and what traffic runs through the firewall.

Check:

  • symmetrical or asymmetrical line,
  • peak traffic during business hours,
  • many small web sessions or few large downloads,
  • cloud backups, Microsoft 365, VoIP, online meetings,
  • site networking via VPN or SD-WAN,
  • internal traffic between VLANs that is also routed through the firewall.

If the firewall also acts as an internal routing and segmentation device, you must plan not only WAN throughput but also east-west traffic. The basics of zones, VLANs, and interface design are in Configure Sophos Firewall Zones and Interfaces.

Protection Functions

The more security modules are active, the more robust the appliance must be. Particularly relevant are:

  • IPS,
  • Web Protection,
  • Application Control,
  • SSL/TLS Inspection,
  • Zero-Day Protection,
  • WAF,
  • Mail Protection,
  • Threat Feeds,
  • Reporting and Log Viewer.

Data sheet values are only comparable if it is clear which function was measured. Firewall throughput without security inspection is not the same as threat protection or TLS inspection throughput. For productive environments, you should not only look at the highest marketing value but at the metric that fits your own use.

With TLS Inspection, it is also important whether the organisation can technically and organisationally manage the rollout cleanly. The practical procedure is described in Roll Out Sophos Firewall TLS Inspection Cleanly.

Users, Devices, and Sessions

The number of users remains important but is not sufficient. An office with 50 users, few cloud services, and no TLS Inspection loads the firewall differently than a site with 50 users, terminal servers, many SaaS applications, VoIP, guest network, IoT, remote access, and multiple server zones.

Additionally, consider:

  • number of devices per user,
  • guest and IoT networks,
  • servers, printers, cameras, and special devices,
  • simultaneous sessions,
  • many small DNS or web requests,
  • remote access users,
  • automated systems like backup, monitoring, or EDR.

In mixed environments with many VLANs, you should plan more according to traffic flows than just headcount.

VPN, SD-WAN, and Site Networking

VPN can heavily load a firewall, especially when many tunnels, high bandwidth, or many remote access users come together.

Plan for:

  • site-to-site IPsec,
  • route-based VPN with XFRM interfaces,
  • remote access via Sophos Connect or SSL VPN,
  • SD-WAN policy routes,
  • multiple WAN lines,
  • failover scenarios,
  • MTU/MSS issues on VPN routes.

For VPN performance, you should not only consider the tunnel status. What matters is whether the productive traffic runs stably with activated rules, NAT, routing, and security inspection. For routing and VPN paths, IPsec Route on Sophos Firewall and SD-WAN Routing for Reply Packets and System Traffic are suitable deep dives.

Logging, Reporting, and Storage

Logging helps in operation but also generates load and storage requirements. Those who use many firewall rules with logging, web filter, IPS, application control, and Central Firewall Reporting should clarify reporting requirements early.

Check:

  • Which rules should have logging active?
  • How long must logs be available?
  • Is Sophos Central Firewall Reporting used?
  • Is there Syslog or SIEM?
  • Must reports be created regularly?
  • Are log data needed for troubleshooting or compliance?

For longer evaluations, the firewall alone is often not the right place. Then you should plan for Sophos Central Firewall Reporting or a Syslog/SIEM export.

Hardware, Virtual, or Cloud?

XGS Hardware Appliance

An XGS hardware appliance is usually the most predictable option for traditional sites. Hardware, ports, support, lifecycle, and performance are defined as a complete package.

Advantages:

  • dedicated firewall hardware,
  • clear port and expansion options,
  • simple support and RMA handling,
  • predictable performance,
  • less dependency on a hypervisor.

Hardware is particularly useful when the firewall is the central security and routing point at the site.

Virtual Sophos Firewall

A virtual firewall fits well in data centres, cloud environments, or virtualised network segments. Performance then strongly depends on CPU, RAM, storage, hypervisor, virtual network cards, and host load.

Important:

  • CPU resources must not be permanently overbooked.
  • Virtual NICs and port groups must be cleanly separated.
  • Storage latency can affect logging and reporting.
  • Backup and restore must fit the virtualisation platform.
  • HA and failover design must be planned in advance.

Licensing and the decision between hardware and virtual appliance should be checked separately. For this, see Sophos Firewall - Hardware or Virtual Appliance?.

Classifying Appliance Classes

The following areas help with rough orientation. The specific selection must then be checked with bandwidth, functions, reserve, and operating model.

Sophos Desktop Appliances - Small Business

Desktop appliances are suitable for small sites, branches, offices, and environments with limited space requirements. It is particularly important here whether the appliance only handles internet access and basic security or also has to support many VLANs, VPNs, TLS Inspection, and reporting.

XGS 88
XGS 108
XGS 118
XGS 128
XGS 138

Sophos 1U Rack Appliances - Midsize Business

1U appliances are typically relevant for larger SMEs, central sites, and environments with more port requirements, more throughput, or higher security load. These models are often the better choice when multiple WAN lines, many VLANs, multiple VPN tunnels, or high logging requirements come together.

XGS 2100
XGS 2300
XGS 3100
XGS 3300
XGS 4300
XGS 4500

Sophos 2U Rack Appliances - Enterprise Business

2U appliances belong in environments with very high bandwidth, many simultaneous sessions, multiple security modules, and high availability requirements. Here, sizing should always be done with specific traffic data, growth assumptions, and HA design.

XGS 5500
XGS 6500
XGS 7500
XGS 8500

Reserve, HA, and Growth

A firewall should not run close to its limit permanently. Reserves are important for:

  • growth of the internet line,
  • new sites or VLANs,
  • later activation of TLS Inspection or IPS,
  • more remote access users,
  • additional logging and reporting requirements,
  • firmware updates with new functions,
  • disruption situations and failover.

With HA, you must plan particularly carefully. In an active-passive design, a single node must be able to handle the productive load alone. Active-active is not a free pass for tight sizing because not every load is distributed linearly. The most important architectural points are in Understanding Sophos Firewall HA Cluster Variants.

As a rule of thumb, you should not plan on a firewall in new projects that already shows very high CPU, RAM, or session utilisation in normal operation. The article Correctly Interpreting Sophos Firewall Performance Metrics helps with later operational checks.

Practical Sizing Process

1. Capture the Initial Situation

First, describe the environment:

  • sites and WAN lines,
  • users and devices,
  • VLANs and internal zones,
  • server and DMZ services,
  • VPN and remote access requirements,
  • actively planned security modules,
  • reporting and log requirements,
  • HA or cloud requirements.

2. Mark Critical Load Drivers

Then mark the points that can drive the model upwards:

  • widespread use of TLS Inspection,
  • many IPS-protected connections,
  • high VPN throughput,
  • many simultaneous sessions,
  • many firewall rules with logging,
  • WAF or Mail Protection,
  • strong segmentation with internal traffic through the firewall,
  • growth in the next three to five years.

3. Read Data Sheet Values Correctly

Data sheet values should be understood as comparison values, not as a guarantee for every environment. What matters is which measurement fits the planned use:

Important metrics:

  • Firewall Throughput: rough guidance for simple packet throughput.
  • IPS Throughput: relevant for environments with active Intrusion Prevention.
  • Threat Protection: often more realistic when several protection functions are active at the same time.
  • TLS Inspection: important for environments with decrypted HTTPS traffic.
  • IPsec VPN Throughput: relevant for site-to-site connectivity and VPN load.
  • Concurrent Connections: important with many clients, web sessions, and services.

If several of these points are relevant at the same time, you should not only consider a single metric.

4. Determine Reserve

Before the final model selection, you should consciously decide how much reserve to plan. A small reserve may suffice for very simple sites. For central firewalls, HA clusters, strong growth, or broad security use, the reserve should be significantly larger.

5. Validate After Commissioning

Sizing does not end with the order. After commissioning, you should check whether the assumptions are correct:

  • CPU and RAM utilisation at peak times,
  • session numbers,
  • VPN throughput,
  • WebAdmin response time,
  • Log Viewer and reporting,
  • packet loss or retransmits,
  • WAN utilisation,
  • performance after activating additional protection functions.

For reproducible measurements, Using Sophos Firewall iPerf Speedtest for Troubleshooting can help. For simple WAN speed tests, Correctly Interpreting Sophos Firewall Internet Speedtest is the appropriate starting point.

Common Sizing Mistakes

  • Dimensioning only by the number of users.
  • Confusing data sheet values for firewall throughput with threat protection load.
  • Activating TLS Inspection later without planning for reserve.
  • Planning HA but not checking if one node alone has enough performance.
  • Ignoring inter-VLAN traffic.
  • Underestimating reporting and logging.
  • Operating virtual firewalls on overbooked hosts.
  • Not considering the growth of the internet line.
  • Planning remote access and site-to-site VPN only by the number of tunnels instead of throughput.

Checklist

  • Internet bandwidth and actual peak usage known.
  • Users, devices, VLANs, and server zones recorded.
  • Planned security modules documented.
  • TLS Inspection, IPS, VPN, WAF, Mail Protection, and reporting evaluated separately.
  • Internal traffic through the firewall considered.
  • HA design and failover load checked.
  • Hardware or virtual appliance consciously decided.
  • Growth reserve planned for several years.
  • Performance metrics checked after commissioning.

FAQ

Is the number of users sufficient for Sophos Firewall sizing?

No. The number of users is only a starting point. Bandwidth, security inspection, VPN, sessions, VLANs, logging, and growth are often more important.

Which Sophos Firewall is suitable for a 1 Gbit/s internet line?

It depends on whether the line is only simply routed or if IPS, Web Protection, TLS Inspection, VPN, and reporting are active. For a serious selection, you need to know the planned protection functions and simultaneous traffic.

Why should you plan for reserve?

Because firewalls grow in operation: more bandwidth, more cloud traffic, more VPN, new protection functions, and more logging. Without reserve, the firewall will later become a bottleneck.

Is a virtual Sophos Firewall as fast as a hardware appliance?

Not automatically. A virtual firewall can work very well, but it strongly depends on CPU, RAM, storage, hypervisor, virtual network cards, and host load. Hardware appliances are more predictable as a complete package.

Do you need to check sizing again after commissioning?

Yes. After go-live, you should check CPU, RAM, sessions, VPN throughput, Log Viewer, reporting, and WAN utilisation at peak times. This way, you can quickly see if the assumptions were realistic.