Sophos Firewall Sizing Guide: Properly Dimensioning XGS
Sophos Firewall sizing is not just about the number of users. A firewall can be under very different loads with the same number of users: due to internet bandwidth, TLS Inspection, IPS, VPN, Web Protection, WAF, reporting, HA, many VLANs, or many simultaneous connections.
Good sizing ensures that the Sophos Firewall not only works on the first day but also has reserves with activated protection functions, realistic growth, and clean operation. For the decision between hardware and virtual appliance, see Sophos Firewall - Hardware or Virtual Appliance?.
Sizing Objective
The goal is not to find the smallest model that is just sufficient under ideal lab conditions. In practice, the firewall should remain stable even when several things happen simultaneously:
- many users work in parallel,
- TLS Inspection or IPS is active,
- site-to-site or remote-access VPNs are running,
- reporting and logging generate additional load,
- backups, updates, or support diagnostics run in the background,
- a site grows or gains more bandwidth.
Therefore, always plan with reserves. A tightly dimensioned firewall later generates support effort: slow internet connections, high CPU load, packet loss, sluggish WebAdmin, unstable VPN connections, or lack of reserves for new security functions.
Key Sizing Factors
Internet Bandwidth and Traffic Profile
The booked internet line is a good starting point, but not the whole truth. It is important how much of it is actually used simultaneously and what traffic runs through the firewall.
Check:
- symmetrical or asymmetrical line,
- peak traffic during business hours,
- many small web sessions or few large downloads,
- cloud backups, Microsoft 365, VoIP, online meetings,
- site networking via VPN or SD-WAN,
- internal traffic between VLANs that is also routed through the firewall.
If the firewall also acts as an internal routing and segmentation device, you must plan not only WAN throughput but also east-west traffic. The basics of zones, VLANs, and interface design are in Configure Sophos Firewall Zones and Interfaces.
Protection Functions
The more security modules are active, the more robust the appliance must be. Particularly relevant are:
- IPS,
- Web Protection,
- Application Control,
- SSL/TLS Inspection,
- Zero-Day Protection,
- WAF,
- Mail Protection,
- Threat Feeds,
- Reporting and Log Viewer.
Data sheet values are only comparable if it is clear which function was measured. Firewall throughput without security inspection is not the same as threat protection or TLS inspection throughput. For productive environments, you should not only look at the highest marketing value but at the metric that fits your own use.
With TLS Inspection, it is also important whether the organisation can technically and organisationally manage the rollout cleanly. The practical procedure is described in Roll Out Sophos Firewall TLS Inspection Cleanly.
Users, Devices, and Sessions
The number of users remains important but is not sufficient. An office with 50 users, few cloud services, and no TLS Inspection loads the firewall differently than a site with 50 users, terminal servers, many SaaS applications, VoIP, guest network, IoT, remote access, and multiple server zones.
Additionally, consider:
- number of devices per user,
- guest and IoT networks,
- servers, printers, cameras, and special devices,
- simultaneous sessions,
- many small DNS or web requests,
- remote access users,
- automated systems like backup, monitoring, or EDR.
In mixed environments with many VLANs, you should plan more according to traffic flows than just headcount.
VPN, SD-WAN, and Site Networking
VPN can heavily load a firewall, especially when many tunnels, high bandwidth, or many remote access users come together.
Plan for:
- site-to-site IPsec,
- route-based VPN with XFRM interfaces,
- remote access via Sophos Connect or SSL VPN,
- SD-WAN policy routes,
- multiple WAN lines,
- failover scenarios,
- MTU/MSS issues on VPN routes.
For VPN performance, you should not only consider the tunnel status. What matters is whether the productive traffic runs stably with activated rules, NAT, routing, and security inspection. For routing and VPN paths, IPsec Route on Sophos Firewall and SD-WAN Routing for Reply Packets and System Traffic are suitable deep dives.
Logging, Reporting, and Storage
Logging helps in operation but also generates load and storage requirements. Those who use many firewall rules with logging, web filter, IPS, application control, and Central Firewall Reporting should clarify reporting requirements early.
Check:
- Which rules should have logging active?
- How long must logs be available?
- Is Sophos Central Firewall Reporting used?
- Is there Syslog or SIEM?
- Must reports be created regularly?
- Are log data needed for troubleshooting or compliance?
For longer evaluations, the firewall alone is often not the right place. Then you should plan for Sophos Central Firewall Reporting or a Syslog/SIEM export.
Hardware, Virtual, or Cloud?
XGS Hardware Appliance
An XGS hardware appliance is usually the most predictable option for traditional sites. Hardware, ports, support, lifecycle, and performance are defined as a complete package.
Advantages:
- dedicated firewall hardware,
- clear port and expansion options,
- simple support and RMA handling,
- predictable performance,
- less dependency on a hypervisor.
Hardware is particularly useful when the firewall is the central security and routing point at the site.
Virtual Sophos Firewall
A virtual firewall fits well in data centres, cloud environments, or virtualised network segments. Performance then strongly depends on CPU, RAM, storage, hypervisor, virtual network cards, and host load.
Important:
- CPU resources must not be permanently overbooked.
- Virtual NICs and port groups must be cleanly separated.
- Storage latency can affect logging and reporting.
- Backup and restore must fit the virtualisation platform.
- HA and failover design must be planned in advance.
Licensing and the decision between hardware and virtual appliance should be checked separately. For this, see Sophos Firewall - Hardware or Virtual Appliance?.
Classifying Appliance Classes
The following areas help with rough orientation. The specific selection must then be checked with bandwidth, functions, reserve, and operating model.
Sophos Desktop Appliances - Small Business
Desktop appliances are suitable for small sites, branches, offices, and environments with limited space requirements. It is particularly important here whether the appliance only handles internet access and basic security or also has to support many VLANs, VPNs, TLS Inspection, and reporting.
Sophos 1U Rack Appliances - Midsize Business
1U appliances are typically relevant for larger SMEs, central sites, and environments with more port requirements, more throughput, or higher security load. These models are often the better choice when multiple WAN lines, many VLANs, multiple VPN tunnels, or high logging requirements come together.
Sophos 2U Rack Appliances - Enterprise Business
2U appliances belong in environments with very high bandwidth, many simultaneous sessions, multiple security modules, and high availability requirements. Here, sizing should always be done with specific traffic data, growth assumptions, and HA design.
Reserve, HA, and Growth
A firewall should not run close to its limit permanently. Reserves are important for:
- growth of the internet line,
- new sites or VLANs,
- later activation of TLS Inspection or IPS,
- more remote access users,
- additional logging and reporting requirements,
- firmware updates with new functions,
- disruption situations and failover.
With HA, you must plan particularly carefully. In an active-passive design, a single node must be able to handle the productive load alone. Active-active is not a free pass for tight sizing because not every load is distributed linearly. The most important architectural points are in Understanding Sophos Firewall HA Cluster Variants.
As a rule of thumb, you should not plan on a firewall in new projects that already shows very high CPU, RAM, or session utilisation in normal operation. The article Correctly Interpreting Sophos Firewall Performance Metrics helps with later operational checks.
Practical Sizing Process
1. Capture the Initial Situation
First, describe the environment:
- sites and WAN lines,
- users and devices,
- VLANs and internal zones,
- server and DMZ services,
- VPN and remote access requirements,
- actively planned security modules,
- reporting and log requirements,
- HA or cloud requirements.
2. Mark Critical Load Drivers
Then mark the points that can drive the model upwards:
- widespread use of TLS Inspection,
- many IPS-protected connections,
- high VPN throughput,
- many simultaneous sessions,
- many firewall rules with logging,
- WAF or Mail Protection,
- strong segmentation with internal traffic through the firewall,
- growth in the next three to five years.
3. Read Data Sheet Values Correctly
Data sheet values should be understood as comparison values, not as a guarantee for every environment. What matters is which measurement fits the planned use:
Important metrics:
- Firewall Throughput: rough guidance for simple packet throughput.
- IPS Throughput: relevant for environments with active Intrusion Prevention.
- Threat Protection: often more realistic when several protection functions are active at the same time.
- TLS Inspection: important for environments with decrypted HTTPS traffic.
- IPsec VPN Throughput: relevant for site-to-site connectivity and VPN load.
- Concurrent Connections: important with many clients, web sessions, and services.
If several of these points are relevant at the same time, you should not only consider a single metric.
4. Determine Reserve
Before the final model selection, you should consciously decide how much reserve to plan. A small reserve may suffice for very simple sites. For central firewalls, HA clusters, strong growth, or broad security use, the reserve should be significantly larger.
5. Validate After Commissioning
Sizing does not end with the order. After commissioning, you should check whether the assumptions are correct:
- CPU and RAM utilisation at peak times,
- session numbers,
- VPN throughput,
- WebAdmin response time,
- Log Viewer and reporting,
- packet loss or retransmits,
- WAN utilisation,
- performance after activating additional protection functions.
For reproducible measurements, Using Sophos Firewall iPerf Speedtest for Troubleshooting can help. For simple WAN speed tests, Correctly Interpreting Sophos Firewall Internet Speedtest is the appropriate starting point.
Common Sizing Mistakes
- Dimensioning only by the number of users.
- Confusing data sheet values for firewall throughput with threat protection load.
- Activating TLS Inspection later without planning for reserve.
- Planning HA but not checking if one node alone has enough performance.
- Ignoring inter-VLAN traffic.
- Underestimating reporting and logging.
- Operating virtual firewalls on overbooked hosts.
- Not considering the growth of the internet line.
- Planning remote access and site-to-site VPN only by the number of tunnels instead of throughput.
Checklist
- Internet bandwidth and actual peak usage known.
- Users, devices, VLANs, and server zones recorded.
- Planned security modules documented.
- TLS Inspection, IPS, VPN, WAF, Mail Protection, and reporting evaluated separately.
- Internal traffic through the firewall considered.
- HA design and failover load checked.
- Hardware or virtual appliance consciously decided.
- Growth reserve planned for several years.
- Performance metrics checked after commissioning.