Comparing Sophos Firewall Bundles
Before purchasing or renewing a Sophos Firewall, it is important to consider not only the hardware model. It is also crucial to determine which protection modules, support, and Central functions are truly needed in operation. This is where the Sophos Firewall Bundles come into play.
A bundle can be more economical than individual licenses. However, it can also lead to purchasing functions that are rarely used in everyday operations. Therefore, it is important to first clarify which security functions, reporting requirements, and support expectations match the environment.
Which License Item Fits?
License and purchasing decisions are related but answer different questions:
- Compare Standard Protection, Xstream Protection, and Epic Protection: This article.
- Dimension firewall model and performance class: Sophos Firewall Sizing Guide: Properly Dimensioning XGS.
- Clearly separate Base License, Support, and Subscriptions: Understanding Sophos Firewall Base License.
- Choose hardware, virtual firewall, software appliance, or cloud deployment: Sophos Firewall: Hardware, Virtual, or Cloud?.
- Check warranty, support status, or RMA questions: Understanding Sophos Hardware Warranty, Support, and RMA.
- Activate license key on the firewall: Activate Sophos Firewall License Key.
- Transfer firewall to another Sophos Central account: Transfer Sophos Firewall to Another Sophos Central Account.
This separation is important: The right bundle does not replace sizing, lifecycle review, or proper account assignment. Conversely, the best hardware model is of little use if support, protection modules, or reporting do not match the operation.
Overview of Sophos Firewall Bundles
For XGS Firewall Appliances with Sophos Firewall OS, three bundle variants typically take center stage:
- Standard Protection: Base License, Network Protection, Web Protection, Enhanced Support. Classic UTM functions, web filtering, IPS, support, and firmware updates.
- Xstream Protection: Standard Protection plus Zero-Day Protection, Central Orchestration, and additional Xstream/Central functions per offer. Environments with a stronger focus on cloud, SD-WAN, reporting, or advanced malware.
- Epic Protection: Xstream Protection plus Email Protection and Webserver Protection. Environments that want to operate mail security or WAF functions directly on the firewall.

The table is intentionally not meant as a complete license matrix. Sophos can change bundle names, promotions, durations, and included additional services. Therefore, for purchase or renewal, the specific offer and the visible license view in Sophos Central or on the firewall should always be checked against the technical needs.
Understanding Standard Protection
Standard Protection is the pragmatic entry point in many environments when a Sophos Firewall is primarily intended to take over classic gateway security: IPS, Web Protection, Application Control, support, and update entitlement.
Standard Protection is sensible if these points apply:
- A single or few firewalls protect office, server, or site networks.
- Web Protection and IPS are genuinely used and logged.
- Zero-Day Protection, Central Orchestration, or firewall-based mail/WAF functions are not part of the operational model.
- Reporting is resolved locally, via Syslog, SIEM, or separately through Central Firewall Reporting.
- The environment should not be pushed into a higher bundle due to a hardware promo.
For many smaller and medium-sized environments, this is the cleanest starting point. However, the decisive factor is not the bundle name, but whether the protection functions are also activated, monitored, and maintained.
Understanding Xstream Protection
Xstream Protection complements Standard Protection primarily with functions that lean more towards Advanced Threat Protection, Central functions, reporting, DNS/cloud protection, and SD-WAN orchestration. The bundle is not automatically worthwhile just because it looks attractive in a promo.
Xstream Protection should be considered if at least one of these points is relevant:
- Zero-Day Protection is to be genuinely used for downloads or web traffic.
- TLS Inspection is planned or already introduced to meaningfully analyse encrypted traffic.
- Multiple firewalls are to be managed more efficiently via Sophos Central and SD-WAN orchestration.
- Central functions such as reporting, orchestration, DNS Protection, or additional cloud services are part of the operational concept.
- There is a person or team that regularly reviews alerts, exceptions, and false positives.
With Sophos Firewall Zero-Day Protection, it is particularly important: The license alone does not automatically protect every download. Appropriate policies, TLS inspection planning, user acceptance, exceptions, and monitoring are crucial. Without this operational work, the practical benefit remains limited.
We often see the greatest practical benefit of Xstream Protection where third-party threat feeds are actively used. This allows known malicious IPs, compromised systems, or other external threat intelligence sources to be directly considered in the firewall policy.
Central Orchestration is particularly interesting when multiple firewalls, multiple VPN sites, or more complex SD-WAN designs are operated. For a single firewall or a few simple site-to-site tunnels, manual configuration may still be sufficient. For central firewall changes, the Sophos Central Firewall Management Task Queue should also be incorporated into the operational process.
Understanding Epic Protection
Epic Protection is the more comprehensive bundle but should not be understood as the standard answer for every environment. The added value depends heavily on whether Email Protection and Webserver Protection are truly to be operated on the Sophos Firewall.
Epic Protection is more sensible if these questions are answered with yes:
- Should the Sophos Firewall work as a mail protection component in its own mail flow?
- Are published web servers or applications protected via the firewall?
- Are there clear responsibilities for mail, WAF, certificate, and exception operations?
- Are logging, quarantine, troubleshooting, and changes for these functions covered organisationally?
If email security is already resolved through Sophos Central Email, Microsoft 365 Security, another secure email gateway, or a specialised service, Email Protection on the firewall does not automatically need to be additionally purchased. Similarly, for Webserver Protection: A WAF on the firewall is only sensible if it fits the application architecture, TLS operation, and responsibility model.
Decision Matrix for Purchase and Renewal
Before purchasing, renewing, or changing bundles, it is better to have a short technical matrix rather than just comparing prices:
- Which protection functions are actively used today? Purchased but unconfigured modules do not provide a security gain.
- Which functions are to be introduced in the next 12 to 36 months? A bundle can be sensible if the introduction is realistically planned.
- Is there enough time for maintenance, exceptions, and log review? IPS, Web Protection, Zero-Day Protection, and WAF generate operational effort.
- Where are logs stored long-term? Local reporting often does not suffice for longer evidence or audits.
- How many firewalls, sites, and VPNs are there? Central Orchestration is more worthwhile with multiple firewalls and more complex topologies.
- Which security functions already run outside the firewall? Endpoint, DNS, email, WAF, and SIEM can partially replace or complement functions.
- Is the offer tied to a fixed term? Multi-year offers can be financially good but bind budget and architecture.
This matrix is particularly helpful for renewals. An environment that started with Xstream Protection three years ago may today only use standard functions. Conversely, a previously simple firewall may now require more reporting, SD-WAN, or advanced malware protection.
Properly Evaluating Promo Offers

Sophos promos can appear very attractive at first glance because hardware is heavily discounted when a certain bundle or term is chosen. However, for the technical decision, the discount alone is not decisive.
Before making a promo decision, these points should be considered separately:
- Total costs over the entire term, not just the hardware price.
- Prepayment and budget commitment for multi-year terms.
- Truly needed modules compared to purchased modules.
- Effort for introduction, monitoring, and maintenance of additional functions.
- Renewal situation after the promo expires.
- Risk that functions are purchased due to the bundle but never operated.
An Xstream promo can be sensible if Zero-Day Protection, Central Orchestration, or additional Central functions are genuinely used. If these functions are not operated, Standard Protection, despite a smaller hardware discount, is often the more honest decision.
What a Bundle Does Not Replace
A bundle does not solve architecture or operational problems. It unlocks functions but does not configure them sensibly.
Do not infer from a bundle:
- that the firewall model is properly dimensioned,
- that all security features are automatically activated,
- that TLS Inspection works without a rollout plan,
- that logs are retained long enough,
- that HA, backup, or restore are cleanly planned,
- that a support case can be quickly resolved without a serial number, license status, and documentation.
For the technical basis, Properly Configuring Sophos Firewall After the Setup Wizard, Creating or Restoring a Sophos Firewall Backup, and Sophos Firewall Firmware Update: Preparation and Best Practices should be considered in parallel.
Renewal Checklist
Before a renewal, the license should not simply be extended unchanged. A brief operational review is better:
- Check the serial number and model of the firewall.
- Document current Base License, Support, and Subscriptions.
- Match used modules with the current bundle.
- Identify unused modules.
- Justify missing modules based on specific requirements.
- Check firmware status and update entitlement.
- Classify XG, SG, or XGS lifecycle.
- Check reporting retention and Syslog/SIEM integration.
- HA cluster: check both nodes, roles, and license synchronization.
- Virtual firewalls: check CPU cores, instance, license, and account assignment.
For serial number and account assignment, Finding the Serial Number of the Sophos Firewall and Transfer Sophos Firewall to Another Sophos Central Account are suitable. For platform and lifecycle questions, Sophos XG vs. XGS: Differences, EOL, and Migration is helpful.
Common Mistakes
- Choosing a bundle just for the hardware discount: Functions are paid for but not operated. Check functional needs and operating costs separately from the discount.
- Confusing Base License with Support: Update and support capability is misjudged. Check Base License, Support, and Subscriptions separately.
- Buying Zero-Day Protection without a TLS inspection plan: Protection effect remains limited or leads to user frustration. Plan rollout, exceptions, test group, and monitoring.
- Choosing Central Orchestration for a very simple environment: Additional license brings little practical benefit. Evaluate number of firewalls, VPNs, and SD-WAN complexity.
- Double licensing Email Protection: Mail security becomes unnecessarily complex or expensive. Review existing email security architecture.
- Forgetting reporting requirements: Logs are later missing for analysis, audit, or insurance. Plan Central Reporting, Syslog, or SIEM early.