Spoiler: In most cases, it actually doesn’t. \ud83e\udd10<\/p>\n<\/blockquote>\n\n
4 reasons to think about buying a new XGS firewall<\/h2>\n\n
The new XGS hardware has been on the market since April 2021.\nThere are different factors when the purchase of an XGS hardware is really worthwhile.\nIn the following section, we look at 4 signs that can justify a purchase decision: <\/p>\n\n
1. defect<\/h3>\n\n
When a device breaks down and the warranty has expired, it often has to happen quickly and there is no time for in-depth research.\nHere, you should know in advance how to get the infrastructure up and running again and what the delivery times for a replacement device are, if any.\nThe firewall is the heart of the network.\nVery few can afford a longer interruption.\nHowever, companies with more than 20 employees often have an HA solution, which can alleviate the situation somewhat in the event of an outage. <\/p>\n\n
- \n
- What are the variants for a Sophos Firewall HA cluster?<\/a><\/li>\n<\/ul>\n\n
SG Firewall with UTM OS \ud83e\udd15<\/h4>\n\n
Unfortunately, we often see customers with SG hardware still using the UTM OS.\nIn such a situation, the purchase of an XGS firewall is not recommended.\nThe operation should work again as soon as possible and there is no time for a migration to the SFOS.\nYou should therefore reorder the same model of the SG firewall as quickly as possible, in order to restore the configuration from the backup copy in an uncomplicated manner. <\/p>\n\n
\n
We generally recommend all customers who still use an SG Firewall with the UTM operating system to consider migrating to the SFOS.\nThe migration of the license is free of charge and the runtime will be taken over 1:1.\nFor the migration the following instructions may help you: Install Sophos XG Firewall OS on an SG Appliance<\/a> <\/p>\n<\/blockquote>\n\n
If you need assistance migrating from UTM to SFOS, we’ll be happy to help.\nThe UTM hardcore fans among you who don’t want to switch to SFOS under any circumstances can simply wait until the UTM OS goes End-of-Life.\nThat will certainly not be the case before the end of 2025.\nHowever, the following two blogposts may help you to change your mind: <\/p>\n\n
- \n
- Sophos UTM: End of support at the end of 2021<\/a><\/li>\n\n\n\n
- 7 reasons why XG Firewall (SFOS) is better than UTM<\/a><\/li>\n<\/ul>\n\n
2. no more updates<\/h3>\n\n
When a software has not received any updates for more than a year<\/strong>, my feelings change.\nIf it’s been over two years<\/strong> (often even before that), people start looking for alternatives to replace it. For this reason alone, it would be inconceivable for me to still operate a Sophos Firewall with the UTM operating system today. \ud83d\ude1c <\/p>\n\n
Anyone else who has SFOS installed on their SG Firewall or has an XG Firewall should check to see if their appliance can still have SFOS v18.5+ installed.\nIn the following post, we have described which appliances will no longer receive the latest version: Sophos Firewall appliances: supported hardware for SFOS v18+<\/a> <\/p>\n\n
\n
Note<\/strong>: Sophos initially wanted to cut off SG Firewalls with SFOS and older generation XG Firewalls from updates as well.\nHowever, at the beginning of 2021, Sophos deviated from this plan and all current SG and XG models will still receive the latest SFOS versions. <\/p>\n<\/blockquote>\n\n
So unless you have an older revision of an SG or XG firewall that no longer receives updates, I can’t really recommend buying the XGS firewall here either.<\/p>\n\n
3. no more warranty<\/h3>\n\n
Another point that plays an important role in my personal purchasing strategy is a product’s warranty.\nAs soon as it expires, I automatically check whether there are any options for an extension or whether it is time to replace the product. <\/p>\n\n
The XG firewalls have a 5-year warranty with the corresponding license.\nIf you are one of the people who bought the first revision of an XG Firewall in 2016, your firewall is no longer covered by the manufacturer’s warranty.\nIn this case, I would make the following two considerations: <\/p>\n\n
- \n
- A single appliance is operated:<\/strong> Here the risk would be too great for me and I would replace the hardware with a new XGS model.<\/li>\n\n\n\n
- There are two appliances in an HA cluster:<\/strong> Here, too, I would aim for a change.\nIf the budget is not there, you can also wait until one of the two firewalls fails and then buy two new XGS models. <\/li>\n<\/ul>\n\n
4. not enough power<\/h3>\n\n
The last item on my list that can contribute to the decision of a new purchase is the performance of a product.\nIt happens that firmware updates make a device slower over time as new features are packed in.\nOr, quite simply, one’s own requirements change so that the original performance no longer fits. <\/p>\n\n
These points can also be applied to a Sophos Firewall.\nJust check the load of your firewall, because the number of devices in your network or the number of employees may have changed over the last few years, and the originally required performance no longer meets the current requirements.\nIn such a case, switching to XGS Firewall would certainly not be a bad idea, budget permitting.\nThe license can often be transferred to the new appliance free of charge. <\/p>\n\n
On the other hand, do you have a current SG or XG firewall that still gets the latest updates from SFOS (SFOS 18.5+), is still covered by the manufacturer’s warranty and has no performance problems?\nThen buying an XGS firewall is not worth it.\nYou should only keep an eye on the End-of-Life date of the XG Firewalls.\nThis date was recently postponed by Sophos from 31.12.2024 to 31.03.2025<\/strong>. <\/p>\n\n
- \n
- End of Sale: Sophos XG Firewall Hardware<\/a><\/li>\n<\/ul>\n\n
\n\nSummary<\/h2>\n\n
If I apply the 4 points of my personal purchase strategy to the XGS firewall, there is probably no need for action for most existing customers.\nFor new customers, of course, the case is clear and here we would always advise the XGS hardware!\nFinally, I have put together a flowchart for you to help you with the purchase decision process.\nJust play through it yourself and you will get our clear recommendation at the end. <\/p>\n\n
\n ![\"Sophos](\"https:\/\/www.avanet.com\/assets\/new-sophos-xgs-firewall-decision-flow-de-990x1024.png\")
<\/a><\/figure>\n<\/figure>\n\nFor those who have an XG firewall and are undecided at the moment, I recommend the following blog article that describes what the difference is between an XG and an XGS firewall:<\/p>\n\n
- \n
- What is the difference between an XG and XGS firewall?<\/a><\/li>\n<\/ul>\n\n
Briefly summarized: The decisive advantages of the new XGS hardware<\/h2>\n\n
The XGS series offers massively better performance by, among other things, processing traffic intelligently and efficiently and offloading certain tasks such as TLS inspection to the hardware.\nThe new dual-processor architecture with a multi-core CPU and an Xstream flow processor enables better hardware acceleration.\nIn the coming SFOS versions, more processes will be optimized here for the new hardware. <\/p>\n\n
Each unit features a 64-bit CPU and a separate Xtream processor, also known as a Network Processing Unit (NPU).\nThe new series is equipped with additional network ports, allowing optional modules to be added and flexible options for network port selection.\nThe XGS series now offers PoE (Power over Ethernet) ports and fail-to-wire (bypass), allowing traffic to continue even if the device loses power. <\/p>\n\n
Network Flow FastPath<\/h3>\n\n
Unlike the virtual FastPath, which is processed by the CPU in the XG series, the FastPath in the XGS series is processed by the Xstream flow processor.\nThis is located between the CPU and the physical ports with the PCIe (PCI Express).\nThus, the data traffic outsourced to the FastPath is handled by the Xstream Flow processor and the CPU is less burdened to deal with other tasks that cannot (yet) be outsourced. <\/p>\n\n
\n ![\"Sophos](\"https:\/\/www.avanet.com\/assets\/sophos-xgs-firewall-network-flow-fastpath-1024x462.png\")
<\/a><\/figure>\n<\/figure>\n\nFail-to-Wire<\/h3>\n\n
Fail-to-Wire is a fault tolerance feature that protects enterprise communications in the event of a power failure.\nIn this case, the WAN and LAN are bypassed, transparently protecting network connectivity.\nThis relay establishes a physical connection between the two ports in the bypass pair and forwards traffic whether power is present or not. <\/p>\n\n
- What is the difference between an XG and XGS firewall?<\/a><\/li>\n<\/ul>\n\n
- There are two appliances in an HA cluster:<\/strong> Here, too, I would aim for a change.\nIf the budget is not there, you can also wait until one of the two firewalls fails and then buy two new XGS models. <\/li>\n<\/ul>\n\n
- 7 reasons why XG Firewall (SFOS) is better than UTM<\/a><\/li>\n<\/ul>\n\n
- Sophos UTM: End of support at the end of 2021<\/a><\/li>\n\n\n\n
![\"Sophos](\"https:\/\/www.avanet.com\/assets\/sophos-xgs-firewall-fail-to-wire-1024x538.png\")
<\/a><\/figure>\n<\/figure>\n\n