Networking, wireless, Xstream architecture, unlimited remote access VPN ... 5G using the expansion bay on all XGS 116/126/136 models, an optional ...
Sophos Firewall Much More Than a Firewall Sophos Firewall and XGS Series appliances are at the heart of the world's best network security platform. Consolidate your network protection with our integrated and extensible platform to secure your hybrid networked world. Internet Apps Sophos Firewall SAAS Apps DNS Protection Protection Zero-Day ML Web & Sandboxing Protection Protection & IPS Cloud Firew Cloud Apps Messaging all & ZTNA Remote Workers ZTNA Identity, Authentication & Zero Trust Access Network Secure SD-WAN Remote Locations Automated Active Adversary Protection, Detection & Response Server/Applications Switch Wireless Endpoints Sophos Central SIngle Cloud Console Integrated with MDR & XDR Powerful Protection and Performance Sophos Firewall includes the latest advanced protection technologies and threat intelligence, including: Ì Streaming DPI engine with web protection and IPS Ì Accelerated TLS 1.3 encrypted traffic inspection Ì Zero-day AI and machine learning analysis Ì Real-time cloud sandboxing Ì DNS Protection The best part is, you don' t need to compromise on performance. This is thanks to our programmable Xstream architecture. It offloads benign traffic flows and crypto operations as well as VPN and select application routing to accelerate these network traffic flows and create performance headroom for traffic that actually needs deep packet inspection. Sophos Firewall leverages the Sophos Cloud to ensure that your organization is protected from the latest threats and further maximize your performance. You get the latest AI and machine learning technology from SophosLabs working to identify previously unseen threats and malicious URLs. Using a common cloud, any new threat attacking a single Sophos customer is instantly shared across all our customers, blocking it everywhere. In addition, offloading this analysis from your firewall to the cloud boosts your performance even further. sales@corporatearmo1r.com 877.449.0458 Sophos Firewall Active Threat Response Sophos Firewall uniquely integrates with many Sophos products to automatically coordinate a response to an active adversary or attack: Ì Sophos Endpoint and XDR Ì Sophos Managed Detection and Response services Ì Sophos switches and wireless access points Ì Sophos ZTNA remote access Ì Sophos messaging protection Ì And third-party threat intelligence solutions Regardless of how the threat is first identified, whether at the firewall, by another product, or by a security analyst, Sophos Firewall coordinates a Synchronized Security response across Sophos products. It will identify and isolate the compromised host and prevent lateral movement and external communications until the threat can be investigated and cleaned up. Sophos Synchronized Security integration between products also provides additional capabilities you can't get anywhere else that adds tremendous value to your network: Ì Synchronized Application Control takes advantage of telemetry gathered by the endpoint about active, networked applications and shares that with the firewall enabling control of applications that might otherwise go unidentified. Ì Synchronized User ID works similarly to share user identity between the endpoint agent and the firewall to enforce user-based policies without the need for a separate client or server identity solution. Ì Synchronized SD-WAN leverages Synchronized Application Control for traffic matching operations to effectively route custom or otherwise unknown application traffic across your network. Work From Anywhere Sophos Firewall offers the ultimate in flexible connectivity and secure access for even the most demanding networks. You get a fully integrated SD-WAN solution, along with a full suite of secure access products for Zero Trust Network Access, SD-RED edge devices, VPN, switching, and wireless -- all managed from Sophos Central. Securing and managing remote workers with ZTNA ensures users only have access to the applications they need, and not the whole network. ZTNA also integrates with Sophos Firewall and Sophos Endpoint to ensure a compromised device can't access the network at all. ZTNA also protects your applications from hacks and attacks by making them invisible to the outside world. The best part is, Sophos Firewall integrates a Sophos ZTNA gateway directly into your firewall to make deployment easy. Sophos Firewall also includes one of the best integrated SD-WAN solutions available in any firewall. Xstream SDWAN provides a powerful integrated SD-WAN solution with: Ì Performance-based link selection and routing Ì Load balancing with configurable weightings across multiple links Ì Zero-impact transitions between links in the event of a disruption Ì Central cloud-managed orchestration Ì Xstream FastPath acceleration of VPN tunnel traffic Sophos Firewall makes interconnecting your hybrid distributed enterprise easy and makes it extremely robust, ensuring maximum reliability and uptime. 2 Single Console Management With Sophos Central, you get a single cloud management platform for all your Sophos products, including rich and powerful tools for group firewall management, SDWAN overlay network orchestration, ZTNA and user management, and infrastructure management for your switches and wireless access points. You also get full indepth dashboards and reports, cross-product integration and automation with other Sophos products, and much more. Sophos Firewall is so much more than just a firewall consolidate and streamline your network security management starting with your firewall. Ì Manage all of your Sophos Firewalls and other Sophos products from a single console Ì Configure changes and apply them to a group of firewalls or manage each firewall individually Ì Create a backup schedule and store up to five backups in the cloud Ì Schedule firmware updates across your entire network with just a few clicks Ì Use zero-touch deployment for new firewalls from Sophos Central: just drop ship the device to any location and set it up remotely. A USB drive is no longer required (but can still be used if you prefer). Central Management is available at no extra cost. Sophos Firewall Sophos Central also includes powerful reporting and orchestration tools that enable you to visualize your network, web, application activity, and security over time: Ì Flexible reporting combines a variety of builtin reports with powerful tools that you can use to create your own custom reports Ì Analyze data to identify security gaps, suspicious user behavior, or other events requiring policy changes Ì Data is shared across Sophos products through the Sophos Central data lake for threat hunting, forensics, and automated response to active threats Ì Utilize point-and-click SD-WAN orchestration to easily setup a fully redundant VPN overlay network for your hybrid distributed network Ì Central reporting is available at no extra cost with storage of up to seven days of reporting data* Central Orchestration and Central Reporting with up to 30 days* of data retention are included at no extra charge in the Xstream Protection bundle. Premium reporting options with longer data retention are available for optional purchase. * Calculated based on average traffic volumes per appliance size. In high-traffic environments, the retention period can be lower. Learn more about the Sophos Central ecosystem at sophos.com/firewall-central 3 Sophos Firewall Xstream Protection: A single bundle for ultimate protection All the next-gen protection, performance, and value you need to power even the most demanding networks. Also available with the XGS Series model of your choice included. Base Firewall Features Ì Networking and SD-WAN: Wireless, SD-WAN, application-aware routing, traffic shaping Ì Protection and Performance: Xstream architecture with Network Flow FastPath, TLS 1.3 inspection, deep packet inspection Ì SD-WAN and VPN: Xstream SD-WAN, IPsec/SSL site-to-site and remote access VPN (unlimited), SD-RED site-to-site Ì Reporting: Historical on-box logging and reporting, Sophos Central cloud reporting (seven-day data retention) Network Protection Ì Xstream TLS inspection: TLS 1.3 Ì Xstream DPI engine: Streaming deep packet inspection Ì IPS: Next-gen intrusion prevention Ì Active Threat Response: Sophos X-Ops threat feeds Ì Synchronized Security: Automatically identify and isolate threats Ì Clientless VPN: HTML5 Ì SD-RED VPN: Manage SD-RED devices Ì Reporting: Extensive network and threat reporting Web Protection Ì Xstream TLS inspection: TLS 1.3 Ì Xstream DPI engine: Streaming deep packet inspection Ì Web Control: By user, group, category, URL, keyword Ì Web Protection: from the latest threats Ì App Control: By user, group, category, risk, and more Ì Synchronized App Control: Identify unknown apps Ì Synchronized SD-WAN: Route unknown apps Ì Reporting: Extensive web and app reporting Zero-Day Protection Ì Xstream TLS inspection: TLS 1.3 Ì Xstream DPI engine: Streaming deep packet inspection Ì Zero-day threat protection: ML and Sandboxing analysis of files Ì Machine learning: Using multiple deep learning models Ì Cloud sandboxing: Dynamic run- time analysis of unknown files Ì Reporting: Extensive threat intelligence analysis reporting DNS Protection and Xstream Protection Bundle-Only Features Ì Domain name resolution service: Backed by SophosLabs and powered by AI to block malicious or unwanted URLs Ì Active Threat Response: For Sophos MDR/XDR threat feeds Ì Active Threat Response: For third-party regional/vertical threat feeds Sophos Central Management Ì Group firewall management: Synchronized policy across firewall groups Ì Backup and firmware updates: Storage and scheduling Ì Zero-touch deployment: For new firewalls from the cloud Enhanced Support Sophos Central Orchestration Ì SD-WAN orchestration: Point-and click site-to-site VPN orchestration Ì Cloud firewall reporting: Multi-firewall reporting, save, schedule and export reports (30-day data retention) Ì XDR and MDR connector: Support for XDR and MDR services 4 Sophos Firewall All Licensing Options We recommend the Xstream Protection bundle for the ultimate in security. If you prefer to customize your protection, all subscriptions are also available for individual purchase. Xstream Protection Bundle: Base License Network Protection Web Protection Zero-Day Protection Central Orchestration DNS Protection (not sold separately) Bundle-only Features (not sold separately) Enhanced Support Networking, wireless, Xstream architecture, unlimited remote access VPN, site-to-site VPN, reporting Xstream TLS/DPI, IPS, Active Threat Response with Sophos X-Ops threat feeds, Heartbeat, SD-RED, reporting Xstream TLS and DPI engine, web security and control, application control, reporting Machine learning and sandboxing file analysis, reporting SD-WAN VPN orchestration, Central Firewall Advanced Reporting (30-days), MDR/XDR data lake connector Cloud-based DNS service for web security and compliance Active Threat Response with MDR/XDR threat feeds and third-party threat feeds 24/7 support, feature updates, advanced replacement hardware warranty for term Custom protection: You can choose the Standard Protection bundle or purchase any of the protection modules separately. Standard Protection Bundle: Base License Networking, wireless, Xstream architecture, Xstream SD-WAN, unlimited remote access VPN, site-to-site VPN Network Protection Xstream TLS and DPI engine, IPS, ATP, Security Heartbeat, manage SD-RED, reporting Web Protection Xstream TLS and DPI engine, web security and control, application control, reporting Enhanced Support 24/7 support, feature updates, advanced replacement hardware warranty for term Additional Protection Modules: Email Protection On-box anti-spam, AV, DLP, encryption Web Server Protection Web Application Firewall Sophos Central managing and reporting: Sophos Central Management and Reporting (included at no charge): Sophos Central Management Group firewall management, backup management, firmware update scheduling Sophos Central Firewall Reporting Pre-packaged and custom report tools, with seven days cloud storage for no extra charge (see other options) Additional protection: Additional Protection Services, Products, and Modules: Managed Detection 24/7 threat hunting, detection, and response and Response delivered by an expert team (more info) Sophos Intercept X Sophos Central managed next-gen endpoint Endpoint with XDR protection with EDR (more info) Zero Trust Network Access A ZTNA gateway is integrated into your firewall (more info) Central Email Advanced Sophos Central managed antispam, AV, DLP, encryption (more info) Sophos Switch Cloud-managed access layer switches (more info) Sophos Wireless Scalable, cloud-managed Wi-Fi (more info) Support: A support subscription is required to receive firmware upgrades. Enhanced support is included in all protection bundles, but you can upgrade to enhance your support experience further. Additional Support Options: Enhanced Plus Support Upgrade Upgrade your support with VIP support, hardware warranty for add-ons, TAM option (extra cost) In Active/Passive HA scenarios, Enhanced Plus support is required in the primary device to be eligible for Advanced RMA on the passive device Cloud, virtual, and software application licensing options: If you're deploying Sophos Firewall in the cloud, in a virtual environment, or as software on your own hardware, the licensing guide below can help you find the right option. Model XGS 88(w)/87(w) Equivalent AWS instance t3.medium XGS 108(w)/107(w) c5.large XGS 118(w)/116(w) XGS 2100 c5.xlarge XGS 2300 m5.xlarge XGS 3100 c5.2xlarge XGS 4300 c5.4xlarge XGS 5500 c5.9xlarge Equivalent Azure VM - Standard_ F2s_v2 - - Standard_ F4s_v2 Standard_ F8s_v2 Standard_ F16s_v2 Standard_ F32s_v2 Software/ Virtual License* 2C4 - 4C6 - 6C8 8C16 16C24 Unlimited * Based upon CPU cores and RAM For a complete list of features included in each protection subscription, see the Sophos Firewall Feature List. 5 Deployment Options Sophos Firewall XGS Series AWS/Azure Virtual Software Purpose-built devices to provide the ultimate in performance. Protect your network infrastructure in the AWS or Azure cloud. Install on VMware, Citrix, Microsoft Hyper-V, and KVM. Install the Sophos Firewall OS image on your own Intel hardware or server. Cloud Sophos Firewall offers the best network visibility, protection, and response capabilities to secure your public, private, and hybrid cloud environments. Virtual and software Sophos Firewall supports a broad range of virtualization platforms and can also be deployed as a software appliance on your own x86 Intel hardware. As an AWS Advanced Technology Partner, Sophos is a validated AWS Security Competency vendor, AWS Marketplace seller, and AWS Public Sector Partner (PSP). Sophos Firewall is now available in the AWS Marketplace, with auto-scaling support with either a pay-as-you-go (PAYG) license model or bring your own license (BYOL) to best fit your needs. Sophos Firewall is certified and optimized for Azure and is available in the Microsoft Azure Marketplace. Take advantage of the free test drive or the flexible PAYG or BYOL licensing options. See the Licensing section for available licensing options. Sophos Firewall is Nutanix AHV and Nutanix Flow Ready, bringing the world's best next-gen firewall visibility, protection, and response to the industry's leading hyperconverged infrastructure (HCI) platform. Take advantage of a 30-day free trial using our KVM image and flexible licensing. 6 Sophos Firewall Protection Modules You can choose from a number of modules to customize the protection offered by your firewall to your individual needs and deployment scenario. Base Sophos Firewall The Sophos Firewall Base License includes the Xstream architecture, networking, wireless, SD-WAN, VPN, and reporting. Xstream architecture Enables high-performance TLS 1.3 inspection, deep packet inspection, and network flow FastPath to accelerate trusted SaaS, SD-WAN, and cloud application traffic. Note that Network and Web Protection are required to get the full benefits of the Xstream architecture. Xstream SD-WAN and networking Includes all networking, routing, and SD-WAN capabilities, including zone-based stateful firewall, NAT, VLAN, SDWAN profiles, performance-based WAN link selection and monitoring, load balancing, zero-impact WAN link transitions, and Xstream FastPath acceleration of trusted application traffic, IPsec VPN traffic, and TLS encrypted traffic flows. Secure Wireless Built-in wireless controller for Sophos APX Wi-Fi 5 access points (no longer sold). Plug-and-play access point discovery makes setup easy. Support for multiple SSIDs, hotspots, guest networks, and diverse encryption and security standards. Wi-Fi 6/6E support is available using our separate, cloudmanaged Wi-Fi solution. VPN Provides standards-based site-to-site and remote access VPN (free up to the capacity of the firewall), with support for IPsec and SSL. Sophos Connect remote access VPN client for Windows and Macs offers seamless and easy deployment and configuration options. SD-RED layer 2 siteto-site tunnels offer a lightweight robust VPN alternative. Reporting Extensive on-box reporting provides valuable insights into threats, users, applications, web activity, and much more. Note that specific reporting functionality may be dependent on other protection modules to get the full benefits (for example, web protection or web and app reports). The Base Firewall is included with every appliance. Network Protection All the protection you need to stop sophisticated attacks and advanced threats while providing secure network access to those you trust. Next-Gen intrusion prevention system Provides advanced protection from all types of modern attacks. It goes beyond traditional server and network resources to protect users and apps on the network as well. Security Heartbeat Creates a link between your Sophos Central protected endpoints and your firewall to identify threats faster, simplify investigation, and minimize the impact of attacks. Easily incorporate the Security Heartbeat status into firewall policies to automatically isolate compromised systems. Advanced Threat Protection Instant identification and immediate response to today's most sophisticated attacks. Multi-layered protection identifies threats instantly, and Security Heartbeat provides an emergency response. Advanced VPN technologies Adds unique and simple VPN technologies, including our clientless HTML5 self-service portal that makes remote access incredibly simple, plus management for our exclusive lightweight and secure SD-RED VPN technology. Network Protection is included in the Xstream and Standard Protection bundles and is also available for separate purchase. 7 Sophos Firewall Web Protection Unmatched visibility and control over all of your users web and application activity. Powerful user and group web policy Provides enterprise-level Secure Web Gateway policy controls to easily manage sophisticated user and group web controls. Apply policies based on uploaded web keywords indicating inappropriate use or behavior. Application control and QoS Enables user-aware visibility and control over thousands of applications with granular policy and traffic-shaping (QoS) options based on application category, risk, and other characteristics. Synchronized Application Control automatically identifies all unknown, evasive, and custom applications on your network. Advanced web threat protection Backed by SophosLabs, our advanced engine provides the ultimate protection from today's polymorphic and obfuscated web threats. Innovative techniques like JavaScript emulation, behavioral analysis, and origin reputation help keep your network safe. High-performance traffic scanning Optimized for top performance, our Xstream SSL inspection provides ultra-low latency inspection and HTTPS scanning while maintaining performance. Web Protection is included in the Xstream and Standard Protection bundles and is also available for separate purchase. DNS Protection Cloud-based DNS service for added web security and compliance. High-performance domain-level protection Sophos DNS Protection is a cloud-based service providing DNS resolution and an added layer of web security to your networks. It works instantly to block access to unsafe and unwanted domains across all ports, protocols, and applications from both managed and unmanaged devices. Integrated Compliance Controls Easily add an additional layer of compliance controls to your network to block access to common unwanted site categories across your entire network. Powered by AI Sophos DNS Protection is continually updated by SophosLabs using the latest in AI analysis to identify malicious and unwanted sites which are shared across all customers in real-time as soon as they are discovered. DNS Protection is included in the Xstream Protection bundle and is not available for separate purchase. Zero-Day Protection AI-driven static and dynamic file analysis techniques combine to bring unprecedented threat intelligence to your firewall and effectively identify and block ransomware and other known and unknown threats. Powered by SophosLabs Powered by the industry-leading SophosLabs, the Zero-Day Protection subscription includes a fully cloud-based threat intelligence and threat analysis platform. This provides deep learning-based file analysis, detailed analysis reporting, and a threat meter to show the risk summary for a file. We use layers of analytics to identify known and potential threats, reduce unknowns, and derive verdicts and intelligence reports for the most commonly used file types. Static file analysis By harnessing the power of multiple machine learning models, global reputation, deep file scanning, and more, you can quickly identify threats without the need to execute files in real time. Dynamic file analysis Execute a file in a secure cloud-based sandbox to observe its behavior and intent. Screenshots provide added insights into any key events during the analysis. Threat intelligence analysis reporting Rich intelligence reports provide you with more than just a "good," "bad," or "unknown" verdict. Full insight into the nature and capabilities of a threat is delivered through the use of data science and SophosLabs research. Zero-Day Protection is included in the Xstream Protection bundle and is also available for separate purchase. 8 Sophos Firewall Central Orchestration Sophos Central cloud-managed VPN orchestration, firewall reporting, and MDR/XDR integration. Sophos Central SD-WAN orchestration Makes VPN orchestration easy. Wizard-based tunnel configuration helps create full mesh networks, hub-andspoke models, or complex tunnel setups between multiple firewalls a quick point-and-click exercise. Seamlessly integrates multiple WAN link and SD-WAN functionality and routing optimizations to improve resilience performance. Also integrates with user authentication and Security Heartbeat to control access. Central Firewall Reporting Advanced (30 Days) Cloud-based reporting with several pre-packaged common reports for threats, compliance, and user activity. Includes advanced options for creating custom reports and views with the option to save, schedule, or export your custom reports. Includes 30 days of log data retention with the option to add additional storage for more comprehensive historical reporting requirements. MDR/XDR connector Sophos MDR provides optional 24/7 threat hunting, detection, and response delivered by an expert team as a fully managed service. Sophos XDR offers extended detection and response managed by your team. Regardless of whether you manage it yourself or Sophos manages it for you, your Sophos Firewall is ready to share the necessary threat intelligence and data to the cloud. Central Orchestration is included in the Xstream Protection bundle and is available for separate purchase. Zero Trust Network Access Provide secure remote access to applications and systems behind your firewall. Integrated ZTNA gateway Sophos Firewall provides an integrated Sophos ZTNA gateway at no extra cost. This simplifies ZTNA deployments by eliminating the need for a separate VM gateway, making deployments faster and easier. Sophos ZTNA is the ultimate remote access VPN replacement, providing better security, easier management, and a transparent user experience. ZTNA gateways are available at no extra cost. User-based client licenses for ZTNA are sold separately. Email Protection Consolidate your email protection with anti-spam, DLP, and encryption. We recommend Sophos Central Email Advanced for the best cloud-based email protection solution. If you require on-box email protection, this module offers essential anti-spam, DLP, and encryption. Integrated message transfer agent Ensures always-on business continuity for your email, allowing the firewall to automatically queue mail in the event that servers become unavailable. Live anti-spam Provides protection from the latest spam campaigns, phishing attacks, and malicious attachments. Self-serve quarantine Gives employees direct control over their spam quarantine, saving you time and effort. SPX email encryption Unique to Sophos, SPX makes it easy to send encrypted emails to anyone, even those without any kind of trust infrastructure, using our patent-pending password-based encryption technology. Data loss prevention Policy-based DLP can automatically trigger encryption or block/notify based on the presence of sensitive data in emails leaving the organization. Email Protection is available for individual purchase only. Web Server Protection Harden your web servers and business applications against hacking attempts and provide secure access. Business application policy templates Pre-defined policy templates let you protect common applications like Microsoft Exchange Outlook Anywhere or SharePoint quickly and easily. Protection from the latest hacks and attacks Offers a variety of advanced protection technologies, including URL and form hardening, deep-linking and directory traversal prevention, SQL injection and cross-site scripting protection, cookie signing, and more. Reverse Proxy Authentication options, SSL offloading, and server load balancing ensure maximum protection and performance for your servers being accessed from the internet. Web Server Protection is available for individual purchase only. 9 Sophos Firewall Sophos XGS Series Appliances The XGS Series models offer excellent performance and connectivity at every price point to power the protection you need for today's diverse, distributed, and encrypted networks. Product Matrix Model Form Factor Tech Specs Ports/Slots (Max Ports) w-model Swappable Components XGS 88(w) 4/- (4) XGS 108(w) XGS 118(w) XGS 128(w) XGS 1381 XGS 87(w) XGS 107(w) XGS 116(w) XGS 126(w) XGS 136(w) Gen.2 Desktop2 Gen.1 Desktop 7/-(7) 10/1(10) 10/1(10) 8/1(8) 5/- (5) 9/- (9) 9/1 (9) 14/1 (14) Wi-Fi 6 n/a Wi-Fi 5 XGS 2100 XGS 2300 XGS 3100 XGS 3300 n/a 10/1 (18) n/a 1U Short n/a 12/1 (20) n/a XGS 4300 XGS 4500 n/a 1U Long 12/2 (28) n/a XGS 5500 XGS 6500 XGS 7500 XGS 8500 16/3 (48) n/a 20/4 (68) n/a 2U n/a 22/4 (70) n/a 1 Currently not available in Japan 2 All Gen.2 Desktop models include two or more 2.5 GE ports 3 Not sold in Japan 4 2nd Wi-Fi module option for XGS 116w, 126w and 136w only n/a Optional: 2nd power supply, 5G module3 n/a Optional: 2nd power supply Optional: 2nd power supply, 3G/4G module, 5G module, Wi-Fi module4 Optional: external power supply Optional: internal power supply Built in: redundant power, SSDs, fans Firewall (Mbps) 9,900 12,500 15,500 19,100 19,100 3,850 7,000 7,700 10,500 11,500 30,000 39,000 47,000 58,000 75,000 80,000 100,000 120,000 160,000 190,000 Throughput IPsec VPN (Mbps) Threat Protection (Mbps) 6,000 2,000 8,250 2,500 13,000 3,250 15,050 4,000 6,600 4,750 3,000 850 4,000 1,110 4,800 2,160 5,500 2,700 6,350 3,000 17,000 5,000 20,500 5,550 25,500 7,400 31,100 10,000 62,500 25,200 75,550 31,850 92,500 46,000 109,800 53,500 117,000 70,000 141,000 92,500 Xstream SSL/TLS (Mbps) 600 800 1,100 1,450 1,700 375 420 650 800 950 1,100 1,450 2,470 3,130 8,000 10,600 13,500 16,000 19,500 24,000 Performance test methodology General: Maximum throughput measured under ideal test conditions using industry-standard Keysight-Ixia BreakingPoint test tools. Actual performance may vary depending on network conditions and activated services Ì Firewall: Measured using HTTP traffic and 512 KB response size. Ì Firewall IMIX: UDP throughput based on a combination of 66 byte, 570 byte, and 1518 byte packet sizes. Ì IPS: Measured with IPS with HTTP traffic using default IPS ruleset and 512 KB object size. Ì IPsec VPN: HTTP throughput using multiple tunnels and 512 KB HTTP response size. Ì TLS Inspection: Performance measured with IPS with HTTPS sessions and different cipher suites. Ì Threat Protection: Measured with firewall, IPS, application control, and malware prevention enabled using Enterprise Traffic Mix. Ì NGFW: Measured with IPS and application control enabled with HTTP traffic using default IPS ruleset and 512KB object size. Need sizing help? Sophos offers free sizing assistance and a firewall sizing tool for partners via the Partner Portal. 10 Sophos Firewall Sophos XGS Series Desktop: SMB and Branch Office Our two generations of desktop appliances offer great value, performance, and efficiency for small businesses, retail outlets, and branch offices. 2nd Generation XGS Desktop The 2nd generation XGS desktop models unlock a wealth of new features and high-speed connectivity options. Product highlights Ì Accelerated performance: up to double the throughput of Gen.1 models plus Xstream virtual FastPath acceleration for IPsec VPN (XGS 88 to XGS 128) in combination with SFOS v21 and higher Ì High-speed connectivity built in: 2.5 GE interfaces on every model, two built-in 10 GE SFP+ interfaces on the XGS 138, Wi-Fi integrated models support Wi-Fi 6 (802.11ax) with concurrent use of the 2.4 and 5 GHz bands for better performance Ì Power and environment: up to 50% lower power consumption, fanless XGS 88 and 108 models for whisper-quiet operation, optimized thermal design for XGS 118 and above, redundant power option for all XGS 1xx models Ì Optional connectivity: new 5G module available exclusively for Gen.2 models for more cost-effective redundant connectivity Ì Streamlined hardware architecture: the XGS 88 to XGS 128 models boast a new single-CPU architecture while the XGS 138 has a refreshed dual-processor architecture Available models XGS 88 and XGS 88w See detailed technical specifications XGS 108, XGS 108w See detailed technical specifications XGS 118, XGS 118w See detailed technical specifications XGS 128, XGS 128w See detailed technical specifications XGS 138 See detailed technical specifications 1st Generation XGS Desktop The original XGS desktop models combine advanced hardware technology with excellent value and connectivity. Product highlights Ì Hardware acceleration: Xstream Flow Processor for hardware-level acceleration of trusted and previously verified apps and traffic Ì Extensive built-in connectivity: SFP interface on every model, all models available with optional integrated Wi-Fi 5 (802.11ac), built-in Power-over-Ethernet on all XGS 116, 126, and 136 models (2.5 GE on XGS 136) Ì Power and environment: Redundant power option for all XGS 1xx models, optimized energy consumption For highly noise-sensitive environments, we recommend the fanless XGS 88 and XGS 108 (Gen.2) models Ì Add-on connectivity options: optional 3G/4G and 5G using the expansion bay on all XGS 116/126/136 models, an optional second Wi-Fi radio module can be added to w-models with an expansion bay Ì Dual-processor architecture: all Gen.1 models include an x86 CPU plus an Xstream Flow Processor (NPU) Available models XGS 87 and XGS 87w See detailed technical specifications XGS 107, XGS 107w See detailed technical specifications XGS 116, XGS 116w See detailed technical specifications XGS 126, XGS 126w See detailed technical specifications XGS 136, XGS 136w See detailed technical specifications Note: All protection features are supported on every XGS 1xx model and most on XGS 87(w) and XGS 88(w) 11 Sophos Firewall Sophos XGS Series Desktop: SMB and Branch Office Gen.2: XGS 88 and XGS 88w Technical specifications Note: The XGS 88 and 88w do not support some advanced features like on-box reporting, dual AV scanning, WAF AV scanning, and the email message transfer agent (MTA) functionality. If you need these capabilities, the XGS 108(w) is recommended. Front View 1 x USB 2.0 Status LEDs (w-model has additional Wi-Fi LED) Back View 1 x COM Micro USB 2 x external antenna (XGS 88w only) 1 x COM (RJ45) 4 x 2.5 GE copper port Power supply 1 x USB 3.0 Physical Specifications Mounting Dimensions: Width X height X depth Weight Environment Power supply Power consumption (typical) Noise level (avg.) Operating temperature Humidity Product Certifications Certifications * XGS 88 only Rackmount kit available (to be ordered separately) 200 x 44 x 180 mm 1.4 kg/3.08 lbs (unpacked) 2 kg/4.41 lbs (packed) (w-model minimally more) External auto-ranging AC-DC 100-240VAC, 1.7A@50-60 Hz 12VDC, 3.33A, 40W 12.5 W/42.65 BTU/hr (88 idle) 14.5 W/49.48 BTU/hr (88w idle) 18 W/61.42 BTU/hr (88 max.) 22 W/75.07 BTU/hr (88w max.) 0 dBA - fanless 0°C to 40°C (operating) -20°C to +70°C (storage) 10% to 90%, non-condensing CB, CE, UKCA, UL, FCC, ISED, VCCI, KC*, BSMI, RCM, NOM, Anatel*, TEC Performance Firewall throughput Firewall IMIX IPS throughput Threat protection throughput NGFW Concurrent connections New connections/sec IPsec VPN throughput IPsec VPN concurrent tunnels SSL VPN concurrent tunnels Xstream SSL/TLS Inspection Xstream SSL/TLS concurrent connections XGS 88(w) 9,900 Mbps 6,500 Mbps 2,000 Mbps 2,000 Mbps 2,000 Mbps 1,600,000 40,500 6,000 Mbps 500 500 600 Mbps 8,192 Note: For performance testing methodology, see page 10 Wireless Specification (XGS 88w only) No. of antennas 2 external MIMO capabilities 2 x 2:2 Wireless interface Wi-Fi 6 (802.11ax) 2.4 GHz/5 GHz concurrent Physical Interfaces Storage Ethernet interfaces (fixed) Management ports Other I/O ports Number of expansion slots Optional add-on connectivity 16 GB eMMC 4 x 2.5 GE copper 1 x COM RJ45 1 x Micro-USB (cable incl.) 1 x USB 2.0 (front) 1 x USB 3.0 (rear) 0 n/a 12 Sophos XGS Series Desktop: SMB and Branch Office Gen.2: XGS 108, XGS 108w Technical specifications Sophos Firewall Front View 1 x USB 2.0 Status LEDs (w-model has additional Wi-Fi LED) 1 x COM Micro USB Back View 2 x external antenna (XGS 108w only) 1 x COM (RJ45) 6 x 2.5 GE copper port Power supply 1 x USB 3.0 Connector for optional 2nd redundant power supply 1 x GE SFP Physical Specifications Mounting Dimensions: Width X height X depth Weight Environment Power supply Power consumption Noise level (avg.) Operating temperature Humidity Product Certifications Certifications * XGS 108 only Rackmount kit available (to be ordered separately) 260 x 44 x 180 mm 1.8 kg/3.97 lbs (unpacked) 2.4 kg/5.29 lbs (packed) (w-model minimally more) External auto-ranging AC-DC 100-240VAC, 2A@50-60 Hz 12VDC, 5A, 60W Optional second redundant power supply 21.5 W/73.36 BTU/hr (108 idle) 25.5 W/87.01 BTU/hr (108w idle) 27 W/92.13 BTU/hr (108 max.) 30 W/102.36 BTU/hr (108w max.) 0 dBA - fanless 0°C to 40°C (operating) -20°C to +70°C (storage) 10% to 90%, non-condensing CB, CE, UKCA, UL, FCC, ISED, VCCI, KC*, BSMI, RCM, NOM, Anatel*, TEC Performance Firewall throughput Firewall IMIX IPS throughput Threat Protection throughput NGFW Concurrent connections New connections/sec IPsec VPN throughput SSL VPN concurrent tunnels IPsec VPN concurrent tunnels Xstream SSL/TLS Inspection Xstream SSL/TLS concurrent connections XGS 108(w) 12,500 Mbps 8,100 Mbps 2,500 Mbps 2,500 Mbps 2,600 Mbps 4,190,000 53,000 8,250 Mbps 1,000 1,000 800 Mbps 12,288 Note: For performance testing methodology, see page 10 Wireless Specification (XGS 108w only) No. of antennas 2 external MIMO capabilities 2 x 2:2 Wireless interface Wi-Fi 6 (802.11ax) 2.4 GHz/5 GHz concurrent Physical Interfaces Storage (local quarantine/logs) Ethernet interfaces (fixed) Management ports Other I/O ports Number of expansion slots Optional add-on connectivity 64 GB UFS 2.1 6 x 2.5 GE copper 1 x SFP fiber 1 x COM RJ45 1 x Micro-USB (cable incl.) 1 x USB 2.0 (front) 1 x USB 3.0 (rear) 0 n/a 13 Sophos XGS Series Desktop: SMB and Branch Office Gen.2: XGS 118, XGS 118w Technical specifications Sophos Firewall Front View 1 x USB 2.0 1 x COM Micro USB Back View 2 x external antenna (XGS 118w only) Status LEDs (w-model has additional Wi-Fi LED) 1 x COM (RJ45) 9 x 2.5 GE copper port Optional module expansion bay Power supply 1 x USB 3.0 Connector for optional 2nd redundant power supply F1 1 x SFP fiber port Physical Specifications Mounting Dimensions: Width X height X depth Weight Environment Power supply Power consumption Noise level (avg.) Typical/Max. operation Operating temperature Humidity Product Certifications Certifications * XGS 118 only Rackmount kit available (to be ordered separately) 320 x 44 x 212 mm 2.4 kg/5.29 lbs (unpacked) 3.9 kg/8.60 lbs (packed) (w-model minimally more) External auto-ranging AC-DC 100-240VAC, 2A@50-60 Hz 12VDC, 5.42A, 65W Optional second redundant power supply 25.5 W/87.01 BTU/hr (118 idle) 29.5 W/100.66 BTU/hr (118w idle) 28 W/95.54 BTU/hr (118 max.) 34 W/116.01 BTU/hr (118w max.) XGS 118 - 17.3/26.9 dBA XGS 118(w) - 19.5/31 dBA 0°C to 40°C (operating) -20°C to +70°C (storage) 10% to 90%, non-condensing CB, CE, UKCA, UL, FCC, ISED, VCCI, KC*, BSMI, RCM, NOM, Anatel*, TEC Performance Firewall throughput Firewall IMIX IPS throughput Threat Protection throughput NGFW Concurrent connections New connections/sec IPsec VPN throughput IPsec VPN concurrent tunnels SSL VPN concurrent tunnels Xstream SSL/TLS Inspection Xstream SSL/TLS concurrent connections XGS 118(w) 15,500 Mbps 11,000 Mbps 3,500 Mbps 3,250 Mbps 3,950 Mbps 5,500,000 62,650 13,000 Mbps 1,500 1,250 1,100 Mbps 18,432 Note: For performance testing methodology, see page 10 Wireless Specification (XGS 118w only) No. of antennas 2 external MIMO capabilities Wireless interface 2 x 2:2 Wi-Fi 6 (802.11ax) 2.4 GHz/5 GHz concurrent Physical Interfaces Storage (local quarantine/logs) Ethernet interfaces (fixed) Power-over-Ethernet (fixed) Management ports Other I/O ports Number of expansion slots Optional add-on connectivity * SFP transceivers sold separately 64 GB UFS 2.1 9 x 2.5 GE copper 1 x SFP fiber 0 1 x COM RJ45 1 x Micro-USB (cable incl.) 1 x USB 2.0 (front) 1 x USB 3.0 (rear) 1 5G module (Gen.2) 14 Sophos XGS Series Desktop: SMB and Branch Office Gen.2: XGS 128, XGS 128w Technical specifications Sophos Firewall Front View 1 x USB 2.0 1 x COM Micro USB Back View 2 x external antenna (XGS 128w only) Status LEDs (w-model has additional Wi-Fi LED) 1 x COM (RJ45) 9 x 2.5 GE copper port Optional module expansion bay Power supply 1 x USB 3.0 Connector for optional 2nd redundant power supply F1 1 x SFP fiber port Physical Specifications Mounting Dimensions: Width X height X depth Weight Environment Power supply Power consumption Noise level (avg.) Typical/Max. operation Operating temperature Humidity Product Certifications Certifications * XGS 128 only Rackmount kit available (to be ordered separately) 320 x 44 x 212 mm 2.4 kg/5.29 lbs (unpacked) 3.9 kg/8.60 lbs (packed) (w-model minimally more) External auto-ranging AC-DC 100-240VAC, 2A@50-60 Hz 12VDC, 5.42A, 65W Optional second redundant power supply 26.5 W/90.42 BTU/hr (128 idle) 30 W/102.36 BTU/hr (128w idle) 30 W/102.36 BTU/hr (128 max.) 35 W/119.42 BTU/hr (128w max.) XGS 128 - 17.3/26.9 dBA XGS 128(w) - 19.5/31 dBA 0°C to 40°C (operating) -20°C to +70°C (storage) 10% to 90%, non-condensing CB, CE, UKCA, UL, FCC, ISED, VCCI, KC*, BSMI, RCM, NOM, Anatel*, TEC Performance Firewall throughput Firewall IMIX IPS throughput Threat Protection throughput NGFW Concurrent connections New connections/sec IPsec VPN throughput IPsec VPN concurrent tunnels SSL VPN concurrent tunnels Xstream SSL/TLS Inspection Xstream SSL/TLS concurrent connections XGS 128(w) 19,100 Mbps 14,500 Mbps 4,650 Mbps 4,000 Mbps 4,350 Mbps 6,000,000 72,250 15,050 Mbps 2,500 1,500 1,450 Mbps 18,432 Note: For performance testing methodology, see page 10 Wireless Specification (XGS 128w only) No. of antennas 2 external MIMO capabilities Wireless interface 2 x 2:2 Wi-Fi 6 (802.11ax) 2.4 GHz/5 GHz concurrent Physical Interfaces Storage (local quarantine/logs) Ethernet interfaces (fixed) Power-over-Ethernet (fixed) Management ports Other I/O ports Number of expansion slots Optional add-on connectivity 64 GB UFS 2.1 9 x 2.5 GE copper 1 x SFP fiber 0 1 x COM RJ45 1 x Micro-USB (cable incl.) 1 x USB 2.0 (front) 1 x USB 3.0 (rear) 1 5G module (Gen.2) 15 Sophos XGS Series Desktop: SMB and Branch Office Gen.2: XGS 138 Technical specifications Sophos Firewall Front View 1 x USB 2.0 Status LEDs (w-model has additional Wi-Fi LED) 1 x COM Micro USB Back View 1 x COM (RJ45) 2 x SFP+ ports 2 x 2.5 GE PoE ports Optional module expansion bay Power supply 1 x USB 3.0 Connector for optional 2nd redundant power supply 4 x GE copper ports Physical Specifications Mounting Dimensions: Width X height X depth Weight Environment Power supply Power consumption PoE addition enabled Noise level (avg.) Typical/Max. operation Operating temperature Humidity Product Certifications Certifications Rackmount kit available (to be ordered separately) 320 x 44 x 212 mm 2.4 kg/5.29 lbs (unpacked) 4.4 kg/9.70 lbs (packed) External auto-ranging AC-DC 100-240VAC, 2A@50-60 Hz 12VDC, 12.5A, 150W Optional second redundant power supply 33 W/112.60 BTU/hr (idle) 51 W/174.02 BTU/hr (max.) 121 W/412.87 BTU/hr (max.) 28/43 dBA 0°C to 40°C (operating) -20°C to +70°C (storage) 10% to 90%, non-condensing CB, CE, UKCA, UL, FCC, ISED, VCCI, KC, BSMI, RCM, NOM, Anatel, TEC Performance Firewall throughput Firewall IMIX IPS throughput Threat Protection throughput NGFW Concurrent connections New connections/sec IPsec VPN throughput IPsec VPN concurrent tunnels SSL VPN concurrent tunnels Xstream SSL/TLS Inspection Xstream SSL/TLS concurrent connections XGS 138 19,100 Mbps 10,500 Mbps 5,850 Mbps 4,750 Mbps 5,100 Mbps 6,550,000 105,000 6,600 Mbps 2,500 1,500 1,700 Mbps 18,432 Note: For performance testing methodology, see page 10 Physical Interfaces Storage (local quarantine/logs) Ethernet interfaces (fixed) Power-over-Ethernet (fixed) Management ports Other I/O ports Number of expansion slots Optional add-on connectivity 64 GB M.2 4 x GE copper 2 x 2.5 GE copper 2 x SFP+ fiber 2 x 2.5 GE (30W max. per port) 1 x COM RJ45 1 x Micro-USB (cable incl.) 1 x USB 2.0 (front) 1 x USB 3.0 (rear) 1 5G module (Gen.2) 16 Sophos Firewall Sophos XGS Series Desktop: SMB and Branch Office Gen.1: XGS 87 and XGS 87w Technical specifications Note: The XGS 87 and 87w do not support some advanced features like on-box reporting, dual AV scanning, WAF AV scanning, and the email message transfer agent (MTA) functionality. If you need these capabilities, the XGS 107(w) is recommended. Front View 1 x USB 2.0 Status LEDs (w-model has additional Wi-Fi LED) 1 x COM Micro USB Back View 2 x external antenna (XGS 87w only) 1 x COM (RJ45) 1 x GE SFP Power supply 1 x USB 3.0 4 x GE copper port Physical Specifications Mounting Dimensions: Width X height X depth Weight Environment Power supply Power consumption Operating temperature Humidity Product Certifications Certifications * XGS 87 only Rackmount kit available (to be ordered separately) 230 x 44 x 205.5 mm 1.36 kg/3 lbs (unpacked) 2.75 kg/6.06 lbs (packed) (w-model minimally more) External auto-ranging AC-DC 100-240VAC, 1.7A@50-60 Hz 12VDC, 5A, 60W 23.2 W/79.16 BTU/hr (87 idle) 27.1 W/92.13 BTU/hr (87w idle) 43.4 W/148.09 BTU/hr (87 max.) 46.8 W/159.69 BTU/hr (87w max.) 0°C to 40°C (operating) -20°C to +70°C (storage) 10% to 90%, non-condensing CB, CE, UKCA, UL, FCC, ISED, VCCI, CCC, KC*, BSMI, RCM, NOM, Anatel*, TEC Performance Firewall throughput Firewall IMIX Firewall Latency (64 byte UDP) IPS throughput Threat protection throughput NGFW Concurrent connections New connections/sec IPsec VPN throughput IPsec VPN concurrent tunnels SSL VPN concurrent tunnels Xstream SSL/TLS Inspection Xstream SSL/TLS concurrent connections XGS 87(w) 3,850 Mbps 3,000 Mbps 6 µs 1,200 Mbps 850 Mbps 700 Mbps 1,600,000 35,700 3,000 Mbps 500 500 375 Mbps 8,192 Note: For performance testing methodology, see page 10 Wireless Specification (XGS 87w only) No. of antennas 2 external MIMO capabilities 2 x 2:2 Wireless interface Wi-Fi 5 (802.11ac) 2.4 GHz/5 GHz Physical Interfaces Storage Ethernet interfaces (fixed) Management ports Other I/O ports Number of expansion slots Optional add-on connectivity * SFP transceivers sold separately 16 GB eMMC 4 x GE copper 1 x SFP fiber* 1 x COM RJ45 1 x Micro-USB (cable incl.) 1 x USB 2.0 (front) 1 x USB 3.0 (rear) 0 SFP DSL module (VDSL2) SFP transceivers 17 Sophos XGS Series Desktop: SMB and Branch Office Gen.1: XGS 107, XGS 107w Technical specifications Sophos Firewall Front View 1 x USB 2.0 Status LEDs (w-model has additional Wi-Fi LED) 1 x COM Micro USB Back View 2 x external antenna (XGS 107w only) Connector for optional 2nd redundant power supply 1 x COM (RJ45) 1 x GE SFP Performance Firewall throughput Firewall IMIX Firewall Latency (64 byte UDP) IPS throughput Threat Protection throughput NGFW Concurrent connections New connections/sec IPsec VPN throughput SSL VPN concurrent tunnels IPsec VPN concurrent tunnels Xstream SSL/TLS Inspection Xstream SSL/TLS concurrent connections XGS 107(w) 7,000 Mbps 3,750 Mbps 6 µs 1,500 Mbps 1,110 Mbps 1,050 Mbps 1,600,000 44,400 4,000 Mbps 1,000 1,000 420 Mbps 8,192 Note: For performance testing methodology, see page 10 Wireless Specification (XGS 107w only) No. of antennas 2 external MIMO capabilities 2 x 2:2 Wireless interface Wi-Fi 5 (802.11ac) 2.4 GHz/5 GHz Power supply 1 x USB 3.0 8 x GE copper port Physical Specifications Mounting Dimensions: Width X height X depth Weight Environment Power supply Power consumption Operating temperature Humidity Rackmount kit available (to be ordered separately) 230 x 44 x 205.5 mm 1.4 kg/3.09 lbs (unpacked) 2.8 kg/6.17 lbs (packed) (w-model minimally more) External auto-ranging AC-DC 100-240VAC, 1.7A@50-60 Hz 12VDC, 5A, 60W Optional second redundant power supply 26.1 W/89.06 BTU/hr (107 idle) 29.8 W/101.68 BTU/hr (107w idle) 53.9 W/183.91 BTU/hr (107 max.) 57.3 W/195.52 BTU/hr (107w max.) 0°C to 40°C (operating) -20°C to +70°C (storage) 10% to 90%, non-condensing Physical Interfaces Storage (local quarantine/logs) Ethernet interfaces (fixed) Management ports Other I/O ports Number of expansion slots Optional add-on connectivity * SFP transceivers sold separately Integrated 64 GB SSD 8 x GbE copper 1 x SFP fiber* 1 x COM RJ45 1 x Micro-USB (cable incl.) 1 x USB 2.0 (front) 1 x USB 3.0 (rear) 0 SFP DSL module (VDSL2) SFP transceivers Product Certifications Certifications * XGS 107 only CB, CE, UKCA, UL, FCC, ISED, VCCI, CCC, KC*, BSMI, RCM, NOM, Anatel*, TEC, SDPPI* 18 Sophos XGS Series Desktop: SMB and Branch Office Gen.1: XGS 116, XGS 116w Technical specifications Sophos Firewall Front View 1 x USB 2.0 1 x COM Micro USB Back View 2 x external antenna (XGS 116w only) Status LEDs (w-model has additional Wi-Fi LED) 1 x COM (RJ45) F1 1 x SFP fiber port 1 x GE Optional module copper port expansion bay Power supply 1 x USB 3.0 6 x GE copper port Connector for optional 2nd redundant power supply 1 x GE PoE port Physical Specifications Mounting Dimensions: Width X height X depth Weight Environment Power supply Power consumption PoE addition enabled Operating temperature Humidity Product Certifications Certifications * XGS 116 only Rackmount kit available (to be ordered separately) 320 x 44 x 213 mm 2.2 kg/4.85 lbs (unpacked) 4.2 kg/9.26 lbs (packed) (w-model minimally higher) External auto-ranging AC-DC 100-240VAC, 2.5A@50-60 Hz 12VDC, 12.5A, 150W Optional second redundant power supply 28 W/96 BTU/hr (116 idle) 30 W/102 BTU/hr (116w idle) 57 W/195 BTU/hr (116 max.) 60 W/205 BTU/hr (116w max.) 38 W/130 BTU/hr (max.) 0°C to 40°C (operating) -20°C to +70°C (storage) 10% to 90%, non-condensing CB, CE, UKCA, UL, FCC, ISED, VCCI, CCC, KC*, BSMI, RCM, NOM, Anatel*, TEC Performance Firewall throughput Firewall IMIX Firewall Latency (64 byte UDP) IPS throughput Threat Protection throughput NGFW Concurrent connections New connections/sec IPsec VPN throughput IPsec VPN concurrent tunnels SSL VPN concurrent tunnels Xstream SSL/TLS Inspection Xstream SSL/TLS concurrent connections XGS 116(w) 7,700 Mbps 4,500 Mbps 8 µs 2,500 Mbps 2,160 Mbps 2,000 Mbps 1,600,000 61,500 4,800 Mbps 1,500 1,250 650 Mbps 8,192 Note: For performance testing methodology, see page 10 Wireless Specification (XGS 116w only) No. of antennas 2 external MIMO capabilities Wireless interface Optional second Wi-Fi module 2 x 2:2 Wi-Fi 5 (802.11a/b/g/n/ac) 2.4 GHz / 5 GHz Wi-Fi 5/802.11a/b/g/n/ac Physical Interfaces Storage (local quarantine/logs) Ethernet interfaces (fixed) Power-over-Ethernet (fixed) Management ports Other I/O ports Number of expansion slots Optional add-on connectivity * SFP transceivers sold separately Integrated 64 GB SSD 8 GE copper 1 GE SFP* 1 x GE 803.2at (30W max.) 1 x COM RJ45 1 x Micro-USB (cable incl.) 1 x USB 2.0 (front) 1 x USB 3.0 (rear) 1 SFP DSL module (VDSL2) 3G/4G module/5G module Second Wi-Fi radio (XGS 116w only) SFP transceivers 19 Sophos XGS Series Desktop: SMB and Branch Office Gen.1: XGS 126, XGS 126w, XGS 136, XGS 136w Technical specifications Sophos Firewall Front View 1 x USB 2.0 1 x COM Micro USB Back View 3 x external antenna (XGS 126w/136w only) Status LEDs (w-model has additional Wi-Fi LED) 1 x COM (RJ45) F1F2 2 x SFP fiber ports Optional module expansion bay Power supply 1 x USB 3.0 Connector for optional 2nd redundant power supply 10 x GE copper port 2 x 2.5 GE PoE port (136(w)) 2 x GbE PoE port (126(w)) Physical Specifications Mounting Dimensions: Width X height X depth Weight Environment Power supply Power consumption PoE addition enabled Operating temperature Humidity Rackmount kit available (to be ordered separately) 320 x 44 x 213 mm 2.4 kg/5.29 lbs (unpacked) 4.4 kg/9.70 lbs (packed) (w-model minimally higher) External auto-ranging AC-DC 100-240VAC, 2.5A@50-60 Hz 12VDC, 12.5A, 150W Optional second redundant power supply 30 W/102 BTU/hr (126/136 idle) 32 W/109 BTU/hr (126w/136w idle) 59 W/202 BTU/hr (126 max.) 62 W/212 BTU/hr (126w/136 max.) 65 W/222 BTU/hr (136w max.) 76 W/260 BTU/hr (max.) 0°C to 40°C (operating) -20°C to +70°C (storage) 10% to 90%, non-condensing Performance Firewall throughput Firewall IMIX Firewall Latency (64 byte UDP) IPS throughput Threat Protection throughput NGFW Concurrent connections New connections/sec IPsec VPN throughput IPsec VPN concurrent tunnels SSL VPN concurrent tunnels Xstream SSL/TLS Inspection Xstream SSL/TLS concurrent connections XGS 126(w) 10,500 Mbps 5,250 Mbps 8 µs 3,250 Mbps 2,700 Mbps 2,500 Mbps 5,000,000 69,900 5,500 Mbps 2,500 1,500 800 Mbps 12,288 Note: For performance testing methodology, see page 10 XGS 136(w) 11,500 Mbps 6,500 Mbps 8 µs 4,000 Mbps 3,000 Mbps 3,000 Mbps 6,400,000 74,500 6,350 Mbps 2,500 1,500 950 Mbps 18,432 Wireless Specification (XGS 126w and XGS 136w only) No. of antennas 3 external MIMO capabilities Wireless interface Optional 2nd Wi-Fi Module 3 x 3:3 Wi-Fi 5 (802.11a/b/g/n/ac) 2.4 GHz / 5 GHz Wi-Fi 5 (802.11a/b/g/n/ac) Physical Interfaces Storage (local quarantine/logs) Ethernet interfaces (fixed) Power-over-Ethernet (fixed) Management ports Other I/O ports Number of expansion slots Optional add-on connectivity * SFP transceivers sold separately Integrated 64 GB SSD 12 x GE copper 2 x SFP fiber* 10 x GE copper 2 x 2.5 GE copper 2 x SFP fiber* 2 x GE 2 x 2.5 GE (30W max. per port) (30W max. per port) 1 x COM RJ45 1 x Micro-USB (cable incl.) 1 x USB 2.0 (front) 1 x USB 3.0 (rear) 1 SFP DSL module (VDSL2) 3G/4G module/5G module Second Wi-Fi radio (XGS 126w/136w only) SFP transceivers Product Certifications Certifications * XGS 126 and XGS 136 only XGS 136 only CB, CE, UKCA, UL, FCC, ISED, VCCI, CCC, KC*, BSMI, RCM, NOM, Anatel*, TEC, SDPPI 20 Sophos Firewall Sophos XGS Series 1U: Distributed Edge Mid-sized and distributed organizations that need a versatile solution to power and protect their networks will be well-served with our 1U models. These rackmount firewalls offer excellent performance, a diverse range of high-speed interfaces, and a choice of add-on connectivity modules. Whether your priority is ensuring maximum uptime for your SD-WAN links, securely connecting your remote users, or protecting your growing organization's network, you can tailor these models to your dynamic environment. All models are powered by a high-speed CPU plus a dedicated Xstream Flow Processor for hardware acceleration. Product highlights Ì Dual processor architecture supports all key protection features without compromising performance Ì Copper and fiber ports built in Ì LAN bypass ports on every model Ì Modular Flexi Port expansion bay(s) on every model to adapt connectivity Ì Second power supply option for all models Ì Centrally powered PoE Flexi Port module option to provide redundant power for PoE devices Ì Rackmount kit included Product highlights XGS 2100 See detailed technical specifications XGS 2300 See detailed technical specifications XGS 3100 See detailed technical specifications XGS 3300 See detailed technical specifications XGS 4300 See detailed technical specifications XGS 4500 See detailed technical specifications LAN and WAN edge connectivity Securely connect your branch offices or remote locations to your main office with Sophos SD-RED, Remote Ethernet Devices, and add connectivity at the LAN edge with our access layer switches and access points. Find out more at the end of this brochure and sophos.com/switch. 21 Sophos XGS Series 1U: Distributed Edge XGS 2100, XGS 2300 Technical specifications Sophos Firewall Front View Multi-function LCD display and navigation COM: Micro USB, RJ45, 2 x USB 3.0, MGMT port LAN 18: 8 x GE copper 1 bypass pair (ports 1/2) Back View F1F2 2 x SFP fiber ports 1 x expansion bay (shown with optional module) Power switch Power supply Mounting pins for external power supply Physical Specifications Mounting Dimensions: Width X height X depth Weight Environment Power supply Power consumption PoE addition enabled Operating temperature Humidity Product Certifications Certifications Connector for external redundant power supply (available as an option) USB 1U rackmount (2 rackmount ears included) 438 x 44 x 405 mm 4.7 kg/10.36 lbs (unpacked) 7 kg/15.43 lbs (packed) Internal auto-ranging AC-DC 100-240VAC, 3-6A@50-60 Hz External Redundant PSU Option 43 W/146.86 BTU/hr (2100 idle) 45 W/153.7 BTU/hr (2300 idle) 162 W/533.5 BTU/hr (2100 max.) 167 W/570.74 BTU/hr (2300 max.) 76 W/260 BTU/hr (max.) 0°C to 40°C (operating) -20°C to +70°C (storage) 10% to 90%, non-condensing CB, CE, UKCA, UL, FCC, ISED, VCCI, KC, RCM, NOM, Anatel, CCC, BSMI, TEC, SDPPI Performance Firewall throughput Firewall IMIX Firewall Latency (64 byte UDP) IPS throughput Threat Protection throughput NGFW Concurrent connections New connections/sec IPsec VPN throughput IPsec VPN concurrent tunnels SSL VPN concurrent tunnels Xstream SSL/TLS Inspection Xstream SSL/TLS concurrent connections XGS 2100 30,000 Mbps 16,500 Mbps 6 µs 6,000 Mbps 5,000 Mbps 5,200 Mbps 6,500,000 134,700 17,000 Mbps 5,000 2,500 1,100 Mbps 18,432 Note: For performance testing methodology, see page 10 XGS 2300 39,000 Mbps 20,000 Mbps 4 µs 7,000 Mbps 5,500 Mbps 6,300 Mbps 6,500,000 148,000 20,500 Mbps 5,000 2,500 1,450 Mbps 18,432 Physical Interfaces Storage (local quarantine/logs) Ethernet interfaces (fixed) Bypass port pairs Management ports Other I/O ports Integrated min. 120 GB SATA-III SSD 8 x GE copper 2 x SFP fiber* 1 1 x RJ45 MGMT 1 x COM RJ45 1 x Micro-USB (cable incl.) 2 x USB 3.0 (front) 1 x USB 2.0 (rear) Number of Flexi Port slots Flexi Port modules (optional) 1 8 port GE copper 8 port GE SFP fiber 4 port 10GE SFP+ fiber 4 port GE copper bypass (2 pairs) 4 port GE copper PoE + 4 port GE copper 4 port 2.5 GE copper PoE 2 port GE Fiber (LC) bypass + 4 port GE SFP Fiber Max. total port density (incl. use of modules) Max. Power-over-Ethernet (using Flexi Port module) Optional add-on connectivity Display 18 1 module: 4 ports, 60W max. SFP DSL module (VDSL2) SFP/SFP+ Transceivers Multi-function LCD module * Transceivers (mini GBICs) sold separately 22 Sophos XGS Series 1U: Distributed Edge XGS 3100, XGS 3300 Technical specifications Sophos Firewall Front View Multi-function LCD display and navigation COM: Micro USB, RJ45, 2 x USB 3.0, MGMT port LAN 18: 8 x GE copper 1 bypass pair (ports 1/2) Back View F1F4 4 x SFP+ fiber ports F3F4: 2 x SFP fiber ports 1 x expansion bay (shown with optional module) Power switch Power supply Mounting pins for external power supply Physical Specifications Mounting Dimensions: Width X height X depth Weight Environment Power supply Power consumption PoE addition enabled Operating temperature Humidity Product Certifications Certifications Connector for external redundant power supply (available as an option) USB 1U rackmount (2 rackmount ears included) 438 x 44 x 405 mm 4.7 kg/10.36 lbs (unpacked) 7 kg/15.43 lbs (packed) Internal auto-ranging AC-DC 100-240VAC, 3-6A@50-60 Hz External Redundant PSU Option 50 W/170.77 BTU/hr (3100 idle) 50 W/170.77 BTU/hr (3300 idle) 182 W/621.97 BTU/hr (3100 max.) 201 W/686.68 BTU/hr (3300 max.) 76 W/260 BTU/hr (max.) 0°C to 40°C (operating) -20°C to +70°C (storage) 10% to 90%, non-condensing CB, CE, UKCA, UL, FCC, ISED, VCCI, KC, RCM, NOM, Anatel, CCC, BSMI, TEC, SDPPI Performance Firewall throughput Firewall IMIX Firewall Latency (64 byte UDP) IPS throughput Threat Protection throughput NGFW Concurrent connections New connections/sec IPsec VPN throughput IPsec VPN concurrent tunnels SSL VPN concurrent tunnels Xstream SSL/TLS Inspection Xstream SSL/TLS concurrent connections XGS 3100 47,000 Mbps 23,500 Mbps 4 µs 10,500 Mbps 7,400 Mbps 9,000 Mbps 12,260,000 186,500 25,000 Mbps 6,500 5,000 2,470 Mbps 55,296 Note: For performance testing methodology, see page 10 XGS 3300 58,000 Mbps 27,000 Mbps 4 µs 14,000 Mbps 10,000 Mbps 12,500 Mbps 13,700,000 257,800 31,100 Mbps 6,500 5,000 3,130 Mbps 102,400 Physical Interfaces Storage (local quarantine/logs) Integrated min. 240 GB SATA-III SSD Ethernet interfaces (fixed) 8 x GE copper 2 x SFP fiber* 2 x SFP+ 10 GE fiber* Bypass port pairs Management ports 1 1 x RJ45 MGMT 1 x COM RJ45 1 x Micro-USB (cable incl.) Other I/O ports 2 x USB 3.0 (front) 1 x USB 2.0 (rear) Number of Flexi Port slots 1 Flexi Port modules (optional) 8 port GE copper 8 port GE SFP fiber 4 port 10 GE SFP+ fiber 4 port GE copper bypass (2 pairs) 4 port GE copper PoE + 4 port GE copper 4 port 2.5 GE copper PoE 2 port GbE Fiber (LC) bypass + 4 port GE SFP Fiber Max. total port density 20 (incl. use of modules) Max. Power-over-Ethernet (using Flexi Port module) Optional add-on connectivity 1 module: 4 ports, 60W max. SFP DSL module (VDSL2) SFP/SFP+ Transceivers Display Multi-function LCD module * Transceivers (mini GBICs) sold separately 23 Sophos XGS Series 1U: Distributed Edge XGS 4300 Technical specifications Sophos Firewall Front View Multi-function LCD display and navigation COM: Micro USB, RJ45, 2 x USB 3.0, MGMT port LAN 58: 4 x 2.5 GE copper F1F4 4 x SFP+ fiber ports Back View LAN 14: 4 x GE copper 2 bypass pairs (ports 1/2 and 3/4) Power switch 2 x expansion bay (shown with optional modules) Power supply Mounting pins for external power supply Physical Specifications Mounting Dimensions: Width X height X depth Weight Environment Power supply Power consumption PoE addition enabled Operating temperature Humidity Product Certifications Certifications Connector for external redundant power supply (available as an option) 1U rackmount (sliding rails incl.) 438 x 44 x 510 mm 8.7 kg/19.18 lbs (unpacked) 14.9 kg/32.85 lbs (packed) Internal auto-ranging AC-DC 100-240VAC, 3.7-7.4A@50-60 Hz External Redundant PSU Option 131 W/447.43 BTU/hr (idle) 268.35 W/916.56 BTU/hr (max.) 152 W/519 BTU/hr 0°C to 40°C (operating) -20 to +70°C (storage) 10% to 90%, non-condensing CB, CE, UKCA, UL, FCC, ISED, VCCI, KC, RCM, NOM, Anatel, CCC, BSMI, TEC, SDPPI Performance Firewall throughput Firewall IMIX Firewall Latency (64 byte UDP) IPS throughput Threat Protection throughput NGFW Concurrent connections New connections/sec IPsec VPN throughput IPsec VPN concurrent tunnels SSL VPN concurrent tunnels Xstream SSL/TLS Inspection Xstream SSL/TLS concurrent connections XGS 4300 75,000 Mbps 33,000 Mbps 3 µs 29,500 Mbps 25,200 Mbps 23,000 Mbps 16,600,000 368,000 62,500 Mbps 8,500 7,500 8,000 Mbps 276,480 Note: For performance testing methodology, see page 10 Physical Interfaces Storage (local quarantine/logs) Ethernet interfaces (fixed) Bypass port pairs Management ports Other I/O ports Number of Flexi Port slots Flexi Port modules (optional) 1 x min. 240 GB SATA-III SSD 4 x GE copper 4 x 2.5 GE copper 4 x SFP+ 10 GE fiber* 2 1 x RJ45 MGMT 1 x COM RJ45 1 x Micro-USB (cable incl.) 2 x USB 3.0 (front) 2 8 port GE copper 8 port GE SFP fiber 4 port 10 GE SFP+ fiber 4 port GbE copper bypass (2 pairs) 4 port GE copper PoE + 4 port GE copper 4 port 2.5 GE copper PoE 2 port GE Fiber (LC) bypass + 4 port GE SFP Fiber Max. total port density (incl. use of modules) Max. Power-over-Ethernet (using Flexi Port module) Optional add-on connectivity Display 28 2 modules: 4 ports, 60W max. each SFP DSL module (VDSL2) SFP/SFP+ Transceivers Multi-function LCD module * Transceivers (mini GBICs) sold separately 24 Sophos XGS Series 1U: Distributed Edge XGS 4500 Technical specifications Sophos Firewall Front View Multi-function LCD display and navigation COM: Micro USB, RJ45, 2 x USB 3.0, MGMT port LAN 58: 4 x 2.5 GE copper F1F4 4 x SFP+ fiber ports Back View LAN 14: 4 x GE copper 2 bypass pairs (ports 1/2 and 3/4) Power switch 2 x expansion bay (shown with optional modules) Hot swappable power supply Physical Specifications Mounting Dimensions: Width X height X depth Weight Environment Power supply Power consumption PoE addition enabled Operating temperature Humidity Product Certifications Certifications Slot for internal redundant power supply (available as an option) 1U rackmount (sliding rails incl.) 438 x 44 x 510 mm 9.7 kg/21.38 lbs (unpacked) 15.9 kg/35.05 lbs (packed) Internal Hot Swappable auto-ranging AC-DC 100-240VAC, 3.7-7.4A@50-60 Hz Internal Redundant PSU Option 151 W/515.74 BTU/hr (idle) 268.35 W/916.56 BTU/hr (max.) 152 W/519 BTU/hr 0°C to 40°C (operating) -20 to +70°C (storage) 10% to 90%, non-condensing CB, CE, UKCA, UL, FCC, ISED, VCCI, KC, RCM, NOM, Anatel, CCC, BSMI, TEC, SDPPI Performance Firewall throughput Firewall IMIX Firewall Latency (64 byte UDP) IPS throughput Threat Protection throughput NGFW Concurrent connections New connections/sec IPsec VPN throughput IPsec VPN concurrent tunnels SSL VPN concurrent tunnels Xstream SSL/TLS Inspection Xstream SSL/TLS concurrent connections XGS 4500 80,000 Mbps 37,000 Mbps 4 µs 36,500 Mbps 31,850 Mbps 30,000 Mbps 17,200,000 450,000 75,550 Mbps 8,500 10,000 10,600 Mbps 276,480 Note: For performance testing methodology, see page 10 Physical Interfaces Storage (local quarantine/logs) Ethernet interfaces (fixed) Bypass port pairs Management ports Other I/O ports Number of Flexi Port slots Flexi Port modules (optional) 2 x min. 240 GB SATA-III SSD (SW RAID-1) 4 x GE copper 4 x 2.5 GE copper 4 x SFP+ 10 GE fiber* 2 1 x RJ45 MGMT 1 x COM RJ45 1 x Micro-USB (cable incl.) 2 x USB 3.0 (front) 2 8 port GE copper 8 port GE SFP fiber 4 port 10 GE SFP+ fiber 4 port GE copper bypass (2 pairs) 4 port GE copper PoE + 4 port GE copper 4 port 2.5 GE copper PoE 2 port GE Fiber (LC) bypass + 4 port GE SFP Fiber Max. total port density (incl. use of modules) Max. Power-over-Ethernet (using Flexi Port module) Optional add-on connectivity Display 28 2 modules: 4 ports, 60W max. each SFP DSL module (VDSL2) SFP/SFP+ Transceivers Multi-function LCD module * Transceivers (mini GBICs) sold separately 25 Sophos Firewall Sophos XGS Series 2U: Enterprise and Campus Edge These next-gen firewalls provide no-compromise protection, performance, and business continuity to distributed and growing enterprises that require maximum throughput for even the most complex networks. The Xstream Flow Processors provide dedicated hardware acceleration to easily handle full-on protection for today's encrypted, cloud-hosted applications and traffic. These models strike the perfect balance between port density and modularity, with a range of high-speed, built-in ports, plus additional high-density Flexi Port modules available to extend connectivity even further. All models are powered by a high-speed CPU plus a dedicated Xstream Flow Processor for enterprise-grade hardware acceleration. Product highlights Ì Dual-processor architecture with dedicated co-processor for hardware acceleration Ì Built to power all key threat protection features such as TLS inspection, sandboxing, and AI-driven threat analysis Ì Excellent price-to-performance ratio Ì A range of standard 1 GE copper plus 8 to 12 SFP+ 10 GE fiber interfaces built in Ì QSPF28 ports on the XGS 7500 and 8500 provide port speeds of up to 40 Gbps (7500) and 100 Gbps (8500) Ì Optional standard and high-density Flexi Port modules available to extend and adapt connectivity Ì Maximum port density of 48 (XGS 5500), 68 (XGS 6500), or 70 (XGS 7500/8500) using optional modules Ì Redundancy features on all models ensure business continuity Product highlights XGS 5500 See detailed technical specifications XGS 6500 See detailed technical specifications XGS 7500 See detailed technical specifications XGS 8500 See detailed technical specifications 26 Sophos XGS Series 2U: Enterprise Edge XGS 5500 Technical specifications Sophos Firewall Front View Multi-function LCD display and navigation COM: Micro USB, RJ45, 2 x USB 3.0, MGMT port 1 x expansion bay (shown with optional module) F1F4/F5F8 fiber ports Back View LAN 18: 8 x GE copper fixed. Incl. 2 bypass pairs (ports 1/2 and 3/4) 2 x expansion bay (shown with optional modules) ESD grounding point 2 x hot swappable power supply Physical Specifications Mounting Dimensions: Width X height X depth Weight Environment Power supply Power consumption Operating temperature Humidity Product Certifications Certifications Power switch Chassis grounding connections 2U sliding rails (included) 438 x 88 x 645 mm 17.8 kg/39.24 lbs (unpacked) 27 kg/59.53 lbs (packed) 2 x hot-swap internal auto-ranging 100-240VAC, 50-60 Hz PSU 168.0W/573.81 BTU/h (idle) 478.01W/1117.43 BTU/h (max.) 0°C to 40°C (operating) -20°C to +70°C (storage) 10% to 90%, non-condensing CB, CE, UKCA, UL, FCC, ISED, VCCI, BSMI, RCM, NOM, Anatel, KC, CCC, SDPPI Planned: TEC Performance Firewall throughput Firewall IMIX Firewall Latency (64 byte UDP) IPS throughput Threat Protection throughput NGFW Concurrent connections New connections/sec IPsec VPN throughput IPsec VPN concurrent tunnels SSL VPN concurrent tunnels Xstream SSL/TLS Inspection Xstream SSL/TLS concurrent connections XGS 5500 100,000 Mbps 52,000 Mbps 5 µs 40,000 Mbps 46,000 Mbps 38,000 Mbps 32,400,000 468,000 92,500 Mbps 10,000 15,000 13,500 Mbps 512,000 Note: For performance testing methodology, see page 10 Physical Interfaces Storage (local quarantine/logs) 2 x min. 480 GB SATA-III SSD HW RAID built into CPU Ethernet interfaces (fixed) Bypass port pairs Management ports Other I/O ports Number of Flexi Port slots Flexi Port modules (optional) Max. total port density (incl. use of modules) Optional add-on connectivity Display 8 x GE copper 8 x SFP+ 10 GE fiber* 2 1 x RJ45 MGMT 1 x COM RJ45 1 x Micro-USB (cable incl.) 2 x USB 3.0 (front) 2 + 1 for high-density module 8 port GE copper 8 port GE SFP fiber 4 port 10 GE SFP+ fiber 4 port GbE copper bypass (2 pairs) 2 port 40 GE QSFP+ fiber 8 port 10 GE SFP+ fiber 2 port GbE Fiber (LC) bypass + 4 port GE SFP Fiber 2 port 10 GE Fiber (LC) bypass + 4 port 10 GE SFP+ Fiber High-density module (NIC): 12 port GE copper + 4 port 2.5 GE copper 48 SFP DSL module (VDSL2) SFP/SFP+ Transceivers Multi-function LCD module * Transceivers (mini GBICs) sold separately 27 Sophos XGS Series 2U: Enterprise Edge XGS 6500 Technical specifications Sophos Firewall Front View Multi-function LCD display and navigation COM: Micro USB, RJ45, 2 x USB 3.0, MGMT port 2 x expansion bay (shown with optional modules) F1F4/F5F8/F9F12 fiber ports Back View LAN 18: 8 x GE copper fixed. Incl. 2 bypass pairs (ports 1/2 and 3/4) 2 x expansion bay (shown with optional modules) ESD grounding point 2 x hot swappable power supply Physical Specifications Mounting Dimensions: Width X height X depth Weight Environment Power supply Power consumption Operating temperature Humidity Product Certifications Certifications Power switch Chassis grounding connections 2U sliding rails (included) 438 x 88 x 645 mm 17.8 kg/39.24 lbs (unpacked) 27 kg/59.53 lbs (packed) 2 x hot-swap internal auto-ranging 100-240VAC, 50-60 Hz PSU 188.00 W/642.13 BTU/h (idle) 497.09 W/1697.8 BTU/h (max.) 0°C to 40°C (operating) -20°C to +70°C (storage) 10% to 90%, non-condensing CB, CE, UKCA, UL, FCC, ISED, VCCI, BSMI, RCM, NOM, Anatel, KC, CCC, SDPPI Planned: TEC Performance Firewall throughput Firewall IMIX Firewall Latency (64 byte UDP) IPS throughput Threat Protection throughput NGFW Concurrent connections New connections/sec IPsec VPN throughput IPsec VPN concurrent tunnels SSL VPN concurrent tunnels Xstream SSL/TLS Inspection Xstream SSL/TLS concurrent connections XGS 6500 120,000 Mbps 60,000 Mbps 5 µs 50,750 Mbps 53,500 Mbps 46,500 Mbps 39,900,000 496,000 109,800 Mbps 10,000 15,000 16,000 Mbps 768,000 Note: For performance testing methodology, see page 10 Physical Interfaces Storage (local quarantine/logs) 2 x min. 480 GB SATA-III SSD HW RAID built into CPU Ethernet interfaces (fixed) Bypass port pairs Management ports Other I/O ports Number of Flexi Port slots Flexi Port modules (optional) Max. total port density (incl. use of modules) Optional add-on connectivity Display 8 x GE copper 12 x SFP+ 10 GE fiber* 2 1 x RJ45 MGMT 1 x COM RJ45 1 x Micro-USB (cable incl.) 2 x USB 3.0 (front) 2 + 2 for high-density module 8 port GE copper 8 port GE SFP fiber 4 port 10 GE SFP+ fiber 4 port GE copper bypass (2 pairs) 2 port 40 GE QSFP+ fiber 8 port 10 GE SFP+ fiber 2 port GbE Fiber (LC) bypass + 4 port GE SFP Fiber 2 port 10 GE Fiber (LC) bypass + 4 port 10 GE SFP+ Fiber High-density module (NIC): 12 port GE copper + 4 port 2.5 GE copper 68 SFP DSL module (VDSL2) SFP/SFP+ Transceivers Multi-function LCD module * Transceivers (mini GBICs) sold separately 28 Sophos XGS Series 2U: Enterprise/Campus Edge XGS 7500 Technical specifications Sophos Firewall Front View Multi-function LCD display and navigation COM: Micro USB, RJ45, 2 x USB 3.0, MGMT port 2 x large expansion bay (shown with optional High-Density modules) F112 SFP+ fiber/DAC ports Back View F13F14 QSFP28 LAN 18: 8 x GE copper fiber/DAC ports fixed. Incl. 2 bypass pairs (max. 40 Gbps) (ports 1/2 and 3/4) 2 x expansion bay (shown with optional modules) ESD grounding point 2 x hot swappable power supply Physical Specifications Mounting Dimensions: Width X height X depth Weight Environment Power supply Power consumption Operating temperature Humidity Product Certifications Certifications Power switch Chassis grounding connections 2U sliding rails (included) 438 x 88 x 645 mm 17.24 x 3.46 x 25.39 inches 18 kg/39.68 lbs (unpacked) 27.3 kg/60.19 lbs (packed) 2 x hot-swap internal auto-ranging 100-240VAC, 50-60 Hz PSU 306 W/1,044 BTU/h (idle) 635 W/2,165 BTU/h (max.) 0°C to 40°C (operating) -20°C to +70°C (storage) 10% to 90%, non-condensing CB, CE, UKCA, UL, FCC, ISED, VCCI, BSMI, RCM, NOM, KC, SDPPI, Anatel, CCC. Planned: TEC Performance Firewall throughput Firewall IMIX Firewall Latency (64 byte UDP) IPS throughput Threat Protection throughput NGFW Concurrent connections New connections/sec IPsec VPN throughput IPsec VPN concurrent tunnels SSL VPN concurrent tunnels Xstream SSL/TLS Inspection Xstream SSL/TLS concurrentconnections XGS 7500 160,000 Mbps 70,500 Mbps 5.4 µs 71,500 Mbps 70,000 Mbps 58,000 Mbps 48,000,000 1,100,000 117,000 Mbps 12,500 19,000 19,500 Mbps 1,280,000 Note: For performance testing methodology, see page 10 Physical Interfaces Storage (local quarantine/logs) 2 x min. 960 GB NVMe SSD HW RAID built into CPU Ethernet interfaces (fixed) 8 x GbE copper 12 x SFP+ 10 GbE fiber* 2 x QSFP28 (up to 40 Gbps) Bypass port pairs 2 Management ports 1 x RJ45 MGMT 1 x COM RJ45 1 x Micro-USB (cable incl.) Other I/O ports 2 x USB 3.0 (front) Number of Flexi Port slots Flexi Port modules (optional) 2 + 2 for high-density module 8 port GE copper 8 port GE SFP fiber 4 port 10 GE SFP+ fiber 4 port GE copper bypass (2 pairs) 2 port 40 GE QSFP+ fiber 8 port 10 GE SFP+ fiber 2 port GE Fiber (LC) bypass + 4 port GE SFP Fiber 2 port 10 GE Fiber (LC) bypass + 4 port 10 GE SFP+ Fiber High-density module (NIC): 12 port GE copper + 4 port 2.5 GE copper Max. total port density (incl. use of modules) Optional add-on connectivity 70 SFP DSL module (VDSL2) SFP/SFP+ Transceivers Display Multi-function LCD module * Transceivers (mini GBICs) sold separately 29 Sophos XGS Series 2U: Enterprise/Campus Edge XGS 8500 Technical specifications Sophos Firewall Front View Multi-function LCD display and navigation COM: Micro USB, RJ45, 2 x USB 3.0, MGMT port 2 x large expansion bay (shown with optional High-Density modules) F112 SFP+ fiber/DAC ports Back View F13F14 QSFP28 LAN 18: 8 x GE copper fiber/DAC ports fixed. Incl. 2 bypass pairs (max. 100 Gbps) (ports 1/2 and 3/4) 2 x expansion bay (shown with optional modules) ESD grounding point 2 x hot swappable power supply Physical Specifications Mounting Dimensions: Width X height X depth Weight Environment Power supply Power consumption Operating temperature Humidity Product Certifications Certifications Power switch Chassis grounding connections 2U sliding rails (included) 438 x 88 x 645 mm 17.24 x 3.46 x 25.39 inches 18 kg/39.68 lbs (unpacked) 27.3 kg/60.19 lbs (packed) 2 x hot-swap internal auto-ranging 100-240VAC, 50-60 Hz PSU 318 W/1,085 BTU/h (idle) 645 W/2,200 BTU/h (max.) 0°C to 40°C (operating) -20°C to +70°C (storage) 10% to 90%, non-condensing CB, CE, UKCA, UL, FCC, ISED, VCCI, BSMI, RCM, NOM, KC, SDPPI, Anatel, CCC. Planned: TEC Performance Firewall throughput Firewall IMIX Firewall Latency (64 byte UDP) IPS throughput Threat Protection throughput NGFW Concurrent connections New connections/sec IPsec VPN throughput IPsec VPN concurrent tunnels SSL VPN concurrent tunnels Xstream SSL/TLS Inspection Xstream SSL/TLS concurrent connections XGS 8500 190,000 Mbps 81,000 Mbps 5.5 µs 93,000 Mbps 92,500 Mbps 76,000 Mbps 58,000,000 1,700,000 141,000 Mbps 15,000 24,000 24,000 Mbps 2,500,000 Note: For performance testing methodology, see page 10 Physical Interfaces Storage (local quarantine/logs) 2 x min. 960 GB NVMe SSD HW RAID built into CPU Ethernet interfaces (fixed) 8 x GE copper 12 x SFP+ 10 GE fiber* 2 x QSFP28 (up to 100 Gbps) Bypass port pairs 2 Management ports 1 x RJ45 MGMT 1 x COM RJ45 1 x Micro-USB (cable incl.) Other I/O ports 2 x USB 3.0 (front) Number of Flexi Port slots Flexi Port modules (optional) 2 + 2 for high-density module 8 port GE copper 8 port GE SFP fiber 4 port 10 GE SFP+ fiber 4 port GE copper bypass (2 pairs) 2 port 40 GE QSFP+ fiber 8 port 10 GE SFP+ fiber 2 port GE Fiber (LC) bypass + 4 port GE SFP Fiber 2 port 10 GE Fiber (LC) bypass + 4 port 10 GE SFP+ Fiber High-density module (NIC): 12 port GE copper + 4 port 2.5 GE copper Max. total port density (incl. use of modules) Optional add-on connectivity 70 SFP DSL module (VDSL2) SFP/SFP+ Transceivers Display Multi-function LCD module * Transceivers (mini GBICs) sold separately 30 Sophos Firewall Adapt Connectivity with Optional Modules Connectivity modules Add additional connectivity options to your appliances to enhance the range and performance of your network. XGS Series: Optional connectivity modules Desktop Modules Other Connectivity Options Optional Transceivers A range of optional transceivers are available, incl. SFP, SFP+ 2nd Wi-Fi 5 Module For XGS 116w, 126w, and 136w only (not compatible with XG Series) 3G/4G Module For XGS 116(w), 126(w), and 136(w) models only (not compatible with XG Series) 5G Module (Gen.1) For XGS 116(w), 126(w), and 136(w) models only (not compatible with XG Series) 5G Module (Gen.2) For XGS 118(w), XGS 128(w), XGS 138 (not compatible with Gen.1 XGS or XG Series) 31 XGS Series: Gen.2 Desktop accessory matrix by model Model XGS 88 XGS 88w XGS 108 XGS 108w XGS 118 XGS 118w XGS 128 XGS 128w XGS 138 Redundancy Power n/a Expansion Bay Connectivity 5G module n/a n/a Optional 2nd power supply 1 Optional Wi-Fi Options n/a Built in n/a Built in n/a Built in n/a Built in n/a XGS Series: Gen.1 Desktop accessory matrix by model Model XGS 87 XGS 87w XGS 107 XGS 107w XGS 116 XGS 116w XGS 126 XGS 126w XGS 136 XGS 136w Redundancy Power n/a Optional 2nd power supply Connectivity Expansion Bay 3G/4G/5G module n/a n/a 1 Optional Wi-Fi Options n/a Built in n/a Built in n/a Built in Optional 2nd module n/a Built in Optional 2nd module n/a Built in Optional 2nd module Sophos Firewall Mounting Rackmount Kit Optional Mounting Rackmount Kit Optional 32 Sophos Firewall Flexi Port modules for 1U and 2U Configure your hardware to suit your infrastructure and change it as needed. Our optional Flexi Port LAN modules give you the freedom to select the connectivity you needneed. Copper, fiber, 10 GE, and 40 GE you decide. XGS Rackmount Models For XGS 2xxx/3xxx/4xxx only For XGS 2U Rackmount Models only 8 Port 1G copper 4 Port 1G copper PoE + 4 Port 1G copper 2 Port 40G QSFP+ 8 Port 1G SFP 4 Port 2.5G copper PoE 8 Port 10G SFP+ 4 Port 10G SFP+ 2 port 10 GE Fiber (LC) bypass + 4 port 10 GE SFP+ Fiber 4 Port 1G copper bypass (2 pairs) High-Density Flexi Port Module (NIC) 12 Port 1G copper + 4 Port 2.5G copper 2 port GE Fiber (LC) bypass + 4 port GE SFP Fiber Note: XGS modules are not compatible with any previous XG Series appliances 33 Sophos Firewall XGS Series: 1U Accessory matrix by model Model XGS 2100 XGS 2300 XGS 3100 XGS 3300 XGS 4300 XGS 4500 Redundancy Modular Connectivity Mounting Power 2nd SSD VDSL SFP Modem Flexi Port Bays Flexi Port Modules Optional external n/a Optional external n/a Optional external n/a Optional external n/a Optional external n/a Optional Optional Optional Optional Optional 1 Ì 8 Port 1G copper Ì 8 Port 1G SFP 1 Ì 4 Port 10G SFP+ Ì 4 Port 1G copper bypass Ì 4 port 1G copper PoE 1 + 4 port 1G copper Ì 4 port 2.5G copper PoE Ì 2 port GE Fiber (LC) 1 bypass + 4 port GE SFP Fiber 2 Optional internal Internal redundant SSD Optional 2 Rackmount Kit Rackmount ears incl. Optional sliding rails Rackmount ears incl. Optional sliding rails Rackmount ears incl. Optional sliding rails Rackmount ears incl. Optional sliding rails Sliding rails included Sliding rails included XGS Series: 2U Accessory matrix by model Model XGS 5500 XGS 6500 XGS 7500 XGS 8500 Redundancy Power Included SSD 2nd redundant SSD included Included 2nd redundant SSD included Included 2nd redundant NVMe SSD included Included 2nd redundant NVMe SSD included Modular Connectivity Mounting VDSL SFP Modem Flexi Port Bays Flexi Port Modules Optional Optional Optional Optional 2 + 1 for High-density module 2 + 2 for High-density modules 2 + 2 for High-density modules 2 + 2 for High-density modules Ì 8 Port 1G copper Ì 8 Port 1G SFP Ì 4 Port 10G SFP+ Ì 4 Port 1G copper bypass Ì 2 port 40G QSFP+ Ì 8 port 10G SFP+ Ì 2 port GE Fiber (LC) bypass + 4 port GE SFP Fiber Ì 2 port 10 GE Fiber (LC) bypass + 4 port 10 GE SFP+ Fiber Ì High-Density Flexi Port module (NIC) 12 Port 1G copper + 4 Port 2.5G copper Rackmount Kit Sliding rails included Sliding rails included Sliding rails included Sliding rails included 34 Sophos Firewall Sophos Wireless Protection Simple. Secure. Reliable. Sophos offers three different options for wireless protection: Cloud-managed Wi-Fi (our recommendation) Sophos Wireless is our Sophos Central-managed WiFi solution. It offers the broadest feature set, the best scalability, and support for the latest generation of Wi-Fi 6/6E access points, the AP6 Series. AP6 Series models Ì AP6 420 2x2 indoor Wi-Fi 6 Ì AP6 420E 2x2 indoor Wi-Fi 6/6E Ì AP6 840 4x4 indoor Wi-Fi 6 Ì AP6 840E 4x4 indoor Wi-Fi 6/6E Ì AP6 420X 2x2 outdoor Wi-Fi 6 All models come with a limited lifetime warranty. Sophos Central management of AP6 A support subscription is required to manage an AP6 Series access point in Sophos Central which also unlocks additional benefits and features (e.g., advanced RMA, Active Threat Response). Local management of AP6 Each AP6 Series includes a local management option that does not require an additional subscription. As a single management platform for all of your Sophos security solutions, Sophos Central puts your Wi-Fi management just one click away from your firewalls and switches, endpoint and server security, email protection, and more. Learn more about our cloud-managed Wi-Fi at sophos. com/wireless Hardware appliances with integrated Wi-Fi All of our XGS Series desktop appliances are available with an integrated wireless access point. This option is ideal for small environments such as retail outlets where an all-inone solution is preferred. Firewall as a controller This option supports our end-of-sale Wi-Fi 5 APX Series access points only. Using Sophos Firewall as a wireless controller, supported Sophos access points are automatically discovered when they're connected, allowing you to configure a variety of corporate, guest, or contractor wireless networks quickly and easily. 35 Sophos Firewall SD-RED Sophos SD-RED: Empowering your SD-WAN strategy Sophos has long been a pioneer in providing an easy-to-use and secure way to connect branch offices and other remote locations. Sophos Firewall includes comprehensive SD-WAN features to help you accelerate application performance and get better visibility into network health to ensure that your remote locations enjoy the same performance as your main office. Our SD-RED devices work with your Sophos Firewall independent of whether you have a hardware, software, or public cloud deployment. Our APX Series access points are also compatible with Sophos SD-RED. To manage Sophos SD-RED, you need to have an active Network Protection subscription on your firewall. Technical specifications Model SD-RED 20 SD-RED 60 Capacity Maximum tunnel throughput Physical interfaces (Built-in) LAN interfaces WAN interfaces SFP interfaces Power-over-Ethernet ports USB ports COM ports Optional Connectivity Modular bay Optional Wi-Fi module Optional 3G/4G LTE module Physical Specifications Dimensions: Width x height x depth Weight Power supply adapter Power redundancy support Power consumption Temperature (operational) Temperature (storage) Humidity Safety Regulations Certifications (safety, EMC, radio) 250 Mbps 4 x 10/100/1000 Base-TX (1 GE copper) 1 x 10/100/1000 Base-TX (shared with SFP) 1x SFP fiber (shared port with WAN) None 2 x USB 3.0 (front and rear) 1 x micro-USB 1 (for use with optional Wi-Fi OR 4G/LTE card) Wi-Fi 5 (802.11ac) dual-band capable 2 x 2 MIMO 2 antennas MC7430/MC7455 Sierra Wireless Card 225 x 44 x 150 mm 8.86 x 1.73 x 5.91 inches 0.9 kg/1.8 kg (1.98 lbs/3.97 lbs) Unpacked/Packed AC Input: 110-240VAC @50-60 Hz DC Output: 12V +/- 10%, 3.7A, 40W Yes, optional second power supply 6.1W, 20.814 BTU (idle) 22.6W, 77.114 BTU (full load) 0°C to 40°C (32°F to 104°F) -20°C to 70°C (-4°F to 158°F) 10% to 90%, non-condensing CE/FCC/IC/RCM/VCCI/CB/UL/CCC/KC/ANATEL See sophos.com/compare-xgs for further technical details. 850 Mbps 4 x 10/100/1000 Base-TX (1 GE copper) 2 x 10/100/1000 Base-TX (WAN1 shared port with SFP) 1x SFP fiber (shared port with WAN1) 2 PoE ports (total power 30W) 2 x USB 3.0 (front and rear) 1 x micro-USB 1 (for use with optional Wi-Fi OR 4G/LTE card) Wi-Fi 5 (802.11 ac) dual-band capable 2 x 2 MIMO 2 antennas MC7430/MC7455 Sierra Wireless Card 225 x 44 x 150 mm 8.86 x 1.73 x 5.91 inches 1.0 kg/2.2 kg (2.2 lbs/4.85 lbs) Unpacked/Packed AC Input: 110-240VAC @50-60 Hz DC Output: 12V +/- 10%, 6.95A, 75W Yes, optional second power supply 11.88W, 40.536 BTU/h (idle) 25.33W, 86.429 BTU/h (full load without PoE) 62.48W, 213.190 BTU/h (full load with PoE) 0°C to 40°C (32°F to 104°F) -20°C to 70°C (-4°F to 158°F) 10% to 90%, non-condensing CE/FCC/IC/RCM/VCCI/CB/UL/CCC/KC/ANATEL 36 Sophos Firewall Sophos Switch Access layer switches The Sophos Switch Series offers a range of network access layer switches to connect and power the devices connecting to your local area network (LAN) while adding security controls and segmentation at the all-important LAN edge. Our switches can be managed from Sophos Central alongside all of your Sophos solutions. A local user interface is also available. Technical specifications 1G Models 8-Port: CS101-8, CS101-8FP 24-Port: CS110-24, CS110-24FP 48-Port: CS110-48, CS110-48P, CS110-48FP 2.5G Models 8-Port: CS210-8FP 24-Port: CS210-24FP 48-Port: CS210-48FP 8 x 1G, 2 x SFP. FP = Full PoE (110W) 24 x 1G, 4 x SFP+. FP = Full PoE (410W) 48 x 1G, 4 x SFP+. P = Partial PoE (410W). FP = Full PoE (740W) 8 x 2.5G, 4 x SFP+. FP = Full PoE (240W). This model supports 802.3bt. 16 x 1G, 8 x 2.5G, 4 x SFP+. FP = Full PoE (410W). 32 x 1G, 16 x 2.5G, 4 x SFP+. FP = Full PoE (740W) Deployment Options While most 24- and 48-port models will find their future home in a rack, our entry-level 8-port models are also suitable for wall mounting or desktop use, making them the ideal choice for deployments outside of a standard data center environment. All of our switches come with a mounting kit. Sophos Central management of Sophos Switch A support subscription is required for Sophos Central management which also unlocks additional benefits and features (e.g., advanced RMA, Active Threat Response). Local management of Sophos Switch Each Sophos Switch includes a local management option that does not require an additional subscription. See sophos.com/switch for further details. 37 Further Resources We have a broad range of resources available where you can find out more about Sophos Firewall and related products. Ì Sophos Firewall Web sophos.com/firewall Ì XGS Series hardware models sophos.com/compare-xgs Ì Sophos Firewall Ecosystem: Add-ons and accessories sophos.com/firewall-ecosystem Ì Sophos Switch - sophos.com/switch Ì Sophos Wireless sophos.com/wireless Ì Sophos Zero Trust Network Access - sophos.com/ztna Ì Sophos Managed Detection and Response - sophos.com/mdr Sophos Firewall Try It for Free for Business and Home Use If you have any questions, visit sophos.com or give us a call. Free 30-day trial - no strings attached If you'd like to take it for a test drive, you can get the full-featured product. Simply sign up for our free 30-day trial. See it in action now You can take a walkthrough of the user interface with our interactive demo or watch videos showing you just how we make network security simple. Visit sophos.com/firewall for more information. Free home use version Our Sophos Firewall Home Edition is a fully equipped software version that gives you complete network, web, mail, and web application security with VPN functionality for home-use only and limited to four virtual cores and 6 GB of RAM. Visit sophos.com/freetools for more information. United Kingdom and Worldwide Sales Tel: +44 (0)8447 671131 Email: sales@sophos.com North American Sales Toll Free: 1-866-866-2802 Email: nasales@sophos.com Australia and New Zealand Sales Tel: +61 2 9409 9100 Email: sales@sophos.com.au © Copyright 2024. Sophos Ltd. All rights reserved. Registered in England and Wales No. 2096520, The Pentagon, Abingdon Science Park, Abingdon, OX14 3YP, UK Sophos is the registered trademark of Sophos Ltd. All other product and company names mentioned are trademarks or registered trademarks of their respective owners. 24-10-07 BR-EN (DD) Asia Sales Tel: +65 62244168 Email: salesasia@sophos.comAdobe PDF Library 17.0 Adobe InDesign 19.5 (Macintosh)