
most powerful hardware for Sophos XG home

Hi,

I know there are heaps of threads asking what hardware suits the home edition of Sophos XG best. However, I think my requirements are a little different. Most threads ask for the cheapest, least power-consuming units. I'd rather go for the most powerful one to max out the limitations of 4 CPUs and 6 GB of RAM.

Currently I am running Sophos XG on an ESXi server with an E3-1265L V2. The appliance has 4 vCPUs and 5 GB of RAM.

I have about 40 live users (several servers, PCs and IoT devices) on average, mainly clientless users. I run 5 VLANs and about 15 firewall rules. I already deactivated some firewall features in order to push the CPU load average below 4. Currently the average is around 3.5 with regular peaks over 4, which apparently leads to CPU queuing.

Since used RAM is around 50%, I believe the virtual CPU power is just not sufficient for my purposes. Of course I know that vCPUs perform worse than bare metal.

Therefore, I am looking for a fanless/silent barebone/mini PC with 4 NICs and a 4-core CPU with enough power. Furthermore, it should be possible to have 6 GB of RAM (probably 8 GB with 2 GB unused).

I read a lot about the Celeron J1900 as a recommendation, but I assume that couldn't be enough for my setup.

What CPU do you recommend, and is there a nice ready-to-use barebone suiting these needs? I saw some Jetway units which could be a good option, e.g. https://www.minipc.de/catalog/il/2289

Thx and best,

Pete



  • I'll answer a bit aside from your question.

    If you've got 40 users, including servers, why do you stay with the home edition? It's not the target of this edition. You should go for a real hardware UTM.

  • Sophos is tight-lipped about the specs of their UTM/XG devices.

    Look here... what CPU do these have, how much RAM do they have?

    https://www.firewalls.com/products/firewalls/sophos/xg/comparison

    OK, I found the technical brief. http://dttstores.com/media/documents/sophos-xg.pdf

  • In this case both the i5 and i7 are dual core with hyper-threading. The main difference is the base frequency. The i7 has a MUCH higher base frequency of 2.4 GHz instead of 1.6 GHz. And the i7 will top out at 3 GHz instead of 2.6 GHz.

    Also, the built-in wifi is not compatible with Sophos XG, so get the no-wifi option. 8 GB of RAM and a 128 GB SSD should be more than enough. In fact a 64 GB SSD should be fine as long as you don't keep logs saved for too long.

    I am running UTM 9.5 with a 128 GB SSD and 8 GB of RAM and it is more than plenty, even with web filtering and intrusion prevention running. RAM never goes above 45%, and that's with a total of 6.8 GB RAM available due to graphics memory set aside. So this should give you an idea.

  • They may work fine, but Qotom sacrifices build quality to keep the price down. I'm guessing they had a bad batch of the i5 units, and each time I would RMA a defective one I just got the next one on the shelf from the same production run. Who knows. The actual hardware used should be just fine with XG, and the only BIOS issue I'm aware of is the USB3 problem.

    Personally, I would take an honest assessment of your needs and reconsider a lower-powered unit. I'm very happy with the quality of the Protectli builds, and their BIOS doesn't suffer from the USB3 issue. The 4-port quad-core Atom-based version is serving me well right now with a boatload of IoT devices, multiple streaming platforms that seem to be entertaining empty rooms all day long, and a few servers and VPN-connected work devices, while averaging 10% CPU (spikes to 30%) and 45% RAM usage (out of 8 GB installed, 6 GB used). This is with 18 rules, most of which have AV scanning and policy applied.

    Just food for thought.

    Gary

  • Alright, thanks for all the answers and recommendations. I'll investigate a little further and see what's the best option for me.

    Best

    Pete

  • I bought an Intel Atom E3845 with 4 LAN ports from

    https://www.pondesk.com/product/Intel-Atom-E3845-4-LAN-AESNI-3G4G-Fanless-Firewall-Router_MNHO-048

    It ships from London.

    I'm very happy with my home setup; consumption is under 7 W,

    but I don't know if its CPU is enough for your needs.

  • I bought this one - fully compatible - installation without problems - local wifi, Core i7-4670K - console - 8 LAN ports - VGA

    https://www.pondesk.com/product/8-LAN-1-COM-4-Fiber-SFP-4G-NGFW-Firewall-1U-Rackmount-Server_NSHO-001

    (hope it is allowed to post a direct product link here)

    The product has great support; my first unit was damaged by the parcel service, and I got a new one within a week.

  • Sorry, just saw you are looking for a quiet one! This one is rather noisy.

  • What you are really looking for is a quad-core machine with a very fast CPU; it does not have to be an i5 or i7, both of which are overkill.

    Your E3-1265L v2 as a bare-metal machine should be more than adequate - 2.5 GHz to 3.5 GHz.

    Ian

  • (just to explain my choice)

    I have a direct switched 1 GBit connection to the internet at home and just wanted to be on the safe side. At least I can say that with my system mentioned above I have an up- and download rate of about 90 MByte per second with all security features of Sophos XG enabled.

    But in fact I am looking for a not-so-noisy gateway with enough performance for my internet connection as a backup, so I started following this thread.

  • Hey rfcat,

    since the E3 is running the ESXi server hosting two other VMs, including a RAID NAS, I can't use it for Sophos only. That's actually the reason why I am looking for dedicated hardware for the firewall appliance.

    QOTOM as well as Protectli could be good options for this purpose, although the Protectli units are recommended more often because of quality reasons.

    I did a quick spec comparison of these units:

    I've got some questions:

    1. Is there a difference whether I go for a quad core or a dual core with hyper-threading? In case of a dual core with HT, does Sophos XG Home actually use all 4 threads, or is it limited to the 2 real cores? Is the CPU limitation of the Home version fixed to cores or threads?

    2. Is the AES-NI feature used by Sophos XG?

    3. What's better: dual core (with HT) and high clock speed, or quad core (that would boil it down to E3845 or J1900)?

    , what is your average load on your machine? In my case CPU load is also quite low, but the average load is fairly high, and since both aspects are not directly connected to each other, I think average load is a good indicator for the performance of the firewall.

    Best

    Pete

  • I have somewhat of an answer regarding the cores vs. threads issue. Posted by Aditya Patel | Sophos Network and Security Engineer.

    "The limit does not apply to threads, if your processor has 8 core 16 thread it would restrict the use of 4 cores but you may need to check the maximum threads the core would handle. If 4 cores are able to use all 16 threads then it will 16 threads if needed."

    community.sophos.com/.../xg-home-edition-4-core-limit-apply-to-threads

    And for your third question, I had almost the same question regarding core speed vs. amount of threads. The consensus is that higher core speed is more important than the amount of cores, especially in regards to the IDS. I received two different responses.

    1. By default in the XG a snort thread is created for each core.
    2. ...you’ll get better performance with a CPU that has higher single core performance. While Sophos does run multiple instances of Snort on each CPU core, this is so it can run dedicated instances of Snort on each connection (i.e. better multi-connection performance).

    community.sophos.com/.../361755

  • That implies that the best option would be a quad-core CPU with hyper-threading, even though it would most likely be heavily oversized. :-)

    The answer you got regarding cores is not entirely clear to me. If one snort process is being generated per core, I'd assume that more cores would be the better option instead of a higher clock rate. I guess that heavily depends on the use cases.

    After looking for a reseller for the Protectli or Qotom devices in Europe, it seems like there isn't any. Meaning, importing would add another 200 bucks to the bill. So maybe building a system on my own is the better option, in terms of performance as well as budget.

    Based on your post above, you already did the research for that. Have you done the build already, or are you also still in the researching phase?

  • May have missed it, but earlier in the thread someone linked to a Pondesk device that was suspiciously similar to the Protectli model I have. Free shipping to Europe (at least, they claim that on the site) and give you plenty of customization options and, what I missed the first time I looked at it, if you scroll down and click the Performance tab, they give some numbers for different FW installs including Sophos. Not sure how goosed the numbers are, but it's honestly more than I've seen on any other site trying to sell these things.

    https://www.pondesk.com/product/Intel-Atom-E3845-4-LAN-AESNI-3G4G-Fanless-Firewall-Router_MNHO-048

    -Gary

  • I have not upgraded yet. I was just giving an example of what someone could build themselves if they couldn't obtain a Qotom PC or were worried about the quality.

    My UTM is running on a desktop PC with an AMD A6 7400K and 8 GB of DDR3 RAM. The CPU is a dual core running at 3.6 GHz, and I feel it is enough to run what I need since I am the only user.

    I don't see the benefits of going to a Celeron CPU other than for power savings (10 watt Celeron vs. 65 watt AMD). I would rather get myself an embedded micro ATX board and use the case, power supply, and dual-port Intel LAN NIC that I already have.

    www.newegg.com/.../Product.aspx

    But the reality is that this CPU, even though it is a 65 watt CPU, really just sits there idling 99% of the time anyway, so the cost savings in power usage isn't even worth worrying about.

  • Peter Mueller said:

    the answer you got regarding cores is not entirely clear to me. If one snort process is being generated per core I'd assume that more cores would be the better option instead of higher clock rate. I guess that heavily depended on the use cases.

    It depends on what you’re trying to achieve. If you want faster performance on a single connection, higher clock speeds are better (Snort does not support multi-threading like Suricata). If you want better performance for multiple connections, more cores would be better.

    For example, I have the Qotom Q335G4 (Intel Core i5-5250U) and with IPS enabled, my connection drops from 900 Mbps down to 300 Mbps down. Having more cores won’t help in this case, but faster clock speeds would (single connection performance).

    Snort has an alpha or beta version in the works that supports multi-threading. I’m hoping that if they ever release a stable version, Sophos will implement it.

  • I see.

    I found two boxes shipping to Germany, at least without shipping fees.

    https://www.amazon.de/gp/product/B06XRJJDM9/ref=ox_sc_sfl_title_1?ie=UTF8&psc=1&smid=A3NZXFKJ0Y59OU

    Core i5-5250U

    https://www.amazon.de/gp/product/B0746N7Z75/ref=ox_sc_act_title_1?smid=A1UUHLG5NYJ22P&psc=1   <- this one looks very similar to the Protectli devices.

    Core i3-7100U

    Which one would you prefer?

    Best

    Pete

  • Peter Mueller said:

    I see.

    I found two boxes shipping to Germany, at least without shipping fees.

    https://www.amazon.de/gp/product/B06XRJJDM9/ref=ox_sc_sfl_title_1?ie=UTF8&psc=1&smid=A3NZXFKJ0Y59OU

    Core i5-5250U

    https://www.amazon.de/gp/product/B0746N7Z75/ref=ox_sc_act_title_1?smid=A1UUHLG5NYJ22P&psc=1   <- this one looks very similar to the Protectli devices.

    Core i3-7100U

    Which one would you prefer?

    Best

    Pete

    I'm honestly not sure... this site has a good comparison of the two CPUs:

    http://cpuboss.com/cpus/Intel-Core-i5-5250U-vs-Intel-7100U

    It appears as if the Core i5-5250U is slightly faster if it's running at 2.6 GHz, which is an overclocked speed that I don't think you'll see with these devices. For example, on my Qotom device when I look at the CPU speed in the BIOS, it shows it at 1.6 GHz. It looks like the Core i3-7100U runs at 2.4 GHz without being overclocked, so I suspect you would see better single-core performance.