Guest User!

You are not Sophos Staff.

This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos XG Hardware with SG Software & License?

My business is currently using a licensed UTM hardware which will expire in about 30 days. We found that the UTM hardware is EOL and the software can be renewed for one more year before it will be EOL as well.

So, our options are to purchase a new SG appliance with SG software which will allow us to migrate to XG next year.

Now, my question is, could we also purchase a new XG appliance and install SG on it? This would allow us to get the latest hardware and upgrade to XG when the migration utility is ready. Is that possible?

Thank you!



This thread was automatically locked due to age.
Parents
  • Hello JensStraten,

    Sophos SG and XG appliances are based on the same hardware within series description (e.g. SG 230 based on the same hardware as XG 230). 

    So there is no need to worry about the need to buy an XG front up. Currently there is no official way to turn (back) a XG into a SG. 

    If you buy a SG model today, you will have the ability to take your config to the SG. With the rise of UTM 9.5 (or later) there will be the opportunity to switch via a button to

    XG SFOS and it is planned to realize the migration of most of the firewall rules and ip objects. From a license perspective, you will be able to take your SG FullGuard license to an XG one within the subscription period without additional costs. After the end of the initial subscription, you will need to renewal the license with an XG one, which might be bit more expensive than the old on.

    I hope the information given will assist you to make your decision.

     

    Br, 

    Sascha

     

     

     

      

  • Thank you Sascha!

    I am somewhat confused by your reply because when I look at the Sophos hardware descriptions, they show a throughput of 3GB for the XG105 and 1.5GB for the SG105. So, I was assuming that the hardware is somewhat "upgraded". Are you sure that they are just rebranded (sticker, logo)?

    One question on licensing: Is migration from SG to XG limited to FullGuard or can it be any valid license package?

    Best regards,

    Jens

  • Hi Luk,

    The XG is a more efficient firewall and has less overhead so therefore throughput is higher :)

    One thing to note that those are theoretical maximums and I would never advise anything less than an XG125 for a site of over 20 people with an internet connection of 50+ mbps. I've seenan XG105 and 115 struggle with 10 people and a 100mbps link!

    Emile

  • Hello Jens,

    yes, the data given by the website might be confusing when it comes to sizing.

    Indeed, we have a performance increase in scanning IPS and AV traffic by switching to SFOS. Sophos calls it 

    FastPath Packet Optimization:  https://blogs.sophos.com/2015/12/10/sophos-xg-firewall-innovations-fastpath-packet-optimization/  

    In other words, Sophos XG does not open, scan and close every packet all the time.

    I created a whiteboard screenshot on my own to illustrate. I hope you will find it useful:

     

     

     

    Regarding the sizing, I would like to recommend to use real world throughput (IMIX). For your specific demand, this

    is IPS Realworld 2 (Mbps) or at least IPS max. 1 (Mbps) : 

    http://www.infinigate.de/fileadmin/user_upload/Products/Sophos/Products/Network_Protection/sophos_xg_series_sizing_guide_sgna.pdf 

    So we come to the conclusion, that IPS takes a lot of performance in realworld environments. No matter the fact, that IPS gigabit to desktop 

    requires XG 4xx or higher, similar to other vendors in CPU and ASICS power.

     

    Migrating from SG to XG is not limited to FullGuard only, but the content of the licence modules varies in comparision to SG.

    In most cases, for example at essential (base) FW, you will get more features, e.g. WLAN and S2S VPN. From my knowledge,

    all customers shall use every functions they licenced before the migration.

    I would like to recommend to use a XG 115 or higher.

     

    Br,

    Sascha

    Business Development Mgr (Infinigate) 

     

Reply
  • Hello Jens,

    yes, the data given by the website might be confusing when it comes to sizing.

    Indeed, we have a performance increase in scanning IPS and AV traffic by switching to SFOS. Sophos calls it 

    FastPath Packet Optimization:  https://blogs.sophos.com/2015/12/10/sophos-xg-firewall-innovations-fastpath-packet-optimization/  

    In other words, Sophos XG does not open, scan and close every packet all the time.

    I created a whiteboard screenshot on my own to illustrate. I hope you will find it useful:

     

     

     

    Regarding the sizing, I would like to recommend to use real world throughput (IMIX). For your specific demand, this

    is IPS Realworld 2 (Mbps) or at least IPS max. 1 (Mbps) : 

    http://www.infinigate.de/fileadmin/user_upload/Products/Sophos/Products/Network_Protection/sophos_xg_series_sizing_guide_sgna.pdf 

    So we come to the conclusion, that IPS takes a lot of performance in realworld environments. No matter the fact, that IPS gigabit to desktop 

    requires XG 4xx or higher, similar to other vendors in CPU and ASICS power.

     

    Migrating from SG to XG is not limited to FullGuard only, but the content of the licence modules varies in comparision to SG.

    In most cases, for example at essential (base) FW, you will get more features, e.g. WLAN and S2S VPN. From my knowledge,

    all customers shall use every functions they licenced before the migration.

    I would like to recommend to use a XG 115 or higher.

     

    Br,

    Sascha

    Business Development Mgr (Infinigate) 

     

Children
No Data