Sophos XG 650
Sophos XG 650
Sophos XG Series 2U: Performance
Our 2U rackmount appliances are built for distributed enterprises looking for a firewall to handle higher traffic volumes. These models offer you the flexibility to tailor your connectivity to your environment and come with the redundancy features to keep your business running.
XG 550 and XG 650
The Sophos XG 550 and XG 650 are high-performance firewalls equipped to provide protection for larger distributed and growing organizations. They offer CPU technology to effortlessly handle use as an all-in-one solution or a powerful next-generation firewall. The models offer either 4 (XG 550) or 6 (XG 650) Flexi Port expansion bays to tailor your connectivity to your environment. An 8 port GbE copper module is supplied as a default. Hotswappable dual SSDs and power supplies are standard redundancy features in this class.
- 8 port GbE copper module supplied as default
- Multiple expansion bays to add connectivity modules incl. options for up to 40 GbE QSFP+
- Dual SSDs and power supplies
Sophos XG Firewall
Sophos XG Firewall provides comprehensive next-generation firewall protection that exposes hidden risks, blocks unknown threats, and automatically responds to incidents.
Exposes hidden risks
Sophos XG Firewall provides unprecedented visibility into top risk users, unknown apps, advanced threats, suspicious payloads and much more. You also get rich on-box reporting included at no extra charge and the option to add Sophos iView for centralized reporting across multiple firewalls.
Blocks unknown threats
Sophos XG Firewall provides all the latest advanced technology you need to protect your network from ransomware and advanced threats including top-rated IPS, Advanced Threat Protection, Cloud Sandboxing, Dual AV, Web and App Control, Email Protection and a full featured Web Application Firewall. And it’s easy to setup and manage.
Automatically responds to incidents
XG Firewall is the only network security solution that is able to fully identify the source of an infection on your network and automatically limit access to other network resources in response. This is made possible with our unique Sophos Security Heartbeat™ that shares telemetry and health status between Sophos endpoints and your firewall.
Potent, powerful... fast
We’ve engineered XG Firewall to deliver outstanding performance and security efficiency for the best return on your investment. Our appliances are built using Intel multi-core technology, solid-state drives, and accelerated in-memory content scanning. In addition, Sophos FastPath packet optimization technology ensures you’ll always get maximum throughput.
Simply manage multiple firewalls
Sophos Central is the ultimate cloud-management platform - for all your Sophos products. It makes day-to-day setup, monitoring, and management of your XG Firewall easy. It also provides helpful features such as alerting, backup management, one-click firmware updates and rapid provisioning of new firewalls. Optionally, Sophos Firewall Manager (SFM) provides powerful multi-device management tools for easy provisioning of consistent policies across your entire estate. And if you also want to consolidate reporting across multiple XG, SG, and Cyberoam appliances you can easily do that with Sophos iView.
Security features you can’t get anywhere else
XG Firewall includes a number of innovations that not only make your job a lot easier, but also ensure your network is more secure.
An industry first, Synchronized Security links your endpoints and your firewall to enable unique insights and coordination. Security Heartbeat™ relays Endpoint health status and enables your firewall to immediately identify and respond to a compromised system on your network. The firewall can isolate systems until they can be investigated and cleaned up. Another Synchronized Security feature, Synchronized App Control, also enables the firewall to query the endpoint to determine the source of unknown traffic on the network.
Unified Firewall Rules
User identity takes enforcement to a whole new layer with our identity based policy technology enabling user level controls over applications, bandwidth and other network resources regardless of IP-address, location, network or device. It literally takes firewall policy to a whole new layer.
A Firewall That Thinks Like You
Pre-defined policy templates let you protect common applications like Microsoft Exchange or SharePoint quickly and easily. Simply select them from a list, provide some basic information and the template takes care of the rest. It sets all the inbound/outbound firewall rules and security settings for you automatically – displaying the final policy in a statement in plain English.
Insights into Top Risk Users
The Sophos User Threat Quotient (UTQ) indicator is a unique feature which provides actionable intelligence on user behavior. Our firewall correlates each user’s surfing habits and activity with advanced threat triggers and history to identify users with risk-prone behavior.
Flexible deployment, no compromise
Unlike our competitors, whether you choose hardware, software, virtual or Microsoft Azure, we don’t make you compromise – every feature is available on every model and form-factor.
The Xstream Advantage
The XG Firewall Xstream architecture is engineered to deliver extreme levels of visibility, protection, and performance to help address some of the greatest challenges facing network administrators today.
Xstream SSL Inspection
According to the latest statistics, approximately 80% of web traffic is encrypted, making it invisible to most firewalls. An increasing amount of malware and potentially unwanted apps exploit the fact that organizations are simply not using SSL inspection. Network administrators' main fears are that SSL inspection will have a performance impact or cause something to break, impacting the user experience. XG Firewall removes the blind spots caused by encrypted traffic by allowing you to use SSL inspection whilst maintaining performance efficiency.
Xstream DPI Engine
We believe you should never have to decide between security and performance. XG Firewall includes a highspeed Deep Packet Inspection (DPI) engine to scan your traffic for threats without a proxy slowing down the process. The firewall stack can completely offload the processing to the DPI engine, significantly reducing latency and so improving overall efficiency. XG Firewall provides robust deep packet threat protection in a single streaming engine for AV, IPS, Web, App Control and SSL inspection.
Xstream Network Flow FastPath
Traffic which is known to be secure can be offloaded to the Xstream Network Flow FastPath. This accelerated path for trusted traffic boosts performance dramatically by freeing up resources from unnecessary traffic inspection tasks. This is particularly important for voice and video applications which are very sensitive to latency and so can quickly lead to a degradation of the user experience. XG Firewall includes automatic and policy-based intelligent offloading for trusted traffic processing at wire speed.
Sophos Central is at the heart of everything we do. Our cloud management platform provides a single pane of glass to not only manage your firewalls, but also your full portfolio of Sophos security solutions.
Simply manage multiple firewalls
Sophos Central is the ultimate cloud-management platform - for all your Sophos products. It makes day-to-day setup, monitoring, and management of your XG Firewall easy. It also provides helpful features such as alerting, backup management, one-click firmware updates and rapid provisioning of new firewalls.
- Manage all your XG Firewalls and other Sophos products from a single console
- Configure changes and apply them to a group of firewalls or manage each firewall individually
- Create a backup schedule and store up to 5 backups in the cloud
Firewall Reporting in the cloud
Sophos Central includes powerful reporting tools that enable you to visualize your network, web, application activity, and security over time. You get a flexible reporting experience that combines a variety of built-in reports with powerful tools to create your own custom reports – enabling you to report what you want, how you want.
- Increase your visibility into network activity through analytics
- Analyze data to identify security gaps, suspicious user behavior or other events requiring policy changes
- Use the pre-defined modules or customize each report for specific use cases
Sophos is pleased to introduce the new Xstream Architecture for XG Firewall, a new streaming packet processing architecture that provides extreme levels of protection and performance. The new architecture includes:
- Xstream SSL Inspection: Organizations can enable SSL inspection on their networks without compromising network performance or user experience. It delivers highperformance, high connection-capacity support for TLS 1.3 and all modern cipher suites providing extreme SSL inspection performance across all ports, protocols, and applications. It also comes equipped with enterprise-grade controls to optimize security, privacy, and performance. A new widget on the Control Center provides unprecedented visibility into SSL-encrypted traffic enabling quick troubleshooting in the event of any compatibility issues, to maintain the ultimate user experience.
- Xstream DPI Engine: Enables comprehensive threat protection in a single highperformance streaming DPI engine with proxyless scanning of all traffic for AV, IPS, and web threats as well as providing Application Control and SSL Inspection. Pattern matching on decrypted traffic makes patterns more effective and provides increased protection from hash/pattern changing applications such as Psiphon proxy.
- Xstream Network Flow FastPath: Provides the ultimate in performance by intelligently accelerating traffic processing to transfer trusted traffic at wire speeds. The FastPath offloading can be controlled through policy to accelerate important cloud application traffic, or intelligently by the DPI engine based on traffic characteristics
What’s new in XG Firewall v18
Threat Intelligence Analysis
XG Firewall gains an added layer of artificial intelligence protection. All suspicious files are now subject to threat intelligence analysis in parallel with full sandbox analysis. Files are checked against SophosLabs’ massive threat intelligence database and subjected to our industry-leading deep learning, which identifies new and unknown malware quickly and efficiently – often rendering a verdict in seconds – to stop the latest zero-day threats before they get on the network. Threat Intelligence Analysis is a new feature that is included as part of the Sandstorm Protection license (all PLUS bundles) at no extra charge.
Threat Intelligence Reporting
Threat Intelligence Reporting adds a new Control Center widget to highlight all suspicious file downloads. The widget enables one-click drill-down to detailed forensics reports on all suspicious file activity. A quick summary view for each file provides a traffic-light style (red, yellow, green) indication of the analysis after antivirus scanning, threat intelligence analysis, and sandboxing. Detailed reports provide an-depth view of the verdict, including illustrated analysis by multiple machine learning models, details and screenshots of behaviors seen during Sandstorm analysis, and an in-depth breakdown of the file’s features and attributes, together with malware scan results and insight from VirusTotal.
Sophos Central Firewall Reporting and Management
This release includes support for new firewall reporting and management capabilities being launched simultaneously on Sophos Central, including a rich, powerful new reporting suite and group firewall management tools.
NAT Enhancements – Decoupled NAT Rules and Linked NAT Rule
XG Firewall’s NAT configuration receives some major updates. NAT rules are now decoupled from firewall rules, enabling more powerful and flexible configuration options, including Source (SNAT) and Destination (DNAT) in a single rule. A new NAT rule wizard enables you to quickly and easily create complex NAT rules with just a few clicks.
In addition, a new linked NAT rule feature follows the matching criteria of the Firewall Rule. Linked NAT Rule can also be added and edited in place while creating/editing firewall rules. Only the source translation configuration needs to be selected for Linked NAT Rule.
Firewall Rules Management Improvements
Firewall rules management includes a new ‘Add Filter’ option with several fields/ conditions from which to choose. Adding a filter makes it easier to find firewall rules based on the selected filter criteria. Once selected, filters stay selected even when the administrator moves to other configuration screens. Administrators can manage multiple firewall rules at the same time (e.g. select multiple rules to delete, enable/ disable, attach to a group, etc.). Movement of rules across screens is possible, providing ease of use and management for larger rule sets. Within the firewall rule there is an exclusion feature that provides a “negate” option in the matching criteria to reduce the management and ordering overhead of multiple rules. There’s also a UI option to reset the data transfer counter for a firewall rule to improve troubleshooting.
Enhanced DDNS Support
Provides support for enhanced DDC service HTTPS-based DDNS by adding five more DDNS providers – No-IP, DNS-O-Static, Google DNS, Namecheap, and FreeDNS.
SD-WAN Application Routing and Synchronized SD-WAN
Optimized application routing and path selection is often an important objective in SD-WAN implementations – to ensure important business applications are routed over preferred WAN links. This release adds user and group application-based traffic selection criteria to XG Firewall’s SD-WAN routing configuration. Synchronized SD-WAN, a new Sophos Synchronized Security feature, offers additional benefits with SD-WAN application routing. Synchronized SD-WAN leverages the added clarity and reliability of application identification that comes with the sharing of Synchronized Application Control information between Sophos-managed endpoints and XG Firewall. Synchronized Application Control can positively identify 100% of all networked applications, including evasive, encrypted, obscure, and custom applications and now these previously unidentified applications can also be added to SD-WAN routing policies. This provides a level of application routing control and reliability that other firewalls can’t match.
Alerts and Notifications
There is a new option to choose from dozens of system- and threatrelated alerts, and have notifications sent via email or SNMP. Intelligent IPS Signature Selection XG Firewall will receive IPS signatures based on a number of intelligent filtering criteria such as age, vendor, vulnerability type, and CVSS (Common Vulnerability Scoring System) to optimize protection and performance.
DKIM and BATV Anti-Spam Protection
Anti-spam protection is improved with support for DomainKeys Identified Mail (DKIM) which detects forged sender addresses and Bounce Address Tag Validation (BATV) to determine whether the bounce address specified in the received email is valid, and reject backscatter spam.
Kerberos Authentication and NTLM
This release adds Kerberos authentication alongside the existing NTLM support for Microsoft Active Directory SSO, extending the range of authentication tools available for customers.
Radius Timeout with Two-Factor Authentication (2FA)
For customers using 2FA with Radius Server Authentication, the timeout value is now configurable, allowing additional time to finish the authentication flow when necessary.
Support for SNMPv3 is added providing more flexibility and security over SNMPv2.
Interfaces can be renamed, making networking configuration easier and more intuitive.
Improved Synchronized Application Control Verdict
In the event of a pattern-based match conflict, Synchronized Application Control Verdict will be adhered to for more accurate application control.
DHCP Relay Enhancements for Dynamic Routing
Synchronizes dynamic routing updates (learned routes from OSPF) to DHCP relay, eliminating the need for manual reconfiguration.
Secure Syslog and Logs in the Standard Syslog Format
Provides the option to fetch logs in the standard syslog format using secure TLS.
Dynamic GeoIP (IP to Country Mapping) Database
The GeoIP database is now updated dynamically in real time from Up2Date. Be sure to always use the appropriate country-specific filters and policies.
VMware Tools Upgrade and Integration with VMware Site Recovery Manager (SRM)
Supports virtual device integration of the latest VMware Tools version (v10.3.10) with reboot, shutdown, and clone-like functionalities. The release also supports integration with Site Recovery Manager (SRM), the disaster recovery and business continuity solution from VMware which automates the transfer of virtual machines to a local or remote recovery site.
Jumbo Frame Support
Jumbo frames with more than 1500 byte payloads are now supported for added networking flexibility in high-bandwidth environments.
Wildcard Domain Support in WAF
XG Firewall now supports wildcard domains for WAF (Web Application Firewall). Administrators can configure wildcard subdomains, (e.g. *.example.com) for both HTTP and HTTPS.
Log Viewer Enhancements
The log viewer gets several enhancements with one-click actions available right from the logs to narrow search results, filter log entries, or create or modify policies on the fly. Options include the choice to disable signatures, block a source IP address, edit interfaces, and modify IPS, App Control, or web filtering policies.
Web Policy Enhancements
Browsing quotas have been added to web policies, allowing administrators to set time quotas for browsing selected website categories. Users can choose how and when to consume their daily time quota.
High Availability (HA) Enhancements
New enhancements enable plug-and-play high availability deployments with greater flexibility and business redundancy. A preconfigured HA port on every device enables quick and easy HA deployments by simply connecting the two ports together and then acknowledging and activating HA. HA configurations also include a configurable failback strategy, ideal for remote-site HA deployments, with options for manual synchronization and time out tuning. It is now possible to perform firmware updates, rollbacks, and other tasks such as port monitoring lists and assigning multiple IP addresses to primary and auxiliary appliances while HA is active. In addition, deploying more than one HA pair in a single network is easier due to the elimination of conflicts arising from any dependency on a virtual MAC address HA architecture.
All the protection you need to stop sophisticated attacks and advanced threats while providing secure network access to those you trust.
Next-gen Intrusion Prevention System
Provides advanced protection from all types of modern attacks. It goes beyond traditional server and network resources to protect users and apps on the network as well.
Advanced Threat Protection
Instant identification and immediate response to today’s most sophisticated attacks. Multi-layered protection identifies threats instantly and Security Heartbeat™ provides an emergency response.
Creates a link between your Sophos Central protected endpoints and your firewall to identify threats faster, simplify investigation and minimize impact from attacks. Easily incorporate Heartbeat status into firewall policies to automatically isolate compromised systems.
Advanced VPN technologies
Adds unique and simple VPN technologies including our clientless HTML5 self-service portal that makes remote access incredibly simple or utilize our exclusive light-weight secure RED (Remote Ethernet Device) VPN technology.
Unmatched visibility and control over all your user’s web and application activity.
Powerful user and group web policy
Provides enterprise-level Secure Web Gateway policy controls to easily manage sophisticated user and group web controls. Apply policies based upon uploaded web keywords indicating inappropriate use or behavior.
Advanced Web Threat Protection
High performance transparent proxy
Optimized for top performance, our transparent proxy technology provides ultra-low latency inspection and HTTPS scanning of all traffic for threats and compliance.
Application Control and QoS
Enables user-aware visibility and control over thousands of applications with granular policy and traffic-shaping (QoS) options based on application category, risk, and other characteristics. Synchronized Application Control automatically identifies all the unknown, evasive, and custom application on your network.
Consolidate your email protection with anti-spam, DLP, and encryption.
Integrated Message Transfer Agent
Ensures always-on business continuity for your email, allowing the firewall to automatically queue mail in the event servers become unavailable.
Provides protection from the latest spam campaigns, phishing attacks, and malicious attachments.
Gives employees direct control over their spam quarantine, saving you time and effort.
SPX Email Encryption
Unique to Sophos, SPX makes it easy to send encrypted email to anyone, even those without any kind of trust infrastructure using our patent-pending password-based encryption technology.
Data Loss Prevention
Policy-based DLP can automatically trigger encryption or block/notify based on the presence of sensitive data in emails leaving the organization.
Web Server Protection
Harden your web servers and business applications against hacking attempts while providing secure access.
Business Application Policy Templates
Pre-defined policy templates let you protect common applications like Microsoft Exchange Outlook Anywhere or SharePoint quickly and easily.
Protection from the latest hacks and attacks
With a variety of advanced protection technologies including URL and form hardening, deep-linking and directory traversal prevention, SQL injection and cross-site scripting protection, cookie signing and more.
With authentication options, SSL offloading, and server load balancing ensure maximum protection and performance for your servers being accessed from the internet.
AI-driven static and dynamic file analysis techniques combine to bring unprecedented threat intelligence to your firewall and so effectively identify and block ransomware, known and unknown threats.
Powered by SophosLabs
Powered by the industry-leading SophosLabs, the Sandstorm Protection subscription includes a fully cloudbased threat intelligence and threat analysis platform. This provides deep learning-based file analysis, detailed analysis reporting and a threat meter to show the risk summary for a file.
They use layers of analytics to identify known and potential threats, reduce unknowns and derive verdicts and intelligence reports for the most commonly used file types.
Static File Analysis
By harnessing the power of multiple machine learning models, global reputation, deep file scanning, and more, you can quickly identify threats without the need to execute the files in real time.
Dynamic File Analysis
Execute a file in a secure cloud-based sandbox to observe its behavior and intent. Screenshots provide added insight into any key events during the analysis.
Threat Intelligence Analysis Reporting
Rich intelligence reports provide you with much more than just a ‘good’, ‘bad’, or ‘unknown’ verdict. Full insight into the nature and capabilities of a threat are delivered through the use of data science and SophosLabs research.
How to Buy:
Every XG Firewall comes equipped with Base Firewall functionality including IPSec, SSL VPN, and Wireless Protection. You can extend protection with our bundles or by adding protection modules individually.
Sophos XG Firewall Value Bundles
For the ultimate in protection, value, and peace-of-mind, get one of our convenient Value Bundles.
|What you get||EnterpriseProtect Plus Bundle||TotalProtect Plus Bundle|
|Base Firewall Firewall, IPsec and SSL VPN, Wireless Protection (APs sold separately)|
|Network Protection IPS, RED, HTML5 VPN, ATP, Security Heartbeat|
|Web Protection Anti-malware, Web and App visibility, control, and protection|
|Email Protection Anti-spam, SPX Email Encryption, and DLP|
|Web Server Protection Web Application Firewall and reverse proxy|
|Sandstorm Protection next-gen cloud-sandbox technology|
|Enhanced Support 24x7 support, security and software updates, adv. exchange warranty|
|XG Series Hardware Appliance Multi-core Intel processor, solid-state storage, flexible connectivity|
Sophos XG Series Appliances – at a glance:
Our XG Series hardware appliances are purpose-built with the latest multi-core Intel technology, generous RAM provisioning, and solid-state storage. Whether you’re protecting a small business or a large datacenter, you’re getting industry leading performance.
|Revision #||Form Factor||Ports/Slots (Max Ports)||w-model*||Swappable Components||Firewall (Mbps)||VPN (Mbps)||NGFW (Mbps)||Threat Protection (Mbps)||Xstream SSL (Mbps)|
|XG 86(w)||1||desktop||4||Wi-Fi 5||n/a||3,100||225||350||145||75|
|XG 106(w)||1||desktop||4||Wi-Fi 5||opt. ext. Power||3,550||330||400||150||75|
|XG 115(w)||3||desktop||4||Wi-Fi 5||opt. ext. Power||4,000||560||1,000||375||130|
|XG 125(w)||3||desktop||9/1 (9)||Wi-Fi 5||opt. ext. Power, 3G/4G||7,000||1,500||1,275||400||170|
|XG 135(w)||3||desktop||9/1 (9)||Wi-Fi 5||opt. ext. Power, 3G/4G, Wi-Fi**||7,500||1,700||1,800||600||210|
|XG 210||3||1U||8/1 (16)||n/a||opt. ext. Power||29,000||1,920||3,200||800||230|
|XG 230||2||1U||8/1 (16)||n/a||opt. ext. Power||32,000||2,100||4,500||1,000||280|
|XG 310||2||1U||12/1 (20)||n/a||opt. ext. Power||35,000||3,050||5,300||1,550||370|
|XG 330||2||1U||12/1 (20)||n/a||opt. ext. Power||38,000||3,940||9,300||2,100||560|
|XG 430||2||1U||10/2 (26)||n/a||opt. ext. Power||55,000||5,000||10,000||2,200||600|
|XG 450||2||1U||10/2 (26)||n/a||opt. int. Power||65,000||6,100||13,900||3,400||770|
|XG 550||2||2U||8/4 (32)||n/a||Power, SSD, Fan||75,000||8,500||15,300||6,000||1,000|
|XG 650||2||2U||8/6 (48)||n/a||Power, SSD, Fan||85,000||9,000||18,000||7,700||1,350|
|XG 750||2||2U||8/8 (64)||n/a||Power, SSD, Fan||100,000||12,500||19,200||9,400||1,400|
* 802.11ac Wave 2
** 2nd Wi-Fi module option on 135w only (requires XG v17 MR6 or higher)
What you get with every XG Series appliance
- Full Wireless Protection included in the Base License
- On-box reporting or reporting for 7 days via Sophos Central
- Free management via Sophos Central
- The flexibility to add optional connectivity modules to adapt your firewall to changes in your environment
A simple approach to comprehensive support
We build products that are simple yet comprehensive. And, we take the same approach with our support. With options ranging from basic technical support to those including direct access to senior support engineers and customized delivery.
Included with purchase
Included in all bundles
Via telephone and email
|For 90 days
(business hours only)
Security Updates & Patches
For the life of the product
|Included with an active software subscription||Included with an active software subscription||Included with an active software subscription|
|Software Feature Updates & Upgrades||Included 90-days||Included||Included|
Remote consultation on your firewall configuration and security with a Sophos Senior Technical Support Engineer
(up to 4 hours)
Warranty and RMA
For all hardware appliances
|1 year (return / replace)||Advance Exchange
(max. 5 years)
(max. 5 years)
Technical Account Manager
Dedicated named technical account manager