TSR – The Server Room Show – Episode 44 – Sophos XG Firewall and Intercept X Endpoint Management

What is a Next Gen Firewall?

A next-generation firewall (NGFW) is part of the third generation of firewall technology, combining a traditional firewall with other network device filtering functions, such as an application firewall using in-line deep packet inspection (DPI) and an intrusion prevention system (IPS). Other techniques might also be employed, such as TLS/SSL encrypted traffic inspection, website filtering, QoS/bandwidth management, antivirus inspection and third-party identity management integration (i.e. LDAP, RADIUS, Active Directory).

Next-generation firewall vs. traditional firewall

NGFWs include the typical functions of traditional firewalls such as packet filtering, network- and port-address translation (NAT), stateful inspection, and virtual private network (VPN) support. The goal of next-generation firewalls is to include more layers of the OSI model, improving filtering of network traffic that is dependent on the packet contents.

NGFWs perform deeper inspection compared to stateful inspection performed by the first- and second-generation firewalls. NGFWs use a more thorough inspection style, checking packet payloads and matching signatures for harmful activities such as exploitable attacks and malware.

Evolution of next-generation firewalls

NGFWs brought improved detection of encrypted applications and an intrusion prevention service. Modern threats like web-based malware attacks, targeted attacks, application-layer attacks, and more have had a significantly negative effect on the threat landscape. In fact, more than 80% of all new malware and intrusion attempts exploit weaknesses in applications, as opposed to weaknesses in networking components and services.

Stateful firewalls with simple packet filtering capabilities were efficient at blocking unwanted applications, as most applications met the port-protocol expectations. Administrators could promptly prevent users from accessing an unsafe application by blocking the associated ports and protocols. But blocking a web application that uses port 80 by closing the port would also block all other HTTP traffic.

Protection based on ports, protocols and IP addresses is no longer reliable or viable. This has led to the development of an identity-based security approach, which takes organizations a step ahead of conventional security appliances that bind security to IP addresses.

NGFWs offer administrators a deeper awareness of and control over individual applications, along with deeper inspection capabilities by the firewall. Administrators can create very granular “allow/deny” rules for controlling use of websites and applications in the network.

Sophos XG Firewall

The Sophos firewall product exists as both a software and a hardware offering.
You can run the engine on a VM or on hardware of Your choice, but You can also choose their own hardware firewalls, which use tried and tested components to make sure You get the most out of their firewall engine.

Sophos claims the XG Firewall offers the world’s best visibility, protection and response.

Their product is NSS Brand Recommended; what NSS Labs does is test security products from around the world, pretty much all security products as I saw on their website.

Gartner and the SC Awards also spoke highly of Sophos products. Sophos offers it as an ultimate firewall solution.

Enterprise protection where Visibility, Protection and Response are key
The Best Protection to Stop Unknown Threats Dead

IPS – Intrusion Prevention System with high performance to try and stop unknown threats. With SophosLabs Threat Intelligence integration, Sophos analyses and tries to stop zero-day threats before they get on Your network.

Performance to fully protect Your network

Extreme TLS inspection

Extremely Fast, Effective, and Transparent.

80% of the traffic passing through your firewall is encrypted. Most organizations are completely blind to this traffic. Why? Because TLS Inspection kills their firewall performance. But not anymore.

XG Firewall’s Xstream TLS Inspection solves this problem once and for all. You can now fully enable TLS Inspection without compromising on performance, protection, privacy, and the end user experience.

  • Native support for TLS 1.3 and all modern cipher suites
  • Powerful policy tools to balance privacy, protection, and performance
  • Unique at-a-glance visibility and one-click error handling via the Control Center
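To make the difference between port-based and application-aware filtering concrete (the point of the "Next-generation firewall vs. traditional firewall" section above), and to show the kind of decrypt-or-bypass decision a TLS inspection policy can take from the ClientHello alone, here is an added Python example. It is not Sophos code and says nothing about how XG Firewall or Xstream TLS Inspection is implemented. It builds a constructed TLS ClientHello carrying an SNI extension and a plaintext HTTP request, extracts the SNI host name or Host header, and compares a first-generation "close port 80/443" rule against an application-aware rule that denies only one hypothetical application (fileshare.example.test) while leaving the rest of HTTP and HTTPS open. The host names, the blocked-application set and the inspection-exemption set are assumptions made for the example.

```python
import struct

# Hypothetical policy data (assumptions for this example, not Sophos configuration)
BLOCKED_APPS = {"fileshare.example.test"}      # the one web application the admin wants stopped
INSPECTION_EXEMPT = {"bank.example.test"}      # privacy-sensitive site left encrypted end to end


def build_client_hello(server_name: str) -> bytes:
    """Build a minimal TLS ClientHello record with an SNI extension (constructed test input)."""
    host = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host        # name_type 0 = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list    # extension_type 0 = server_name
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (
        b"\x03\x03"                # legacy_version 0x0303 (TLS 1.3 ClientHellos carry this too)
        + b"\x00" * 32             # random (zeroed; constructed input)
        + b"\x00"                  # session_id length 0
        + b"\x00\x02\x13\x01"      # cipher_suites: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"              # compression_methods: null
        + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body         # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake   # ContentType handshake(22)


def extract_sni(record: bytes):
    """Return the SNI host_name from a TLS ClientHello record, or None if absent or malformed."""
    try:
        if record[0] != 0x16:
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if hs[0] != 0x01:
            return None
        body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        pos = 2 + 32                                                 # skip version and random
        pos += 1 + body[pos]                                         # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]         # cipher_suites
        pos += 1 + body[pos]                                         # compression_methods
        ext_end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= ext_end:
            ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            if ext_type == 0x0000:
                p = pos + 2                                          # skip server_name_list length
                name_type = body[p]
                name_len = struct.unpack("!H", body[p + 1:p + 3])[0]
                if name_type == 0:
                    return body[p + 3:p + 3 + name_len].decode("ascii")
            pos += ext_len
    except (IndexError, struct.error, UnicodeDecodeError):
        return None                                                  # truncated or malformed: no SNI
    return None


def extract_http_host(payload: bytes):
    """Return the Host header of a plaintext HTTP/1.x request (without port), or None."""
    head = payload.partition(b"\r\n\r\n")[0]
    lines = head.split(b"\r\n")
    if not lines[0].startswith((b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ")):
        return None
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            return value.strip().decode("ascii", "replace").split(":")[0]
    return None


def identify_application(payload: bytes):
    """Application-layer identification from the first client bytes: SNI for TLS, Host for HTTP."""
    return extract_sni(payload) if payload[:1] == b"\x16" else extract_http_host(payload)


def port_policy(dst_port: int) -> str:
    """First-generation rule: the only way to stop a web app is to close the web ports entirely."""
    return "deny" if dst_port in (80, 443) else "allow"


def app_policy(payload: bytes) -> str:
    """Application-aware rule: deny one named application, allow the rest of HTTP/HTTPS."""
    app = identify_application(payload)
    if app is None:
        return "deny"                     # unidentifiable traffic on web ports fails closed here
    return "deny" if app in BLOCKED_APPS else "allow"


def tls_inspection_action(payload: bytes) -> str:
    """Decrypt-or-bypass decision taken on the ClientHello, before any decryption happens."""
    sni = extract_sni(payload)
    if sni is None:
        return "bypass"                   # nothing to base a policy on; leave the flow alone
    return "bypass" if sni in INSPECTION_EXEMPT else "decrypt"


# Constructed sample flows: (destination port, first client payload)
SAMPLE_FLOWS = [
    (80, b"GET / HTTP/1.1\r\nHost: intranet.example.test\r\n\r\n"),
    (80, b"POST /upload HTTP/1.1\r\nHost: fileshare.example.test\r\n\r\n"),
    (443, build_client_hello("intranet.example.test")),
    (443, build_client_hello("fileshare.example.test")),
    (443, build_client_hello("bank.example.test")),
]


def evaluate(flows=SAMPLE_FLOWS):
    """Return (port, identified app, port-based verdict, application-aware verdict) per flow."""
    return [(port, identify_application(p), port_policy(port), app_policy(p)) for port, p in flows]


if __name__ == "__main__":
    for row in evaluate():
        print(row)
```

Running the block shows the port-based rule denying every flow on 80 and 443, while the application-aware rule denies only the two flows whose SNI or Host header names fileshare.example.test; tls_inspection_action() returns "bypass" for the exempt bank.example.test ClientHello and "decrypt" otherwise, which is the shape of the privacy-versus-protection trade-off the TLS inspection bullets describe.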

SD-WAN Evolved

Unprecedented clarity, connectivity, and control.

XG Firewall evolves SD-WAN with unique capabilities that provide unprecedented clarity and control over your connectivity needs.

Synchronized SD-WAN

Leverages the 100% application visibility and control that Synchronized Security provides to make reliable SD-WAN path selection and routing decisions.

SD-RED Branch Office Connectivity

Our zero-touch branch office edge devices make SD-WAN deployments simple, easy, and secure.

Flexible Connectivity Options

No other firewall offers as many modular and flexible connectivity solutions as XG Firewall, with a full range of wireless, cellular, copper, and fiber options.

Powerful Management and Seamless Scalability

Group Firewall Management
Central Firewall Reporting
Plug and Play High Availability

Designed to Fit Your Network

XG Firewall offers a powerful and modular line of hardware appliance models as well as software, virtual, and cloud deployment options to fit any network.

XG Series Appliances

XG Firewall offers a full range of top-performing hardware appliances with modular connectivity options for all your LAN, WAN, and wireless needs including Wi-Fi, cellular, copper, and fiber interfaces.

Software, Virtual, Cloud

XG Firewall is also available as a software appliance, supports all the popular virtualization platforms, and is available on both Azure and Amazon Web Services to protect and connect your public, private, and hybrid cloud networks.

Our unique zero-touch SD-RED edge devices make extending your secure network to remote and branch locations and industrial control system (ICS) devices simple and easy. Flexible SD-WAN and VPN connectivity options ensure you meet your WAN reliability and quality goals.

Hardware Offerings:

Sophos offers a diverse portfolio of hardware appliances running the Sophos XG Firewall product.
Depending on Your budget and needs, You can go from a small 500 euro appliance, one of the smallest, to bigger but still desktop-size modular units, or up to 1U or 2U rack units.

XG86 and XG 86w (with wireless module) are the cheapest and smallest of the firewall hardware Sophos offers.
XG125 and XG125w (with wireless) is a model I could imagine in my homelab, or in charge of protecting the whole home network, as my No.1 firewall appliance. Prices for the appliance-only unit I saw around 900 – 1000 U.S. Dollars.
XG 230 Rev 2: if money is not a problem 🙂, around 2000 euros appliance only, I would put this in my server rack without a doubt. Gigabit and beyond performance for nearly all applications *firewall, NGFW, IPsec VPN, IPS, threat protection* except Xstream SSL Decryption.

A brief comparison table

Product Highlights of Hardware Appliances

  • All features supported on every XG 1xx model and most on XG 86
  • Every model available with optional integrated 802.11ac Wi-Fi
  • 2nd power supply option for all XG 1xx models
  • Expansion bay on all XG 125/135 models for 3G/4G module
  • Optional 2nd Wi-Fi radio module on 135w model
  • SFP port, e.g. for optional DSL modem, on all XG 1xx appliances

Endpoint Management Product:
Intercept X Endpoint protection features:

Endpoint Detection and Response:

Intercept X detects and investigates suspicious activity with AI-driven analysis. Unlike other EDR tools, it adds expertise, not headcount, by replicating the skills of hard-to-find analysts.


Today’s ransomware attacks often combine multiple advanced techniques with real-time hacking. To minimize your risk of falling victim you need advanced protection that monitors and secures the whole attack chain. Sophos Intercept X gives you advanced protection technologies that disrupt the whole attack chain including deep learning that predictively prevents attacks, and CryptoGuard which rolls back the unauthorized encryption of files in seconds.

Deep Learning Technology

By integrating deep learning, an advanced form of machine learning, Intercept X is changing endpoint security from a reactive to a predictive approach to protect against both known and never-seen-before threats. While many products claim to use machine learning, not all machine learning is created equally. Deep learning has consistently outperformed other machine learning models for malware detection.

Exploit Prevention

Exploit prevention stops the techniques used in file-less, malware-less, and exploit-based attacks. While there are millions of pieces of malware in existence, and thousands of software vulnerabilities waiting to be exploited, there are only a handful of exploit techniques attackers rely on as part of the attack chain – and by taking away the key tools hackers love to use, Intercept X stops zero-day attacks before they can get started.

Managed Threat Response

Sophos Managed Threat Response (MTR) provides 24/7 threat hunting, detection, and response capabilities delivered by an expert team as a fully-managed service. Sophos MTR fuses machine learning technology and expert analysis for improved threat hunting and detection, deeper investigation of alerts, and targeted actions to eliminate threats with speed and precision. Unlike other services, the Sophos MTR team goes beyond simply notifying you of attacks or suspicious behaviors, and takes targeted actions on your behalf to neutralize even the most sophisticated and complex threats.

Active Adversary Mitigations

Intercept X uses a range of mitigations, including credential theft prevention, code cave utilization detection, and APC protection, against the techniques attackers use to gain a presence and remain undetected on victim networks. As attackers have increasingly focused on techniques beyond malware in order to move around systems and networks as a legitimate user, Intercept X detects and prevents this behavior in order to stop attackers from completing their mission.

Sophos’s Synchronized Security Product

Synchronized Security is the cybersecurity system where Sophos endpoint, network, mobile, Wi-Fi, email, and encryption products work together, sharing information in real time and responding automatically to incidents:

  • Isolate infected endpoints, blocking lateral movement
  • Restrict Wi-Fi for non-compliant mobile devices
  • Scan endpoints on detection of compromised mailboxes
  • Revoke encryption keys if a threat is detected
  • Identify all apps on the network

Everything is managed through a single, web-based management console, so you can see and control all your security in one place.

Author: viktormadarasz

IT OnSite Analyst for a big multinational company