XG Firewall Features
Sophos XG Firewall
Base Firewall
Product Highlights
General Management
• Innovative next-gen firewall user experience with interactive control center and streamlined workflows
• Rich graphical interactive control center with traffic-light style indicators for important alerts
• Optimized 2-clicks-to-anywhere navigation*
• Firewall rule Control Center widget monitors firewall rule activity for business, user and network policies and tracks unused, disabled, changed and new policies
• Advanced troubleshooting tools in GUI (e.g. Packet Capture)
• New unified policy model enabling all business, user and network rules to be managed on a single screen with powerful filtering and search options
• Firewall rule templates for common business applications like Microsoft Exchange, SharePoint, Lync, and much more defined in XML enabling customization and sharing
• Policy natural language descriptions and at-a-glance policy enforcement indicators
• Custom IPS, Web, App, and Traffic Shaping (QoS) settings per user or network rule on a single screen
• Layer-8 user identity awareness across key areas of the firewall
• Sophos Security Heartbeat™ connecting Sophos Central managed endpoints with the Firewall to share health status and telemetry
• Policy support for Sophos Security Heartbeat to automatically isolate or limit network access to compromised systems
• User Threat Quotient for identifying risky users based on recent browsing behavior and ATP triggers
• Application Risk Meter provides an overall risk factor based on the risk level of applications on the network
• Discover Mode (TAP mode) for seamless integration for trials and PoCs
• Full-featured centralized management with Sophos Firewall Manager available as a hardware, software, or virtual appliance
• High Availability (HA) support clustering 2 devices in active-active or active-passive mode
• HA Support for dynamic addresses on WAN interfaces*
• Full command-line-interface (CLI) accessible from GUI
• Role-based administration
• Automated firmware update notification with easy automated update process and roll-back features
• Reusable system object definitions for networks, services, hosts, time periods, users and groups, clients and servers
• Self-service user portal
• Configuration change tracking
• Flexible device access control for services by zones
• Email or SNMP trap notification options
• SNMP and Netflow support
• Central management support from Sophos Firewall Manager or Sophos Cloud Firewall Manager
• Backup and restore configurations: locally, via FTP or email; on-demand, daily, weekly or monthly
• API for 3rd party integration
• Remote access option for Sophos Support
• Cloud-based license management via MySophos
• Deployment options include XG Series hardware appliances, Software or Virtual, and Microsoft Azure*
Firewall, Networking & Routing
• Stateful deep packet inspection firewall
• FastPath Packet Optimization
• User, network, or business application based firewall rules
• Access time policies per user/group
Base Traffic Shaping & Quotas
• Flexible network or user based traffic shaping (QoS) (enhanced Web and App traffic shaping options are included with the Web Protection Subscription)
• Set user-based traffic quotas on upload/download or total traffic and cyclical or non-cyclical
• Real-time VoIP optimization
• Enforce policy across zones, networks, or by service type
• Zone isolation and zone-based policy support
• Default zones for LAN, WAN, DMZ, LOCAL, VPN and WiFi
• Custom zones on LAN or DMZ
• Customizable NAT policies with IP masquerading
• Flood protection: DoS, DDoS and portscan blocking
• Country blocking by geo-IP with simple country and continent selections*
• Routing: static, multicast (PIM-SM) and dynamic (RIP, BGP, OSPF)
• Per-rule and policy based routing by source, destination, user/group or layer-4 service*
• Upstream proxy support
• Protocol independent multicast routing with IGMP snooping
• Bridging with STP support and ARP broadcast forwarding
• VLAN DHCP support and tagging
• Simultaneous DHCP Server and Relay support*
• Multiple bridge support
• WAN link balancing: multiple Internet connections, auto-link health check, automatic failover, automatic and weighted balancing and granular multipath rules
• Wireless WAN support (n/a in virtual deployments)
• 802.3ad interface link aggregation
• Full configuration of DNS, DHCP and NTP
Secure Wireless
• Simple plug-and-play deployment of Sophos wireless access points (APs), which automatically appear on the firewall control center
• Centrally monitor and manage all APs and wireless clients through the built-in wireless controller
• Bridge APs to LAN, VLAN, or a separate zone with client isolation options
• Multiple SSID support per radio including hidden SSIDs
• Support for the latest security and encryption including WPA2 Personal and Enterprise
• Support for IEEE 802.1X (RADIUS authentication)
• Support for 802.11r (fast transition)
• Hotspot support for (custom) vouchers, password of the day, or T&C acceptance
• Wireless guest Internet access with walled garden options
• Time-based wireless network access
• Wireless repeating and bridging meshed network mode with supported APs
• Automatic channel selection background optimization
• Support for HTTPS login
• Rogue AP detection
Authentication
• Transparent, proxy authentication (NTLM) or client authentication
• Dynamic DNS
• Authentication via: Active Directory, eDirectory, RADIUS, LDAP and TACACS+
• IPv6 support with tunnelling support including 6in4, 6to4, 4in6, and IPv6 rapid deployment (6rd) through IPSec
• Sophos Transparent Authentication Suite (STAS) server authentication agents for Active Directory SSO
• Client authentication agents for Windows, Mac OS X, Linux 32/64
• Authentication certificates for iOS and Android
Network Protection Subscription
• Single sign-on: Active Directory, eDirectory
Intrusion Prevention (IPS)
• Authentication services for IPSec, L2TP, PPTP, SSL
• Captive Portal
• Two factor authentication (one-time password support) for IPSec and SSL VPN, user portal, and Webadmin*
User Self-Serve Portal
• Download the Sophos Authentication Client
• Download SSL remote access client (Windows) and configuration files (other OS)
• Hotspot access information
• Change user name and password
• View personal internet usage
• Access quarantined messages (requires Email Protection)
• Set up two-factor authentication with QR Code*
Base VPN Options
• Site-to-site VPN: SSL, IPSec, 256-bit AES/3DES, PFS, RSA, X.509 certificates, pre-shared key
• L2TP and PPTP
• Remote access: SSL, IPsec, iPhone/iPad/Cisco/Android VPN client support
• SSL client for Windows & configuration download via user portal
IPSec Client (sold separately)
• Authentication: Pre-Shared Key (PSK), PKI (X.509), Smartcards, Token and XAUTH
• Encryption: AES (128/192/256), DES, 3DES (112/168), Blowfish, RSA (up to 2048 Bit), DH groups 1/2/5/14, MD5 and SHA-256/384/512
• Intelligent split-tunneling for optimum traffic routing
• NAT-traversal support
• Client-monitor for graphical overview of connection status
• Multilingual: German, English and French
• High-performance, next-gen IPS deep packet inspection engine with selective IPS patterns for maximum performance and protection
• Thousands of signatures
• Support for custom IPS signatures
• Flexible IPS policy deployment as part of any network or user policy with full customization
ATP and Security Heartbeat™
• Advanced Threat Protection (Detect and block network traffic attempting to contact command and control servers using multi-layered DNS, AFC, and firewall)
• Sophos Security Heartbeat™ instantly identifies compromised endpoints including the host, user, process, incident count, and time of compromise
• Sophos Security Heartbeat™ policies can limit access to network resources or completely isolate compromised systems until they are cleaned up
• Destination Security Heartbeat™ automatically protects healthy systems from connecting to compromised endpoints and servers*
• Block all traffic to or from non-managed devices and endpoints without a Sophos Security Heartbeat™*
Clientless VPN
• Sophos unique encrypted HTML5 self-service portal with support for RDP, HTTP, HTTPS, SSH, Telnet and VNC
Remote Ethernet Device (RED) VPN
• Central Management of all RED devices
• No configuration: Automatically connects through a cloud-based provisioning service
• Secure encrypted tunnel using digital X.509 certificates and AES256 encryption
• Virtual Ethernet for reliable transfer of all traffic between locations
• IP address management with centrally defined DHCP and DNS Server configuration
• Remotely de-authorize RED devices after a select period of inactivity
• Compression of tunnel traffic
• VLAN port configuration options (RED 50)
• Firewall-to-Firewall RED Tunnels*
Web Protection Subscription
Web Protection and Control
• Enterprise-grade Secure Web Gateway web policy engine with top-down execution and inheritance with flexible user/group policy definitions, customizable activities, block/warn/allow actions, and time-of-day and day-of-week constraints*
• High-performance fully transparent proxy for anti-malware and web-filtering
• Enhanced Advanced Threat Protection
• URL Filter database with millions of sites across 92 categories backed by SophosLabs
• Surfing quota time policies per user/group
• Access time policies per user/group
• Malware scanning: block all forms of viruses, web malware, trojans and spyware on HTTP/S, FTP and web-based email
• Advanced web malware protection with JavaScript emulation
• Live Protection real-time in-the-cloud lookups for the latest threat intelligence
• Second independent malware detection engine (Avira) for dual-scanning
• Real-time or batch mode scanning
• Pharming Protection
• HTTP and HTTPS scanning and enforcement on any network and user policy with fully customizable rules and exceptions
• SSL protocol tunnelling detection and enforcement
• Certificate validation
• High performance web content caching
• Forced caching for Sophos Endpoint updates
• File type filtering by mime-type, extension and active content types (e.g. ActiveX, applets, cookies, etc.)
Application Protection and Control
• Enhanced application control with signatures and Layer 7 patterns for thousands of applications
• Dynamic application identification utilizes the Synchronized Security Heartbeat™ link with the endpoint to determine apps responsible for generating unknown traffic on the network*
• Micro app discovery and control
• Application control based on category, characteristics (e.g. bandwidth and productivity consuming), technology (e.g. P2P) and risk level
• Per-user or network rule application control policy enforcement
Web & App Traffic Shaping
• Enhanced traffic shaping (QoS) options by web category or application to limit or guarantee upload/download or total traffic priority and bitrate individually or shared
Email Protection Subscription
Email Protection and Control
• Per-domain mail routing*
• Integrated MTA (Message Transfer Agent) to store-and-forward mail in the event servers are unavailable*
• E-mail scanning with SMTP, POP3, and IMAP support
• Reputation service with spam outbreak monitoring based on patented Recurrent-Pattern-Detection technology
• Block spam and malware during the SMTP transaction
• Second independent malware detection engine (Avira) for dual-scanning
• Live Protection real-time in-the-cloud lookups for the latest threat intelligence
• Automatic signature and pattern updates
• File-Type detection/blocking/scanning of attachments
• Accept, reject or drop over-sized messages
• YouTube for Schools enforcement
• Detects phishing URLs within e-mails
• SafeSearch enforcement
• Use pre-defined content scanning rules or create your own custom rules based on a variety of criteria
• Creative commons image search enforcement*
• Google Apps domain enforcement*
• Unscannable content handling options*
• Support for adding custom 3rd party URL databases*
• TLS Encryption support for SMTP, POP and IMAP
• Append signature automatically to all outbound messages
• Email archiver
Email Quarantine Management
• Spam quarantine digest and notification options
• Malware and spam quarantines with search and filter options by date, sender, recipient, subject, and reason with option to release and delete messages
• Self-serve user portal for viewing and releasing quarantined messages
• Skip individual checks in a granular fashion as required
• Match requests from source networks or specified target URLs
• Support for logical and/or operators
• Assists compatibility with various configurations and non-standard deployments
• Options to change WAF performance parameters
Email Encryption and DLP
• Patent-pending SPX encryption for one-way message encryption
• Scan size limit option
• Allow/Block IP ranges
• Recipient self-registration SPX password management
• Wildcard support for server paths
• SPX Reply Portal for recipients to reply to encrypted messages securely*
• Automatically append a prefix/suffix for authentication
• Add attachments to SPX secure replies
• Completely transparent, no additional software or client required
• DLP engine with automatic scanning of emails and attachments for sensitive data
• Pre-packaged sensitive data type content control lists (CCLs) for PII, PCI, HIPAA, and more, maintained by SophosLabs
Web Server Protection Subscription
Web Application Firewall Protection
Logging and Reporting
NOTE: individual log, report and widget availability depends on enabled software subscriptions.
• Hundreds of on-box reports with custom report options: Dashboards (Traffic, Security, and User Threat Quotient), Applications (App Risk, Blocked Apps, Search Engines, Web Servers, FTP), Network & Threats (IPS, ATP, Wireless, Security Heartbeat), VPN, Email, Compliance (HIPAA, GLBA, SOX, FISMA, PCI, NERC CIP v3, CIPA)
• Current Activity Monitoring: system health, live users, IPsec connections, remote users, live connections, wireless clients, quarantine, and DoS attacks
• Reverse proxy
• Report anonymization
• URL hardening engine with deep-linking and directory traversal prevention
• Report scheduling to multiple recipients by report group with flexible frequency options
• Form hardening engine
• Export reports as HTML, PDF, Excel (XLS)
• SQL injection protection
• Report bookmarks
• Cross-site scripting protection
• Full log viewer available from every screen that pops open in a new window*
• Dual-antivirus engines (Sophos & Avira)
• HTTPS (SSL) encryption offloading
• Cookie signing with digital signatures
• Path-based routing
• Outlook anywhere protocol support
• Reverse authentication (offloading) for form-based and basic authentication for server access
• Virtual server and physical server abstraction
• Integrated load balancer spreads visitors across multiple servers
• Customized log viewer refresh period and color coded log lines for easy troubleshooting*
• Log retention customization by category
XG Firewall Features by Subscription Summary
FullGuard (including Enhanced Support)
Features
(as listed above)
EnterpriseGuard (incl. Enhanced Support)
Base Firewall
General Management (incl. HA)
●
Firewall, Networking & Routing
●
Base Traffic Shaping & Quotas
●
Secure Wireless
●
Authentication
●
Self-Serve User Portal
●
Base VPN Options
IPSec Client
Network Protection
Web Protection
Email Protection
●
Sold separately
Intrusion Prevention (IPS)
●
ATP & Security Heartbeat™
●
Remote Ethernet Device (RED) VPN
●
Clientless VPN
●
Web Protection and Control
●
Application Protection and Control
●
Web and App Traffic Shaping
●
Email Protection and Control
●
Email Quarantine Management
●
Email Encryption and DLP
●
Web Application Firewall Protection
Logging and Reporting
Web Server Protection
●
●
●
●
●
●
* New in XG Firewall v16
© Copyright 2016. Sophos Ltd. All rights reserved.
Registered in England and Wales No. 2096520, The Pentagon, Abingdon Science Park, Abingdon, OX14 3YP, UK
Sophos is the registered trademark of Sophos Ltd. All other product and company names mentioned are
trademarks or registered trademarks of their respective owners.
16-07-18 FLNA (DD-2390)