XGS Series next-gen firewall appliances
Enterprise and campus edge: 2U models
Distributed and growing enterprises in need of maximum throughput for the most complex networks get the ultimate in protection, performance, and business continuity with these next-gen firewalls. Sophos Xstream Flow processors in XGS 2U appliances provide dedicated hardware acceleration to easily handle full-on protection for today’s encrypted, cloud-hosted applications and traffic.
XGS 2U firewalls strike the perfect balance between port density and modularity, with a range of high-speed, built-in ports. Additional high-density Flexi Port modules are available to extend connectivity even further. All 2U rackmount models are powered by a high-speed CPU plus an Xstream Flow processor for traffic acceleration.
Compare XGS 2U models
Scroll
XGS 5500
Performance
FIREWALL100,000 Mbps
TLS INSPECTION13,500 Mbps
FIREWALL IMIX52,000 Mbps
IPS40,000 Mbps
IPSEC VPN92,500 Mbps
NGFW38,000 Mbps
THREAT PROTECTION46,000 Mbps
LATENCY (64 BYTE UDP)5 µs
Connectivity
ETHERNET INTERFACES (FIXED) 8 x GE copper
8 x SFP+ 10 GE fiber*
MANAGEMENT INTERFACES 1 x RJ45 MGMT
1 x COM RJ45
1 x COM Micro-USB
BYPASS PORT PAIRS (FIXED) 2
OTHER I/O INTERFACES 2 x USB 3.0 (front)
MAX. PORT DENSITY (INCL. MODULES) 48
Modularity
FLEXI PORT SLOTS 2 + 1 for high-density module
FLEXI PORT MODULES (OPTIONAL) 8-port GE copper
8-port GE SFP fiber*
4-port 10 GE SFP+ fiber*
4-port GE copper bypass (2 pairs)
2-port 40 GE QSFP+ fiber*
8-port 10 GE SFP+ fiber*
2-port GE fiber (LC) bypass + 4-port GE SFP fiber
2-port 10 GE fiber (LC) bypass + 4-port 10 GE SFP+ fiber
High-density module: 12-port GE copper + 4-port 2.5 GE copper
OTHER OPTIONAL ADD-ON MODULES Transceivers
Redundancy
POWER SUPPLY 2 x hot-swap internal
DUAL SSD Included
HW RAID Built into CPU
* Transceivers sold separately
XGS 5500
Front
Back
XGS 6500
Performance
FIREWALL120,000 Mbps
TLS INSPECTION16,000 Mbps
FIREWALL IMIX60,000 Mbps
IPS50,750 Mbps
IPSEC VPN109,800 Mbps
NGFW46,500 Mbps
THREAT PROTECTION53,500 Mbps
LATENCY (64 BYTE UDP)5 µs
Connectivity
ETHERNET INTERFACES (FIXED) 8 x GE copper
12 x SFP+ 10 GE fiber*
MANAGEMENT INTERFACES 1 x RJ45 MGMT
1 x COM RJ45
1 x COM Micro-USB
BYPASS PORT PAIRS (FIXED) 2
OTHER I/O INTERFACES 2 x USB 3.0 (front)
MAX. PORT DENSITY (INCL. MODULES) 68
Modularity
FLEXI PORT SLOTS 2 + 2 for high-density modules
FLEXI PORT MODULES (OPTIONAL) 8-port GE copper
8-port GE SFP fiber*
4-port 10 GE SFP+ fiber*
4-port GE copper bypass (2 pairs)
2-port 40 GE QSFP+ fiber*
8-port 10 GE SFP+ fiber*
2-port GE fiber (LC) bypass + 4-port GE SFP fiber
2-port 10 GE fiber (LC) bypass + 4-port 10 GE SFP+ fiber
High-density module: 12-port GE copper + 4-port 2.5 GE copper
OTHER OPTIONAL ADD-ON MODULES Transceivers
Redundancy
POWER SUPPLY 2 x hot-swap internal
DUAL SSD Included
HW RAID built into CPU
* Transceivers sold separately
XGS 6500
Front
Back
XGS 7500
Performance
FIREWALL160,000 Mbps
TLS INSPECTION19,500 Mbps
FIREWALL IMIX70,500 Mbps
IPS71,500 Mbps
IPSEC VPN117,000 Mbps
NGFW58,000 Mbps
THREAT PROTECTION70,000 Mbps
LATENCY (64 BYTE UDP)5.4 µs
Connectivity
ETHERNET INTERFACES (FIXED) 8 x GE copper
12 x SFP+ 10 GE fiber*
2 x QSFP28 10/25/40 Gbps
MANAGEMENT INTERFACES 1 x RJ45 MGMT
1 x COM RJ45
1 x COM Micro-USB
BYPASS PORT PAIRS (FIXED) 2
OTHER I/O INTERFACES 2 x USB 3.0 (front)
MAX. PORT DENSITY (INCL. MODULES) 70
Modularity
FLEXI PORT SLOTS 2 + 2 for high-density modules
FLEXI PORT MODULES (OPTIONAL) 8-port GE copper
8-port GE SFP fiber*
4-port 10 GE SFP+ fiber*
4-port GE copper bypass (2 pairs)
2-port 40 GE QSFP+ fiber*
8-port 10 GE SFP+ fiber*
2-port GE fiber (LC) bypass + 4-port GE SFP fiber
2-port 10 GE fiber (LC) bypass + 4-port 10 GE SFP+ fiber
High-density module: 12-port GE copper + 4-port 2.5 GE copper
OTHER OPTIONAL ADD-ON MODULES Transceivers
Redundancy
POWER SUPPLY 2 x hot-swap internal
DUAL SSD Included
HW RAID built into CPU
NOTES: * Transceivers sold separately
XGS 7500
Front
Back
XGS 8500
Performance
FIREWALL190,000 Mbps
TLS INSPECTION24,000 Mbps
FIREWALL IMIX81,000 Mbps
IPS93,000 Mbps
IPSEC VPN141,000 Mbps
NGFW76,000 Mbps
THREAT PROTECTION92,500 Mbps
LATENCY (64 BYTE UDP)5.5 µs
Connectivity
ETHERNET INTERFACES (FIXED) 8 x GE copper
12 x SFP+ 10 GE fiber*
2 x QSFP28 10/25/40/50/100 GE
MANAGEMENT INTERFACES 1 x RJ45 MGMT
1 x COM RJ45
1 x COM Micro-USB
BYPASS PORT PAIRS (FIXED) 2
OTHER I/O INTERFACES 2 x USB 3.0 (front)
MAX. PORT DENSITY (INCL. MODULES) 70
Modularity
FLEXI PORT SLOTS 8-port GE copper
8-port GE SFP fiber*
4-port 10 GE SFP+ fiber*
4-port GE copper bypass (2 pairs)
2-port 40 GE QSFP+ fiber*
8-port 10 GE SFP+ fiber*
2-port GE fiber (LC) bypass + 4-port GE SFP fiber
2-port 10 GE fiber (LC) bypass + 4-port 10 GE SFP+ fiber
High-density module: 12-port GE copper + 4-port 2.5 GE copper
OTHER OPTIONAL ADD-ON MODULES Transceivers
Redundancy
POWER SUPPLY 2 x hot-swap internal
DUAL SSD Included
HW RAID built into CPU
* Transceivers sold separately
XGS 8500
Front
Back
Performance test methodology
General | Maximum throughput measured under ideal test conditions using industry-standard Keysight-Ixia BreakingPoint test tools. Actual performance may vary depending on network conditions and activated services |
Firewall | Measured using HTTP traffic and 512 KB response size |
Firewall IMIX | UDP throughput based on a combination of 66 byte, 570 byte, and 1518 byte packet sizes |
IPS | Measured using HTTP traffic, default IPS ruleset, and 512 KB object size |
IPsec VPN | HTTP throughput measured using multiple tunnels and 512 KB HTTP response size |
TLS inspection | Measured with IPS enabled on HTTPS sessions and different cipher suites |
Threat protection | Measured with firewall, IPS, application control, and malware prevention enabled using Enterprise Mix traffic |
Product highlights
- Engineered for no-compromise performance
- Dual-processor architecture with dedicated co-processor for enterprise-grade hardware acceleration
- High-performance Non-Volatile Memory Express (NVMe) SSDs for better compatibility and storage (XGS 7500/8500 only)
- Sufficient headroom to power all key threat protection features, such as TLS inspection, sandboxing, and AI-driven threat analysis
- Extremely competitive ROI per protected Mbps
- A range of standard 1 GE copper interfaces plus 8 to 12 SFP+ 10 GE fiber interfaces on every model
- QSFP28 interfaces on high-end models support port speeds of up to 40 Gbps (XGS 7500) and 100 Gbps (XGS 8500)
- Maximum port density of 48 (XGS 5500), 68 (XGS 6500), or 70 (XGS 7500/8500) using optional modules
- Redundancy features on all models to ensure business continuity
Accessories
Flexi Port modules
For all XGS 2U models
All 2U appliances come with two standard Flexi Port expansion bays plus one or two bays for the larger, high-density modules. These allow you to flexibly adapt your appliance to changes in your environment, workforce, or edge infrastructure that may require additional fiber ports or other connectivity adjustments. Flexi Port modules offer a cost-effective way to adapt your appliance rather than having to purchase new hardware mid-term, guaranteeing the best value over the lifetime of your firewall.
Transceivers
A list of compatible third-party transceivers can be found in our knowledge base article.
Redundancy
All of our 2U appliances come equipped with hot-swappable components to ensure maximum uptime:
- Dual SSDs
- Dual power supplies
Rackmount kits
All 2U rackmount appliances are supplied with rackmount sliding rails.
XGS Series 2U accessories matrix
Model | Redundant power | Redundant SSD | Flexi Port bays | Flexi Port modules | Rackmount kit |
|---|---|---|---|---|---|
XGS 5500 | Included | Included | 2 + 1 for | 8-port 1 GE copper | Sliding rails included |
XGS 6500 | Included | Included | 2 + 2 for | Sliding rails included | |
XGS 7500 | Included | Included | 2 + 2 for | Sliding rails included | |
XGS 8500 | Included | Included | 2 + 2 for | Sliding rails included |
Related products
XGS 2U Rackmount
No-compromise performance for the enterprise and campus edge
PERFORMANCE AND REDUNDANCY
- Enterprise-grade performance and hardware acceleration
- High-speed connectivity on board and via optional modules
- Built-in redundancy
Now viewing
XGS 1U Rackmount
Performance and versatile connectivity for midsize distributed organizations
POWER FOR THE DISTRIBUTED EDGE
- Dual-processor performance to accelerate traffic and apps
- Diverse range of high-speed interfaces built in plus flexible, add-on modules
- Redundant power options
XGS Desktop (Gen.2)
Best-in-class performance, protection, and power efficiency for SMBs and branch offices
THE ULTIMATE SMB FIREWALLS
- Industry-leading price-performance
- Power-saving operation
- Optional Wi-Fi 6 and 5G support on select models
- 2.5 GE and 10 GE SFP+ interfaces
- Redundant power options
XGS Desktop (Gen.1)
Our first-gen SMB and branch office firewalls with great connectivity at a great price
FLEXIBLE SMB FIREWALLS
- All-in-one security
- Optional Wi-Fi 5 on all models
- Modular, add-on connectivity options for Wi-Fi and 4G/5G
- Redundant power options
Sophos SD-RED
Plug-and-play security for smaller branch offices and remote sites
CLICK-AND-CONNECT EDGE DEVICES
- Extend security to branch offices and remote locations
- Simple, plug-and-play connectivity
- No technical staff required on site
- Managed via your Sophos Firewall
Sophos Wireless
Our scalable, cloud-managed Wi-Fi solution with support for the Wi-Fi 6/6E AP6 Series
SIMPLE, SECURE WIRELESS LAN
- Easy setup and management via Sophos Central
- Diverse options for guest access
- Integration with Sophos MDR/XDR or third-party solutions via API to block compromised hosts
Sophos Switch
Network access-layer switches to connect, power, and control at the LAN edge
CONNECT, POWER, AND CONTROL
- Sophos Central or local user interface management
- Power-over-Ethernet
- Integration with Sophos MDR/XDR or third-party solutions via API to block compromised hosts
Sophos ZTNA
Zero Trust Network Access to securely connect users to applications
SECURELY CONNECT YOUR USERS
- Micro-segmentation for better security
- Device-health-based policy control
- Single console management via Sophos Central
- Single agent with Sophos Endpoint