XGS Series next-gen firewall appliances
Distributed edge: 1U rackmount models
Midsize and distributed organizations needing a versatile solution to power and protect their networks will be well-served with our 1U models. These rackmount firewalls offer excellent performance, a diverse range of high-speed built-in interfaces, and a choice of add-on connectivity modules. Whether your priority is ensuring maximum uptime for your SD-WAN links, securely connecting your remote users, or protecting the network in a growing organization, you can tailor them to your dynamic environment. All models are powered by a high-speed CPU plus a dedicated Xstream Flow processor for hardware acceleration.
Compare XGS 1U models
Scroll
XGS 2100
Performance
FIREWALL30,000 Mbps
TLS INSPECTION1,100 Mbps
FIREWALL IMIX16,500 Mbps
IPS6,000 Mbps
IPSEC VPN17,000 Mbps
NGFW5,200 Mbps
THREAT PROTECTION5,000 Mbps
LATENCY (64 BYTE UDP)6 µs
Connectivity
ETHERNET INTERFACES (FIXED) 8 x GE coppe
2 x SFP fiber*
BYPASS PORT PAIRS (FIXED) 1
MAX. PORT DENSITY (INCL. MODULES) 18
MANAGEMENT INTERFACES 1 x RJ45 MGMT
1 x COM RJ45
1 x COM Micro-USB
OTHER I/O INTERFACES 2 x USB 3.0 (front)
1 x USB 2.0 (rear)
MAX. POE (USING FLEXI PORT MODULE) 1 module: 4 ports, 60W max.
Modularity
FLEXI PORT SLOTS 1
OTHER OPTIONAL ADD-ON MODULES Transceivers
FLEXI PORT MODULES (OPTIONAL) 8-port GE copper
8-port GE SFP fiber*
4-port 10 GE SFP+ fiber*
4-port GE copper bypass (2 pairs)
4-port GE copper PoE + 4-port GE copper
4-port 2.5 GE copper PoE
2-port GE fiber (LC) bypass + 4-port GE SFP fiber
Redundancy
2ND POWER SUPPLY Optional external
DUAL SSD / RAID N/A
* Transceivers sold separately
XGS 2100
Front
Back
XGS 2300
Performance
FIREWALL39,000 Mbps
TLS INSPECTION1,450 Mbps
FIREWALL IMIX20,000 Mbps
IPS7,000 Mbps
IPSEC VPN20,500 Mbps
NGFW6,300 Mbps
THREAT PROTECTION5,500 Mbps
LATENCY (64 BYTE UDP)4 µs
Connectivity
ETHERNET INTERFACES (FIXED) 8 x GE copper
2 x SFP fiber*
BYPASS PORT PAIRS (FIXED) 1
MAX. PORT DENSITY (INCL. MODULES) 18
MANAGEMENT INTERFACES 1 x RJ45 MGMT
1 x COM RJ45
1 x COM Micro-USB
OTHER I/O INTERFACES 2 x USB 3.0 (front)
1 x USB 2.0 (rear)
MAX. POE (USING FLEXI PORT MODULE) 1 module: 4 ports, 60W max.
Modularity
FLEXI PORT SLOTS 1
OTHER OPTIONAL ADD-ON MODULES Transceivers
FLEXI PORT MODULES (OPTIONAL) 8-port GE copper
8-port GE SFP fiber*
4-port 10 GE SFP+ fiber*
4-port GE copper bypass (2 pairs)
4-port GE copper PoE + 4-port GE copper
4-port 2.5 GE copper PoE
2-port GE fiber (LC) bypass + 4-port GE SFP fiber
Redundancy
2ND POWER SUPPLY Optional external
DUAL SSD / RAID N/A
* Transceivers sold separately
XGS 2300
Front
Back
XGS 3100
Performance
FIREWALL47,000 Mbps
TLS INSPECTION2,470 Mbps
FIREWALL IMIX23,500 Mbps
IPS10,500 Mbps
IPSEC VPN25,000 Mbps
NGFW9,000 Mbps
THREAT PROTECTION7,400 Mbps
LATENCY (64 BYTE UDP)4 µs
Connectivity
ETHERNET INTERFACES (FIXED) 8 x GE copper
2 x SFP fiber*
2 x SFP+ 10 GE fiber*
BYPASS PORT PAIRS (FIXED) 1
MAX. PORT DENSITY (INCL. MODULES) 20
MANAGEMENT INTERFACES 1 x RJ45 MGMT
1 x COM RJ45
1 x COM Micro-USB
OTHER I/O INTERFACES 2 x USB 3.0 (front)
1 x USB 2.0 (rear)
MAX. POE (USING FLEXI PORT MODULE) 1 module: 4 ports, 60W max.
Modularity
FLEXI PORT SLOTS 1
OTHER OPTIONAL ADD-ON MODULES Transceivers
FLEXI PORT MODULES (OPTIONAL) 8-port GE copper
8-port GE SFP fiber*
4-port 10 GE SFP+ fiber*
4-port GE copper bypass (2 pairs)
4-port GE copper PoE + 4-port GE copper
4-port 2.5 GE copper PoE
2-port GE fiber (LC) bypass + 4-port GE SFP fiber
Redundancy
2ND POWER SUPPLY Optional external
DUAL SSD / RAID N/A
* Transceivers sold separately
XGS 3100
Front
Back
XGS 3300
Performance
FIREWALL58,000 Mbps
TLS INSPECTION3,130 Mbps
FIREWALL IMIX27,000 Mbps
IPS14,000 Mbps
IPSEC VPN31,100 Mbps
NGFW12,500 Mbps
THREAT PROTECTION10,000 Mbps
LATENCY (64 BYTE UDP)4 µs
Connectivity
ETHERNET INTERFACES (FIXED) 8 x GE copper
2 x SFP fiber*
2 x SFP+ 10 GE fiber*
BYPASS PORT PAIRS (FIXED) 1
MAX. PORT DENSITY (INCL. MODULES) 20
MANAGEMENT INTERFACES 1 x RJ45 MGMT
1 x COM RJ45
1 x COM Micro-USB
OTHER I/O INTERFACES 2 x USB 3.0 (front)
1 x USB 2.0 (rear)
MAX. POE (USING FLEXI PORT MODULE) 1 module: 4 ports, 60W max.
Modularity
FLEXI PORT SLOTS 1
OTHER OPTIONAL ADD-ON MODULES Transceivers
FLEXI PORT MODULES (OPTIONAL) 8-port GE copper
8-port GE SFP fiber*
4-port 10 GE SFP+ fiber*
4-port GE copper bypass (2 pairs)
4-port GE copper PoE + 4-port GE copper
4-port 2.5 GE copper PoE
2-port GE fiber (LC) bypass + 4-port GE SFP fiber
Redundancy
2ND POWER SUPPLY Optional external
DUAL SSD / RAID N/A
* Transceivers sold separately
XGS 3300
Front
Back
XGS 4300
Performance
FIREWALL75,000 Mbps
TLS INSPECTION8,000 Mbps
FIREWALL IMIX33,000 Mbps
IPS29,500 Mbps
IPSEC VPN62,500 Mbps
NGFW23,000 Mbps
THREAT PROTECTION25,200 Mbps
LATENCY (64 BYTE UDP)3 µs
Connectivity
ETHERNET INTERFACES (FIXED) 4 x GE copper
4 x 2.5 GE copper
4 x SFP+ 10 GE fiber*
BYPASS PORT PAIRS (FIXED) 2
MAX. PORT DENSITY (INCL. MODULES) 28
MANAGEMENT INTERFACES 1 x RJ45 MGMT
1 x COM RJ45
1 x COM Micro-USB
OTHER I/O INTERFACES 2 x USB 3.0 (front)
MAX. POE (USING FLEXI PORT MODULE) 2 modules: 4 ports, 60W max. per module
Modularity
FLEXI PORT SLOTS 2
OTHER OPTIONAL ADD-ON MODULES Transceivers
FLEXI PORT MODULES (OPTIONAL) 8-port GE copper
8-port GE SFP fiber*
4-port 10 GE SFP+ fiber*
4-port GE copper bypass (2 pairs)
4-port GE copper PoE + 4-port GE copper
4-port 2.5 GE copper PoE
2-port GE fiber (LC) bypass + 4-port GE SFP fiber
Redundancy
2ND POWER SUPPLY Optional external
DUAL SSD / RAID N/A
* Transceivers sold separately
XGS 4300
Front
Back
XGS 4500
Performance
FIREWALL80,000 Mbps
TLS INSPECTION10,600 Mbps
FIREWALL IMIX37,000 Mbps
IPS36,500 Mbps
IPSEC VPN75,550 Mbps
NGFW30,000 Mbps
THREAT PROTECTION31,850 Mbps
LATENCY (64 BYTE UDP)4 µs
Connectivity
ETHERNET INTERFACES (FIXED) 4 x GE copper
4 x 2.5 GE copper
4 x SFP+ 10 GE fiber*
BYPASS PORT PAIRS (FIXED) 2
MAX. PORT DENSITY (INCL. MODULES) 28
MANAGEMENT INTERFACES 1 x RJ45 MGMT
1 x COM RJ45
1 x COM Micro-USB
OTHER I/O INTERFACES 2 x USB 3.0 (front)
MAX. POE (USING FLEXI PORT MODULE) 2 modules: 4 ports, 60W max. per module
Modularity
FLEXI PORT SLOTS 2
OTHER OPTIONAL ADD-ON MODULES Transceivers
FLEXI PORT MODULES (OPTIONAL) 8-port GE copper
8-port GE SFP fiber*
4 port 10 GE SFP+ fiber*
4-port GE copper bypass (2 pairs)
4-port GE copper PoE + 4-port GE copper
4-port 2.5 GE copper PoE
2-port GE fiber (LC) bypass + 4-port GE SFP fiber
Redundancy
2ND POWER SUPPLY Optional internal
DUAL SSD / RAID Included
SW RAID-1 support
* Transceivers sold separately
XGS 4500
Front
Back
Performance test methodology
|
General |
Maximum throughput measured under ideal test conditions using industry-standard Keysight-Ixia BreakingPoint test tools. Actual performance may vary depending on network conditions and activated services |
|
Firewall |
Measured using HTTP traffic and 512 KB response size |
|
Firewall IMIX |
UDP throughput based on a combination of 66 byte, 570 byte, and 1518 byte packet sizes |
|
IPS |
UDP throughput based on a combination of 66 byte, 570 byte, and 1518 byte packet sizes |
|
IPsec VPN |
HTTP throughput measured using multiple tunnels and 512 KB HTTP response size |
|
TLS inspection |
Measured with IPS enabled on HTTPS sessions and different cipher suites |
|
Threat Protection |
Measured with firewall, IPS, application control, and malware prevention enabled using Enterprise Mix traffic |
Product highlights
- Dual-processor architecture supports all key protection features without compromising performance
- A wide selection of copper and fiber ports plus various management interfaces are built into every model
- Fixed LAN bypass ports are on every model to support diverse deployment scenarios
- Modular Flexi Port expansion bay(s) on every model allow you to adapt connectivity
- A second power supply is optional for all models
- Optional PoE Flexi Port modules are centrally powered and benefit from power redundancy when using the second power option
- Rackmount kit is included
Accessories
Flexi Port modules
For all XGS 1U models
Our 1U models come with one or more expansion bays to flexibly add to the diverse range of built-in interfaces on every box. Changes in your environment, workforce, or edge infrastructure may require additional fiber ports or a change in your connectivity. With Flexi Port modules, you have a cost-effective way to adapt your appliance, rather than having to purchase new hardware mid-term.
Transceivers
Sophos offers a range of transceivers to use in the SFP and SFP+ interfaces on your appliance or Flexi port module.
A list of compatible third-party transceivers can be found in our knowledge base article.
External redundant power supply
For XGS 2xxx, 3xxx, 4300
All of our 1U models offer an optional second power supply for redundancy. The external power supply can be connected to the rear of the appliance.
When using this power supply with either the XGS 2100 or 2300, we suggest that you purchase rackmount rails (rather than using the rackmount ears supplied) for a more stable deployment in your data center.
Internal redundant power supply
For XGS 4500 only
The second power supply for the XGS 4500 provides a simple way to add redundancy to our most powerful 1U unit.
For added reliability, the XGS 4500 also offers a second integrated SSD (RAID).
Showing model XGS 4300
XGS Series 1U accessories matrix
| Model | Redundant power | Redundant SSD | Flexi Port bays | Flexi Port modules | Rackmount kit |
|---|---|---|---|---|---|
| XGS 2100 | Optional external | N/A | 1 |
8-port 1 GE copper 8-port 1 GE SFP 4-port 10 GE SFP+ 4-port 1 GE copper bypass 4-port 1 GE copper PoE + 4-port 1G copper 4-port 2.5 GE copper PoE 2-port GE fiber (LC) bypass + 4-port GE SFP fiber |
Rackmount ears incl. Optional sliding rails |
| XGS 2300 | Optional external | N/A | 1 | Rackmount ears incl. Optional sliding rails |
|
| XGS 3100 | Optional external | N/A | 1 | Rackmount ears incl. Optional sliding rails |
|
| XGS 3300 | Optional external | N/A | 1 | Rackmount ears incl. Optional sliding rails |
|
| XGS 4300 | Optional external | N/A | 2 | Sliding rails included | |
| XGS 4500 | Optional internal | Included | 2 | Sliding rails included |
Related products
XGS 1U Rackmount
Performance and versatile connectivity for midsize distributed organizations
POWER FOR THE DISTRIBUTED EDGE
- Dual-processor performance to accelerate traffic and apps
- Diverse range of high-speed interfaces built in plus flexible, add-on modules
- Redundant power options
Now viewing
XGS 2U Rackmount
No-compromise performance for the enterprise and campus edge
PERFORMANCE AND REDUNDANCY
- Enterprise-grade performance and hardware acceleration
- High-speed connectivity on board and via optional modules
- Built-in redundancy
XGS Desktop (Gen.2)
Best-in-class performance, protection, and power efficiency for SMBs and branch offices
THE ULTIMATE SMB FIREWALLS
- Industry-leading price-performance
- Power-saving operation
- Optional Wi-Fi 6 and 5G support on select models
- 2.5 GE and 10 GE SFP+ interfaces
- Redundant power options
XGS Desktop (Gen.1)
Our first-gen SMB and branch office firewalls with great connectivity at a great price
FLEXIBLE SMB FIREWALLS
- All-in-one security
- Optional Wi-Fi 5 on all models
- Modular, add-on connectivity options for Wi-Fi and 4G/5G
- Redundant power options
Sophos SD-RED
Plug-and-play security for smaller branch offices and remote sites
CLICK-AND-CONNECT EDGE DEVICES
- Extend security to branch offices and remote locations
- Simple, plug-and-play connectivity
- No technical staff required on site
- Managed via your Sophos Firewall
Sophos Wireless
Our scalable, cloud-managed Wi-Fi solution with support for the Wi-Fi 6/6E AP6 Series
SIMPLE, SECURE WIRELESS LAN
- Easy setup and management via Sophos Central
- Diverse options for guest access
- Integration with Sophos MDR/XDR or third-party solutions via API to block compromised hosts
Sophos Switch
Network access-layer switches to connect, power, and control at the LAN edge
CONNECT, POWER, AND CONTROL
- Sophos Central or local user interface management
- Power-over-Ethernet
- Integration with Sophos MDR/XDR or third-party solutions via API to block compromised hosts
Sophos ZTNA
Zero Trust Network Access to securely connect users to applications
SECURELY CONNECT YOUR USERS
- Micro-segmentation for better security
- Device-health-based policy control
- Single console management via Sophos Central
- Single agent with Sophos Endpoint