Sophos XGS 3300 review: Xstream firewall performance

The XGS family of security appliances represent a radical shift in direction for Sophos as they take over from the older XG models and deliver a new dual processor architecture. Built around Xstream flow processors, they provide a hardware acceleration layer which Sophos reckons can realise a minimum two-fold performance boost over equivalent XG models by removing much of the workload from the main CPU.

This is no idle claim: the XGS 3300 we have on review boasts a massive firewall IMIX (internet mix) throughput of 24.5Gbits/sec, dropping to 13.4Gbits/sec with IPS enabled. By contrast, the XG 330 it replaces could only muster equivalent throughputs of 12.5Gbits/sec and 8.5Gbits/sec respectively.

Intel gets the elbow too, as the Xeon E3 v5 CPUs in the XG range have been replaced by AMD’s Ryzen Embedded V1000 series, sporting a 3.35GHz quad-core V1780B SoC (System on Chip). This is partnered by 16GB of DDR4 memory while firmware, log and report storage is handled by an internal 240GB SATA SSD.

Sophos XGS 3300 review: Licensing and deployment

Aimed at distributed edge deployments in large SMBs and mid-sized organisations, this 1U rack appliance presents eight copper and two SFP fibre Gigabit, plus dual SFP+ fibre 10GbE ports. It offers one Flexi expansion slot which accepts two-, four- and eight-port Gigabit and 10GbE modules, but be aware that it doesn’t support those from the older XG range.

Licensing has changed quite a bit too and you can customize features by choosing which protection modules you want. The Xstream bundle enables base firewall features including Xstream Network Flow FastPath along with TLS 1.3 and deep packet inspection, and adds the network, web and zero-day protection modules, central orchestration and enhanced 24/7 support. This doesn’t include the email and web server protection modules though, which are available as optional extras.

A dedicated management port is provided and we found initial deployment via the browser-based quick-start wizard swift. After insisting we secured administrative access, it helped set up LAN and WAN port address assignments plus DHCP services and provide an email address for alerting.

We chose routed mode, as we wanted the appliance to provide all security functions including firewalling. Protection starts immediately, with a base set of firewall security policies created for you which enable web filtering and anti-malware.

Sophos XGS 3300 review: Management services

The local web console opens with a very informative Control Center dashboard presenting a detailed overview of network activity, security issues, web traffic, detected network attacks plus blocked and allowed applications and web categories. The User and device Insights section is particularly useful as it provides active icons for functions such as zero-day protection. Clicking on these shows downloaded files that have been sent to the Sophos cloud sandbox for detonation and analysis to see whether they are safe to release.

If you have a Sophos Central account, you can manage the firewall remotely as well. It’s dead easy, too; after registering the XGS 3300 with our cloud account, we were able to view live reports from the portal and configure it using exactly the same console as the local one.

Sophos Central has another trick up its sleeve, and its endpoint agents can be brought under the firewall’s control with the Synchronized Security feature. This uses a heartbeat service to monitor endpoints running the Intercept X agent and if any are compromised, a firewall policy with a minimum heartbeat setting isolates all systems in the same zone.

The SAC (synchronized application control) feature also works with this service, as it detects unknown applications and pushes out firewall policies to control them. Cloud apps get the same tough love: the dashboard insights section lists all those detected and you can classify each one as sanctioned or unsanctioned and apply a traffic shaping policy to control their use.

Sophos XGS 3300 review: Security and reporting

The XGS 3300 is highly versatile, and you can place its ports in different zones and apply custom security policies to each one. Policies contain firewall rules for sources and destinations, service filters, blocking actions and time schedules and you can apply custom policies for web filtering, IPS and application controls.

The new filtering option makes it easy to find a specific rule in the list and firewall rule traffic counters for selected policies can now be reset back to zero from the web console without having to reboot the appliance. You don’t need to change rule priorities in policies with drag and drop either, as they can be reordered directly from the policy drop down menu.

There are plenty more security features to play with; web filtering offers 86 URL categories to block or allow while application controls currently provide 3,532 predefined apps. If you want Facebook gone from the workplace, you’ll be pleased to know Sophos provides 73 app categories covering every possible social activity.

Reporting is a standard feature on all XGS models with the web console providing a wealth of information on all things security related. The reports option in the web console’s side menu loads a variety of dashboards and graphs showing detected threats, malware and web content filtering activities, offers reports for key compliance standards, and all their content can be exported in PDF, HTML and CSV formats.

Sophos XGS 3300 review: Verdict

The XGS 3300 is easy to deploy, although the sheer range of security features may present new users with a steep learning curve for ongoing configuration. Sophos does provide copious online documentation and videos but it’s a lot to wade through and it still refers to the XG firewalls.

Overall though, the XGS 3300 is clearly a very powerful and well-endowed firewall appliance. The network ports and zones make it very versatile, the latest SFOS 18.5 software adds many features designed to ease management, and integration with Sophos Central allows it to extend its protection umbrella to remote workers.

Sophos XGS 3300 specifications