The following sections are covered:
Applies to the following Sophos products and versions: Sophos Web Appliance
Please note that Sophos highly recommends speaking with our Professional Services team to understand how they are able to assist and to ensure a successful migration, leveraging the team's trained experts. We also strongly recommend following industry-standard migration best-practice principles.
The following information covers key areas to consider when planning a migration to XG Firewall Web Protection.
Information on how to implement Web Protection on XG Firewall can be found here:
Sophos XG Firewall: How to implement Web Protection
Demonstration videos can be found here:
Web and App Control
XG Firewall comes in a wider range of device sizes than Sophos Web Appliance. Methods of filtering or traffic interception may also require different numbers of devices or locations. Discuss your requirements with Sophos or with your partner to determine the best alternative.
Customers using virtual Web appliances will have to purchase appropriate XG Firewall virtual appliance licenses. XG Firewall is licensed based on the quantity of memory or CPUs supported. Subscriptions for Web Protection and Network Protection are based on the number and size of virtual appliances licensed. Discuss your requirements with Sophos or with your partner to determine the best alternative.
XG Firewall virtual appliances support a wider range of hypervisor platforms and can be run on Amazon AWS or Microsoft Azure IaaS platforms.
Sophos Web Appliance is licensed by the number of users, regardless of how many physical or virtual appliances are required to protect them. XG Firewall is licensed based on a subscription for each device required.
To replicate the functionality of SWA, customers should at least purchase a Web Protection subscription for their XG Firewall devices. Customers using Sandstorm should also purchase an XG Firewall Sandstorm subscription. A Network Protection subscription is also recommended, particularly if you want to use App Control policies or if you are using Sophos Central endpoint products and want to take advantage of Synchronized Security features.
For most customers, the best way to acquire the correct subscriptions would be to purchase an EnterpriseGuard Plus license package. Customers who don’t wish to benefit from Sandstorm could buy the regular EnterpriseGuard subscription.
Purchasing an EnterpriseProtect package includes the hardware and subscription.
As a special offer to Web Appliance customers upgrading to XG Firewall, Sophos is offering free hardware for customers who purchase a three-year EnterpriseProtect package. (TBC)
Sophos Management Appliance, either a physical SM2000 or SM5000 device, or a virtual appliance, provides centralized management and reporting functionality for multiple Sophos Web Appliances.
Equivalent functionality for XG Firewall is delivered in Sophos Central. Firewall Management in Central allows you to remotely manage and share configuration between multiple firewalls. Central Firewall Reporting provides the ability to view web traffic reports across all your XG Firewall estate.
Sophos Management Appliance also provides load balancing capabilities to allow multiple Sophos Web Appliances to be used together to share the load of scanning a network’s traffic. For situations where capacity or fault tolerance demands it, XG Firewall offers high availability operation where two firewalls can operate side-by-side in an Active-Passive or Active-Active configuration.
In general, XG Firewall provides better and more flexible protection than the Web Appliance. As web protocols and threats develop, XG Firewall will be better able to continue protecting users. However, some features supported by Sophos Web Appliance are not available in XG Firewall at this time.
WCCP is a protocol supported by Cisco to enable their network-edge devices to redirect outbound web traffic to a web proxy. Because the Sophos Web Appliance is not a network-edge device, this protocol is relied on by some customers. It also provides load-balancing capabilities to allow multiple Web Appliances to be used for high-volume connections.
We recommend that customers using WCCP consider using XG Firewall inline with their network-edge devices. XG Firewall offers models with higher capacity than SWA and provides its own high availability (HA) functionality to ensure continued network traffic service.
Sophos Web Appliance can integrate with the legacy Sophos Endpoint product (managed by Sophos Enterprise Console) to allow Endpoint devices to enforce web policies and continue reporting on web usage when outside the corporate network.
Sophos Endpoint products all provide protection for malicious content in web traffic, so users will continue to be protected.
Sophos Central Endpoint provides a built-in Web Control capability that has some basic Web category policy features and raises alerts in the event of policy violations.
There are currently no features available on XG Firewall or Central Endpoint to synchronize policies or to generate full web traffic reports on endpoint-filtered browsing. Sophos plans to continue enhancing the Web Control functionality in Central Endpoint and to provide further integration with XG Firewall as part of the Synchronized Security feature set.
Customers who depend on synchronized endpoint web filtering and reporting should consider delaying migration until more of this functionality is available.
Sophos Web Appliance can currently authenticate individual proxy connections, so that traffic from multi-user systems like Windows Terminal Services or DirectAccess can be identified to the appropriate user.
XG Firewall uses a different mechanism for supporting Terminal Services – Sophos Authentication for Thin Clients (SATC) is a software agent that runs on the Terminal Services server and transparently provides user identity information to the XG Firewall.
XG Firewall cannot currently support other multi-user systems. This functionality is planned for an upcoming release.
Sophos Web Appliance can add an X-Forwarded-For header to outbound HTTP traffic to let downstream devices, such as load balancers or traffic shapers, know the original IP address from which the web request originated. XG Firewall does not currently have this capability, but we do plan to add it in a future release. However, because the header can only be applied to plain HTTP traffic and not to encrypted HTTPS, its value as an indicator is limited with modern traffic patterns. Alternative solutions, such as the ability of XG Firewall to preserve the original source IP address on transparently filtered traffic, or using XG Firewall's own traffic shaping capabilities, should be considered.
At present, XG Firewall only supports a single upstream proxy configuration that is used for all traffic.
XG Firewall does not offer a direct equivalent to the device-based authentication profiles that allow you to configure different authentication methods for different end-user device types. XG does offer some different options for SSO-style user authentication, such as Sophos Transparent Authentication Suite that monitors AD logs and queries Windows endpoints directly for logged-on user information. Support for authentication methods in devices and browsers is also more advanced and many of the differences that made this feature necessary may no longer apply.