
What are the possibilities of XG Home firewall with limited hardware [THREAT PROTECTION, TLS INSPECTION]

What traffic can be handled in version 4 core, 6Gb RAM in relation to IPS/IDS?



  • Hi Mike,

    Thank you for reaching out to Sophos Community.

    Sophos Firewall Home will be able to handle the IPS.

    For the traffic, you may refer to the IPS signature categories and documentation.

    https://doc.sophos.com/nsg/sophos-firewall/19.5/help/en-us/webhelp/onlinehelp/AdministratorHelp/IntrusionPrevention/IPSPolicies/IPSCategoryDescriptions/index.html

    Erick Jan
    Community Support Engineer | Sophos Technical Support

  • The answer: it depends. I can only give you an example of RAM usage in a particular scenario. In a simple home network (read: home usage) with about 5-8 devices and all IPS rules enabled for all firewall rules, with TLS inspection on 3 devices, it uses around 4Gb of RAM. This is with most features enabled (app/web/IPS/TLS). Download speeds of 300 Gbps sustainable with no slowdown.

    As far as CPU, it depends even more.... In my performance history, the CPU usage never hovered above 25%, which is very good for what I have, a quad core Xeon (a 2.5GHz variant).

    What hardware do you have? What CPU? With a regular household there should be no issue, especially since Android/iOS devices will not be using TLS inspection anyways so you would only be using that for Windows/Linux devices mostly.

    Also, with the IPS, which uses most of the CPU, it can be tuned by selecting only the IPS rules that you need, such as a LAN to WAN, or WAN to LAN policy, etc. I hope this helps.

  • In summary, from my experience you will not run out of processing power or memory. I am currently using an XG 115W which has 4gb of RAM and usage never goes much above 80% before dropping to low 70s. The CPU is a little on the weaker side and cannot proceed my old 1000/50 internet link.

    I run dual stack with 40+ rules using a mix of proxy and SSL/TLS, though as Alan advises my Apple devices do not use SSL decrypt and scan. The devices are a mix of Apple, IoT and printers.

    If you are using a Xeon-based chip with about +3GHz speed you will not have any real issues.

    Ian

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA


  • The original poster did not say what hardware he has in mind, whether an SG/XG appliance, or otherwise. Hopefully he won't give up. The biggest drawback so far for the newest hardware is the lack of UEFI support from Sophos. So, the need to virtualize with a hypervisor is becoming greater all the time as the CPU in these firewall appliances becomes a bottleneck with the rise of faster and faster internet connections.

     I am currently using an XG 115W which has 4gb of RAM

    Have you considered upgrading your memory to 8 GB? There were a few posts about upgrading the RAM in the XG units. 

  • The XG115w is under a 3 year support licence, so upgrading memory is not an option. The box does not have sufficient processing power for a high performance link.

    There is a post that provides details on how to get around the UEFI issue without using a VM. The process is messy for a home user unless very experienced.

    Ian
