Sophos XGS 3300 review: Xstream firewall performance

A powerful firewall appliance combining hardware acceleration with a vast array of security measures

Editor's Choice
A photograph of the Sophos XGS 3300
Price: £16,385 exc VAT (Appliance with 3-year Xstream Protection Bundle)

Pros
  • Easy to deploy
  • Dual CPU Xstream architecture
  • Superb range of security features
  • Smart Sophos Central integration

Cons
  • Online support could be more helpful

The XGS family of security appliances represent a radical shift in direction for Sophos as they take over from the older XG models and deliver a new dual processor architecture. Built around Xstream flow processors, they provide a hardware acceleration layer which Sophos reckons can realise a minimum two-fold performance boost over equivalent XG models by removing much of the workload from the main CPU.

This is no idle claim: the XGS 3300 we have on review boasts a massive firewall IMIX (internet mix) throughput of 24.5Gbits/sec, dropping to 13.4Gbits/sec with IPS enabled. By contrast, the XG 330 it replaces could only muster equivalent throughputs of 12.5Gbits/sec and 8.5Gbits/sec respectively.

Intel gets the elbow too, as the Xeon E3 v5 CPUs in the XG range have been replaced by AMD’s Ryzen Embedded V1000 series, sporting a 3.35GHz quad-core V1780B SoC (System on Chip). This is partnered by 16GB of DDR4 memory while firmware, log and report storage is handled by an internal 240GB SATA SSD.

Sophos XGS 3300 review: Licensing and deployment

Aimed at distributed edge deployments in large SMBs and mid-sized organisations, this 1U rack appliance presents eight copper and two SFP fibre Gigabit, plus dual SFP+ fibre 10GbE ports. It offers one Flexi expansion slot which accepts two-, four- and eight-port Gigabit and 10GbE modules, but be aware that it doesn’t support those from the older XG range.

Licensing has changed quite a bit too and you can customize features by choosing which protection modules you want. The Xstream bundle enables base firewall features including Xstream Network Flow FastPath along with TLS 1.3 and deep packet inspection, and adds the network, web and zero-day protection modules, central orchestration and enhanced 24/7 support. This doesn’t include the email and web server protection modules though, which are available as optional extras.

A screenshot of the Sophos XGS 3300 firewall reporting console

A dedicated management port is provided and we found initial deployment via the browser-based quick-start wizard to be swift. After insisting we secured administrative access, it helped us set up LAN and WAN port address assignments plus DHCP services, and prompted for an email address for alerting.

We chose routed mode, as we wanted the appliance to provide all security functions including firewalling. Protection starts immediately, with a base set of firewall security policies created for you which enable web filtering and anti-malware.

Sophos XGS 3300 review: Management services

The local web console opens with a very informative Control Center dashboard presenting a detailed overview of network activity, security issues, web traffic, detected network attacks plus blocked and allowed applications and web categories. The User and device Insights section is particularly useful as it provides active icons for functions such as zero-day protection. Clicking on these shows downloaded files that have been sent to the Sophos cloud sandbox for detonation and analysis to see whether they are safe to release.

If you have a Sophos Central account, you can manage the firewall remotely as well. It’s dead easy, too; after registering the XGS 3300 with our cloud account, we were able to view live reports from the portal and configure it using exactly the same console as the local one.

Sophos Central has another trick up its sleeve, and its endpoint agents can be brought under the firewall’s control with the Synchronized Security feature. This uses a heartbeat service to monitor endpoints running the Intercept X agent and if any are compromised, a firewall policy with a minimum heartbeat setting isolates all systems in the same zone. 

The SAC (synchronized application control) feature also works with this service, as it detects unknown applications and pushes out firewall policies to control them. Cloud apps get the same tough love: the dashboard insights section lists all those detected and you can classify each one as sanctioned or unsanctioned and apply a traffic shaping policy to control their use.

A screenshot of the Sophos XGS 3300 Control Centre

Sophos XGS 3300 review: Security and reporting

The XGS 3300 is highly versatile, and you can place its ports in different zones and apply custom security policies to each one. Policies contain firewall rules for sources and destinations, service filters, blocking actions and time schedules and you can apply custom policies for web filtering, IPS and application controls.

The new filtering option makes it easy to find a specific rule in the list, and firewall rule traffic counters for selected policies can now be reset to zero from the web console without having to reboot the appliance. You don’t need to change rule priorities in policies with drag and drop either, as they can be reordered directly from the policy drop-down menu.

There are plenty more security features to play with; web filtering offers 86 URL categories to block or allow while application controls currently provide 3,532 predefined apps. If you want Facebook gone from the workplace, you’ll be pleased to know Sophos provides 73 app categories covering every possible social activity. 

Reporting is a standard feature on all XGS models, with the web console providing a wealth of information on all things security related. The reports option in the web console’s side menu loads a variety of dashboards and graphs showing detected threats, malware and web content filtering activities. It also offers reports for key compliance standards, and all report content can be exported in PDF, HTML and CSV formats.

Sophos XGS 3300 review: Verdict

The XGS 3300 is easy to deploy, although the sheer range of security features may present new users with a steep learning curve for ongoing configuration. Sophos does provide copious online documentation and videos but it’s a lot to wade through and it still refers to the XG firewalls.

Overall though, the XGS 3300 is clearly a very powerful and well-endowed firewall appliance. The network ports and zones make it very versatile, the latest SFOS 18.5 software adds many features designed to ease management, and integration with Sophos Central allows it to extend its protection umbrella to remote workers.

Sophos XGS 3300 specifications

Chassis: 1U rack
CPU: 3.35GHz quad-core AMD Ryzen Embedded V1780B
Memory: 16GB DDR4
Storage: 240GB SATA SSD
Network: 8 x Gigabit copper, 2 x Gigabit SFP, 2 x 10GbE SFP+
Expansion: 1 x Flexi module slot
Other ports: 2 x USB 3, 1 x USB 2, RJ45 MGMT, COM, micro-USB
Power: Internal PSU, optional external redundant PSU
Management: Web browser, Sophos Central
Warranty: Included in subscription
