Sizing Guidelines

Sophos XG Firewall - XG Series Appliances

Sophos
! Firewall OS 15.01.1 Sizing Guide for XG Series appliances
 Three steps to specifying the right appliance model
This document provides a guideline for choosing the right Sophos XG Series appliance for your customer.
Specifying the right appliance is dependent on a number of factors and involves developing a usage profile for the
users and the network environment.
For best results we recommend using the following step-by-step procedure:

1.! Identify the “Total weighted User” Number

Understand the customer’s environment like browsing behavior, application usage, network and server
infrastructure to get an accurate understanding of the actual usage an XG Series appliance will see at peak
times.
2.! Make a first estimate
Based on the Total weighted User number.
3.! Check specific throughput requirements
Understand if any local factors like the maximum available internet uplink capacity will impact performance –
check this against Sophos XG Firewall throughput numbers and adjust the recommendation accordingly.

Of course, the best way to understand if an appliance will meet a customer’s needs is to test it in the customer
environment and with Sophos XG Firewall you can offer a free on-site evaluation of the selected unit.

1.!Identify the “Total Weighted User” number

Use the following table to first calculate the Total weighted User number that the appliance will need to handle.
a.! Calculate the Weighted User Count number. Identify the user category (Average/Advanced/Power) that best
fits the average user behavior of the users, or estimate how many users
fit each category. Use the criteria in table 1.2 to classify the type of users.
•! Enter the User Counts in table 1.1, multiply them with the indicated factor, enter the results into the
"Weighted User Count" boxes and sum it into the "Total Weighted User Count" box.
b.! Identify the System Load Number. Use the criteria using table 1.3 to classify the load.
•! Enter the System Load Number in the box "multiplied by System Load" in table 1.1, multiply it with the "Total
Weighted User Count" and enter the result into the "Total weighted Users" box.

Table 1.1

! User Count Multiplied by Weighted User Count

Standard user ! 1 !
Advanced Users ! 1.2 !
Power Users ! 1.5 !
Total User Count ! Total Weighted User Count !
! multiplied by System Load !
Total weighted Users !

Sophos
! Firewall OS 15.01.1 Sizing Guide for XG Series appliances
 1.2!User Category Criteria
Use the criteria described below to classify the type of users.

! Average user Advanced user (*1.2) Power user (*1.5)

Email usage (per 10h working day)

Number of received < 50 50 to 100 >100

emails in inbox
Data volume Few MBytes Multiple MBytes Numerous MBytes
Web usage (per 10h working day)
Data volume Few MBytes Multiple MBytes Numerous MBytes

Usage pattern Equally spread throughout Various peaks Many peaks

the day
Web applications used Mostly webmail / Heavy surfing, moderate Intensive surfing and
Google / news media transfer, business media transfers (schools,
applications universities)

VPN usage
VPN remote access usage Rarely – sporadically Several times per week – Every day – connected most
connected connected at regular times of the time

1.3!System Load Criteria

Identify any specific requirements that might increase the overall system load and hence the performance
requirements for the system.

! Average system usage Advanced system usage (*1.2) High system usage (*1.5)

Authentication
Active Directory in use No Yes Yes
FW/IPS/VPN usage

Variety of systems to No IPS protection required Mostly Windows PCs, Various Client Operating
be protected by IPS 1-2 servers systems, browsers and
multimedia apps, >2 servers
Email
Percentage of Spam <50% 50-90% >90%
Reporting

Report storage time Up to 1 month Up to 3 months >3 months (per URL)

and granularity web report only (per Up to 5 reports
requirement Domain) (per Domain)
Accounting storage No Up to 1 month >1 month
time on appliance

Sophos
! Firewall OS 15.01.1 Sizing Guide for XG Series appliances
 2.!Make a first estimate — using the calculated
“Total weighted User” number
Take the “Total weighted User” and make a first estimate for the required XG Series hardware appliance within the
following diagram:
!! Each line shows the range of users recommended when only using this single subscription.
!! Please ensure all numbers include users connected via VPN, RED and wireless APs.

Subscription Profile

Rule of thumb:
!! Estimate that using Wireless Protection or Webserver Protection with any of the profiles mentioned
above will decrease range by 5-10% each.

3.!Check for specific throughput requirements

Depending on the customer’s environment there might be specific throughput requirements driving an adjustment
of your first estimate to a higher (or even lower) unit.
These requirements are typically based on the following two factors:

The maximum available internet uplink capacity

The capacity of the customer’s internet connection (up- and downlink) should match the average throughput rate
that the selected unit is able to forward (depending on the subscriptions in use).
For instance if the download or upload limit is only 20 Mbps then there is no great benefit in using an XG 230
instead of an XG 210, even though the calculated total number of users is around 100. In that case even an XG 210
might be sufficient because it can perfectly fill the complete internet link even with all UTM features enabled.
However, data might not only be filtered on its way to the internet but also between internal network segments.
Hence consider internal traffic that traverses the firewall as well in this assessment.

Specific performance requirements based on customer experience or knowledge

If the customer knows their overall throughput requirements among all connected internal and external interfaces
(e.g. based on their past experience) then check whether the selected unit is able to meet these numbers.
For instance the customer might have several servers located within a DMZ and want to get all traffic to those
servers from all segments to be inspected by the IPS. Or the customer may have many different network
segments that should be protected against each other (by using the FW packet filter and/or
the Application Control feature). In this case consider that the unit must scan the complete internal traffic
between all segments.

!Sophos Firewall OS 15.01.1 Sizing Guide for XG Series appliances

 Further questions to ask in order to find out if there are any other performance requirements:

!! How many site-to-site VPN tunnels are required?

!! How many emails are being transferred per hour - on average/at peak times?
!! How much web traffic (Mbps and requests/s) is being generated - on average/at peak times?
!! How many web servers should be protected and how much traffic is expected - on average/at peak
times?

The following section provides detailed performance numbers to help determine whether the selected appliance
meets all individual requirements.

Sophos XG Series Hardware performance numbers

The following table provides performance numbers by traffic type measured within Sophos testing labs.
“Realworld” numbers represent throughput values achievable with a typical/real life traffic and protocol mix as
defined by NSS Labs. All “Realworld” numbers have been measured under a 50% CPU load only in order to leave
enough resources available for the system to process other tasks like GUI rendering, report generation and
viewing, pattern updates, etc.
These numbers might be more conservative than numbers measured for other systems or by
other testing labs & methods. Allocating 100% CPU resources to network traffic processing would
typically double the numbers provided – this is how NSS Labs performs testing and this is also
how SG Series we’re tested under UTM 9 for comparison.
Maximum numbers represent best throughput achievable under perfect conditions, e.g. using large packet sizes
with UDP traffic only at full CPU load.
Please note that none of these numbers are guaranteed as performance may vary in a real life customer scenario
based on user characteristics, application usage, security configurations and other factors. Hence these numbers
should only be used as a rough sizing guideline.

Small - Desktop

XG 85/w XG 105/w XG 115/w XG 125/w XG 135/w

Model rev.1 rev.2 rev.2 rev.2 rev.2

Performance Numbers

Firewall max. 1 (Mbps) 2,000 3,000 3,500 5,000 7,000

IPS max. 1 (Mbps) 510 700 900 1,040 1,750

IPS Realworld (Mbps)

2
75 86 103 180 232

Web Proxy – AV (Mbps) 330 430 520 590 1,400

Web Proxy – AV Realworld 2 (Mbps) 75 187 234 307 427

IPS + Web Proxy – AV Realworld (Mbps) 2

31 36 42 58 95

IPS + App Ctrl + WebFilter Realworld 2 (Mbps) 25 27 30 75 133

VPN AES max. 3 (Mbps) 200 300 350 410 950

VPN AES Realworld 2 (Mbps) 50 75 90 105 240

Maximum recommended connections

New TCP connections/sec 12,000 27,500 27,500 35,000 82,000

Concurrent TCP connections 2,000,000 3,200,000 6,000,000 6,200,000 8,200,000

Concurrent IPsec VPN tunnels 200 300 500 750 1000

Concurrent Access Points 5 10 20 30 40

Concurrent REDs (UTM/FW) 3 5/10 10/30 15/60 20/80 25/100

1.! 1518 byte packet size (UDP), default rule set
2.! Avg. of Data Center, Enterprise Perimeter,
Higher Education, European Mobile,
Financial Network protocol mixes at 50%
CPU Usage
3.! HTTP traffic
4.! UTM=Full content scanning of RED traffic on XG
appliance, FW=packet filtering only

Sophos
! Firewall OS 15.01.1 Sizing Guide for XG Series appliances
 Medium - 1U
XG 210 XG 230 XG 310 XG 330 XG 430 XG 450
Model rev.2 rev.1 rev.1 rev.1 rev.1 rev.1
Performance Numbers
Firewall max. 1 (Mbps) 14,000 25,000 30,000 37,000 45,000
IPS max. 1 (Mbps) 2,700 4,200 5,500 8,500 9,000 10,000
IPS Realworld 2 (Mbps) 309 361 539 733 893 1159
Web Proxy – AV (Mbps) 2,300 2,800 3,260 6,000 6,500 7,000
Web Proxy – AV Realworld 2 (Mbps) 538 670 1140 1220 1440 1690
IPS + Web Proxy – AV Realworld 2 102 107 207 242 372 463
(Mbps) 176 226 340 425 538 693
IPS + App Ctrl + WebFilter Realworld
2
(Mbps) 1,350 1,500 2,500 3,200 4,800 5,500
VPN AES max. 3 (Mbps)
VPN AES Realworld 2 (Mbps) 340 375 625 800 1200 1375
Maximum recommended connections
New TCP connections/sec 135,000 140,000 200,000 200,000 200,000 200,000
Concurrent TCP connections 8,200,000 8,200,000 17,500,000 17,500,000 20,000,000 20,000,000
Concurrent IPsec VPN tunnels 1300 1420 2488 3200 4800 5200
Concurrent Access Points 75 100 125 150 230
Concurrent REDs (UTM/FW) 4 30/125 40/150 50/200 60/230 70/250 80/300
!

Large - 2U
XG 550 XG 650 XG 750
Model rev.1 rev.1 rev.1
Performance Numbers
Firewall max. 1 (Mbps) 60,000 80,000 140,000
IPS max. 1 (Mbps) 17,000
IPS Realworld 2 (Mbps) 2160 3310 3970
Web Proxy – AV (Mbps) 10,000 13,000 17,000
Web Proxy – AV Realworld 2 (Mbps) 2480 3220 3870
IPS + Web Proxy – AV Realworld 2 808 1109 1330
IPS + App Ctrl + WebFilter Realworld 1190 1730 2070
VPN AES max. 3 (Mbps) 8,400 9,000 11,250
VPN AES Realworld 2 (Mbps) 2100 2250 2800
Maximum recommended connections
New TCP connections/sec 200,000 200,000 300,000
Concurrent TCP connections 20,000,000 20,000,000 30,000,000
Concurrent IPsec VPN tunnels 4000 4500 5400
Concurrent Access Points 300 400 500
Concurrent REDs (UTM/FW) 4 150/600 200/800
!

1.! 1518 byte packet size (UDP), default rule set
2.! Avg. of Data Center, Enterprise Perimeter,
Higher Education, European Mobile,
Financial Network traffic profiles at 50%
CPU Usage
3.! HTTP traffic
4.! UTM=Full content scanning of RED traffic on XG
appliance, FW=packet filtering only

Sophos
! Firewall OS 15.01.1 Sizing Guide for XG Series appliances
 Sophos XG Firewall Software/Virtual Appliances

Sophos XG Firewall Software/Virtual Appliances are licenses by numbers of (virtual) cores and (virtual) RAM size.
Licenses do not have to match exactly the number of available cores/RAM but will only activate the licensed
cores/RAM to be used in the Software.
While the Software/Virtual Appliances might be used on various CPU types with various speeds the performance
might vary significantly even if using the same number of cores/RAM size.
The following diagram provides a rough guidance of total weighted user ranges (according to the calculation in
chapter 1) recommended for each Software model.
Numbers are based on the following assumptions:
!! CPU speed = 2.5 GHz (higher speed can significantly increase throughput for most applications)
!! CPU Type = Core I (up to 6C8), Xeon (8C16 and above)

Rule of thumb:
!! Using Sophos XG Firewall in a virtual environment has an estimated ~10% performance / user number
decrease caused by the Hypervisor framework.

On-site evaluations
While the procedure explained above is a good foundation for selecting the most appropriate model, it is only
based on information received from the customer. There are many factors determining the behavior and
performance of an appliance which can only be evaluated in a real life scenario. Therefore, an on-site evaluation
within the customer’s environment is always the best way to determine whether the selected appliance meets the
actual performance requirements of the customer. For further assistance, staff within the Sophos pre-sales teams
are ready to assist you with sizing and in selecting the right platform.

United Kingdom and Worldwide Sales North American Sales Australia and New Zealand Sales Asia Sales
Tel: +44 (0)8447 671131 Toll Free: 1-866-866-2802 Tel: +61 2 9409 9100 Tel: +65 62244168
Email: [email protected] Email: [email protected] Email: [email protected] Email: [email protected]

Oxford, UK | Boston, USA

© Copyright 2015. Sophos Ltd. All rights reserved.
Registered in England and Wales No. 2096520, The Pentagon, Abingdon Science Park, Abingdon, OX14 3YP, UK Sophos
is the registered trademark of Sophos Ltd. All other product and company names mentioned are trademarks or
registered trademarks of their respective owners.

03.15.GH-RP.sgna.simple