Substituting XG Firewall for Sophos RED Devices

ProductsProduct NewsXG Firewall

With the tremendous interest in VPN connectivity and RED supply shortages, we have put together some important information here to help you respond to inquiries and enable customers to achieve their networking needs.

With the tremendous interest in VPN connectivity and RED supply shortages, we have put together some important information here for you to help you respond to inquiries and enable customers to achieve their networking needs.

RED Device inventory shortage:

As you may know, Sophos RED Devices are in low supply.  But the good news is that XG 86 and 106 models can be even better solutions, and in the case of the XG 86, it’s about the same price as a RED 15.

Substituting XG for RED:

  • While RED devices are in short supply, position an XG 86(w)/106(w) as a better replacement, especially if a split-tunnel is required. The price is about the same
  • The base license includes RED site-to-site VPN tunnel functionality and offers the same benefit of no recurring licensing fees in the future
  • Suggest Network Protection for Central Management, Zero-Touch Deployment, and Synchronized Security
  • Suggest Web Protection (or EnterpriseProtect Plus) for split tunnel deployments, which will offload security scanning from the main head-office firewall for all internet bound traffic – improving performance for both the remote site and the central firewall


XG 86 RED 15
RED Tunnels Yes Yes
Split Tunnels Yes with Security Yes – Not secured
Zero-Touch Yes via Sophos Central Yes via the Central XG Firewall
Base Price Very similar
EnterpriseProtect Small incremental cost/month Not Available

Key Advantages of XG vs RED:

In general, XG Firewall is better in split-tunnel applications like SOHO deployments. RED is ideal for industrial control systems and remote device monitoring and control.

  • Split Tunnel Protection – traffic routed directly to the internet can be secured
  • Central Management from Sophos Central – easy zero-touch deployment, status monitoring in Central, and group policy management
  • More flexible VPN options – in addition to RED tunnels, XG also supports standards-based VPN options including IPSec and SSL

Additional Details on Substituting XG for RED:

Sophos entry-level XG Series devices can work perfectly well as a RED device. RED site-to-site tunnels between XG Firewall devices work identically to the RED device tunnel.

XG Firewalls also support zero-touch deployment from Sophos Central (with the Network Protection License).  Although not quite as simple as a RED device, it is still possible to deploy an XG 86 or other model remotely without having to touch it from the head office.

For complete instructions click here.

And as you may know, an entry-level XG Firewall is a better solution than RED for split-tunnel deployments, where some portion of the traffic is routed directly to the internet. This is most often the case in small office or home office situations (SOHO). Unlike RED, XG Firewall can add protection subscriptions to secure and control the internet traffic – providing better protection in split-tunnel deployments. Where RED shines is with industrial control systems (ICS) or remote device monitoring and control, where a device needs to be securely connected back to a central monitoring, control, or processing center.

It is highly recommended that customers take advantage of the EnterpriseProtect Plus subscription on XG Firewall remote site deployments to get both Central Management (which requires Network Protection) and Web Protection for securing the split tunnel. The added cost is literally a few dollars per month. In this configuration, the remote site XG Firewalls will help improve performance of the central Firewall by providing much of the security scanning locally.  However, if the customer intends to backhaul all traffic through the RED tunnel and do all scanning on their Central Firewall, the base license is all they need.

XG Licenses and RED Functionality:

  • Customers do not need additional XG Firewall licenses for site-to-site RED tunnels between XG Firewall appliances – only the base license is required
  • Management of RED Devices from XG Firewall does require the Network Protection license
  • XG Firewalls can also use IPSec or SSL site-to-site tunnels which are also included in the base license if the customer prefers a standard-based VPN protocol
  • Network Protection is required on XG Firewalls to be managed from Sophos Central, including zero-touch deployment, and for Synchronized Security
  • Web Protection on an XG Firewall operating as a RED device is a wise choice to secure any split tunnel traffic

Remote access VPN:

There’s tremendous interest in using remote access VPN for employees working from home. XG Firewall supports two types of remote access VPN, both included as part of the Base License so all XG Firewall customers have access.

The Sophos Connect client provides an elegant and simple IPSec VPN client that is free. Customers can also opt to use SSL VPN for remote access with any commercial OpenVPN client of their choice.


There’s a recent article covering these VPN options on providing an excellent overview of the pros and cons of each as well as a variety of resources for customers to take advantage of to get up and running quickly.

This is a great resource for configuring the different VPN options on XG Firewall.

The XG Series Product Matrix has been updated to reflect the latest VPN metrics for each model you can use to set expectations for customers.