FAQs for Sophos SG UTM customers about the XG Firewall


Many of you may have questions about the XG Firewall and what it means for you. Rest assured, we’ve been thinking a lot about our Sophos SG UTM customers, and we’ve put together this FAQ to help answer any questions you might have.

What is the difference between SG and XG?

Sophos SG Series appliances with UTM 9 firmware are our leading and award-winning Unified Threat Management (UTM) platform. Sophos UTM has a long and successful history that extends back several years. We will continue to develop and support this platform. You can learn more about Sophos UTM 9 and the SG Series and what makes it so great here.

Sophos XG Firewall is our new firewall platform that combines some of the great technology from UTM 9 with a variety of new technology, including support for the new Sophos Security Heartbeat™, a new user interface, improved user-based policies and reporting, and much more. It comes pre-installed on XG Series appliances, but you can also upgrade your SG Series appliances (more on that below).

You can learn more about Sophos XG Firewall here.

What’s the difference between the SG Series and XG Series hardware appliances?

They are identical except that SG Series appliances come pre-installed with UTM 9 firmware while XG Series appliances come pre-installed with XG Firewall firmware.

Can I migrate from SG UTM to the new XG Firewall?

Yes. As a Sophos SG UTM customer with a valid license, you are entitled to migrate to XG Firewall when the timing is right for you. We strongly urge customers to be patient and wait for the automated migration tools for the best migration experience.

As an existing SG UTM customer wishing to upgrade, what should I do?

We suggest all SG UTM customers spend some time familiarizing themselves with the new XG Firewall using the free trial option while patiently awaiting the migration tools to make the transition as seamless as possible.

Do I have to migrate from SG UTM to XG Firewall?

No. While we are confident that most Sophos SG UTM customers will want to take advantage of many of the great new features and benefits of XG Firewall over time, there is certainly no rush, and you don’t have to migrate if you don’t want to.

Will you continue to develop and support UTM 9?

Yes. You are probably already enjoying the great new features of UTM Elevated 9.4, and the Sophos UTM 9 platform will see continued development and support, with a couple of new releases already in the planning stages.

Will the new XG Firewall firmware run on my existing hardware or virtual environment?

Sophos XG Firewall runs perfectly on all Sophos SG Series hardware appliances, as well as the same Intel-compatible hardware and the same virtual environments as UTM 9. XG Firewall is not currently compatible with Amazon Web Services, but we plan to add support for AWS and Azure cloud deployments soon.

Customers with UTM Series or ASG Series hardware (prior to the SG Series) interested in migrating to XG Firewall should talk to their Sophos Partner about doing a hardware refresh to one of the XG Series appliances that come pre-installed with XG Firewall.

When can I migrate from SG UTM to XG Firewall?

We strongly recommend that customers wait until the migration tools are available for a smooth migration. We recommend working with your preferred Sophos Partner to plan your migration when the time is right.

Is there a license fee associated with migrating?

No. Sophos is pleased to switch your license from SG UTM to XG Firewall at no extra charge. Your license will be changed over automatically when you choose to migrate.

What are the various migration options and timelines?

To make migration as smooth as possible, we are developing a series of migration tools that will simplify and automate much of the migration process. Keep an eye on this site for migration news, tools and help, or contact your Sophos Partner.

Here are the migration options and timelines:

Manual Migration: While we strongly encourage existing customers to wait until the automated migration tools are available, early adopters who wish to migrate to XG Firewall sooner can do a manual migration. There will be no migration tools available during this phase so you will be setting up and configuring your XG Firewall from a fresh install.

Automated Migration: This is in planning and we anticipate being able to offer beta migration tools in early 2017 to enable automated migration. We’ll update this site with the latest news on the availability of automated migration tools.

Are there SG UTM features I need that are not in XG Firewall?

There are currently a few feature gaps you should be aware of, but some of these will be addressed in the upcoming release of XG Firewall v16 (noted below).

Here are the most significant initial feature gaps today:

  • Multi-node clustering of three or more appliances is not supported initially
    (two appliance clustering for Active-Active or Active-Passive is supported)
  • Clustering of “w” (integrated wireless) models is not supported initially
  • Site-to-Site RED Tunnels are not supported initially (addressed in v16)
    (RED devices are fully supported in XG Firewall, but RED tunnels between firewalls are not yet supported)
  • A couple of Advanced Web Protection features are not supported initially, including block page override using a password and category-based quota time policies (global quotas are supported)
  • Two-Factor Authentication is not supported initially (addressed in v16)
  • Sophos Mobile Control integration is not supported initially
  • Sophos Endpoint Deployment and Management from within the UTM is not supported (customers are encouraged to switch to Sophos Cloud Endpoint to take advantage of Security Heartbeat™)

Can I centrally manage both SG UTM and XG Firewall with the new Sophos Firewall Manager?

Sophos UTM Manager (SUM) is the centralized management platform for SG UTM and is still supported for managing multiple UTM 9 devices. It cannot manage XG Firewall devices.

Sophos Firewall Manager (SFM) is the new centralized management platform for XG Firewall. It cannot manage UTM 9 devices, so if you plan to run a mix of UTM 9 and XG Firewall devices, you will need both SUM and SFM for centralized management.

Can I centrally report on both SG UTM and XG Firewall with the new Sophos iView?

Yes. The new version of Sophos iView provides consolidated reporting for UTM 9, XG Firewall, and CyberoamOS devices.

How can I take advantage of the new Security Heartbeat™?

Sophos Security Heartbeat™ requires both Sophos XG Firewall and Sophos Cloud Endpoint. Learn more about Security Heartbeat and SG UTM.

Where can I get further information?

Please contact your Sophos Partner should you have any further questions and follow the Sophos Blog for ongoing news and updates related to your Sophos products. You can sign up for the Sophos Blog newsletter by entering your email address in the sign-up field in the upper right corner of the blog homepage. You can also sign up for our RSS feed.



It seems to me that the XG platform is missing a lot of features. And in my opinion doesn’t make it a good decision where network customization and detailed configuration is needed. I’ve played around with the demo UTM 9 software and appears to be a lot more configurable than XG. Hopefully it catches up as it looks like a promising platform…Just not yet.


Thank you for turning my fully working cyberoam devices into something useless and unusable. Good work on destroying another product


Hi, sorry to hear you’re not happy. If you could email your details and the country you live in over to socialmedia@sophos.com then we’ll get someone to contact you to see if they can help. Thanks, Anna


XG. Yuk! UTM9 has a nice, logical user interface. Why on earth did you go and break it with XG? Now I have to go to three places to set up network devices, can define services but can’t use those in port forwarding rules, and can’t even work out how to get one of my rules that redirects internally working at all.


This FAQ is from 2015. We are in 2017, so here are my questions:
1. There are still no migration tools from UTM9 to XG?
2. XG Firewall is still not stable?
3. XG Firewall user interface is not as easy as UTM9?

These questions are not merely for curiosity. The SOPHOS partner I am dealing with is recommending UTM9 as he has a stock for it. Meanwhile I believe that XG-Firewall should be more stable in 2017, and I really am confused to the point that I may switch to another solution entirely. W*guard has been consistent for a long time with their firmwares and they do not have these problems. So I need clear answers to estimate price for value benefit from SOPHOS.


Hello, thanks for your questions.

The product team has been hard at work on the latest releases for XG Firewall (v16 and v16.5) which were released late last year and bring a ton of new features and bug fixes.

It is very stable. We have thousands of customers running XG Firewall now in a variety of different types of organizations from small business to large enterprises.

The reason migration tools have been slower to be developed than we would like, is because our focus has been on developing feature parity and even differentiated features for XG Firewall to make the migration desirable. Now that is done, the first phase of migration tools are entering beta with partners to begin migrating early adopter UTM 9 customers that want to switch to XG.

Whether you find XG Firewall’s user experience easier or not than UTM 9, is clearly subjective, and there’s no doubt that UTM 9 has a very elegant and simple interface. Having said that, we have a lot of wisdom that is being applied in developing the user interface and experience in XG Firewall. As a result, it has a number of innovations in how policies and firewall rules are managed that many will find easier.


My comment was deleted. Not a good beginning to buy your product.


Hi, sorry about this. We’ve had a look for your original comment on this post and couldn’t find it. If you’d like to post again we’d love to hear your thoughts or answer your questions about the post.


I’m still baffled as to why Sophos created a competing and, at least right now, inferior product to their well known and award winning UTM product line in the first place.
In my opinion, all they’ve achieved so far is create fear and uncertainty amongst their loyal customer base because the introduction of a new security platform can only mean one thing: UTM 9 is on the way out, at least in the distant future…which would be a shame.


Hi Dominik, thanks for sharing your thoughts. XG Firewall provides many requested features that were just not feasible to develop on the UTM 9 platform which is why we have both products and will continue to have both for the foreseeable future. Thanks for your support and stay tuned for some exciting news on UTM 9 coming soon.


Please finally make the VPN compatible with OpenVPN file types (ovpn)! Don’t wanna see the apc crap anymore…


Hello, unfortunately, providing generic support for ovpn files would make for an unsupportable number of possible options that we would need to integrate with the firewall, and test for quality and security.


In using both the Sophos UTM 9, and the XG, I have not been able to justify recommending anyone to the XG. Static DHCP entries are more difficult to assign, as you have to modify your DHCP scope to assign them, not just make a reservation. From the activity monitor, you don’t have the BLOCK or SHAPE traffic options. DDNS option for namecheap has vanished, although I was able to make a workaround using the sophos DDNS options, which weren’t very clear on how to set up. This is only the surface of the annoyances I’ve run across. I like the look of the interface, but until the feature set starts to have more parity with the UTM 9, I can’t recommend the XG. I had been ACE certified back several years, and had no issues on the UTM (other than XBOX live didn’t work through it). I had been touting the UTM to everyone as an awesome solution previously. As long as the UTM remains as a platform, and gets love with updates and keeping at least some parity with new advances, then I’ll still recommend the UTM. Just my $0.02…


Hi Matt, appreciate your comments. There are obviously a few differences in the way you do things or how things work on UTM 9 vs XG and of course we continue to close feature gaps between the two products. UTM 9 is a very mature product and isn’t going anywhere while XG Firewall is really just getting started and has an exciting future. As you may have seen, we’ve just launched the Beta for UTM 9.5 with a bunch of new features, please be sure to check it out and help us make that release the best it can be. And keep your eye on XG Firewall and continue to provide us feedback, there’s tons of exciting developments coming for XG Firewall later this year.


I have a Cyberoam ING200. Can I upgrade the firmware to XG and migrate my current configurations?


Hi Jackson… YES! You can migrate your license from Cyberoam to XG Firewall in the customer portal and then download and apply the XG Firmware to your ING appliance and you’ll be up and running. There’s no need to migrate configurations. Just backup and apply the firmware update to XG and your configuration should work just as before. There’s a Cyberoam to XG migration guide available at Sophos.com/get-started-xg


It is nice having a way to change from UTM to XG – but is there a supported way the other way ’round? What about the licensing with the actual XG-license? Can I also just use it for UTM? How would I have to do this?
-> As some of my fore-speakers, I am not happy with the XG interface and also not with the functionality (for example: Policy does not allow to negotiate an object, no adjustment of the UI to larger screens (!!!), objects have to be defined at several places, and, and, and: Looking half a day brings dozens of lacks compared to UTM… And honestly: I have an IT to run and not time, bringing all the lacks to any suggestion pages at Sophos, if there is an existing platform – UTM – which would just fit my requirements…


There is currently no way to transfer an XG license to UTM. However, if you recently purchased it you could contact your partner about a return/replacement. However, we hope that’s not needed – the user interface in XG Firewall continues to evolve with every release and will continue to get improvements as we get your feedback and integrate it into the product. There’s a major new release coming soon. Stay tuned for more on that in the weeks ahead.


We are using UTM at the business. Got an XG 115 to test it out and see when XG is ready for us. I was hoping to run the XG on a home license. But that doesn’t seem to be possible. Don’t you think that would be a good thing to give the people testing this product? I’m even running the XG 115 at home so the license would not be “invalid”


Hello, any news regarding XG evolution? Is there anybody with real experience with latest XG vs. latest UTM? Is it still worth buying UTM over XG?


Hey Ivan, XG has evolved immensely over the last few months. Check out this story for the latest news on XG v17…

If you’re looking for folks to share their experience, I would suggest you head over to the Sophos Community Forums… https://community.sophos.com/products/xg-firewall/

Compared to Sophos UTM, XG Firewall has a number of compelling new features and capabilities and we’re getting a lot more demand for migration tools from Sophos UTM to XG Firewall. We’ll be announcing something on that front soon. However, Sophos UTM is still a great product also. Talk to your preferred Sophos partner to find out what’s best for you.


I’m always too busy to dedicate enough time to testing a new product in 30 days. I note in some of the comments above that there’s a free home use license (not compatible with your own hardware – fair enough). Can I assume this license will work if I download the XG Software to install on my own hardware or into a virtual machine and are there any feature restrictions that would limit my testing?


Hi Paul, you can simply talk to your Sophos Partner about extending the trial. No need to use the Home Edition. In fact, the Home Edition license terms strictly forbid use of it in any business environment.




Hi, is there any news on the Migration tool yet? thanks


A migration assistant is in testing now, and we expect to announce something very soon. Thanks for your patience.


How soon is very soon? Just received my two XG 230’s and not looking forward to manually migrating from UTM


Hi, it’s expected to be available next month. It will help with migrating many objects, but security policies and firewall rules will still need to be recreated as there are fundamental ways in which these differ between the two platforms. It’s a good idea to start fresh in some areas like this anyway to review your security posture. But the migration assistant will definitely save you some time.


It’s next month! Is this still on track? I’ve been hearing the migration tool is “coming soon” for quite some time now…..hoping it’ll be here very soon!


Hi Glenn, the SG to XG Migration Assistant is now available as part of an early access program for Sophos Partners. Contact your preferred Sophos Partner and they can help you with your migration.


Lots of talk from Sophos about “XG Firewall has a number of compelling new features and capabilities” BUT I can’t find a feature comparison sheet anywhere! I’m very reluctant to migrate, or even consider migrating, until I can find out what features are missing, better or different. Looks like long term the XG is going to be the way to go, and I’m not afraid of change but I can’t be in a situation where a feature is missing, and my setup suffers. Either my existing users can’t do ‘something’ or I can’t report, enable, disable or control something I can now!!

Sophos being honest about the differences and asking for feedback would also allow them to focus on the UTM features we REALLY need in the XG so we can migrate. Spending DEV time trying to get features installed most of us will never use is pointless!!. I understand Sophos need feature parity with other vendors to keep winning deals BUT if they focused on getting people off UTM and onto XG, and they then committed ALL the UTM and XG DEV teams to work on one product line, the product would surely evolve and mature much quicker..

This from a Sophos Fanboy. Imagine what someone looking at the UTM and XG for the first time will make of it. Oh, and I’ve got a VERY good relationship with my partner, and even they are struggling to help with the information they’ve been provided with from Sophos….


Hi Paul, we are working on a new feature comparison guide that will outline the remaining feature gaps, which are decreasing all the time, along with when we expect those to close so you can plan your migration accordingly. Stay tuned for that. And of course the product team is working not only on features you need to make the migration from your UTM smooth and seamless but also features you and others require to get the visibility, control and protection required to get ahead of the latest IT challenges and threats.


Any update on a new comparison sheet? It’s almost July and I can’t find any suitable. Thx Peter


Hi Peter, I expect to publish a new FAQ and feature comparison list later this month.


Hi Chris, wonderful articles you’ve been writing the last years. I was wondering if you got to publish that update?


I too am curious if you ended up posting the comparison list and if you have a current one for the latest versions today. If so, where can I find those comparisons? Thanks


Hi, any news on when home users might be able to use this tool? I’m anxious to migrate but can’t bear the thought of re-creating everything manually. Thanks.

