FAQs for Sophos SG UTM customers about the XG Firewall

CorporateNetworkSupportFAQSophos UTMXG Firewall

Sophos XG FirewallMany of you may have questions about the XG Firewall and what it means for you. Rest assured, we’ve been thinking a lot about our Sophos SG UTM customers, and we’ve put together this FAQ to help answer any questions you might have.

What is the difference between SG and XG?

The Sophos SG Series appliances with UTM 9 firmware is our leading and award-winning Unified Threat Management (UTM) platform. Sophos UTM has a long and successful history that extends back several years. We will continue to develop and support this platform. You can learn more about Sophos UTM 9 and the SG Series and what makes it so great here.

Sophos XG Firewall, is our new firewall platform, that combines some of the great technology from UTM 9 with a variety of new technology including support for the new Sophos Security Heartbeat™, a new user interface, improved user-based policies and reporting, and much more. It comes pre-installed on XG Series appliances but you can also upgrade your SG Series appliances (more on that below).

You can learn more about Sophos XG Firewall here.

What’s the difference between the SG Series and XG Series hardware appliances?

They are identical except that SG Series appliances come pre-installed with UTM 9 firmware while XG Series appliances come pre-installed with XG Firewall firmware.

Can I migrate from SG UTM to the new XG Firewall?

Yes. As a Sophos SG UTM customer with a valid license, you are entitled to migrate to XG Firewall when the timing is right for you. We strongly urge customers to be patient and wait for the automated migration tools for the best migration experience.

As an existing SG UTM customer wishing to upgrade, what should I do?

We suggest all SG UTM customers spend some time familiarizing themselves with the new XG Firewall using the free trial option while patiently awaiting the migration tools to make the transition as seamless as possible.

Do I have to migrate from SG UTM to XG Firewall?

No. While we are confident that most Sophos SG UTM customers will want to take advantage of many of the great new features and benefits of XG Firewall over time, there is certainly no rush, and you don’t have to migrate if you don’t want to.

Will you continue to develop and support UTM 9?

Yes. You are probably already enjoying the great new features of UTM Elevated 9.4 and the Sophos UTM 9 platform will see continued development and support with a couple of new releases already in the planning stages.

Will the new XG Firewall firmware run on my existing hardware or virtual environment?

Sophos XG Firewall runs perfectly on all Sophos SG Series hardware appliances, as well as the same Intel compatible hardware and the same virtual environments as UTM 9. XG Firewall is not currently compatible with Amazon Web Services, but we plan to add support for AWS and Azure cloud deployments soon.

Customers with UTM Series or ASG Series hardware (prior to the SG Series) interested in migrating to XG Firewall should talk to their Sophos Partner about doing a hardware refresh to one of the XG Series that come pre-installed with XG Firewall.

When can I migrate from SG UTM to XG Firewall?

We strongly recommend that customers wait until the migration tools are available for a smooth migration. We recommend working with your preferred Sophos Partner to plan your migration when the time is right.

Is there a license fee associated with migrating?

No. Sophos is pleased to switch your license from SG UTM to XG Firewall at no extra charge. Your license will be changed over automatically when you choose to migrate.

What are the various migration options and timelines?

In order to make migration as smooth as possible, we are developing a series of migration tools that will simplify and automate much of the migration process. Keep and eye on this site for migration news, tools and help, or contact your Sophos Partner.

Here are the migration options and timelines:

Manual Migration: While we strongly encourage existing customers to wait until the automated migration tools are available, early adopters who wish to migrate to XG Firewall sooner can do a manual migration. There will be no migration tools available during this phase so you will be setting up and configuring your XG Firewall from a fresh install.

Automated Migration: This is in planning and we anticipate being able to offer beta migration tools in early 2017 to enable automated migration. We’ll update this site with the latest news on the availability of automated migration tools.

Are there SG UTM features I need that are not in XG Firewall?

There are currently a few feature gaps you should be aware of but some of these will be addressed in the upcoming release of XG Firewall v16 (noted below).

Here are the most significant initial feature gaps today:

  • Multi-node clustering of three or more appliances is not supported initially
    (two appliance clustering for Active-Active or Active-Passive is supported)
  • Clustering of “w” (integrated wireless) models is not supported initially
  • Site-to-Site RED Tunnels are not supported initially (addressed in v16)
    (RED devices are fully supported in XG Firewall, but RED tunnels between firewalls are not yet supported)
  • A couple of Advanced Web Protection features are not supported initially, including block page override using a password and category-based quota time policies (global quotas are supported)
  • Two-Factor Authentication is not supported initially (addressed in v16)
  • Sophos Mobile Control integration is not supported initially
  • Sophos Endpoint Deployment and Management from within the UTM is not supported (customers are encouraged to switch to Sophos Cloud Endpoint to take advantage of Security Heartbeat™)

Can I centrally manage both SG UTM and XG Firewall with the new Sophos Firewall Manager?

Sophos UTM Manager (SUM) is the centralized management platform for SG UTM and is still supported for managing multiple UTM 9 devices. It cannot manage XG Firewall devices.

Sophos Firewall Manager (SFM) is the new centralized management platform for XG Firewall. It cannot manage UTM 9 devices, so if you plan to run a mix of UTM 9 and XG Firewall devices, you will need both SUM and SFM for centralized management.

Can I centrally report on both SG UTM and XG Firewall with the new Sophos iView?

Yes. The new version of Sophos iView provides consolidated report for UTM 9, XG Firewall, and CyberoamOS devices.

How can I take advantage of the new Security Heartbeat™?

Sophos Security Heartbeat™ requires both Sophos XG Firewall and Sophos Cloud Endpoint. Learn more about Security Heartbeat and SG UTM.

Where can I get further information?

Please contact your Sophos Partner should you have any further questions and follow the Sophos Blog for ongoing news and updates related to your Sophos products. You can sign up for the Sophos Blog newsletter by entering your email address in the sign-up field in the upper right corner of the blog homepage. You can also sign up for our RSS feed.

XG Firewall


It seems to me that the XG platform is missing a lot of features. And in my opinion doesn’t make it a good decision where network customization and detailed configuration is needed. I’ve played around with the demo UTM 9 software and appears to be a lot more configurable than XG. Hopefully it catches up as it looks like a promising platform…Just not yet.


Thank you for turning my fully working cyberoam devices into something useless and unusable. Good work on destroying another product


Hi, sorry to hear you’re not happy. If you could email your details and the country you live in over to socialmedia@sophos.com then we’ll get someone to contact you to see if they can help. Thanks, Anna


XG. Yuk! UTM9 has a nice, logical user interface. Why on earth did you go and break it with XG? Now I have to go to three places to set up network devices, can define services but can’t use those in port forwarding rules, and can’t even work out how to get one of my rules that redirects internally working at all.


This FAQ is since 2015. We are in 2017 so here are my questions:
1.There are still no migration tools from UTM9 to XG?
2. XG Firewall is still not stable?
3. XG FIrewall user interface is not as easy as UTM9?

These questions are not merely for curiosity. The SOPHOS partner I am dealing with is recommending UTM9 as he has a stock for it. Meanwhile I believe that XG-Firewall should be more stable in 2017, and I really am confused to the point that I may switch to another solution entirely. W*guard has been consistent for a long time with their firmwares and they do not have these problems. So I need clear answers to estimate price for value benefit from SOPHOS.


Hello, thanks for your questions.

The product team has been hard at work on the latest releases for XG Firewall (v16 and v16.5) which were released late last year and bring a ton of new features and bug fixes.

It is very stable. We have thousands of customers running XG Firewall now in a variety of different types of organizations from small business to large enterprises.

The reason migration tools have been slower to be developed than we would like, is because our focus has been on developing feature parity and even differentiated features for XG Firewall to make the migration desirable. Now that is done, the first phase of migration tools are entering beta with partners to begin migrating early adopter UTM 9 customers that want to switch to XG.

Whether you find XG Firewall’s user experience easier or not than UTM 9, is clearly subjective, and there’s no doubt that UTM 9 has a very elegant and simple interface. Having said that, we have a lot of wisdom that is being applied in developing the user interface and experience in XG Firewall. As a result, it has a number of innovations in how policies and firewall rules are managed that many will find easier.


My comment was deleted. Not a good beginning to buy your product.


Hi, sorry about this. We’ve had a look for your original comment on this post and couldn’t find it. If you’d like to post again we’d love to hear your thoughts or answer your questions about the post.


I’m still baffled as to why Sophos created a competing and, at least right now, inferior product to their well known and award winning UTM product line in the first place.
In my opinion, all they’ve achieved so far is create fear and uncertainty amongst their loyal customer base because the introduction of a new security platform can only mean one thing: UTM 9 is on the way out, at least in the distant future…which would be a shame.


Hi Dominik, thanks for sharing your thoughts. XG Firewall provides many requested features that were just not feasible to develop on the UTM 9 platform which is why we have both products and will continue to have both for the foreseeable future. Thanks for your support and stay tuned for some exciting news on UTM 9 coming soon.


Please finally make the VPN compatible with OpenVPN file types (ovpn)! dont wanna see the apc crap anymore…


Hello, unfortunately, providing generic support for ovpn files would make for an unsupportable number of possible options that we would need to integrate with the firewall, and test for quality and security.


In using both the Sophos UTM 9, and the XG, I have not been able to justify recommending anyone to the XG. Static DHCP entries are more difficult to assign, as you have to modify your DHCP scope to assign them, not just make a reservation. From the activity monitor, you don’t have the BLOCK or SHAPE traffic options. DDNS option for namecheap has vanished, although I was able to make a workaround using the sophos DDNS options, which weren’t very clear on how to setup. This is only the surface of the annoyances I’ve run across. I like the look of the interface, but until the feature set starts to have more parity with the UTM 9, I can’t recommend the XG. I had been ACE certified back several years, and had no issues on the UTM (other than XBOX live didn’t work through it). I had been touting the UTM to everyone as an awesome solution previously. As long as the UTM remains as a platform, and gets love with updates and keeping at least some parity with new advances, then I’ll still recommend the UTM. Just my $0.02…


Hi Matt, appreciate your comments. There are obviously a few differences in the way you do things or how things work on UTM 9 vs XG and of course we continue to close feature gaps between the two products. UTM 9 is a very mature product and isn’t going anywhere while XG Firewall is really just getting started and has an exciting future. As you may have seen, we’ve just launched the Beta for UTM 9.5 with a bunch of new features, please be sure to check it out and help us make that release the best it can be. And keep your eye on XG Firewall and continue to provide us feedback, there’s tons of exciting developments coming for XG Firewall later this year.


i have a cyberoam ING200 can i upgrade the firmware to XG and migrate my current configurations?


Hi Jackson… YES! You can migrate your license from Cyberoam to XG Firewall in the customer portal and then download and apply the XG Firmware to your ING appliance and you’ll be up and running. There’s no need to migrate configurations. Just backup and apply the firmware update to XG and your configuration should work just as before. There’s a Cyberoam to XG migration guide available at Sophos.com/get-started-xg


It is nice having a way to change from UTM to XG – but is there a supported way the other way ’round? What about the licensing with the actual XG-license? Can I also just use it for UTM? How would I have to do this?
-> As some of my fore-speakers, I am not happy with the XG interface and also not with the funktionality (for example: Policy does not allow to negotiate an object, no adjustment of the UI to larger screens (!!!), objects have to be defined at several places, and, and, and: Looking half a day brings dozends of lacks compared to UTM… And honestly: I have an IT to run and not time, bringing all the lacks to any suggestion pages at Sophos, if there is an existing platform – UTM – which would just fit my requirements…


There is currently no way to transfer an XG license to UTM. However, if you recently purchased it you could contact your partner about a return/replacement. However, we hope that’s not needed – the user interface in XG Firewall continues to evolve with every release and will continue to get improvements as we get your feedback and integrate it into the product. There’s a major new release coming soon. Stay tuned for more on that in the weeks ahead.


We are using UTM at the business. Got a XG 115 to teste it out and see when XG is ready for us. I was hoping to run the XG on a home license. But that dosent seem to be posible. Dont you think that would be a good thing to give the people testing this product? Im even running the XG 115 at home so the license would not be “invalid”


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s