Sentire Kenya
sophos firewall cybersecurity networking nairobi

How to Choose the Right Sophos XGS Firewall: The Complete Sizing Guide

The question we get asked more than any other: "Which XGS model do we need?" Here is the definitive answer — with specs, user counts, and real-world guidance for Kenyan businesses.

Sentire Engineering Team

25 April 2026 · 10 min read

"Which Sophos XGS model do we need?" It is the question our engineers get asked on almost every client call. It sounds straightforward. It is not — and getting it wrong costs real money, either in a firewall that chokes under load or a device that is three times more powerful than your network will ever need.

This guide gives you a complete, model-by-model answer. We cover every current XGS appliance, the throughput numbers that actually matter, how many users each model is designed for, and the factors that shift your sizing up or down. By the end, you will know exactly which device to quote — or at least know the right questions to ask before you do.


Why Sizing Matters More Than You Think

A firewall that is too small does not just run slowly — it becomes a bottleneck that undermines every other investment in your network. When the processor is overwhelmed, threat protection degrades first. The very features that justify a next-generation firewall — deep packet inspection, SSL/TLS decryption, intrusion prevention — are the first things the device throttles when it runs hot.

A firewall that is too large is a different kind of waste. The device sits at 10% utilisation, you paid for capacity you will never use, and the annual licensing cost scales with the hardware tier.

Sophos publishes two sets of throughput figures for every XGS model: Firewall throughput (raw packet forwarding with no inspection) and Threat Protection throughput (full IPS, web filtering, and application control running simultaneously). The gap between those two numbers is where most businesses miscalculate. Always size on Threat Protection throughput — not Firewall throughput — because that is what your device will actually do all day.

The Rule That Changes Everything

Size on Threat Protection throughput, not raw Firewall throughput. On most XGS desktop models, enabling full threat inspection reduces throughput by 60–80%. A device rated at 12,500 Mbps firewall may deliver only 450–900 Mbps under full inspection load.


The Five Factors That Determine Your Model

Before you look at a single spec sheet, answer these five questions. They determine which tier of XGS hardware you belong in.

1. How many concurrent users?

Count everyone who will be behind the firewall at the same time — staff, contractors, BYOD devices, IP phones, and any servers or cloud workloads routing through it. Then add 30% for growth over the next three years. That is your sizing number, not your headcount today.

2. What is your internet bandwidth?

If you have a 100 Mbps leased line, a firewall rated for 500 Mbps Threat Protection is more than enough. If you are running a 1 Gbps fibre connection with plans to upgrade, you need a device whose Threat Protection throughput comfortably exceeds 1 Gbps — which rules out most desktop models. In Kenya, many businesses are now on 200–500 Mbps enterprise fibre. Size for your bandwidth, not just your headcount.

3. Which features will you enable?

Each feature layer consumes CPU cycles. The combination that hits hardest is: IPS + Web Filtering + Application Control + SSL/TLS Inspection. If you plan to inspect encrypted HTTPS traffic (and you should — over 90% of threats now travel over HTTPS), budget for the SSL throughput figure, which is significantly lower than the headline NGFW number.

4. How many VPN tunnels?

Remote workers connecting over IPsec or SSL VPN, branch office tunnels, and SD-WAN overlays all consume firewall resources. If more than 20% of your users connect remotely, or you are linking three or more branch offices, size up by one model tier.

5. What is the environment?

A desktop XGS on a shelf in a reception area needs different hardware considerations than a rackmounted appliance in a proper server room. High-density office environments, 24/7 operation, and high-availability (HA) clustering all push you toward rackmount models with enterprise-grade power supplies and redundant components.


The XGS Family: Three Tiers

The Sophos XGS series divides cleanly into three hardware tiers. Understanding the tier before you look at individual models saves a lot of time.

| Tier | Models | Users | Firewall throughput | Typical deployment | Notes |
| --- | --- | --- | --- | --- | --- |
| Desktop | XGS 88 → XGS 138 | 1 – 150 users | Up to 19,100 Mbps FW | Small office / branch | No rack required. Gen 2 models recommended. |
| 1U Rackmount | XGS 2100 → XGS 4500 | 150 – 2,000 users | Up to 58,000 Mbps FW | Midsize / large business | Xstream Flow processor. Rack or server room required. |
| 2U Enterprise | XGS 5500 → XGS 8500 | 2,000+ users | Up to 100 Gbps FW | Campus / data center | 34 Gbps threat prevention. Enterprise / government. |

Desktop Models — XGS 88 to XGS 138 (Gen 2, Current)

Sophos launched the second-generation desktop XGS lineup in late 2024. Gen 2 delivers roughly double the throughput of Gen 1 at half the power consumption. If you are buying new today, always specify Gen 2. Gen 1 models (XGS 87, 107, 116, 126, 136) are available while stock lasts and can still be considered for budget-constrained deployments, but they are end-of-life hardware.

All Gen 2 desktop models include 2.5 GE copper interfaces (a significant upgrade from Gen 1's 1 GE ports), Wi-Fi 6 on the "w" wireless variants, and Xstream virtual FastPath acceleration for IPsec VPN when running SFOS v21 or higher. The XGS 88 and XGS 108 are fully fanless — silent operation that makes them ideal for open-plan offices, reception areas, or any noise-sensitive environment.

| Model | Recommended Users | FW Throughput | Threat Protection | Concurrent Connections | Best For |
| --- | --- | --- | --- | --- | --- |
| XGS 88 / 88w | Up to 10 | 9,000 Mbps | ~450 Mbps | 1.6 million | Home office, micro-business, retail outlet. Fanless — silent operation. |
| XGS 108 / 108w | 10 – 30 | 12,500 Mbps | ~600 Mbps | 4.19 million | Small office, branch office. Fanless. Most popular entry model. |
| XGS 118 / 118w | 30 – 60 | 15,500 Mbps | ~750 Mbps | 5.5 million | Growing SMB, medium branch. Good balance of price and performance. |
| XGS 128 / 128w | 60 – 100 | ~17,000 Mbps | ~850 Mbps | ~6 million | SMB with heavy VPN use or SSL inspection enabled. Replaces XGS 126. |
| XGS 138 | 100 – 150 | 19,100 Mbps | ~950 Mbps | 6.55 million | Larger SMB or busy branch. Dual CPU + dual 10 GE SFP+ for fibre uplinks. |

Throughput figures sourced from Sophos XGS Gen 2 product page. Threat Protection throughput is an estimate based on documented Gen 1 ratios and official Gen 2 performance announcements — actual figures depend on specific feature mix enabled.

Important: SSL Inspection Halves Your Effective Throughput

Enabling TLS/SSL inspection — which you must do to catch modern threats — roughly halves the Threat Protection throughput on desktop models. If you have 50 users on a 200 Mbps internet connection with SSL inspection on, the XGS 118 is the minimum. The XGS 108 will struggle during peak hours.


1U Rackmount Models — XGS 2100 to XGS 4500

When your user count exceeds 150, your internet connection is 500 Mbps or above, or you need the redundancy of a proper rackmounted appliance, you move into the 1U tier. These models include a dedicated Xstream Flow processor that offloads trusted and pre-verified traffic in hardware — meaning SSL-inspected traffic, VPN tunnels, and SD-WAN flows no longer compete with your inspection engine for CPU time.

The 1U models also support proper high-availability clustering, redundant power supplies (on higher models), and expansion modules for 10 GE or 40 GE uplinks. These are the right choice for any business with a server room, a proper network infrastructure team, or uptime requirements that cannot tolerate a desktop appliance being knocked off a shelf.

| Model | Recommended Users | FW Throughput | NGFW Throughput | RAM | Best For |
| --- | --- | --- | --- | --- | --- |
| XGS 2100 | 150 – 300 | 30,000 Mbps | ~4,700 Mbps | 8 GB | Entry rackmount. Mid-sized business, headquarters with 200–300 staff. |
| XGS 2300 | 250 – 450 | 39,000 Mbps | ~7,500 Mbps | 8 GB | Growing business, high VPN load, multiple branch tunnels. |
| XGS 3100 | 400 – 700 | ~46,000 Mbps | ~9,000 Mbps | 12 GB | Large business, 10 GE uplinks, SD-WAN across multiple sites. |
| XGS 3300 | 600 – 1,000 | 58,000 Mbps | 12,500 Mbps | 16 GB | Large enterprise edge, 1 Gbps+ internet, heavy SSL inspection. |
| XGS 4300 | 800 – 1,500 | ~70,000 Mbps | 23,000 Mbps | 32 GB ECC | High-density enterprise, 10 GE + 2.5 GE ports, ECC RAM for reliability. |
| XGS 4500 | 1,000 – 2,000 | ~80,000 Mbps | 30,000 Mbps | 32 GB ECC | Upper enterprise edge, multi-gigabit internet, data center ingress. |

Specifications sourced from Sophos XGS 1U product page and Sophos XGS 2100–3300 operating instructions.


2U Enterprise Models — XGS 5500 to XGS 8500

The 2U models are campus and data center firewalls. If you are asking whether your business needs one of these, the answer is almost certainly no — these are designed for large enterprises, government institutions, universities, hospitals, and organisations running multi-gigabit internet connections across hundreds of simultaneous VLANs.

The XGS 7500 and XGS 8500 support connection speeds up to 100 Gbps and deliver up to 34 Gbps with full threat prevention running. They support 40 GE and 100 GE interfaces, chassis-based redundancy, and are typically deployed in pairs for active-active or active-passive high availability.

For context: most Nairobi businesses, including mid-to-large corporates and multi-branch operations, will be well-served by the 1U tier. The 2U models are for organisations with data centers, carrier-grade infrastructure, or 10,000+ endpoint environments.


Quick Decision Guide

Use this guide to narrow your selection before going to the Sophos sizing tool.

How many users?

| Users | Model | Typical fit |
| --- | --- | --- |
| Up to 10 | XGS 88 / 88w | Home / micro office |
| 10 – 30 | XGS 108 / 108w | Small office |
| 30 – 60 | XGS 118 / 118w | Medium branch / SMB |
| 60 – 150 | XGS 128 / 138 | Larger SMB / HQ branch |
| 150 – 500 | XGS 2100 / 2300 | Rackmount — midsize HQ |

Now apply these modifiers:

- Internet > 500 Mbps? Size up one tier. Bandwidth beats headcount.
- SSL Inspection on? Size up one model. Throughput halves under TLS.
- Heavy VPN use? >20% remote users or 3+ branch tunnels → size up.

Final check — always ask:

- Will you grow in 3 years? Add 30% to your user count before selecting.
- Do you need HA clustering? You need two identical units. Budget accordingly.
- No server room? Stay desktop tier. 1U models need rack + proper cooling.

When in doubt, use the official Sophos Firewall Sizing Tool at firewallsizing.sophos.com (requires partner portal login). Sentire Kenya runs this tool for every client deployment at no charge.
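
The decision guide above, written out as a small Python helper so each modifier's effect is visible. This is an added example, not Sentire's or Sophos's tool: the function names are hypothetical, the figures are the article's own table values, and reading "size up one tier" as "move a desktop pick to the first 1U model" is an assumption. It applies every modifier mechanically, so its answer sits at the conservative end of the range.

```python
# (model, tier, max recommended users, inspected Mbps), copied from the
# article's tables: Threat Protection estimate for desktop models, NGFW
# throughput for 1U models.
MODELS = [
    ("XGS 88", "desktop", 10, 450), ("XGS 108", "desktop", 30, 600),
    ("XGS 118", "desktop", 60, 750), ("XGS 128", "desktop", 100, 850),
    ("XGS 138", "desktop", 150, 950), ("XGS 2100", "1U", 300, 4700),
    ("XGS 2300", "1U", 450, 7500), ("XGS 3100", "1U", 700, 9000),
    ("XGS 3300", "1U", 1000, 12500), ("XGS 4300", "1U", 1500, 23000),
    ("XGS 4500", "1U", 2000, 30000),
]
FIRST_1U = next(i for i, m in enumerate(MODELS) if m[1] == "1U")


def inspected_mbps(idx, ssl_inspection):
    """Inspected throughput; halved under TLS inspection on desktop models."""
    _, tier, _, mbps = MODELS[idx]
    return mbps / 2 if ssl_inspection and tier == "desktop" else mbps


def size_xgs(users, bandwidth_mbps, ssl_inspection=False,
             remote_users=0, branch_tunnels=0):
    """Return (model, reasons) from the article's rules of thumb."""
    grown = (users * 13 + 9) // 10  # add 30% growth, rounded up
    idx = next((i for i, m in enumerate(MODELS) if m[2] >= grown), len(MODELS))
    reasons = [f"{grown} users after 30% growth"]
    if ssl_inspection:
        idx += 1
        reasons.append("SSL inspection on: up one model")
    if remote_users > 0.2 * users or branch_tunnels >= 3:
        idx += 1
        reasons.append("heavy VPN use: up one model")
    if bandwidth_mbps > 500 and idx < FIRST_1U:
        idx = FIRST_1U
        reasons.append("internet above 500 Mbps: move to the 1U tier")
    # Final check: inspected throughput must still cover the internet link.
    while idx < len(MODELS) and inspected_mbps(idx, ssl_inspection) < bandwidth_mbps:
        idx += 1
        reasons.append("inspected throughput below link speed: up one model")
    if idx >= len(MODELS):
        raise ValueError("outside the desktop and 1U tiers: run the vendor sizing tool")
    return MODELS[idx][0], reasons


if __name__ == "__main__":
    # Constructed input: 50 users, 200 Mbps link, TLS inspection enabled.
    print(size_xgs(50, 200, ssl_inspection=True))
```

The returned reasons list doubles as the justification to attach to a quote; the result is a starting point to confirm in the vendor sizing tool, not a replacement for it.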

Real-World Kenya Scenarios

Scenario A: A 35-person accounting firm in Westlands

The firm has 35 staff, a 200 Mbps leased line, Microsoft 365 for email and file sharing, and two partners who work from home daily over VPN. No server room — the network gear sits in a wiring cabinet in the comms room.

The answer: XGS 118w. The headcount says XGS 108, but the 200 Mbps internet connection and SSL inspection requirement push you up one model. The "w" wireless variant gives you a clean Wi-Fi 6 access point built in, saving the cost of a separate AP for the comms room. Expected cost: approximately KES 85,000–110,000 for the device plus annual licence.

Scenario B: A 200-person logistics company in Industrial Area with three branch offices

The HQ has 200 staff, a 500 Mbps fibre connection, a proper server room with a 12U rack, and three branches in Mombasa, Kisumu, and Eldoret each with 20–30 users. All branches connect back to HQ over IPsec VPN. The company runs a local ERP system that all branches access over the VPN.

The answer: XGS 2100 at HQ, XGS 108 at each branch. The HQ headcount sits inside the 1U tier, the 500 Mbps internet confirms it, and the three branch tunnels add load. At the branches, the XGS 108 handles 20–30 users comfortably, and the VPN tunnel back to HQ is well within its capability. Total HQ device cost: approximately KES 420,000–480,000 before licensing.

Scenario C: A 15-person law firm in Upper Hill, mostly remote

Fifteen lawyers, but 10 of them work remotely most days. The office has five staff consistently on-site. Internet is 100 Mbps fibre. The firm handles sensitive client data and wants full SSL inspection enabled.

The answer: XGS 108, but only just. The headcount is low, but the heavy remote-work VPN load (10 concurrent SSL VPN sessions most days) and the requirement for SSL inspection argue for the XGS 118. If budget is constrained, the XGS 108 will handle it — but there is no headroom for growth. The XGS 118 gives the firm room to add staff without revisiting the hardware within three years.


Gen 1 vs Gen 2 — Which to Buy Today

Gen 1 models (XGS 87, 107, 116, 126, 136) are available from some distributors at lower prices because Sophos has moved to Gen 2. There are two situations where Gen 1 still makes sense: very tight budgets where the lower price is the deciding factor, or temporary deployments where you plan to replace the hardware within 18 months.

For any deployment expected to run for three years or more, Gen 2 is the right choice. You get double the throughput, half the power consumption, 2.5 GE interfaces instead of 1 GE, Wi-Fi 6 on wireless models, and software-level VPN acceleration that Gen 1 cannot access regardless of firmware version. The price difference between Gen 1 and Gen 2 narrows significantly once you factor in the three-year licence cost — the hardware delta is small relative to total cost of ownership.


Four Mistakes That Lead to Wrong Sizing

Sizing on headcount alone. A 50-person office with a 1 Gbps internet connection and SSL inspection needs a larger device than a 50-person office on 100 Mbps with minimal inspection. Always lead with bandwidth and feature load, not just users.

Trusting the Firewall throughput figure. The raw firewall number — 12,500 Mbps for the XGS 108 — looks enormous. It is not your number. Your number is the Threat Protection throughput with your actual feature set running. That is typically 600–900 Mbps for desktop models. Size on that.

Forgetting growth. A firewall purchased for your current headcount is often undersized within 18 months. Always add 30% to your user count and at least one model tier of headroom when writing a quote.

Skipping the Sophos sizing tool. Sophos maintains a partner-only firewall sizing tool that takes your user count, internet bandwidth, feature set, and VPN requirements and returns Minimum, Recommended, and Optimal model choices. It exists specifically because manual sizing gets it wrong often enough to warrant an automated tool. Use it.


Choosing the right XGS model is not difficult once you have the right inputs. Most Kenyan businesses fall into one of three categories: desktop tier for offices up to 150 people, 1U rackmount for midsize organisations and multi-branch networks, and 2U enterprise for large institutions. The specific model within that tier is determined by your internet bandwidth, the features you need to run, and how much room for growth you want to build in.

If you are still not sure, that is what we are here for. Our engineers run the Sophos sizing tool for every client, at no cost and with no obligation. We have sized and deployed XGS firewalls for businesses across Nairobi — from the XGS 88 in a Karen home office to XGS 3300 clusters at corporate headquarters.

Talk to a Sentire engineer — tell us your users, your bandwidth, and your budget, and we will tell you exactly which model you need.
