Sophos XG: Web Application Firewall Overview and Analysis


Bottom Line

Sophos XG Firewall has WAF as one of its features. Non-Sophos XG users only looking for a WAF may find this product overkill. It is best suited to SMB and mid-market organizations, as well as those protecting IaaS solutions in Microsoft Azure. If you want only a WAF, look elsewhere. But if you need a broader feature set, consider Sophos.

Product Description

Sophos XG Firewall’s WAF feature protects web servers deployed in a network, and their related applications, from exploitation of underlying vulnerabilities. It protects applications accessed via HTTP and HTTPS at Layer 7 (the application layer). The web server is also safeguarded against cookie tampering, forceful browsing, and hidden field tampering. The WAF mitigates user-induced vulnerabilities that leave web applications open to attacks such as cross-site scripting, directory traversal, and forced URL browsing.

Sophos XG Features Rated

Security: Very good. Its reverse proxy authentication offloading provides persistent basic or form-based authentication for web-facing applications. It adds an extra layer of security to services like Outlook Web Access for Exchange by allowing users to authenticate against an exploit-free reverse proxy.

“Everything worked pretty well for us. Ever since we have deployed the Sophos Firewall we did not have a single instance of any malware/virus slipping into our network,” said a director of networking systems in the healthcare industry.

Performance: Very good. 65 Gbps throughput and 20 million concurrent connections, or 160,000 new connections per second.

Value: Good. Prices start low for basic appliances but rise for high-end models.

Implementation: Very good. Hardware, software, virtual and cloud options.

“Implementation was very easy and intuitive,” said a technology coordinator in the education industry.

Management: Good. Users find Web Server Protection deployment and management to be simple.

Support: Very good. User comments are positive.

“We have been very satisfied with our overall interactions and experience with Sophos. The team has been professional and responsive to inquiries. The product has performed as we’ve expected,” said an associate director of IT in the education industry.

Cloud Features: Fair. Available in Azure but more cloud capabilities are needed.


Security Qualifications

Common Criteria.


Sophos XG Firewall is available in a variety of hardware models based on performance needs, as well as for virtualization platforms, as a software appliance for x86 hardware, and in Microsoft Azure.


Sophos Web Server Protection can be purchased standalone or with any UTM module. Pricing starts at $249 per year for an entry-level XG 85 appliance. Pricing depends on performance and features required.


Drew Robb
