After running a Palo Alto PA-820 for two years, I added a Sophos XGS firewall to my homelab rack — and I have been running both side by side ever since. Sophos takes a different philosophical approach to network security, and understanding those differences makes you a more well-rounded security engineer. If your goal is to work in enterprise IT or cybersecurity, exposure to multiple NGFW platforms is invaluable.
The Sophos XGS series runs SFOS (Sophos Firewall OS), a purpose-built operating system that integrates firewall, IPS, web filtering, application control, VPN, and endpoint synchronization into a single platform. Even on older XG hardware available on the used market, you get a feature set that rivals platforms costing tens of thousands of dollars new.
Why Sophos?
Sophos differentiates itself with Synchronized Security — a proprietary framework that allows the firewall to communicate directly with Sophos-managed endpoints. When an endpoint detects a threat, it signals the firewall to automatically isolate that device from the rest of the network. No manual intervention, no waiting for an alert to be acknowledged. This tight integration between endpoint and network security is a concept that other vendors have since followed, but Sophos pioneered it.
Other reasons to run Sophos in a homelab:
- Free home-use license for XG/XGS hardware used at home (Sophos Home Free covers personal use)
- Excellent web application firewall (WAF) built in — useful for protecting self-hosted services
- Strong SSL inspection implementation with certificate management built into the UI
- Centralized management via Sophos Central — the same cloud console used by managed service providers
Hardware Options
Sophos XGS hardware ranges from the desktop XGS 87 up to enterprise rack units. For a homelab, the XGS 87 or XGS 107 are ideal — compact, low power, and more than capable of handling a home network at gigabit speeds. Used XG series hardware (the predecessor) is available on eBay for $50–150 and runs the same SFOS firmware.
Alternatively, Sophos offers an ISO you can install on any x86 hardware or a VM — a great option for getting started before committing to physical hardware.
Initial Setup and Zones
Sophos SFOS uses a zone-based security model similar to Palo Alto. Out of the box, SFOS creates LAN, WAN, DMZ, VPN, and WiFi zones. You assign interfaces to zones, and inter-zone traffic is controlled by firewall rules.
My homelab zone design with Sophos:
| Zone | Interface | Subnet | Purpose |
|---|---|---|---|
| WAN | Port1 | ISP assigned | Internet uplink |
| LAN | Port2.20 | 10.20.0.0/24 | Workstations |
| SERVERS | Port2.10 | 10.10.0.0/24 | Hypervisors, NAS |
| DMZ | Port2.40 | 10.40.0.0/24 | Exposed services |
| IOT | Port2.30 | 10.30.0.0/24 | Smart devices |
SFOS supports 802.1Q VLAN subinterfaces natively. Under Network > Interfaces, add a VLAN interface on your LAN trunk port for each subnet, assign it an IP address, and associate it with the appropriate zone.
Firewall Rules
Sophos firewall rules are created under Firewall in the main menu. Rules match on source zone, destination zone, source network, destination network, user or user group, and services or application objects. The matching is top-down, first-match.
Key rules in my setup:
- Workstations to Internet — Allow LAN zone outbound with Web Policy applied (URL categories, application control)
- Servers to Internet — Allow specific applications only (updates, DNS); block all others
- IoT isolation — Allow IoT to WAN (DNS + HTTP/HTTPS only); explicitly deny IoT to LAN and SERVERS
- DMZ inbound — Allow specific ports from WAN to DMZ hosts only; no DMZ to LAN access
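To make the top-down, first-match behaviour concrete, here is an added example (my own code, not the post's and not SFOS) that models the zone table and the four rules above and then audits whether the isolation goals actually hold. The "Servers to Internet" applications are approximated as ports (DNS, HTTP/HTTPS for updates), the WAN zone is "any address not in an internal subnet", and the probe flows and the misordered rule set are constructed for illustration.

```python
"""Model of zone-based, top-down first-match firewall rule evaluation.

Added example, not code from the original post or from Sophos. Zones and
subnets follow the post's table; rule contents approximate the post's
rules (application objects are modelled as proto/port strings).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Internal zones from the post's table. Anything else is treated as WAN.
ZONES = {
    "LAN": ip_network("10.20.0.0/24"),
    "SERVERS": ip_network("10.10.0.0/24"),
    "DMZ": ip_network("10.40.0.0/24"),
    "IOT": ip_network("10.30.0.0/24"),
}


def zone_of(addr: str) -> str:
    """Map an IP address to its zone; addresses outside every internal subnet are WAN."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "WAN"


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str        # zone name or "any"
    dst_zone: str        # zone name or "any"
    services: frozenset  # "proto/port" strings, or {"any"}
    action: str          # "allow" | "deny"


# The post's rules, in order. Everything that falls through is implicitly denied.
RULES = [
    Rule("Workstations to Internet", "LAN", "WAN", frozenset({"any"}), "allow"),
    Rule("Servers to Internet", "SERVERS", "WAN",
         frozenset({"udp/53", "tcp/80", "tcp/443"}), "allow"),   # updates + DNS (assumed ports)
    Rule("IoT to Internet", "IOT", "WAN",
         frozenset({"udp/53", "tcp/80", "tcp/443"}), "allow"),
    Rule("Deny IoT to LAN", "IOT", "LAN", frozenset({"any"}), "deny"),
    Rule("Deny IoT to SERVERS", "IOT", "SERVERS", frozenset({"any"}), "deny"),
    Rule("DMZ inbound", "WAN", "DMZ", frozenset({"tcp/443"}), "allow"),
]

# Constructed mistake: a broad allow placed above the denies. Under first-match
# it wins before the deny rules are ever consulted.
MISORDERED = [Rule("IoT to any", "IOT", "any", frozenset({"any"}), "allow")] + RULES


def evaluate(src_ip: str, dst_ip: str, service: str, rules=RULES):
    """Return (action, rule_name) for the first matching rule, else the implicit deny."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    for r in rules:
        if r.src_zone not in ("any", src_zone):
            continue
        if r.dst_zone not in ("any", dst_zone):
            continue
        if "any" not in r.services and service not in r.services:
            continue
        return r.action, r.name
    return "deny", "implicit deny"


# Constructed probe flows, one per isolation goal stated in the post.
ISOLATION_PROBES = [
    ("10.30.0.50", "10.20.0.10", "tcp/445"),   # IoT -> LAN must be denied
    ("10.30.0.50", "10.10.0.5", "tcp/22"),     # IoT -> SERVERS must be denied
    ("10.40.0.8", "10.20.0.10", "tcp/3389"),   # DMZ -> LAN must be denied
    ("10.40.0.8", "10.10.0.5", "tcp/443"),     # DMZ -> SERVERS must be denied
]


def audit_isolation(rules=RULES):
    """True for each probe the rule set denies; any False is a policy gap."""
    return [evaluate(s, d, svc, rules)[0] == "deny" for s, d, svc in ISOLATION_PROBES]


if __name__ == "__main__":
    for flow in ISOLATION_PROBES:
        print(flow, "->", evaluate(*flow))
    print("intended order isolates:", audit_isolation())
    print("misordered isolates:   ", audit_isolation(MISORDERED))
```

The audit is the useful part: the intended rule set denies all four probes, while the misordered set lets IoT reach LAN and SERVERS even though the deny rules are still present. Running a handful of such probes against a rule export after every change is a cheap way to catch ordering regressions.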
IPS, AV, and Web Filtering
The Sophos security policy stack is applied per firewall rule via a Security Policy object. Each policy bundles:
- IPS Policy — choose between default, balanced, or strict signature sets. You can also create custom policies excluding specific rules that cause false positives.
- Anti-Malware — HTTP and HTTPS scanning using ClamAV plus the Sophos commercial AV engine (with subscription)
- Web Policy — URL category filtering with 90+ categories. I block malware, phishing, spam, and adult content on all zones; the IoT zone gets an even more restrictive policy allowing only manufacturer update domains.
SSL/TLS Inspection
Modern threats hide in encrypted traffic. Sophos makes SSL inspection straightforward — generate a CA certificate in the SFOS UI, push it to your endpoints (via GPO or Sophos Central), and enable HTTPS inspection on your web policies. Traffic is decrypted, inspected, and re-encrypted transparently. You can exclude specific domains (banking sites, certificate-pinned apps) to avoid breakage.
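Exclusion lists are where inspection deployments usually break, so here is an added example (my own code, not the post's and not SFOS logic) of how a server-name bypass list should behave: exact names, `*.` wildcards that cover subdomains but not the bare domain, and case or trailing-dot normalization. The exclusion entries and hostnames are constructed; how the flow is handled when no server name is present is an assumption stated in the code.

```python
"""Matching a TLS server name against an HTTPS-inspection exclusion list.

Added example, not code from the original post or from Sophos. Patterns and
hostnames are constructed for illustration.
"""

# Constructed bypass list: a bank (bare domain and its subdomains) and a
# certificate-pinned application's API host.
EXCLUSIONS = ["bank.example", "*.bank.example", "api.pinned-app.example"]


def normalize(name: str) -> str:
    """Lower-case and drop any trailing dot so 'BANK.EXAMPLE.' matches 'bank.example'."""
    return name.strip().rstrip(".").lower()


def is_excluded(server_name: str, exclusions=EXCLUSIONS) -> bool:
    """True if the name matches an exact entry or falls under a '*.' wildcard entry.

    A wildcard '*.bank.example' matches 'online.bank.example' and deeper
    labels, but deliberately not 'bank.example' itself and not
    'notbank.example'; list the bare domain explicitly if it should bypass.
    """
    host = normalize(server_name)
    for pattern in exclusions:
        pattern = normalize(pattern)
        if pattern.startswith("*."):
            suffix = pattern[1:]            # ".bank.example"
            if host.endswith(suffix):
                return True
        elif host == pattern:
            return True
    return False


def should_decrypt(server_name, exclusions=EXCLUSIONS) -> bool:
    """Decide whether a flow is decrypted for inspection.

    Assumption: with no server name (no SNI) there is nothing to match the
    exclusion list against, so the flow is left encrypted rather than risking
    breaking a pinned client; handle such flows with address-based rules.
    """
    if not server_name:
        return False
    return not is_excluded(server_name, exclusions)


if __name__ == "__main__":
    for name in ["www.example.net", "online.bank.example", "notbank.example", "BANK.EXAMPLE."]:
        print(f"{name:22} decrypt={should_decrypt(name)}")
```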
VPN Options
Sophos offers three VPN approaches:
- SSL VPN — client-based remote access using the Sophos Connect client (free). Works on Windows, macOS, and Linux. Full-tunnel or split-tunnel configurable.
- IPSec/IKEv2 — standards-based, works with native OS VPN clients and third-party hardware. I use IKEv2 for mobile device connectivity.
- RED (Remote Ethernet Device) — Sophos-proprietary SD-WAN tunnel between Sophos devices. Zero-config branch connectivity — the remote RED device auto-connects back to the central firewall.
Synchronized Security in Practice
If you also run Sophos Endpoint (Intercept X) on your workstations, Security Heartbeat activates. The firewall sees a green/yellow/red health signal from each endpoint. You can write firewall rules that only permit traffic from healthy endpoints — a yellow or red heartbeat (indicating detected malware or suspicious activity) automatically restricts that device to a quarantine-only policy. This is zero-trust enforcement built directly into the firewall-endpoint handshake.
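As an added illustration of the heartbeat-gated rule idea (my own model, not the post's code and not how SFOS is implemented internally), the block below turns the last health report from each endpoint into an effective state and decides between the full policy and a quarantine-only policy. The stale-report threshold, the "missing" state for endpoints that have stopped reporting, and the sample reports are all constructed assumptions.

```python
"""Model of heartbeat-gated policy selection.

Added example, not code from the original post or from Sophos. The health
ranking, stale threshold and sample reports are constructed assumptions.
"""
from dataclasses import dataclass

HEALTH_RANK = {"green": 2, "yellow": 1, "red": 0}
STALE_AFTER = 120.0  # seconds without a report before the heartbeat counts as missing (assumed)


@dataclass(frozen=True)
class Heartbeat:
    host: str
    health: str     # "green" | "yellow" | "red"
    seen_at: float  # epoch seconds of the last report


def effective_health(hb, now: float, stale_after: float = STALE_AFTER) -> str:
    """Last reported health, or 'missing' when no report exists or the last one is stale."""
    if hb is None or now - hb.seen_at > stale_after:
        return "missing"
    return hb.health


def policy_for(host: str, heartbeats: dict, now: float,
               min_health: str = "green", block_missing: bool = True):
    """Return ('full' | 'quarantine', effective_state) for a rule that requires
    at least `min_health`. A missing heartbeat is treated as unhealthy unless
    the rule is configured to let unmanaged devices through."""
    state = effective_health(heartbeats.get(host), now)
    if state == "missing":
        return ("quarantine" if block_missing else "full", state)
    if HEALTH_RANK[state] >= HEALTH_RANK[min_health]:
        return ("full", state)
    return ("quarantine", state)


# Constructed sample: reports as the firewall might hold them at time NOW.
NOW = 1_700_000_000.0
SAMPLE = {
    "ws-01": Heartbeat("ws-01", "green", NOW - 10),    # healthy, fresh
    "ws-02": Heartbeat("ws-02", "red", NOW - 5),       # detection reported
    "ws-03": Heartbeat("ws-03", "green", NOW - 900),   # was healthy, silent for 15 minutes
    "ws-05": Heartbeat("ws-05", "yellow", NOW - 30),   # suspicious activity
}
HOSTS = ("ws-01", "ws-02", "ws-03", "ws-04", "ws-05")  # ws-04 never reported


def decide_all(now: float = NOW, heartbeats: dict = SAMPLE, hosts=HOSTS, **rule_opts):
    """Policy decision for every host, useful for reviewing what a rule would do."""
    return {h: policy_for(h, heartbeats, now, **rule_opts) for h in hosts}


if __name__ == "__main__":
    for host, (policy, state) in decide_all().items():
        print(f"{host}: {state:8} -> {policy}")
```

The edge case worth noticing is ws-03: its last report was green, but a green that is fifteen minutes old says nothing about the device now, so the model treats it as missing. Whether missing heartbeats are quarantined or passed through is a per-rule decision; the `block_missing` flag models that choice.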
Sophos Central Management
Sophos Central is the cloud-based management platform for all Sophos products. From a single console you can manage firewalls, endpoints, wireless APs, and switches. For a homelab, connecting your XGS to Sophos Central unlocks centralized logging, reporting, firmware updates, and the ability to manage your firewall from anywhere. The free tier supports a single firewall and is more than adequate for personal use.
Final Thoughts
Running Sophos alongside Palo Alto in my lab has given me a clear appreciation for both approaches. Sophos wins on ease of management, SSL inspection UX, and the Synchronized Security concept. Palo Alto wins on App-ID granularity and the depth of its application database. In the real world, you will encounter both — and having hands-on experience with each makes you a significantly stronger candidate in any security-focused role.