Hello, and welcome to this Sophos Certified training course for XG Firewall.

This is Module 11: Sizing and Evaluation.

Sophos Certified Engineer

Sophos XG Firewall ET811 Sizing and Evaluation

November 2017
Version: 17.0.0
Product version: Sophos XG Firewall 17.0

© 2017 Sophos Limited. All rights reserved. No part of this document may be used or
reproduced in any form or by any means without the prior written consent of Sophos.

Sophos and the Sophos logo are registered trademarks of Sophos Limited. Other names, logos
and marks mentioned in this document may be the trademarks or registered trademarks of
Sophos Limited or their respective owners.

While reasonable care has been taken in the preparation of this document, Sophos makes no
warranties, conditions or representations (whether express or implied) as to its completeness
or accuracy. This document is subject to change at any time without notice.

Sophos Limited is a company registered in England number 2096520, whose registered office is
at The Pentagon, Abingdon Science Park, Abingdon, Oxfordshire, OX14 3YP.

Module 11: Sizing and Evaluation - 1

To ensure you are able to meet the requirements of your customers, it is important to
understand which subscriptions and bundles are required, and to be able to select the most
appropriate device.

The Sophos XG Firewall requires a base license that includes the firewall, VPN and wireless.

For hardware devices, the base license is included in the cost.

For software, virtual and cloud, the base license is a one-time fee that is calculated based on the
number of CPUs, cores and RAM. If you increase the number of CPUs, cores or the amount of
RAM after the device is installed, you may have to purchase a new license to take advantage of
the increase in resources.

Please note that the IPsec VPN client is sold separately and is not included in the base license,
and the HTML5 clientless VPN is part of the Network Protection subscription.

In addition to the base license, software subscriptions can be added to give more features and
functionality to the device; these are Network Protection, Web Protection, Email Protection,
Web Server Protection and Sandstorm. These software subscriptions are common to all Sophos
XG Firewall devices no matter how they are deployed.

You can see the features included in each subscription in this table.

The subscriptions are also offered in bundles.

EnterpriseGuard includes the Base Firewall, Network Protection, Web Protection, and Enhanced
Support (we will look at the support options shortly).

FullGuard includes EnterpriseGuard plus Email Protection and Web Server Protection.

Both EnterpriseGuard and FullGuard are for software, virtual and cloud deployments.

EnterpriseProtect is EnterpriseGuard plus hardware, and TotalProtect is FullGuard plus hardware.

Sophos Sandstorm is included with the FullGuard Plus and TotalProtect Plus bundles.

There are three options available for support:
- Standard, which covers 8x5 technical support for 90 days and 1 year return/replace warranty.
  This is included with every Sophos XG Firewall
- Enhanced, which covers 24x7 technical support and Advanced RMA for as long as the
  support contract remains valid
- Enhanced Plus, which covers 24x7 technical support, a VIP phone number, access to senior
  support resources and a target response time, along with advanced RMA as long as the
  support contract remains valid. Enhanced Plus support is required to cover backup devices in
  high availability, and also covers access points, REDs and FlexiPorts

The price of the Enhanced and Enhanced Plus support packages is calculated as a percentage
of the hardware cost, or a percentage of the base license cost in the case of software and
virtual devices.

It is important to understand sizing the Sophos XG Firewall when planning deployment.

It would be simple to recommend the largest possible device to all customers, however, cost is
often a factor when providing a solution. At the same time, if the firewall does not perform
well when deployed or does not scale well as the customer grows, it can leave them with a poor
impression after the deployment is complete. We want to avoid this situation and so sizing is
an important step to understand.

The first step is to weight the users and adjust for the system load. This is a more involved
method but gives the best estimate for what model firewall is the best fit for a given scenario.
While it takes more time and effort, if the customer is very cost focused, then this method will
produce the best size estimate of the minimum model device that will still provide a positive
user experience. This way, we can assure the customer that the firewall will perform well while
still keeping their cost to a minimum.

There are four steps to effectively sizing hardware appliances:

1. Understand the customer's environment, including user behaviour, application usage and
the network and server infrastructure
2. Starting with the number of users to be protected by the device, the subscriptions
licensed and the information gathered about the customer's environment, derive an initial
3. Check for any specific throughput requirements and compare these to the hardware
specifications. Adjust the initial estimate accordingly
4. Optionally, offer an on-site evaluation of the selected device to validate the sizing in
complex scenarios

First you would use the user behaviour to apply a weighting to the number of users to be
protected by the Sophos XG Firewall. To do this, identify which category of user best describes
the typical user behaviour, choosing from average, advanced and power. Then multiply the number
of users by the category's weight to get the weighted number of users.

For example, if a customer has 80 users and the majority of them fall into the advanced user
category, you would multiply by 1.2, giving a weighted number of users of 96.

If large groups of users fit into different categories:

1. Adjust the weight based on the percentage of users that fall into a different category. If
you have 80 users where the majority are average users and 25% are power users, you
might use a weighting of 1.125 (1.5x25%+1x75%)
2. Calculate the weighted number of users for each category type, then add the results
together. If you have 30 average users, 20 advanced users and 15 power users, your
weighted number of users would be 77 (30+(20x1.2)+(15x1.5)=76.5, rounded up)

You would then want to apply a weight based on any requirements which may increase the
overall system load, thereby affecting the performance requirements.

To do this, identify the category that most closely fits your customer's environment, then
multiply the weighted number of users calculated in the previous step by the category
multiplier. This will give you the total weighted number of users.

Use this table to calculate your weighted users:
- Enter the user counts in the table and then multiply them by the indicated factor; this
  gives you the weighted user count
- Identify the system load number and enter it into "multiplied by system load"

Let's take a look at an example.

If your customer has 560 users, you need to determine approximately how they break down
into standard, advanced and power users.

In this example there are:

- 100 standard users, which is 100 weighted users
- 300 advanced users, which is 360 weighted users
- 160 power users, which is 240 weighted users

This gives us 700 weighted users.

The system load in this example is 1.2 for advanced, which gives a total weighted users of 840.

Now you can use the total weighted number of users to make a first estimate for the required
hardware appliance.

In our example the customer has 840 weighted users. If they are going to use all the features,
then an XG 450 would be the right appliance for that customer.

However, if the customer was only going to be using network protection, then an XG 430 would
be the right appliance for that customer.

As a rule of thumb, estimate that adding Wireless Protection or Web Server Protection will
decrease the range by 5-10% each.
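
The weighting arithmetic from the steps above, as an added Python example that is not part of the Sophos course material. The per-user weights and the 1.2 system load come from the worked examples in the text; rounding up, adding the 5-10% reductions together, and the range limit passed to `fits` are assumptions, because the model ranges from the sizing diagram are not reproduced here.

```python
import math
from fractions import Fraction

# Per-user weights taken from the worked examples in the text.
USER_WEIGHTS = {"average": Fraction(1), "advanced": Fraction(6, 5), "power": Fraction(3, 2)}


def weighted_users(counts):
    """Weight each user category separately, then add the results together."""
    return sum(n * USER_WEIGHTS[cat] for cat, n in counts.items())


def blended_weight(shares):
    """Single weight for a mixed population, from each category's share of users."""
    shares = {cat: Fraction(str(s)) for cat, s in shares.items()}
    if sum(shares.values()) != 1:
        raise ValueError("category shares must add up to 100%")
    return sum(s * USER_WEIGHTS[cat] for cat, s in shares.items())


def total_weighted_users(counts, system_load):
    """Apply the system-load multiplier; rounding up is an assumption."""
    return math.ceil(weighted_users(counts) * Fraction(str(system_load)))


def adjusted_range_max(range_max, extra_features):
    """Rule of thumb: Wireless or Web Server Protection each cut the range by 5-10%.
    Returns (pessimistic, optimistic) upper bounds; adding the cuts is an assumption."""
    return (range_max * (100 - 10 * extra_features) // 100,
            range_max * (100 - 5 * extra_features) // 100)


def fits(total, range_max, extra_features=0):
    """Compare an estimate with a model's upper bound (supplied by the caller)."""
    low, high = adjusted_range_max(range_max, extra_features)
    if total <= low:
        return "yes"
    return "borderline" if total <= high else "no"


if __name__ == "__main__":
    total = total_weighted_users({"average": 100, "advanced": 300, "power": 160}, 1.2)
    print(total)                                 # the 560-user example
    print(fits(total, 1000, extra_features=2))   # 1000 is a constructed range limit
```

A "borderline" result means the estimate only fits if the extra features cost 5% each rather than 10%, which is the case where the next model up or an on-site evaluation is worth discussing.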

Software/Virtual Appliances are licensed by number of virtual cores and RAM size. A license does
not have to match the number of available cores and amount of RAM exactly; however, only the
licensed cores and RAM will be activated for use by the software.

Because these can be used on various CPU types with various speeds, the performance might vary
significantly even when using the same number of cores and RAM size.

The diagram provides rough guidance on the total weighted user ranges recommended for each
software model. Numbers are based on the following assumptions:

CPU Speed 2.5 GHz

CPU Type Core 1, Xeon (8C16 and above)

The capacity of the customer's Internet connection (up and down link) should match the
average throughput rate that the selected unit is able to forward (depending on the
subscriptions in use). However, data might not only be filtered on its way to the Internet, but
also between internal network segments. Hence, you need to consider internal traffic that
traverses the firewall in this assessment.

For instance, the customer might have several servers located within a DMZ, and want
all traffic to those servers from all segments to be inspected by the IPS. Or the customer may
have many different network segments that should be protected against each other (by using
the FW packet filter and/or the Application Control feature). In this case the unit is required to
scan the complete internal traffic between all segments.

It is also important to consider future growth: is the customer expecting to expand over the
next couple of years? This is particularly important if the initial estimate was close to the upper
boundary of the model.

Is the customer also likely to want to use more features in the future? If the customer is
purchasing a FullGuard license they can easily enable additional features that you may not have
included in the sizing, so it is important to discuss with the customer whether they want to size
for a device that can support those features in the future for their users.

An on-site evaluation can be used to show a customer the effectiveness of the Sophos XG
Firewall. It allows us to ensure that the XG Firewall meets the requirements of the customer
and that it can easily replace what the customer already has in place.

In order to perform an on-site evaluation you will need to perform the following steps:
1. Offsite preparation
2. Coordinate
3. On-site deployment
4. Report review
5. Present review

Let's look at the steps required for an on-site evaluation.

Offsite preparation
Perform a factory reset
Setup, Activate and Register the XG Firewall
Use the FullGuard license
Use the latest firmware and patterns

Perform a sanity check
Install preparation steps
Determine the deployment mode you are going to implement
Discover/Transparent Bridge/Gateway
Integrate with authentication server via API

Onsite Deployment
User identification
Configure SPAN in network switch
Configure security audit report
Data should be sent to our Cloud server for report generation
Dynamic updates
Verify that the box can connect to the internet
Check the logs
Send a test email

Review Reports
SAR report
Review summary findings
Reports on areas to be highlighted

Present Review
Always to be presented in person

On completion of this module, you should now be able to perform the actions shown here.
Please take a moment to review these.

If you are not confident that you have met these objectives, please review the material covered
in this module.

On completion of this course, you should now be able to perform the actions shown here.
Please take a moment to review these.

If you are not confident that you have met these objectives, please review the material covered
in this course.

Feedback is always welcome as it helps us to improve our courses for you. If you have any
comments, feedback, or questions during the class or labs, please let your instructor know or

Now that you have completed this course, you should complete the online assessment that is
available in the training portal:
- You will have four attempts to pass the assessment
- The assessment contains questions on both theory and lab content

To become a Sophos Certified Engineer you need to complete and pass 2 product courses
