
Sophos Firewall Architecture — SFOS, XGS & the Xstream Platform

Sophos Firewall is one OS (SFOS) running on XGS appliances, virtual machines and the cloud. Its Xstream platform is built on three ideas: decrypt TLS 1.3 natively, scan the stream once and share it across every engine, then offload the trusted remainder to hardware. This lesson traces a packet end-to-end and shows exactly where the throughput comes from.

📅 2026-06-19 · ⏱ 16 min · 5 infographics · live packet demo · 🏷 10-Q assessment + AI Tutor inline

⚡ Quick Answer

A clear, interactive guide to Sophos Firewall architecture (2026): SFOS on XGS appliances, virtual, software and cloud; the three Xstream pillars — native TLS 1.3 inspection, the single streaming DPI engine (scan once, use many) and FastPath offload on the Xstream Flow Processor; and how it is run from the Control Center inside Sophos Central with Synchronized Security.

Pick where you want to start

1. What it is: SFOS on XGS, virtual, software and cloud.
2. Xstream pillars: TLS 1.3, streaming DPI, FastPath.
3. Packet flow: One pass, then offload the trusted flow.
4. Manage & deploy: Control Center, Central, sizing sanity.

🧠 Warm-up — 3 questions, no score

Just notice which ones make you pause. We answer all three inside the lesson.

1. Is Sophos Firewall only a hardware box?

Answered in What it is.

2. What does the single streaming DPI engine do?

Answered in Xstream pillars.

3. What frees the CPU for deep inspection on XGS?

Answered in Packet flow.

Most engineers think…

Most people picture a next-gen firewall as 'a box that runs each security engine in turn' — IPS scans, then AV re-scans, then the web filter re-scans the same content. On a busy link that model collapses under its own overhead.

Sophos Firewall is built the other way around. SFOS streams a flow through a single DPI engine that scans it once and shares the result across IPS, anti-malware, web filtering and app control. Xstream TLS inspection decrypts TLS 1.3 first so there is plaintext to scan, and once a flow is trusted the rest is offloaded to the Xstream Flow Processor (FastPath) so the CPU only works on new or risky traffic. That 'scan once, use many, then offload' design is exactly why XGS appliances hit high throughput with full inspection on — and it is what an interviewer is listening for.

① What Sophos Firewall and SFOS actually are

Sophos Firewall (formerly XG Firewall) is a next-gen firewall that runs SFOS, the Sophos Firewall OS. The single idea to hold onto: SFOS is one OS across many form factors. The current hardware is the XGS series (including an XGS Desktop range for small sites), but the same SFOS also ships as virtual, software and cloud editions on AWS and Azure.

Internally SFOS splits into a control plane (the web admin, configuration and management) and a data plane (the part that actually forwards and inspects packets). So when you log into the firewall you are talking to the control plane; the traffic you care about is being handled, at speed, by the data plane underneath.

Figure 1 — One OS, many form factors
The same SFOS runs across every Sophos Firewall form factor — only the chassis changes. Panels: XGS hardware (appliance + Flow Processor); XGS Desktop (small-site box); Virtual / software (on your hypervisor); Cloud (AWS / Azure).

Figure 2 — SFOS — control plane and data plane
SFOS splits into a control plane you log into and a data plane that forwards and inspects traffic at speed. Panels: Web admin / Control Center (where you configure and monitor); Control plane (config, management, policy state); Data plane (forwarding + Xstream inspection).

Quick check · Q1 of 10 · Understand

Sophos Firewall is best described as…

Correct: b. SFOS is one operating system that runs across many form factors — XGS appliances (including Desktop), virtual and software editions, and cloud on AWS/Azure. It is not hardware-only or cloud-only.
👉 So far: Sophos Firewall = one OS (SFOS, formerly XG) running on XGS hardware, virtual, software and cloud — split into a control plane you log into and a data plane that forwards and inspects.

② The Xstream architecture — three pillars

The Xstream platform is the inspection design that makes SFOS fast. It rests on three pillars. First, Xstream TLS inspection: native TLS 1.3 decryption at high performance, because most traffic is encrypted and you cannot scan what you cannot read.

One engine, then hardware

Second, the single streaming DPI engine: one stream is scanned once and the result is shared across IPS, anti-malware, web filtering and app control — 'scan once, use many'. Third, FastPath acceleration on the dedicated Xstream Flow Processor in XGS appliances: once a flow has been inspected and trusted, the remainder is offloaded to that hardware so the CPU is freed for the next risky flow. TLS to see it, one pass to scan it, hardware to speed it up.

Figure 3 — The three Xstream pillars
Decrypt TLS so you can see it, scan the stream once for every engine, then offload the trusted flow to hardware. Panels: Xstream TLS inspection (native TLS 1.3 decryption at speed); Single streaming DPI (scan once, share IPS/AV/web/app); FastPath acceleration (offload trusted flows to Flow Processor).

Key terms

SFOS
Sophos Firewall OS — the OS behind Sophos Firewall (formerly XG), running on XGS, virtual, software and cloud. Control plane + data plane.

Xstream Flow Processor
The hardware accelerator on XGS appliances. Offloads trusted, inspected flows (FastPath) so the main CPU is free for new traffic.

Single streaming DPI
One stream scanned once and shared across IPS, anti-malware, web filtering and app control — 'scan once, use many', no re-buffering.

Xstream TLS inspection
Native TLS 1.3 decryption at high performance, so the DPI engine has plaintext to scan instead of opaque encrypted bytes.

Say 'scan once, use many' out loud

In an interview, the phrase that lands is the single streaming DPI engine scanning a flow once and sharing it across IPS, anti-malware, web filtering and app control — then FastPath offloading trusted flows to the Xstream Flow Processor. That one sentence shows you understand why XGS is fast with inspection on.

Quick check · Q2 of 10 · Remember

Which is NOT one of the three Xstream pillars?

Correct: c. The three pillars are Xstream TLS inspection (TLS 1.3), the single streaming DPI engine, and FastPath acceleration on the Xstream Flow Processor. An email archive is not part of the Xstream design.
👉 So far: Xstream has three pillars: native TLS 1.3 inspection, a single streaming DPI engine (scan once, use many), and FastPath acceleration on the Xstream Flow Processor.

③ How a packet actually flows — single pass, then offload

Follow one packet. It arrives and is matched against the unified policy (firewall, web, app and inspection rules in one place). If the flow is HTTPS, Xstream TLS inspection decrypts it so there is plaintext to read. The plaintext then streams through the single DPI engine, where IPS, anti-malware, web filtering and app control all read the same single pass — packets are not re-buffered and re-scanned per engine.

The engine returns a verdict. If it is allowed and trusted, SFOS hands the rest of that flow to FastPath on the Xstream Flow Processor, so the CPU stops touching it and moves on. The interview line: the speed comes from not doing the same work twice. A legacy proxy re-buffers content for every engine; Xstream streams it past all of them at once, then offloads what it already trusts.
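To make the 'scan once, use many, then offload' path concrete, here is a small Python model of the flow described above. It is an added illustration written for this lesson, not Sophos code: the engine signatures, the chunking, the three-clean-chunks trust threshold and the opaque stand-in for undecrypted TLS bytes are all constructed. It runs the legacy per-engine re-buffering model on the same flow so the two can be compared by buffered bytes and CPU-touched chunks.

```python
"""Toy model of the SFOS packet path described above: optional TLS decryption,
one streaming DPI pass shared by four engines, then FastPath offload of the
trusted remainder. Constructed illustration, not Sophos code."""
from dataclasses import dataclass
from typing import Dict, List

# Constructed signature sets standing in for the four engines the lesson names.
ENGINES: Dict[str, List[bytes]] = {
    "ips": [b"EXPLOIT-PAYLOAD"],
    "anti-malware": [b"EICAR-TEST-FILE"],
    "web-filter": [b"Host: malware.example"],
    "app-control": [b"BitTorrent protocol"],
}
# Constructed simplification: after this many clean chunks the flow counts as trusted.
TRUST_AFTER_CHUNKS = 3


@dataclass
class Stats:
    verdict: str = "allow"
    cpu_chunks: int = 0        # chunks the main CPU had to inspect
    offloaded_chunks: int = 0  # chunks handed to FastPath after the verdict
    buffered_bytes: int = 0    # bytes copied into a per-engine buffer


class StreamingEngine:
    """Scans a stream chunk by chunk. Only a short carry-over is kept, so a
    signature split across two chunks is still caught without re-buffering."""

    def __init__(self, name: str, patterns: List[bytes]):
        self.name, self.patterns = name, patterns
        self.carry = b""
        self.keep = max(len(p) for p in patterns) - 1

    def feed(self, chunk: bytes) -> bool:
        window = self.carry + chunk
        self.carry = window[-self.keep:] if self.keep else b""
        return any(p in window for p in self.patterns)


def xstream_pass(chunks: List[bytes], tls: bool, decrypt: bool) -> Stats:
    """Single pass: every engine reads the same chunk once; once the flow is
    trusted the rest is offloaded and the CPU stops touching it."""
    stats = Stats()
    engines = [StreamingEngine(n, p) for n, p in ENGINES.items()]
    clean = 0
    for chunk in chunks:
        if clean >= TRUST_AFTER_CHUNKS:
            stats.offloaded_chunks += 1   # FastPath handles it from here
            continue
        # Without decryption the engines only see opaque ciphertext (stand-in bytes).
        visible = chunk if (not tls or decrypt) else b"\xff" * len(chunk)
        stats.cpu_chunks += 1
        for eng in engines:
            if eng.feed(visible):
                stats.verdict = f"block:{eng.name}"
                return stats
        clean += 1
    return stats


def legacy_proxy(chunks: List[bytes]) -> Stats:
    """Legacy model: the whole object is buffered and re-scanned per engine."""
    stats = Stats()
    content = b"".join(chunks)
    for name, patterns in ENGINES.items():
        stats.buffered_bytes += len(content)   # one full copy per engine
        stats.cpu_chunks += len(chunks)        # every chunk re-read per engine
        if any(p in content for p in patterns):
            stats.verdict = f"block:{name}"
            return stats
    return stats


# Constructed sample flows: chunks of an HTTPS download.
CLEAN_DOWNLOAD = [b"GET /report.pdf ", b"HTTP/1.1\r\nHost: ", b"files.example\r\n"] + [b"A" * 16] * 9
# The EICAR-style marker is deliberately split across chunks 1 and 2.
MALWARE_DOWNLOAD = [b"HTTP/1.1 200 OK\r\n", b"\r\nX5O!EICAR-T", b"EST-FILE-STAND"] + [b"B" * 16] * 9

if __name__ == "__main__":
    print("clean, decrypted:   ", xstream_pass(CLEAN_DOWNLOAD, tls=True, decrypt=True))
    print("malware, decrypted: ", xstream_pass(MALWARE_DOWNLOAD, tls=True, decrypt=True))
    print("malware, no decrypt:", xstream_pass(MALWARE_DOWNLOAD, tls=True, decrypt=False))
    print("legacy proxy, clean:", legacy_proxy(CLEAN_DOWNLOAD))
```

The three runs are the lesson's three points in miniature: the clean flow costs the CPU three chunks and the other nine ride FastPath; the decrypted malware flow is caught by the anti-malware engine on the same pass the other three engines read, even though the marker straddles a chunk boundary; and the undecrypted flow sails through with an 'allow' verdict because the engines never saw plaintext. The legacy run shows the per-engine copies that the streaming design avoids.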

Figure 4 — One DPI pass, every engine
The streaming DPI engine scans a flow once and shares that single pass across all four inspection engines. Panels: TLS decrypt feed; Streaming DPI (scan once, use many); IPS; Anti-malware / AV; Web filtering; App control; FastPath offload.

'It is just a faster proxy' under-sell

The legacy model re-buffers the same content for every engine, which is why it chokes at high throughput. Xstream's whole point is the single streaming pass plus hardware FastPath. Calling it 'a faster proxy' misses the architecture and the throughput story entirely.

▶ Walk through an HTTPS download inspected end-to-end

How one flow is processed by SFOS on the healthy path:

① Arrive + match: A user downloads a file over HTTPS; the packet arrives and is matched against the unified policy on the XGS appliance.
② TLS decrypt: Xstream TLS inspection decrypts the TLS 1.3 session so there is plaintext for the engines to read.
③ One DPI pass: The single streaming DPI engine scans the stream once — IPS, anti-malware, web filtering and app control all read that same pass.
④ Verdict + FastPath: The verdict is allow + trusted, so the rest of the flow is offloaded to FastPath on the Xstream Flow Processor.

Quick check · Q3 of 10 · Apply

A trusted flow has just passed inspection on an XGS appliance. What happens to the rest of it?

Correct: a. Once a flow is inspected and trusted, SFOS offloads the remainder to FastPath on the Xstream Flow Processor, freeing the CPU. It is not re-scanned per packet or shipped to the cloud.
👉 So far: A packet flows: arrive ▸ policy match ▸ TLS decrypt ▸ one streaming DPI pass for IPS/AV/web/app ▸ verdict ▸ FastPath offload of the trusted flow. Speed comes from not scanning twice.

④ Managing it — Control Center, Central and sane sizing

You run SFOS from the Control Center, the dashboard the web admin opens on: live traffic, system health, ATP and Security Heartbeat status at a glance, on top of the unified policy model. Beyond the box, the firewall is part of the Sophos Adaptive Cybersecurity Ecosystem, managed alongside endpoints from Sophos Central. Synchronized Security (Security Heartbeat) is the link that lets firewall and endpoints share health and react together — for example, isolating a host the moment it is compromised.

Deploy without surprises

Size by throughput with inspection on (TLS + DPI), never by raw firewall forwarding — that headline number disappears the moment you decrypt and scan. Pick an XGS Desktop for a small site, a rack XGS for larger, virtual or cloud where there is no rack. The classic mistake is leaving TLS inspection off: the streaming DPI engine then only sees encrypted bytes and threats walk straight in over HTTPS.

Figure 5 — Legacy proxy model vs Xstream streaming
The old proxy model re-buffers content per engine; Xstream streams it past all engines once, then offloads.

Legacy proxy model               | Xstream streaming
Re-buffers content per engine    | Single streaming DPI pass
Each engine scans separately     | Scan once, shared by all engines
Heavy CPU at high throughput     | FastPath offloads trusted flows
TLS often left untouched         | Native TLS 1.3 inspection

Priya at Meridian Logistics (Kochi) faces this

A new malware strain reaches a few laptops over an HTTPS download even though IPS and anti-malware are licensed and on, and the Control Center shows all green.

Likely cause

Xstream TLS inspection is not enabled for that traffic (or the destination is on a decryption exclusion list), so the streaming DPI engine only sees encrypted bytes and never gets plaintext to scan.

Diagnosis

Confirm the box is healthy in the Control Center, then check whether a TLS inspection rule actually matches that outbound web traffic; the log viewer shows the download flowed with no DPI verdict.

Where to look: Control Center ▸ Rules and policies ▸ SSL/TLS inspection rules + Diagnostics ▸ Log viewer

Fix

Create/enable a TLS 1.3 inspection rule covering the outbound web category, push the Sophos decryption certificate to endpoints, and keep a sane exclusion list (banking, health) instead of excluding everything.

Verify

Re-test the download: the streaming DPI engine now scans the decrypted stream, IPS/AV catch the malware, trusted flows still FastPath-offload so throughput holds, and Synchronized Security can isolate any host that was hit.

Prove inspection from the rules, not a hunch

Never assume HTTPS is being scanned. Check the SSL/TLS inspection rules and the log viewer: they show whether a decrypt rule matched and whether the DPI engine returned a verdict. That single read answers most 'why did this get through' tickets without guessing.
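As an added example of the 'read the rules and the log viewer' check, written for this lesson and not part of it: a small Python triage over constructed key=value log lines that flags HTTPS flows with no matching decrypt rule, a deliberate exclusion, or a missing DPI verdict. The line format and the field names (`tls_rule`, `dpi_verdict`) are assumptions for the example and are not the SFOS log viewer's real export format.

```python
"""Triage helper for 'why did this get through' tickets: reads web-traffic
log lines and flags HTTPS flows that were never decrypted or never received
a DPI verdict. Line format and field names are constructed for this example."""
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample export: one line per flow.
SAMPLE_LOG = """\
ts=2026-06-19T09:14:02Z src=10.20.1.15 dst=203.0.113.10 dport=443 host=files.example tls_rule=Outbound-Web dpi_verdict=allow
ts=2026-06-19T09:14:05Z src=10.20.1.22 dst=198.51.100.7 dport=443 host=cdn.example tls_rule=none dpi_verdict=none
ts=2026-06-19T09:14:09Z src=10.20.1.22 dst=198.51.100.9 dport=443 host=bank.example tls_rule=exclude:Banking dpi_verdict=none
ts=2026-06-19T09:14:11Z src=10.20.1.30 dst=192.0.2.44 dport=80 host=intranet.example tls_rule=n/a dpi_verdict=allow
ts=2026-06-19T09:14:15Z src=10.20.1.15 dst=203.0.113.12 dport=443 host=update.example tls_rule=Outbound-Web dpi_verdict=block
ts=2026-06-19T09:14:20Z src=10.20.1.41 dst=203.0.113.30 dport=443 host=share.example tls_rule=Outbound-Web dpi_verdict=none
"""

KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> Dict[str, str]:
    """Split a key=value line into a dict (values never contain spaces here)."""
    return dict(KV.findall(line))


def classify(rec: Dict[str, str]) -> Optional[str]:
    """Return a finding label for one flow, or None when inspection is proven."""
    if rec.get("dport") != "443":
        return None  # plaintext HTTP: DPI needs no decryption to see it
    rule = rec.get("tls_rule", "none")
    verdict = rec.get("dpi_verdict", "none")
    if rule == "none":
        return "NO_DECRYPT_RULE"  # nothing matched, so DPI saw only ciphertext
    if rule.startswith("exclude:"):
        return "EXCLUDED:" + rule.split(":", 1)[1]  # deliberate, but worth listing
    if verdict == "none":
        return "NO_DPI_VERDICT"  # decrypt rule matched but no engine result was recorded
    return None


def triage(log_text: str) -> List[Dict[str, str]]:
    """Run classify() over every line and collect the flows that need a look."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        label = classify(rec)
        if label:
            findings.append({"src": rec["src"], "host": rec["host"], "finding": label})
    return findings


def summary(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """Count findings by label, collapsing each exclusion to its category."""
    return dict(Counter(f["finding"].split(":", 1)[0] for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['src']:<12} {f['host']:<18} {f['finding']}")
    print(summary(triage(SAMPLE_LOG)))
```

Reading the three findings the way the scenario above does: the cdn.example flow is the Priya case (no decrypt rule matched, so the engines never had plaintext); the bank.example flow is the sane exclusion the lesson recommends keeping, listed so it is a known gap rather than a surprise; and the share.example flow is the one to chase next, because a decrypt rule matched but no DPI verdict was logged.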

Quick check · Q4 of 10 · Analyze

Why is it a mistake to size a Sophos Firewall by its raw firewall throughput number?

Correct: d. The headline firewall throughput is forwarding only. Decryption plus the streaming DPI engine cost cycles, so you size to throughput measured with TLS + DPI on, matching real traffic.
👉 So far: Run it from the Control Center, manage it in Sophos Central, link endpoints with Synchronized Security — and size with TLS + DPI on, never raw forwarding.

📝 Wrap-up assessment — six more

You've answered 4 inline. Six left. 70% (7 of 10) marks the lesson complete on your profile.

Q5 · Remember

Sophos Firewall (formerly XG) runs which operating system across all its form factors?

Correct: a. SFOS is the OS behind Sophos Firewall on XGS hardware, virtual, software and cloud editions. PAN-OS, FortiOS and IOS-XE belong to other vendors.

Q6 · Understand

What best describes the single streaming DPI engine?

Correct: b. 'Scan once, use many' — the engine streams the flow past all four inspection engines in a single pass rather than re-buffering and re-scanning for each one.

Q7 · Apply

On an XGS appliance, what does FastPath on the Xstream Flow Processor actually do?

Correct: c. FastPath is hardware offload of trusted flows after inspection, freeing the main CPU. It is the hardware basis of high throughput with inspection enabled.

Q8 · Analyze

Why is single-pass streaming DPI more efficient than a legacy proxy model?

Correct: d. The legacy proxy model re-buffers content per engine, which is expensive. Xstream streams the flow past all engines once and shares the verdict, so it scales at high throughput.

Q9 · Evaluate

An interviewer asks where you manage a Sophos Firewall and how it works with endpoints. Best answer?

Correct: b. The Control Center is the local dashboard; Sophos Central is the cloud management plane; Synchronized Security (Security Heartbeat) ties firewall and endpoints so they share health and respond together.

Q10 · Evaluate

What is the strongest reason to keep Xstream TLS inspection enabled?

Correct: c. If TLS inspection is off, the DPI engine has no plaintext to scan, so IPS/AV cannot see threats inside HTTPS. Decryption (with a sane exclusion list) is what makes inspection meaningful on encrypted traffic.

🧠 In your own words

Type one line: why is the Sophos Xstream architecture described as 'scan once, use many, then offload' rather than a chain of separate scanners? Then compare with the expert version.

Expert version: Because SFOS streams a flow through a single DPI engine that scans it once and shares the result across IPS, anti-malware, web filtering and app control — there is no per-engine re-buffering. Xstream TLS inspection decrypts TLS 1.3 first so there is plaintext to read, and once a flow is trusted the rest is offloaded to FastPath on the Xstream Flow Processor so the CPU only works on new or risky traffic. A chain of separate scanners would re-read the same content again and again and collapse at high throughput; 'scan once, use many, then offload' is exactly why XGS appliances stay fast with full inspection on.

📖 Glossary

Sophos Firewall
Sophos's next-gen firewall, formerly XG Firewall, running SFOS on hardware, virtual, software and cloud.
SFOS (Sophos Firewall OS)
The operating system on every Sophos Firewall form factor; splits into a control plane and a data plane.
XGS series
The current Sophos hardware appliance line, including an XGS Desktop range, fitted with Xstream Flow Processors.
Xstream architecture
Sophos's inspection design built on three pillars: TLS inspection, single streaming DPI and FastPath acceleration.
Xstream TLS inspection
Native TLS 1.3 decryption at high performance so HTTPS traffic can actually be inspected.
Single streaming DPI
A scan-once engine that shares one pass across IPS, anti-malware, web filtering and app control.
FastPath / Xstream Flow Processor
Hardware offload of trusted, already-inspected flows on XGS, freeing the main CPU for new traffic.
Control Center
The SFOS web-admin dashboard showing traffic, system health, ATP and Security Heartbeat at a glance.
Sophos Central
The cloud console that manages the firewall alongside endpoints in the Adaptive Cybersecurity Ecosystem.
Synchronized Security (Security Heartbeat)
The link that lets firewall and endpoints share health and react together, e.g. isolating a compromised host.

What's next?

Got the architecture? Next, wire it up: zones and interfaces, VLANs and LAGs, and routing — static, OSPF and BGP — finished off with SD-WAN so the right traffic takes the right link.