Sophos Deployment Mode

In an enterprise environment, not everyone is ready to swap a new firewall device into their network. Many need to evaluate it first, while others want a complete deployment from the start.

With such varied requirements, a firewall has to be flexible in how it is deployed.
Let's start by looking at the modes Sophos XG Firewall can be deployed in and the cases in which each should be used.


Bridge Mode

We discussed how the firewall can be used inline in an existing environment. By putting the firewall in bridge mode, we can place it in the network without modifying the existing design. This can be extremely useful when adding a firewall to an existing environment as a proof of concept, or even as a drop-in solution when it is not being deployed as an edge device to replace an existing firewall.

In bridge mode, the Sophos XG Firewall supports multiple bridge pairs. You can also construct a multiport bridge that contains more than 2 ports. Note that a maximum of 4 ports can be used in a single bridge.

Bridge mode is the ideal solution for networks that already have a firewall or router acting as a gateway, where the customer does not want to replace that device but still wishes to add security using the appliance's deep-packet inspection, Intrusion Prevention System, gateway anti-virus and anti-spam services. Bridge mode also supports Spanning Tree Protocol.

Gateway Mode


Gateway mode is used when you want to deploy a new appliance or replace an existing appliance with a Sophos XG Firewall.
Use gateway mode where the Sophos XG Firewall needs to manage routing between multiple networks and zones and is the entry and exit point for the network.

Some functions cannot be used in bridge mode and require either gateway mode or mixed mode; these include:
• Using the Sophos XG Firewall as a VPN concentrator
• Multiple WAN links
• Configuring two devices in a high availability cluster


Mixed Mode

Mixed mode is a combination of bridge and gateway mode, where a few port pairs work in bridge mode and the other ports are left to work in router mode (gateway mode).

Mixed mode also works with multiple bridge pairs or bridges that contain more than just two interfaces.


