If you think your home router is protecting your business network, you’re not alone — and you’re not safe. The router your broadband provider installed handles basic traffic routing, but it was never designed to defend against the threats UK businesses face today: ransomware payloads, phishing traffic, rogue devices, and targeted intrusions. A proper business firewall is the front door lock, the security camera, and the alarm system all in one.

Here’s what separates a real firewall from a consumer router, and a comparison of the three solutions small businesses ask about most in 2026: Sophos XGS, Fortinet FortiGate 40F, and pfSense Plus.

Why your router is not a firewall

A standard home router performs Network Address Translation (NAT) — it hides your internal devices behind one public IP address. Unsolicited inbound connections are dropped only because no translation entry exists to match them, so the protection is a side effect of NAT, not a deliberate security posture.

A business-grade firewall adds deep packet inspection (examines the content of traffic, not just source and destination), intrusion prevention (blocks known attack patterns in real time), application awareness (can block specific applications or risky categories), a VPN gateway for remote employees, centralised logging, and automatic threat intelligence updates. For any UK business handling customer data, financial records, or health information, a proper firewall is the baseline your cyber insurance provider expects to see.

The three contenders

Sophos XGS (87 or 107 model for most SMBs)

Sophos XGS appliances are purpose-built hardware running Sophos Firewall OS. The XGS 87 is designed for offices of 5–25 users; the XGS 107 suits up to 50.

Cost: Hardware runs roughly £500–750. Annual licensing (which includes IPS, web filtering, and support) adds £300–600 per year depending on the bundle.

Ease of management: Sophos Central is the cloud-based management portal, and it’s genuinely friendly to non-technical administrators. The dashboard surfaces threats clearly, and guided wizards handle most configurations. If you use a managed IT provider in the UK, there’s a good chance they’re already certified Sophos partners.

Standout feature: Synchronized Security links the firewall to Sophos endpoint software. If a laptop is infected, the firewall automatically isolates it from the rest of the network until it’s cleaned. This automatic containment is exceptional value for a business without a dedicated IT security team.

Support: 24/7 phone and chat support included with a support licence. Documentation is thorough and well-organised.

Fortinet FortiGate 40F

The FortiGate 40F is a compact, fanless appliance designed for small offices. Fortinet dominates enterprise security globally, and the 40F brings that pedigree down to SMB pricing.

Cost: Hardware is approximately £350–550. FortiGuard subscription bundles (IPS, antivirus, web filtering, SD-WAN) run £250–500 annually.

Ease of management: FortiOS is powerful but has a steeper learning curve than Sophos. The interface rewards patience. Cloud management via FortiCloud is improving. Most managed IT providers are certified Fortinet partners.

Standout feature: The FortiGate 40F includes a built-in SD-WAN engine, genuinely useful if your business uses multiple internet connections for redundancy. Threat intelligence from FortiGuard Labs is updated in real time from a vast global sensor network.

Support: Support is tiered. Basic software updates are included; FortiCare Premium adds 24/7 technical support and next-business-day hardware replacement.

pfSense Plus

pfSense Plus is open-source firewall software from Netgate, deployable on Netgate’s own appliances or on a spare PC. It’s a different proposition — highly capable, but it demands more technical comfort.

Cost: Software licences for Netgate hardware are included in the hardware price. Hardware ranges from around £170 for the 1100 model to £400+ for mid-range appliances. Community Edition is free but less polished.

Ease of management: The web interface is functional but technical. Setting up VLANs, VPN, and IDS rules requires comfort with networking concepts. This isn’t the right choice if you have no internal IT resource.

Standout feature: No per-feature licences. Snort or Suricata IDS/IPS, pfBlockerNG for DNS filtering, and OpenVPN are all available at no extra cost. Total cost of ownership over three years is often half that of competing solutions.

Support: Community forums are active and helpful. Commercial support from Netgate is available but modestly resourced — not always instant.

Hardware vs cloud-managed: which fits you?

Factor | On-premises appliance | Cloud-managed (Sophos Central, FortiCloud)
Management location | Local web interface | Browser from anywhere
Internet dependency | Works if internet is down | Requires internet to make changes
Visibility for MSPs | Limited remote access | Easy multi-site dashboards
Upfront complexity | Higher | Lower

For most UK small businesses working with a managed IT provider, cloud-managed is the better fit. You get centralised visibility, remote troubleshooting, and policy changes that don’t require anyone to be on-site.

Three questions to answer first

Do you have internal IT support? If no, choose Sophos or Fortinet and consider purchasing through a local UK MSP who’ll manage it for you. pfSense requires technical ownership.

How many users and devices? The XGS 87 and FortiGate 40F both comfortably handle offices up to 25–30 users. If you have more than 50 users, move up a model tier.

What’s your three-year budget? Sophos and Fortinet both run roughly £1,000–£1,500 over three years for a small office. pfSense on a Netgate 1100 might run £400–600 total — but only if you can manage it yourself.

Bottom line

For most UK small businesses in 2026, Sophos XGS offers the best combination of genuine security capability and accessible management — especially if you’re working with a managed IT provider. Fortinet FortiGate 40F is the right call if you need SD-WAN features or your MSP is a Fortinet specialist. pfSense Plus earns its place for technically confident owners who want maximum capability at minimum ongoing cost.

A firewall you understand and maintain is always more valuable than a sophisticated one that gathers dust after installation. Whichever you choose, ensure someone owns the update schedule, reviews the logs monthly, and tests the VPN before employees need it remotely.