sanji16
just joined
Topic Author
Posts: 2
Joined: Sat Jan 01, 2022 11:25 am

Is it necessary for me to install a second firewall?

Sat Jan 01, 2022 11:27 am

We have two offices: a main office with 70 employees and a distant facility with ten employees. Each site is connected through VPN and each site has a Mikrotik CCR1009-7G-1C-1S+PC. I don't need an additional firewall, according to the business that installed the routers, because the routers already have one enabled.

We use Sophos endpoint, thus I was considering installing a Sophos XG at both of my locations.

Do I need to purchase a separate firewall for each of my two sites, or will the Mikrotik routers suffice?
 
ConnyMercier
Forum Veteran
Posts: 725
Joined: Tue Dec 17, 2019 1:08 pm

Re: Is it necessary for me to install a second firewall?

Sun Jan 02, 2022 7:37 pm

It depends......

Yes, Mikrotik / RouterOS has a firewall and it's quite good.
For a lot of SME environments, the default Mikrotik firewall is enough.

It always depends on the application and your requirements.

And of course, don't expect a $200 router to have the same as a
high-end $2000 firewall with a $400-a-year subscription.
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: Is it necessary for me to install a second firewall?

Sun Jan 02, 2022 8:07 pm

There are two aspects - what a "firewall" actually means and what is the convenience of the administration.

A stateful firewall looks into the network layer of the packets but not into the application layer. So you can drop attempts of devices in the internet to actively initiate a connection towards devices in your LAN, and you control connections the devices in distinct LAN segments can establish to each other. And it is the way this is configured (and the level of abstraction in defining zones, and the number of pre-cooked traffic classification rules) that makes the difference between the different vendors' products.

But when it comes to malware being added to the web page of a compromised web site, or delivered within an e-mail message, it is not a task for an L3/L4 firewall - you either need an application layer firewall (which RouterOS does not provide) or an "anti-virus" software on the endpoint. Since most of the web sites of today use HTTPS (HTTP over TLS), and also most e-mail clients use TLS-encrypted protocols, the application layer firewall and/or "anti-virus software" have to decrypt the communication in order to be able to scan the actual payload for malware. Which effectively means the so-called "man in the middle attack", where an entity standing in the data path between the two endpoints of a secure communication pretends to be endpoint A towards endpoint B and vice versa. To facilitate this specifically for TLS, it uses a root CA certificate trusted by the endpoints to sign ad-hoc certificates it uses instead of the original ones to sign the re-encrypted traffic.

So it is a double-edged sword - on one hand, it is the only way to detect malware before it can become a file at the target, on the other hand, it breaks the privacy of users, often including passwords (because why should the user credentials be transported securely at application layer if the whole connection is encrypted).

And another point, malware is typically identified by signatures, and hence the system needs periodic (daily) updates by information from malware analysts, hence there's a subscription to cover the costs of this never-ending work.

So it depends on what other security software you use - if you already have an endpoint anti-virus that inspects web and e-mail, you may not need the same functionality packed into a box called firewall.
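As an added illustration of the L3/L4 behaviour described above (this is example configuration, not something posted in the thread or shipped by MikroTik): a minimal stateful RouterOS filter that lets the LAN open connections outward, lets the replies back in through connection tracking, blocks anything the Internet side tries to initiate, and keeps a second LAN segment from opening connections into the main one. It assumes the interface lists WAN and LAN already exist (RouterOS's default configuration creates them) and that the two segments are on hypothetical bridges named bridge-main and bridge-guest; no rule here looks at payload, which is exactly why it cannot see inside HTTPS or TLS-protected mail.

```routeros
# Added example, not from the thread. Assumes interface lists "WAN" and "LAN"
# exist and the LAN segments are on the hypothetical bridges "bridge-main"
# and "bridge-guest". Rules are evaluated top-down; the first match wins.
/ip firewall filter

# --- input chain: traffic addressed to the router itself ---
add chain=input action=accept connection-state=established,related,untracked \
    comment="replies to connections the router itself opened"
add chain=input action=drop connection-state=invalid \
    comment="packets that belong to no tracked connection"
add chain=input action=accept protocol=icmp \
    comment="ping/traceroute for diagnostics"
add chain=input action=accept in-interface-list=LAN \
    comment="management (WinBox/SSH/API) only from the LAN side"
add chain=input action=drop \
    comment="everything else, including anything from WAN, is dropped"

# --- forward chain: traffic passing through the router ---
add chain=forward action=accept connection-state=established,related,untracked \
    comment="return traffic for connections the LAN initiated (stateful part)"
add chain=forward action=drop connection-state=invalid
add chain=forward action=drop connection-state=new in-interface-list=WAN \
    connection-nat-state=!dstnat \
    comment="Internet hosts cannot initiate connections into the LAN"
add chain=forward action=drop connection-state=new \
    in-interface=bridge-guest out-interface=bridge-main \
    comment="guest segment may not open connections to the main segment"
```

To confirm the rules behave as intended, watch the per-rule counters with `/ip firewall filter print stats` while a LAN host browses, and list the tracked flows with `/ip firewall connection print`: an HTTPS session shows up only as a 5-tuple with a state, never as a URL or a file name, which is the limitation the post is pointing at.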
 
akarpas
Member Candidate
Posts: 179
Joined: Tue Mar 20, 2018 4:46 pm

Re: Is it necessary for me to install a second firewall?

Sun Jan 02, 2022 8:54 pm

Yes, you can add a Sophos XG firewall in transparent mode between your Mikrotik facing WAN and the LAN. The transparent mode works as a bridge for traffic from Mikrotik to LAN and from LAN to Mikrotik, and all this traffic is protected by the Sophos XG firewall. Really nice setup to protect a network; one thing I don't like about Sophos is that sometimes it gets a bit overprotective, some legitimate services are blocked and you have to invest time to see why and how to fix it.
 
mkx
Forum Guru
Posts: 11598
Joined: Thu Mar 03, 2016 10:23 pm

Re: Is it necessary for me to install a second firewall?

Mon Jan 03, 2022 7:33 pm

Do I need to purchase a separate firewall for each of my two sites, or will the Mikrotik routers suffice?

It's not clear from your question, so in case you were thinking about it ... if you decide to run Sophos, then you'll need separate hardware; you cannot install any 3rd-party software on RouterOS machines.
