With the XG17 out and in full swing, what does UTM 9.x provide that XG17 doesn't?

I know it's a religion of Astaro which I was a part of for many years, but now I have actually jumped on the XG17 bandwagon (although I have a full spare HD with UTM 9.5 in storage ready to be plugged in on a moment's notice.)

Thus, I was wondering what the pros and cons of running one vs. the other are, what one introduces while the other takes away, and vice versa.

Most of all, what are the capabilities of 9.5 that prevent one from switching to XG17?

If it's just the GUI then that's not enough; I have gone from Untangle 7 to Astaro to UTM 9 to now XG, I can deal with a GUI.

Thanks!

  • I was stubborn at first... not liking the new XG GUI.  It's true that some config items are still easier to find in UTM, but things are a lot better with v17.

    I like the top/down ruleset.  I can get really granular with the configuration.

    Other users here can speak to missing features... I mainly use it for URL filtering and IPS and don't need more advanced settings.

    V17 has fixed some scanning issues with streaming video that are still present with UTM.

  • It's really hard to do a direct comparison between the two and Sophos hasn't released any whitepaper for XG17.  Your best bet is to download the Administration Guides for UTM 9.503 and XG17 and skim through the features.

    https://news.sophos.com/en-us/2017/05/05/sophos-utm-9-5-is-here-easier-faster-and-more-flexible/

    https://www.sophos.com/en-us/support/documentation.aspx

  • After several years with UTM, I feel like I finally understand it sufficiently to configure it correctly (effectively and safely).  My brief attempt to learn XG was discouraging.   Sophos does not seem to provide much concept documentation.

    It would be great if a real user would lay out the concept mapping.  For example, UTM implements web proxy with the hierarchy of Filter Profile... Policy... Filter Action... then overrides and exceptions.  What is the XG flow for this?  I think it starts with user groups first, not source IP, but then what?

  • In reply to DouglasFoster:

    Hi folks,

    I have been running UTM for many years and now running one XG. I went to XG because when I was working we were installing NGFs similar to XG configurations, which is a very different way of thinking compared to UTM.

    The UTM supports native IPv6, though the last couple of releases have introduced some bugs. XG has limited IPv6 support and is very difficult to configure: no auto re-assignment, no PPPoE support.

    The UTM mail relay is very easy to set up and manage; the XG, even in v17 MR-1, is extremely complex and I have not been able to get it to work after many attempts.

    The UTM DHCP/DNS are linked or linkable; on the XG the DHCP does not know about the DNS.

    The UTM has a secure NTP and DNS function; the XG has neither.

    The UTM is a pain to set up with dual links; the XG is much easier, though v17 MR-1 has a minor bug with failover: it doesn't work.

    The UTM only scans POP3 and SMTP, while the XG will scan IMAP, POP3 and SMTP (and the S variants).

    The UTM IPS is very easy to tune; the XG is extremely difficult. There is promised improvement, but not sure in which version.

    The UTM supports VLANs in firewall rules; the XG does not.

    I am not 100% sure about the accuracy or effects of this: one uses VLAN at L2 and the other at L3, which is limiting.

    Both devices have very complex reports and can be fine tuned. 

    The XG report generation time is anywhere within 1 hour of the set time, depending on processor load.

    The UTM has lower throughput than the same size XG, but I expect this will equalise as more functions are added to the XG to bring it to UTM function parity.

    The UTM and XG use different web site checking databases, the current XG version is being tuned, but seems to perform better (Sophos in house).

    The XG GUI/menu system is improving with more cross links, but the groupings do not appear to be logical.

    The UTM has very comprehensive logging; the XG is improving, but has a long way to go to be very useful to the security admins.

    The UTM is configured using the GUI; the XG uses a mix of CLI and GUI, and if your CLI abilities are limited like mine you are always asking for assistance when the GUI is missing a feature.

    The UTM has good web server security, whereas the XG does not appear to work that well. I have not tried either, this is just repeating forum gossip.

    The UTM is a full-featured firewall and industrial strength; the XG is slowly getting there. My current opinion is the XG is suitable for small business and home use and for those coming from other products; for those coming from the UTM it is very lacking in functions. The XG is a very good training system for people looking to get into NGF security. There are schools and large businesses using the XG.

    I know Michael Dunn will disagree with some of what I have said, and if Billybob or Bill Roland read this they might add their 10c worth.

    Ian

    Yes, I know, very long winded.

    Updated - fixed spelling/typing errors

  • In reply to rfcat_vk:

    Since Sophos can't make up its mind on what to do with UTM, threads/discussions like these keep on popping up. The true answer is to try both and see which one is better for you; otherwise read on...

    I am a big UTM fanboy and wouldn't even try to hide that fact. Having said that, I have been using XG v17 full time at home since the beta became available and can live with it mostly. But not all is well at XG, and to further add to what (Ian) has already outlined, here are my top gripes about XG.

    • UTM used the McAfee database for web categorization. XG uses Sophos, which is not that great when it comes to categorization. Most people only see that as "ok, so a few ads get through, so what?" The problem is that certain subdomains of legitimate domains have ads, trackers etc. and the Sophos database really fails here. For example most Google domains are tagged as search engines. A lot of other CDNs are tagged as Information Technology incorrectly.
    • For some reason they can't get logging to work. Probably because the back end produces horrendous logs. Astaro always used open source daemons and the in-house development tried to stick with regular conf files and logging, which makes verbose logging trivial in UTM. That is why it's so easy to then grep those logs and present them in the GUI. XG, which is derived from Cyberoam, comes from a philosophy of taking open source daemons, making a few changes to them and making them closed source (I have no actual proof of this other than all Cyberoam daemons are developed in house. Looking at their firewall offering, I don't think their programmers were capable of writing their own daemons). In any case, the in-house daemons produce very few logs, so Sophos is having a hell of a time to now create verbose logging comparable to UTM.
    • If you have any clients that host their own SMTP server, don't even think about XG. No logs to know what happened to your mails, and the MTA is very limited in its capabilities.
    • OpenVPN is still stuck on a fixed port after almost 2 years of requests. Maybe v18... In the meantime a Chinese router can run OpenVPN on any port that you want. Try selling that to your customers.
    • Port names are stuck as port1, port2 etc. and you can't rename them. HR is having connectivity problems; hopefully you tagged your cables correctly with a sticky tape.
    • There is no way of knowing who or what is using all your bandwidth. Actually, there is really no way of knowing if your WAN link is completely saturated in XG other than users coming to you and telling you that you suck as a firewall admin. Nothing even remotely comparable to flow monitor, which is not that great to begin with.
    • As Ian has already mentioned, no NTP server, so all your IoT devices and phones have to contact the internet for time. Even worse, if you have an in-house NTP/DNS server, there is no way to DNAT that traffic to internal servers, i.e. there is no way to write a rule "DNAT all NTP/DNS traffic, source IoT devices / cell phones, destination internet, to MY SERVER".
    • IPsec seems to be broken even after the release of v17 MR2, but I don't use IPsec so I will leave that for someone else.

    and finally INTENTIONAL SABOTAGE AND DOWNRIGHT DESTRUCTION OF THE UTM9 platform. I have been using UTM since v4 and even though I could roll my own Red Hat Linux distros back in the day and run Snort and Squid etc. on separate boxes to protect my network, Astaro made it so simple. On top of that, the philosophy of sharing and caring that Astaro had is something that I greatly miss. After acquiring Cyberoam, Sophos has pretty much abandoned the UTM platform. Sandstorm is the only thing added to UTM other than mostly patches for vulnerabilities. Same old GUI since v7/8 days, same daemons (some optimized) and honestly, it is showing its age. They are still charging full prices for licenses and yet all the development is being done on XG. Whoever decided to kill UTM in favor of Cyberoam, most likely for cost saving measures, probably ended up costing the company more in development time to get XG running.

    I can keep on rambling, but this is how it is, and although the usual people will come and say it's all good, it really is not.

  • In reply to rfcat_vk:

    I don't know enough about most of the functionality rfcat_vk (Ian) or billybob describes to agree or disagree.  But overall I trust their opinions on this.  My area of expertise is on the Web side, and I find the UTM and XG fairly equivalent but different (in how you configure policy).
    That disclaimer in place I will add my 2 cents in.
     
    XG throughput is better than UTM.  With XG v18 and new hardware it will make it even more so.  I disagree with Ian, it won't equalize - XG speed improvements will make gap larger, even as new features are brought in.
     
    Web Categorization is a data issue - not a codebase issue.  I know this is a distinction that may not make a difference to most people, but it does on the Sophos side.  The data that XG uses is also used in other products.  Completely different group of people who work on it.  Improvements occur on a daily basis, not yearly releases.  There are no announcements of fixes.  Most of it is a steady stream of minor issues that get resolved quickly, but the stream never ends.  It is not enough for an admin to see a problem, they must also report it to us if they want it fixed.  Categorization quality seems to be a real issue for some people, but completely off the radar for (IMO) the majority of customers.
     
    I disagree with the bolded 'intentional sabotage and downright destruction of the UTM'.  Though it is true there has been little development of new features on the UTM, that phrase makes it appear as though Sophos is making things worse than, say, 2 years ago.  UTM is a pretty feature rich product.  As many people have pointed out - it just works.  So the fact that it hasn't had a UI refresh?  Does that really matter?
     
    Overall, I think rfcat's list includes a few features that UTM has that XG does not.  However it fails to mention that there are several features that XG has that UTM does not.  For many customers, the new XG-only features outweigh the UTM-only features.  There are also probably a dozen minor places where the two products both support something but the XG does it better.
    XG has firewall rules based on user identity.  UTM does not.
    XG has synchronized application control / application traffic discovery.  UTM does not.
    XG has synchronized security / Endpoint heartbeat.  UTM does not.
    XG has web content filtering.  UTM does not.
    XG has policy test simulator for firewall rules and web policies.  UTM only has it for web policies.

    One of the things I see in the comparison is that if XG lacks a feature that UTM has (not complete feature parity), some people say that means XG cannot be used because they cannot do things exactly the same way as UTM (not a drop in replacement).  From how I read some of Sophos' positioning (and I'm speaking completely on my own and not an official representative of the company here) they want to bring in features in XG that are so compelling that people will forsake the lack of feature parity.  In other words - people willing to not have some IPv6 and Port renaming in order to get Endpoint Heartbeat.
     
    Ultimately the question of UTM vs XG must be asked twice.  For a new customer, and for an existing UTM customer.  In my opinion, for a new customer XG is the way to go - their questions should be around feature comparison of their existing solution vs XG.  Only if XG cannot meet their needs should they then look at the UTM.  For a customer already using UTM...  I'm a believer in "if it ain't broke don't fix it".  If they are happy with the UTM and the new XG-only features are not compelling enough, then keep with their current setup.  If the XG-only features are desirable enough then do a site-specific feature comparison to understand if they will lose any functionality they require by migrating.
     
  • In reply to Michael Dunn:

    Thanks, Michael.  I have some questions about the additional features of the XG:

    XG has firewall rules based on user identity.  UTM does not.

    How is this different from STAS used with the UTM?

    XG has synchronized application control / application traffic discovery.  UTM does not.

    What does "synchronized" mean and how is this better than AppCtrl in the UTM?

    What is "application traffic discovery" and what advantage does it offer?

    XG has synchronized security / Endpoint heartbeat.  UTM does not.

    I believe that this is a part of Billybob's frustration - no effort to improve the UTM while folks continue to pay full boat for it even though adding this capability could be easily done.

    XG has web content filtering.  UTM does not.

    How is "web content filtering" different from Web Filtering on the UTM and what is the advantage?

    Cheers - Bob

  • In reply to BAlfson:

    Re: User Identify in firewall rules
    In XG you can create a firewall rule such as Users in the group "Network Admins" are allowed to SSH from LAN to WAN.
    Now Bob (who is a Network Admin) can use SSH on any device he happens to log into.
    As far as I know in UTM you cannot specify a rule like that for a User or User Group.  Only for a source IP.
     
    Re: synchronized app control
    This is a new feature in v17.  In XG w/Endpoint you can now see that traffic that is going through port 1234 is generated by executable c:\Program Files\Application\Updater.exe.  You can then manually categorize the application traffic, which is then controlled by the existing App Control.  Existing App Control definitions work only on a predefined list of traffic sniffing signatures seen by the Firewall.  Now in addition to those you can add any other currently-unknown application using signatures of both the traffic sniffing and the executable.
    More info: https://vimeo.com/237000766
     
    Re: web content filtering
    This is a new feature in v17.  You can now create a rule that says anytime that someone visits a webpage where the word 'punch' or 'kill' or 'suicide' appears on the page, please log it in a report.  This looks at the actual content of the web traffic.  To be used in schools, libraries, and other institutions.  Not shown on the quick video, but AFAIK it also logs including the content around the matched keyword so you can see whether this is (for example) a case of online bullying.
    More info: https://vimeo.com/234921971

  • In reply to Michael Dunn:

    Thanks again, Michael.

    You can make firewall rules for users and groups using STAS and Active Directory.

    It's called "synchronized" because the rules are created and monitored in the XG but the work is done by Endpoint?  The ability to customize the category is desirable.  Are there any examples of customers' praise for this capability - anything that let an admin brag?

    What are examples of content control that a business would use?

    I have some users that only use Web and Network along with Central Endpoint Advanced.  That appears to be handled well enough by XG today.  Is there an official target date to have a migration tool for UTM to XG for just these three subscriptions?

    Cheers - Bob

  • In reply to BAlfson:

    It is "synchronized" because you have the Endpoint looking at the list of running processes and you have the Firewall looking at the network traffic, then combining the data.  I'm not sure where the enforcement is done.  I don't know too much about it.  It is being billed as revolutionary because no one else does it, partly because there is no other security company that has equal penetration into the firewall and endpoint worlds.  I'm not 100% sure, but I think some of the application definitions go back to Sophos so that we can then create built-in application definitions that then get pushed out to everyone.  So as customers start using it, the data then gets used to improve everyone - even those who don't use it.  That may also allow for a much quicker discovery of new applications.
     
    As far as I know content control will mostly be used in schools and such.  I think the purpose is more around monitoring and controlling social media.  AFAIK, it can also be used for DLP (Data Loss Prevention).  It can monitor when things like credit card numbers or Social Security Numbers are sent from inside the network.  I know more about the technical side of this, but not as much the use case.  You can use it to report on anyone who does a Google search for bomb making.  This feature will also make us competitive against other more education-specific companies, especially in areas where there is a demand for increased monitoring.
    edtechnology.co.uk/.../new-statutory-guidance-for-school-web-filters

    As for examples and case studies I would just use Google and the Sophos Community search.  I would assume that Sales and Marketing have some materials.
     
  • In reply to Michael Dunn:

    Hi Michael,

    Yes, Billybob and I did leave some items out, but as home users we are aware of the features but have no idea if they work or not. Forum reviews might give you a better indication.

    Seeing the US market has run out of IPv4 addresses, I would have thought getting IPv6 into place would have been a reasonably high priority.

    I was contemplating adding extra items to that list, so here they are.

    XG allows you to direct networks/users to different gateways while using the web proxy; UTM can't. (Big advantage)

    You can set up ATP rules, WEB rules and IPS rules for each firewall rule. (Big advantage)

    You cannot get reports on VLAN traffic.

    You still need to use CLI in XG in 2018. I know XG was written by Microsoft based on how much of MS stuff still needs to be done in CLI because the MS GUI does not have the same authority (joke).

    WEB/ATP classification. The XG version is faster to respond; this is after a number of issues were raised in the forum about the performance. Now, how was it fixed? By moving a number of sites to unclassified; just look at your daily reports.

    Ian

  • In reply to rfcat_vk:

    On web-categorization data, I have complained about this before during betas. The problem is not that the quality is not up to par with UTM. As Michael pointed out, there is a lot of layer 8 firewalling going on (the only thing that Cyberoam brought to the table). What happens is that right now in XG you can write up firewall rules that can do QoS based on web or application categorization. So let's say you want to throttle streaming media on the guest network but allow IT related websites with minimal throughput restraints. Due to bad categorization, certain websites hog the whole bandwidth while you thought you were controlling them correctly. To compensate for that you are back to IP based QoS, so one step forward but not quite yet. I never insinuated that you have to wait a whole year for the data to get better. However, Sophos' standard response is to submit a URL. That is great for open source projects but not really what customers want to hear after paying thousands of dollars for an appliance. On general web filtering, speed wise, XG is definitely faster, and certain websites that balk and don't render correctly using proxies in UTM usually have little problems with XG.

    Same with application control... UTM9 has always categorized my Netflix traffic correctly and XG still doesn't. I just throttle my streaming devices so that those Netflix 4K streams are not downloading multiple terabytes on their own. But that's because they wanted XG to be grouped with nextgen firewalls and want to use Snort for application categorization instead of netfilter doing layer 7. You can't write your own rules for either, so it really doesn't matter other than the fact that Snort has to run full time, even though you are not doing any kind of IPS filtering, for application control/application categorization/application QoS to work correctly.

    I didn't mention synsec (synchronized security) because, unlike UTM9 endpoint protection that allows a few endpoints even for home users (hence the rant about the love for Astaro), it is a completely different subscription. Same with Sandstorm. I have seen Sandstorm in action and while the concept is great, the wait time during regular web surfing is too long. It is good for email protection etc., but it's comparable in both UTM and XG. Synchronized security looks better on paper than in real life. Don't get me wrong, it works great for what it does, but for people not familiar with the concept, think of it like the Norton enterprise antivirus solution. Your management console gives you all the alerts and the endpoints are quarantined etc. on the basis of the policies defined. Sophos is just taking it a step further and adding applications to it, and since the firewall has a say in routing, it can block the endpoint and quarantine it completely. Still, it's another subscription on top of your regular license.

    The main problem I have always had with XG is not what the brochure says about the product but what it can actually deliver. I want some kind of feature parity with UTM but I never asked for a clone. XG has a lot of quirks. Port renaming is not feature parity; it's something I regularly do on every device I own. It's easier to remember LAN, WAN, DMZ instead of port1, port2 etc. Global QoS with multiple WAN lines with different bandwidths is not feature parity; it's really needed when your main line fails and your layer 8 rules are worthless because your WAN bandwidth just became 1/4 of what it usually is. NAT rules are just basic stuff that has been available in Linux, yet XG has a hard time DNATing traffic. Open source MTA servers are being used all over the world, but they have been trying to invent one for XG since v15 and at v17... we are still reinventing the wheel. The Wifi GUI, as dated as it is in UTM, still gives me accurate data on signal strengths and information that I want, while XG gets stuck on what the client originally connected at.

    The layout of items in the XG GUI is very unintuitive. Where would you look for QoS settings in a firewall... somewhere in networking? In XG it is under system services. You are not done yet... you still have to go apply that QoS to the web or application policy and then use that policy in a firewall rule before the QoS starts working. This is quirky as hell and has nothing to do with feature parity. Clientless users require an email address... really? Your printer has an email address?

    Finally, the abandonment of the UTM platform. Yes, it has been abandoned. It's like Sophos had a world class rocket sitting in the hangar and they chose a prop plane because it was cheaper and came with a development team. Yes, XG has a lot of new "flashy slogans": synsec, nextgen, you name it. It's also true that UTM didn't need much when Sophos acquired it, but UTM is still where it was when XG v15 was introduced and there is no telling how much money went into developing XG from there on. Yes, we all understand UTM is dead and there is no point in selling one now, but it's a hard pill to swallow for people that are on their second or third year of UTM9 license with renewals just on the horizon.

    Regards
    Bill

  • In reply to Billybob:

    Billybob
    and finally INTENTIONAL SABOTAGE AND DOWNRIGHT DESTRUCTION OF THE UTM9 platform. I have been using UTM since v4 and even though I could roll my own Red Hat Linux distros back in the day and run Snort and Squid etc. on separate boxes to protect my network, Astaro made it so simple. On top of that, the philosophy of sharing and caring that Astaro had is something that I greatly miss. After acquiring Cyberoam, Sophos has pretty much abandoned the UTM platform. Sandstorm is the only thing added to UTM other than mostly patches for vulnerabilities. Same old GUI since v7/8 days, same daemons (some optimized) and honestly, it is showing its age. They are still charging full prices for licenses and yet all the development is being done on XG. Whoever decided to kill UTM in favor of Cyberoam, most likely for cost saving measures, probably ended up costing the company more in development time to get XG running.

    I can keep on rambling, but this is how it is, and although the usual people will come and say it's all good, it really is not.

    100x THIS!!!!! Can't agree more! In 2 years our UTM subscriptions will be due again, and if the current state doesn't change we will probably not be renewing for 3 years again but look for options!

  • In reply to Ben:

    Ben
    100x THIS!!!!! Can't agree more! In 2 years our UTM subscriptions will be due again, and if the current state doesn't change we will probably not be renewing for 3 years again but look for options!

    Well, at the pace of things today, I'm even wondering if these old school gateways at a perimeter will still be relevant in 3 years. I mean DPI is a hack and nothing else; technologies like HSTS render such devices completely blind, disable pretty much any captive portal usability (yes yes, teach a user to request an http web site first, absolutely), and by definition annihilate MiTM DPI. Currently, I'm battling with SSO on a UTM in order to get the users fully authenticated; the gateway knows the user already, either per SSL VPN daemon, RADIUS WPA2 Enterprise WiFi auth and you name it, and I'm still not authenticated as a full gateway user (at the UTM layers), useless.. This is so old school that I'm wondering really how long this will make any sense.. In the end, with full encryption everywhere, the only really important piece of gear has shifted back to the endpoint if you ask me...

  • In reply to Mokaz:

    Hi,

    they will still be relevant to stop open attacks on devices that do not go to the internet (and by inference have no real network security) and/or until IoT devices improve their security.

    Ian