I know it's a religion of Astaro which I was a part of for many years, but now I have actually jumped on the XG17 bandwagon (although I have a full spare HD with UTM 9.5 in storage ready to be plugged in on a moment's notice).
Thus, I was wondering what the pros and cons of running one vs the other are: what does one introduce while the other takes away, and vice versa.
Most of all, what are the capabilities of 9.5 that prevent one from switching to XG17?
If it's the GUI, then that's not enough; I have gone from Untangle 7 to Astaro to UTM 9 to now XG. I can deal with a GUI.
I was stubborn at first... not liking the new XG GUI. It's true that some config items are still easier to find in UTM, but things are a lot better with v17.
I like the top/down ruleset. I can get really granular with the configuration.
Other users here can speak to missing features... I mainly use it for URL filtering and IPS and don't need more advanced settings.
V17 has fixed some scanning issues with streaming video that are still present with UTM.
It's really hard to do a direct comparison between the two and Sophos hasn't released any whitepaper for XG17. Your best bet is to download the Administration Guides for UTM 9.503 and XG17 and skim through the features.
After several years with UTM, I feel like I finally understand it sufficiently to configure it correctly (effectively and safely). My brief attempt to learn XG was discouraging. Sophos does not seem to provide much concept documentation.
It would be great if a real user would lay out the concept mapping. For example, UTM implements web proxy with the hierarchy of Filter Profile... Policy... Filter Action... then overrides and exceptions. What is the XG flow for this? I think it starts with user groups first, not source IP, but then what?
In reply to DouglasFoster:
I have been running UTM for many years and am now running an XG. I went to XG because when I was working we were installing NGFs similar to XG configurations, which is a very different way of thinking compared to UTM.
The UTM supports native IPv6, though the last couple of releases have introduced some bugs. XG has limited IPv6 support and is very difficult to configure: no auto re-assignment, no PPPoE support.
The UTM mail relay is very easy to set up and manage; the XG, even in v17 MR-1, is extremely complex and I have not been able to get it to work after many attempts.
The UTM DHCP/DNS are linked or linkable; on the XG the DHCP does not know about the DNS.
The UTM has a secure NTP and DNS function; the XG has neither.
The UTM is a pain to set up with dual links; the XG is much easier, though v17 MR-1 has a minor bug with failover (it doesn't work).
The UTM only scans POP3 and SMTP, while the XG will scan IMAP, POP3 and SMTP (and S variants).
The UTM IPS is very easy to tune; the XG is extremely difficult. There is promised improvement, but I am not sure in which version.
The UTM supports VLANs in firewall rules; the XG does not.
I am not 100% sure about the accuracy or effects of this: one uses VLAN at L2 and the other at L3, which is limiting.
Both devices have very complex reports and can be fine tuned.
The XG report generation time is anywhere within 1 hour of the set time, depending on processor load.
The UTM has lower throughput than the same size XG, but I expect this will equalise as more functions are added to the XG to bring it to UTM function parity.
The UTM and XG use different web site checking databases, the current XG version is being tuned, but seems to perform better (Sophos in house).
The XG GUI/menu system is improving with more cross links, but the groupings do not appear to be logical.
The UTM has very comprehensive logging, the XG is improving, but has a long way to go to be very useful to the security admins.
The UTM is configured using the GUI; the XG uses a mix of CLI and GUI, and if your CLI abilities are limited like mine, you are always asking for assistance when the GUI is missing a feature.
The UTM has good web server security, whereas the XG does not appear to work that well. I have not tried either, this is just repeating forum gossip.
The UTM is a full-featured, industrial-strength firewall; the XG is slowly getting there. My current opinion is that the XG is suitable for small business and home use and for those coming from other products, but for those coming from the UTM it is very lacking in functions. The XG is a very good training system for people looking to get into NGF security. There are schools and large businesses using the XG.
I know Michael Dunn will disagree with some of what I have said, and if Billybob or Bill Roland read this they might add their 10c worth.
Yes, I know very long winded.
Updated - fixed spelling/typing errors
In reply to rfcat_vk:
Since Sophos can't make up its mind on what to do with UTM, threads/discussions like these keep on popping up. The true answer is to try both and see which one is better for you; otherwise, read on...
I am a big UTM fanboy and wouldn't even try to hide that fact. Having said that I have been using XG v17 full time at home since the beta became available and can live with it mostly. But not all is well at XG and to further add to what rfcat_vk (Ian) has already outlined, here are my top gripes about XG.
And finally, INTENTIONAL SABOTAGE AND DOWNRIGHT DESTRUCTION OF THE UTM9 platform. I have been using UTM since v4, and even though I could roll my own Red Hat Linux distros back in the day and run Snort and Squid etc. on separate boxes to protect my network, Astaro made it so simple. On top of that, the philosophy of sharing and caring that Astaro had is something that I greatly miss. After acquiring Cyberoam, Sophos has pretty much abandoned the UTM platform. Sandstorm is the only thing added to UTM other than mostly patches for vulnerabilities. Same old GUI since v7/8 days, same daemons (some optimized), and honestly, it is showing its age. They are still charging full prices for licenses and yet all the development is being done on XG. Whoever decided to kill UTM in favor of Cyberoam, most likely for cost-saving measures, probably ended up costing the company more in development time to get XG running.
I can keep on rambling, but this is how it is, and although the usual people will come and say it's all good, it really is not.
In reply to Michael Dunn:
Thanks, Michael. I have some questions about the additional features of the XG:
XG has firewall rules based on user identity. UTM does not.
How is this different from STAS used with the UTM?
XG has synchronized application control / application traffic discovery. UTM does not.
What does "synchronized" mean and how is this better than AppCtrl in the UTM?
What is "application traffic discovery" and what advantage does it offer?
XG has synchronized security / Endpoint heartbeat. UTM does not.
I believe that this is a part of Billybob's frustration - no effort to improve the UTM while folks continue to pay full boat for it, even though adding this capability could be easily done.
XG has web content filtering. UTM does not.
How is "web content filtering" different from Web Filtering on the UTM and what is the advantage?
Cheers - Bob
In reply to BAlfson:
Thanks again, Michael.
You can make firewall rules for users and groups using STAS and Active Directory.
It's called "synchronized" because the rules are created and monitored in the XG but the work is done by Endpoint? The ability to customize the category is desirable. Are there any examples of customers' praise for this capability - anything that lets an admin brag?
What are examples of content control that a business would use?
I have some users that only use Web and Network along with Central Endpoint Advanced. That appears to be handled well enough by XG today. Is there an official target date to have a migration tool for UTM to XG for just these three subscriptions?
Yes, Billybob and I did leave some items out, but as home users we are aware of the features but have no idea if they work or not. Forum reviews might give you a better indication.
Seeing the US market has run out of IPv4 (addresses) I would have thought getting IPv6 into place would have been a reasonably high priority.
I was contemplating adding extra items to that list, so here they are.
XG allows you to direct networks/users to different gateways while using the web proxy, UTM can't. (Big advantage)
You can setup ATP rules, WEB rules and IPS rules for each firewall rule. (Big advantage)
You cannot get reports on VLAN traffic.
You still need to use the CLI in XG in 2018. I know XG was written by Microsoft, based on how much of MS stuff still needs to be done in the CLI because the MS GUI does not have the same authority (joke).
WEB/ATP classification: the XG version is faster to respond. This is after a number of issues were raised in the forum about the performance. Now, how was it fixed? By moving a number of sites to unclassified; just look at your daily reports.
On web-categorization data, I have complained about this before during betas. The problem is not that the quality is not up to par with UTM. As Michael pointed out, there is a lot of layer 8 firewalling going on (the only thing that Cyberoam brought to the table). What happens is that right now in XG you can write up firewall rules that can do QoS based on web or application categorization. So let's say you want to throttle streaming media on the guest network but allow IT-related websites with minimal throughput restraints. Due to bad categorization, certain websites hog the whole bandwidth while you thought you were controlling them correctly. To compensate for that you are back to IP-based QoS, so one step forward but not quite yet. I never insinuated that you have to wait a whole year for the data to get better. However, Sophos' standard response is to submit a URL. That is great for open source projects but not really what customers want to hear after paying thousands of dollars for an appliance. On general web filtering, speed-wise, XG is definitely faster, and certain websites that balk and don't render correctly using proxies in UTM usually have little problem with XG.
Same with application control... UTM9 has always categorized my Netflix traffic correctly and XG still doesn't. I just throttle my streaming devices so that those Netflix 4K streams are not downloading multiple terabytes on their own. But that's because they wanted XG to be grouped with next-gen firewalls and want to use Snort for application categorization instead of netfilter doing layer 7. You can't write your own rules for either, so it really doesn't matter, other than the fact that Snort has to run full time, even though you are not doing any kind of IPS filtering, for application control/application categorization/application QoS to work correctly.
I didn't mention synsec (synchronized security) because, unlike UTM9 endpoint protection that allows a few endpoints even for home users (hence the rant about the love for Astaro), it is a completely different subscription. Same with Sandstorm. I have seen Sandstorm in action and while the concept is great, the wait time during regular web surfing is too long. It is good for email protection etc., but it's comparable in both UTM and XG. Synchronized security looks better on paper than in real life. Don't get me wrong, it works great for what it does, but for people not familiar with the concept, think of it like a Norton enterprise antivirus solution. Your management console gives you all the alerts and the endpoints are quarantined etc. on the basis of the policies defined. Sophos is just taking it a step further and adding applications to it, and since the firewall has a say in routing, it can block the endpoint and quarantine it completely. Still, it's another subscription on top of your regular license.
The main problem I have always had with XG is not what the brochure says about the product but what it can actually deliver. I want some kind of feature parity with UTM, but I never asked for a clone. XG has a lot of quirks. Port renaming is not feature parity; it's something I regularly do on every device I own. It's easier to remember LAN, WAN, DMZ instead of port1, port2 etc. Global QoS with multiple WAN lines with different bandwidths is not feature parity; it is really needed when your main line fails and your layer 8 rules are worthless because your WAN bandwidth just became 1/4 of what it usually is. NAT rules are just basic stuff that has been available in Linux, yet XG has a hard time DNATing traffic. Open source MTA servers are being used all over the world, but they have been trying to invent one for XG since v15, and at v17... we are still reinventing the wheel. The Wi-Fi GUI, as dated as it is in UTM, still gives me accurate data on signal strengths and the information that I want, while XG gets stuck on what the client originally connected at.
The layout of items in the XG GUI is very unintuitive. Where would you look for QoS settings in a firewall... somewhere in networking? In XG it is under System Services. You are not done yet... you still have to go apply that QoS to the web or application policy and then use that policy in a firewall rule before the QoS starts working. This is quirky as hell and has nothing to do with feature parity. Clientless users require an email address... really? Your printer has an email address?
Finally, the abandonment of the UTM platform. Yes, it has been abandoned. It's like Sophos had a world-class rocket sitting in the hangar and they chose a prop plane because it was cheaper and came with a development team. Yes, XG has a lot of new "flashy slogans": synsec, next-gen, you name it. It's also true that UTM didn't need much when Sophos acquired it, but UTM is still where it was when XG v15 was introduced, and there is no telling how much money went into developing XG from there on. Yes, we all understand UTM is dead and there is no point in selling one now, but it's a hard pill to swallow for people that are on their second or third year of a UTM9 license with renewals just on the horizon.
In reply to Billybob:
100x THIS!!!!! Can't agree more! In 2 years our UTM subscriptions will be due again, and if the current state doesn't change we will probably not be renewing for 3 years again but look for options!
In reply to Ben:
Well, at the pace of things today, I'm even wondering if these old-school gateways at a perimeter will still be relevant in 3 years. I mean, DPI is a hack and nothing else; technologies like HSTS render such devices completely blind, disable pretty much any captive portal usability (yes yes, teach a user to request an HTTP web site first, absolutely), and by definition annihilate MITM DPI. Currently, I'm battling with SSO on a UTM in order to get the users fully authenticated. The gateway knows the user already, either per SSL VPN daemon, RADIUS WPA2 Enterprise Wi-Fi auth and you name it, and I'm still not authenticated as a full gateway user (at the UTM layers). Useless... This is so old school that I'm really wondering how long this will make any sense... In the end, with full encryption everywhere, the only really important piece of gear has shifted back to the endpoint if you ask me...
In reply to Mokaz:
They will still be relevant to stop open attacks on devices that do not go to the internet (and by inference have no real network security) and/or until IoT devices improve their security.