With the XG17 out and in full swing what does UTM9.x provides that XG17 doesn't?

Question

I know it's a religion of Astaro which I was a part of for many years but now I have actually jumped on the XG17 bandwagon (although I have a full spare HD with UTM 9.5 in storage ready to be plugged in on moment's notice.) 
 
 Thus, I was wondering what are the pro's and cons of running one vs the other, what does one introduce while the other takes away and vice versa. 
 
 Most of all what are the capabilities of 9.5 that prevents one from switching to xg17. 
 
 If it's a GUI then that's not enough, I have gone from Untangle 7 to Astaro to UTM 9 to now XG I can deal with GUI. 
 
 Thanks!

Billybob · Accepted Answer

Since Sophos can't make up its mind on what to do with UTM, threads/discussions like these keep on popping up. True answer is that try both and see which one is better for you, otherwise readon... 
 I am a big UTM fanboy and wouldn't even try to hide that fact. Having said that I have been using XG v17 full time at home since the beta became available and can live with it mostly. But not all is well at XG and to further add to what rfcat_vk (Ian) has already outlined, here are my top gripes about XG. 
 
 UTM used mcaffee database for web categorization. XG uses sophos which is not that great when it comes to categorization. Most people only see that as ok so a few ads get through so what? The problem is that certain subdomains to legitamate domains have ads, trackers etc and sophos database really fails here. For example most google domains are tagged as search engines. A lot of other cdns are tagged as Information technology incorrectly. 
 For some reason they can't get logging to work. Probably because back end produces horrendous logs. Astaro always used open source daemons and the in house development tried to stick with regular conf files and logging which makes verbose logging trivial in UTM. That is why its so easy to then grep those logs and present them in the gui. XG which is derived from cyberoam comes from a philosophy of taking open source daemons, making a few changes to them and making them closed source (I have no actual proof of this other than all cyberoam daemons are developed in house. Looking at their firewall offering, I don't think their programmers were capable of writing their own daemons). In any case, the inhouse daemons produce very few logs so sophos is having a hell of a time to now create verbose logging comparable to UTM. 
 If you have any clients that host their own SMTP server, don't even think about XG. No logs to know what happened to your mails and the MTA is very limited in its capabilities. 
 Open VPN is still stuck on a fixed port after almost 2 years of requests. Maybe v18... In the meantime a chinese router can run openvpn on any port that you want. Try selling that to your customers. 
 Port names are stuck as port1, port2 etc. and you can't rename them. HR is having connectivity problems, hopefully you tagged your cables correctly with a sticky tape[:|] 
 There is no way of knowing who or what is using all your bandwidth. Actually, there is really no way of knowing if your WAN link is completely saturated in XG other than users coming to you and telling you that you suck as a firewall admin. Nothing even remotely comparable to flow monitor which is not that great to begin with. 
 As Ian has already mentioned, no NTP server so all your IOT devices and phones have to contact the internet for time. Even worse, if you have an inhouse NTP/DNS server, there is no way to DNAT that traffic to internal servers. i.e There is no way to write a rule DNAT all NTP/DNS traffic, source IOT devices/ cell phones destination internet to MY SERVER. 
 IPSec seems to be broken even after the release of v17 MR2 but I don't use IPsec so I will leave that for someone else. 
 
 and finally INTENTIONAL SABOTAGE AND DOWNRIGHT DESTRUCTION OF THE UTM9 platform. I have been using UTM since v4 and even though I could roll my own redhat linux distros back in the day and run snort and squid etc on separate boxes to protect my network, Astaro made it so simple. On top of that, the philosophy of sharing and caring that astaro had is something that I greatly miss. After acquiring cyberoam, sophos has pretty much abandoned the UTM platform. Sandstorm is the only thing added to UTM other than mostly patches for vulnerabilities. Same old gui since v7/8 days, same daemons (some optimized) and honestly, it is showing its age. They are still charging full prices for licenses and yet all the development is being done on XG. Whoever decided to kill UTM in favor of cyberoam most likely for cost saving measures probably ended up costing the company more in development time to get XG running. 
 I can keep on rambling but this is how it is and although the usual people will come and say its all good, it really is not.

rfcat_vk · Answer

Hi folks, 
 I have been running UTM for many year-end now running one XG. I went to XG because when I was working we were installing NGFs similar to XG configurations which is a very different way of thinking compared to UTM. 
 The UTM supports native IPv6, though the last couple of releases have introduced some bugs. XG has limited IPv6 support and is very difficult to configure, no auto re-assignement, no PPPoE support. 
 The UTM mail relay is vey easy to setup and manage, the XG even in the v17 mr-1 it is extremely complex and I have not been able to get it to work after many attempts. 
 The UTM DHCP/DNS are linked or linkable, XG the DHCP does not know about the DNS. 
 The UTM has a secure NTP and DNS function, the XG has neither. 
 The UTM is a pain to setup dual links, the XG is much easier v17 mr-1 has a minor bug with fail over, doesn't work. 
 The UTM only scans pop3 and smtp while the XG will scan imap, pop3 and smtp (and S variants) 
 The UTM IPS is very easy to tune, the XG is extremely difficult, there is promised improvement but not sure in which version. 
 The UTM supports VLANs in firewall rules, the XG does not. 
 I am not 100% sure about the accuracy or affects of this, one uses VLAN at L2 and and the other at L3 which is limiting. 
 Both devices have very complex reports and can be fine tuned. 
 The XG report generation time is any with in 1 hour of the set time depending on processor load. 
 The UTM has lower throughput than the same size XG, but I expect this will equalise as more functions are added to the XG to bring it to UTM function parity. 
 The UTM and XG use different web site checking databases, the current XG version is being tuned, but seems to perform better (Sophos in house). 
 The XG GUI/menu system is improving with more cross links, but the groupings do not appear to be logical. 
 The UTM has very comprehensive logging, the XG is improving, but has a long way to go to be very useful to the security admins. 
 The UTM is configured using the GUI, the XG uses a mix of cli and GUI and if your CLI abilities are limited like mine you are always asking for assistance when the GUI is missing a feature. 
 The UTM has good web server security, whereas the XG does not appear to work that well. I have not tried either, this is just repeating forum gossip. 
 The UTM is full feature firewall and industrial strength, the XG is slowly getting there. My current opinion is the XG is suitable for small business and home use, for those coming from other products and for those coming from the UTM it is very lacking in functions. The XG is a very good training system for people looking to get into NGF security. There are schools and large business using the XG. 
 I know Micheal Dunn will disagree with some of that I have said and if Billybob or Bill Roland read this they might add their 10c worth. 
 Ian 
 Yes, I know very long winded. 
 
 Updated - fixed spelling/typing errors