With the XG17 out and in full swing, what does UTM 9.x provide that XG17 doesn't?

I know it's a religion of Astaro which I was a part of for many years, but now I have actually jumped on the XG17 bandwagon (although I have a full spare HD with UTM 9.5 in storage, ready to be plugged in at a moment's notice).

Thus, I was wondering what the pros and cons are of running one vs the other: what does one introduce while the other takes away, and vice versa.

Most of all, what are the capabilities of 9.5 that prevent one from switching to XG17?

If it's the GUI then that's not enough; I have gone from Untangle 7 to Astaro to UTM 9 to now XG, I can deal with a GUI.



  • In reply to Mokaz:

    I mean DPI is a hack and nothing else; technologies like HSTS render such devices completely blind, disable pretty much any captive portal usability (yes yes, teach a user to request an http web site first, absolutely), and by definition annihilate MiTM DPI.

    HSTS is irrelevant as long as the client has the XG's Certificate Authority installed and HTTPS scanning on. Any device that is in Active Directory should have the CA pushed to it automatically. Then Captive Portal and MiTM DPI work fine, even on HSTS sites. BYOD phones are a different issue because installing a CA on them is a pain.
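To make the point of this exchange concrete, here is an added example (it is not from the thread, nor Sophos code) that models the browser-side decision behind it: with a trusted inspection CA the inspected connection simply succeeds, while without it an HSTS-pinned host fails hard (no click-through) and a non-HSTS host only shows a bypassable warning. Certificates are reduced to issuer names, and the host names, the "XG Inspection CA" name and the HSTS headers are all constructed for the example.

```python
"""Model of how HSTS interacts with TLS inspection at the client.

Added example, not from the original thread. Certificate chains are
simplified to the issuer name of the leaf; hosts and CA names are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool = False


def parse_hsts(header: str) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security header value (RFC 6797 directives).

    Returns None when the header is not a valid policy (no usable max-age).
    """
    max_age = None
    include_subdomains = False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                max_age = int(value.strip().strip('"'))
            except ValueError:
                return None
        elif name == "includesubdomains":
            include_subdomains = True
    if max_age is None:
        return None
    return HstsPolicy(max_age=max_age, include_subdomains=include_subdomains)


def hsts_applies(policies: Dict[str, HstsPolicy], host: str) -> bool:
    """True if the host itself, or a parent domain with includeSubDomains,
    has a live (max-age > 0) HSTS policy cached by the browser."""
    labels = host.lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        policy = policies.get(candidate)
        if policy is None or policy.max_age <= 0:
            continue
        if i == 0 or policy.include_subdomains:
            return True
    return False


def connection_outcome(host: str, leaf_issuer: str,
                       trust_store: Set[str],
                       policies: Dict[str, HstsPolicy]) -> str:
    """Outcome of a TLS connection whose leaf cert was issued by leaf_issuer.

    "ok"           - chain builds to a trusted CA (inspection is invisible)
    "hard-fail"    - untrusted CA on an HSTS host: browser refuses, no bypass
    "interstitial" - untrusted CA, no HSTS: warning page the user can click past
    """
    if leaf_issuer in trust_store:
        return "ok"
    if hsts_applies(policies, host):
        return "hard-fail"
    return "interstitial"


# Constructed names for the walkthrough below.
INSPECTION_CA = "CN=XG Inspection CA (constructed)"
PUBLIC_ROOT = "CN=Public Root CA (constructed)"


def walkthrough() -> Dict[str, str]:
    """Three managed/unmanaged client scenarios against an inspecting gateway."""
    policies = {
        "bank.example": parse_hsts("max-age=31536000; includeSubDomains"),
        "news.example": parse_hsts("max-age=0"),  # policy expired/cleared
    }
    managed = {PUBLIC_ROOT, INSPECTION_CA}   # AD-pushed CA present
    byod = {PUBLIC_ROOT}                     # CA never installed
    return {
        "managed_hsts": connection_outcome("login.bank.example", INSPECTION_CA, managed, policies),
        "byod_hsts": connection_outcome("login.bank.example", INSPECTION_CA, byod, policies),
        "byod_no_hsts": connection_outcome("news.example", INSPECTION_CA, byod, policies),
    }


if __name__ == "__main__":
    for scenario, result in walkthrough().items():
        print(f"{scenario}: {result}")
```

The model deliberately treats a cached `max-age=0` entry as "no policy", which is how a browser clears a previously learned HSTS entry; the captive-portal problem mentioned above is the "byod_hsts" row in a different guise, since the portal's redirect also presents a certificate the client does not trust.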

  • Before concluding that XG is worth considering as a UTM replacement, I would like to know if it handles certificate security correctly.

    So far, my post in the XG forum has no responses.


  • In reply to Mokaz:

    Curious that you think that endpoints can be effectively protected. My experience is that there are always some that are misconfigured, so our strategy is to minimize mobile usage and rely heavily on good perimeter defenses.

    I put up a post 6 months ago, asking about defending mobile devices against malware and internal networks against infected mobile devices. I thought I would get some stories about how easy it would be if I bought more of the Sophos product line. But it received zero responses, not even a sales pitch. Certainly left me feeling that nobody else had a mobile device security plan that they thought was rugged enough to deserve bragging rights.

  • In reply to DouglasFoster:

    Oh no, not really, I do not think that EP can be "effectively" secured; I'm no End Points solution expert at all. What I think is rather that they actually pretty much "are" at the end of encrypted traffic, which makes them under certain circumstances (like no DPI policy) the 1st in line to actually potentially discover what exactly that gathered content is. Hence my remark on the fact that I do think that more and more the EP should get more attention.

    Also, as somebody here said, installing a DPI cert on BYOD is now almost impossible, or at least very painful; I've tried on some of the latest Android devices; you simply can't get the cert to install (aside from Firefox itself). (I haven't spent much time at trying to hack my way around this really.)

    And also, when I've been talking about old school gateways, that doesn't translate to Sophos "only"; it's pretty much the same standing with every vendor really.



  • I was at a technical workshop for XG this week and as far as I can say: XG is on the right track, but still some things are missing and also some things (IPsec) had to be fixed with the next update.

    When comparing SG and XG keep an eye on these things:

    • Black- and/or Whitelist for E-Mail Protection are missing in XG - on "to do list" for later updates
    • BATV and SPF-Checks are missing - on "to do list" for later updates
    • You can not change Ports for SSL-VPN and User Portal - on "to do list" for later updates
    • E-Mail Encryption with S/MIME and PGP is missing and is NOT planned for XG (We have a few customers (Automobile/Pharmacy) that use this feature with SG...)
  • I could write 100s of lines too. My 2 cents is XG is a beta product that should not have been released yet.

    Billions of bugs.

    Horribly unintuitive. Complicated.


    WEB proxy / Site categorization fails all the time. Intel, Microsoft, Google, anyone else's updates fail to download. So much for security.

    VPN gate. If yours works, you're lucky.

    Cannot transparently proxy.

    Paul Jr Robitaille