v18 EAP2. Anyone have a clue when? Because I have quit testing EAP1 ...

Ok

I concluded it was useless for me to continue testing EAP1.  First, because I am under the impression that things are simply not working.  We are testing something "in the pipe" which, in my judgement, means before EAP.

And there's the thing that many - including me - had half of their posts deleted by moderators with no appropriate judgment.  It has become counter-productive.  What's the point of testing for hours just to have our comments deleted in the end?

Paul Jr

  • Hello Paul jr,

    You are not alone in having posts deleted. It also happened to me several times over the past two weeks.
    Perhaps it will be the new approach in v18 development that I have heard so often in the recent past at Sophos presentations ...

    After less than two weeks, I also find that I have just wasted my time. Today my colleague and I tested Kerberos authorization, and I must say that it is a real "art" in 2019 to implement Kerberos authorization so poorly and unreliably. Hats off, Sophos developers, to your inability!

    Regards

    alda

    P.S. I wonder how quickly this post will be deleted again!

  • In reply to alda:

    Hi guys,

    this post should not be deleted, it is speaking the truth.

    From reading the historic stuff we should bypass EAP2 and go to EAP3, which will then go to the preproduction release before GA with only partially tested software.

    Ian

  • To clarify things.  As far as I am concerned, it was not a complete waste of time.

    1. The free introduction course for v18 was VERY appreciated.
    2. Playing with TLS/SSL inspection gave me a hint of what we will get around December 2020.  Because obviously, it is not going to be before that, since it took 6 months this year to solve things like DHCP and all.  Things to fix in v18 are far more elaborate and will certainly take more than a year to fix.
    3. NAT improvements are more than welcome, I wish I could continue to play with it, but the rest of v18 is just unworkable for now, even for home use.  Things freeze way too often.

    Tonight, this was my screen before I reverted to 17.5.8:

    Web pages do not render properly, performance graphs show that everything is idle while pinging the firewall shows extreme latency.  Icons keep disappearing, particularly in firewall rules.  Activating TLS/SSL reduces performance even more, to the point of frozen molasses.  Outlook takes forever to open.  Really unworkable.

    Finally, I really don't accept that Sophos does not upgrade the X105W, for reasons that are nothing more than marketing and have nothing to do with technicalities.  This is extremely frustrating.

    Maybe others will find it positive to continue testing EAP1.  There are many reasons for that and I encourage it.  But me, I do not find the gain is worth the effort.  Also, my enthusiasm is not there, most probably because I have waited for the bride for too long.

    I will re-evaluate at EAP2, or once I read that EAP1 is ironed out enough to be workable.

    Paul Jr

  • In reply to Big_Buck:

    Hi,

    Are you sure that your latency issue is because of v18? I've been using v18 EAP1 since the release on a low-powered machine, and had no issues like this. Couldn't it be something else in your network?

    Also, I've been testing v18 EAP1 since release, and it's been a love/hate relationship with it.

    The SSL/TLS inspection works, but its performance is bad. (Mainly compared on port 443 for HTTPS traffic: the web proxy is way faster than SSL/TLS inspection, but of course the web proxy only supports 80/443, while SSL/TLS inspection supports any port.)

    Somehow IDS/IPS managed to get at least 50% slower compared to v17.5.x.  *

    My machine will lock itself for ~10 seconds if the load on it is really high for a long period of time.

    I've had to remove two WAF rules, because country blocking isn't working with WAF on v18. (Already reported.)

    * I currently have a J1900 with 4GB of RAM; I'll be upgrading to 8GB of RAM (6GB usable). I believe the IPS performance issue is caused by my machine not having enough RAM for Snort to allocate what it needs to work correctly. A friend of mine, who has the same machine but with 8GB of RAM, has seen much higher throughput than mine with 4GB of RAM.

    Thanks,

  • EAP2 will be released in November and EAP3 in December. These are not official dates. Regarding the performance issues, I have identified several bugs, but please keep posting in the v18 section and keep asking one question per thread. Do not mix questions and topics. Thanks

  • In reply to Prism:

    Let's start with the start.  A J1900 is at a bare minimum 2 times faster than an XG115's E3827.  4 cores vs 2 cores, 2 GHz vs 1.75 GHz, 2 MB cache vs 1 MB cache.  It is MUCH, MUCH faster.

    https://www.cpubenchmark.net/compare/Intel-Celeron-J1900-vs-Intel-Atom-E3827/2131vs2716

    A E3827 is around $55 while a J1900 was $100.

    Note that an XG105 is an E3826 clocked at 1.46 GHz with 2 GB of memory.  Marginally slower than an XG115.

    I have tested v18 since it was released.  Problems started a few days later when I activated TLS/SSL inspection rules. It did two things.  It rendered Outlook 2010 inoperable, but also caused the huge latency you saw in my screenshot.  The latency problem does not go away after deactivating the SSL/TLS rules.  It happens many times a day.  And rebooting changes nothing. But at least Outlook runs.

    Luk, I'm not interested for now in posting in the EAP section, for the obvious reasons mentioned above.  I stopped using it - at least for now - so why would I post there for now?

    Paul Jr

  • In reply to Big_Buck:

    Paul,

    Regarding deleted posts in the v18 section: several of my answers were deleted, and at some point I was removed as a moderator too. After complaining and writing an email, people from Sophos and other moderators stopped deleting comments. Some Sophos staff are new to the community and did not know how to behave here. This is not occurring anymore. As moderators we do not have the rights to see who deleted or blocked a reply, and we have already asked for this to be improved. Keep posting, and if your content is deleted, send me a PM and I will investigate.

  • In reply to lferrara:

    Hello Luk,

    isn't it just a waste of time? I think we all feel how dilapidated the Kingdom of Denmark is. You wrote your opinion because you have many years of experience, and because your opinion does not fit Sophos politics, it is deleted? Why should I continue to work with the products of a company that does not value my work and my experience, which I provide to them for free? For two years they have been feeding us the line that v18 will be completely rewritten, and today we see the result of their work over the last two years.

    We just waste time ...

    Regards

    alda

  • In reply to alda:

    I replied here:

    https://community.sophos.com/products/xg-firewall/sfos-eap/sfos-v18-early-access-program/f/recommended-reads/116102/understanding-new-decoupled-nat-and-firewall-changes-in-v18/418428#418428

    with the experience gained during these days. If they do not want to listen, amen! We move the remaining customers from UTM9 to other vendors. Life is not a static thing and we cannot change the world. If they do not want to listen, great, we move away. No problem. Other community users/partners and I remember the XG v15 disaster, for which you cannot even find documentation anymore. They forgot about it; many of us told them the UI was terrible, and the rest is history. If most customers complain about the new firewall section, something will change, like with v15, or like the firewall registration method where using XG was not even possible if no internet connection was available. I guess that was before 16.5.

    Regards

  • In reply to alda:

    It is Sophos.  It is not a "right".  It is not a "democracy".  It is not a "religion".  It is a business.  And it is there to make profits.

    They write and apply their own rules, and if that does not suit someone, the only alternative is to go elsewhere.

    I personally think XG will catch up with the other players at version v20.  And as I wrote two years ago, it will take at least five years.  So 3 years left.  If it takes more than that, they are dead.  Because the other players are not standing still.

    Meanwhile learn and practice your CLI, because it is the only reliable way to manage XG.  The only alternative is to go elsewhere.

    I posted their financial reports few weeks ago and was surprised how small Sophos actually is compared to others.  Consequently, developing XG while maintaining SG is a big chunk.

    To go back to the topic of this post, I will wait for EAP2, or at least until EAP1 becomes really what I understand an "Early Access" to be.  By definition, early access means not "ironed out", but I personally feel more like I am in a laboratory now, testing concepts.  I cannot use it at home as it is now.  It is unworkable for me.

    So I understand that non official schedule for EAP2 is November.  But from what I see, EAP2 is EAP1 + unlocked features.  In other words, nothing guarantees that at that point, DPI will work, or that freezes will be things of the past.

    I am far less nervous about this than at the beginning of the year since I already moved most of my IT stuff to other players (i.e. mail gateway, web gateway, and 50% of end points).  It is not a mountain to climb anymore to change my firewall to another player.  I can do it in a day now.  So I'll be able to give a chance to Sophos up until March 2020.

    Thanks Luk for the unofficial time frame.

    Paul Jr

  • In reply to lferrara:

    Hi All,

    To add to what  has already mentioned.

    I personally apologize for any previous posts that were incorrectly deleted or threads that were locked. As per the Community T&C, Sophos encourages the sharing of constructive advice and criticism and the community forums are therefore as open and free from content control as possible. This has been addressed internally.

    Please don't hesitate to reach out to me via PM if you have experienced any of your posts being incorrectly moderated.

    Regards,

  • In reply to alda:

    Ahoj alda,

    I just approved the latest post for you that was flagged as abusive.  Hopefully, as Flo says in the post just above mine, the new employees have been "corrected" and we won't see the deletion of any more posts of honest frustration and criticism.

    Cheers - Bob

  • In reply to BAlfson:

    Hello ,

    maybe you read my appeal, so you know what I think about the quality of the implementation of NAT rules.
    Please answer whether there is anyone in this community who is satisfied with the quality of the implementation of NAT rules and their link to the firewall rules.
    I think there is no one in this community. I think we all feel how big this problem is.

    I really think this product is going to hell. v15 and v16 were, clearly, disasters. v17 and then v17.5 remedied the bad reputation a little, and we all rightly expected that v18, promised for two years, would be a significant advance and that Sophos had learned from previous mistakes. I'm afraid Sophos didn't learn.

    I have written it before: the DPI engine, Kerberos, DKIM, etc. and the other newly implemented security features clearly move this product forward. But then you come across the horror of the implementation of NAT rules and their links to firewall rules, and you don't trust your eyes.

    It's like Dr. Jekyll and Mr. Hyde.

    Regards

    alda

    P.S. I know my post was very expressive, but I still have the impression that none of the developers understands the seriousness of the situation and they write down a comprehensive explanation of why they implemented it.

  • In reply to Big_Buck:

    J1900 doesn't have AES-NI instructions so there's no hardware acceleration of certain crypto functions.

    This may be the cause of the performance loss you're seeing when activating TLS/SSL inspection.

    I do know from experience that a slower clocked CPU with AES-NI makes a better performing pfSense IPSec router than a faster clocked CPU without AES-NI.

    Bottom line is you really need an AES-NI capable CPU for a security router if you want it to perform well.

  • In reply to ChrisKnight:

    Very good point.  Boy, I overlooked that one ... Some reading here: https://www.tomshardware.com/reviews/clarkdale-aes-ni-encryption,2538-9.html

    Few things to remember:

    1. AES acceleration applies only to real cores.  Not Hyperthreading.
    2. It applies only to AES, and not to SHA or anything else.  That alone castrates its real-life utilization quite a lot.
    3. Very dependent on the compiler used while generating the applications/OS. Since Sophos is an assembly of open-source software, chances are the latest compilers were not used.
    4. The AES-NI version has the utmost importance for performance.  Not all Intel CPUs use the same version.  And it is quite tricky to find out.

    Obviously, there will be cases where AES-NI will have a drastic positive effect.  4, 5, 6 times faster.  I can tell for other products like MikroTik already.  But with Sophos, you'll only learn when you open the switch.  Or maybe there's some technical paper out there to enlighten us ...

    One last thing.  It is puzzling to me Sophos appliances do not implement TPM.  Go figure.

    Paul Jr
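The AES-NI question raised by ChrisKnight and Paul Jr above, as an added example that is not part of the thread and not Sophos code: a POSIX shell script that checks whether a Linux box advertises the `aes` CPU flag (the way AES-NI shows up in /proc/cpuinfo) and the `pclmulqdq` flag that the GCM mode used by most TLS ciphersuites also leans on, and then measures what OpenSSL actually gets from the instructions by benchmarking AES-128-GCM once as detected and once with AES-NI masked through the documented `OPENSSL_ia32cap="~0x200000000000000"` environment setting (bit 57 is the AES-NI capability bit OpenSSL reads from CPUID). The cpuinfo fragments are constructed, not dumps of real CPUs; a Linux-style /proc/cpuinfo and an `openssl` binary of version 1.1 or later (for `-seconds`) are assumed.

```shell
#!/bin/sh
# Added example, not from the thread and not Sophos code.
# Assumes a Linux-style /proc/cpuinfo and, for the benchmark, openssl >= 1.1.
set -eu

# has_flag FILE FLAG: succeed if any "flags" line in FILE lists FLAG as a
# whole word (-w keeps "vaes" from matching when we ask for "aes").
has_flag() {
    grep -E '^flags[[:space:]]*:' "$1" | grep -qw -- "$2"
}

# has_aesni FILE: the "aes" feature bit is how AES-NI appears in cpuinfo.
has_aesni() {
    has_flag "$1" aes
}

# cpu_model FILE: first "model name" value, for reporting only.
cpu_model() {
    sed -n 's/^model name[[:space:]]*: //p' "$1" | head -n 1
}

# report FILE: one-line summary. AES-GCM throughput also depends on
# PCLMULQDQ (carry-less multiply for GHASH), so it is reported alongside.
report() {
    aes=no; clmul=no
    has_aesni "$1" && aes=yes
    has_flag "$1" pclmulqdq && clmul=yes
    printf '%s: aes-ni=%s pclmulqdq=%s\n' "$(cpu_model "$1")" "$aes" "$clmul"
}

# aes_bench: openssl's AES-128-GCM benchmark as detected, then with AES-NI
# masked. OPENSSL_ia32cap="~0x200000000000000" clears bit 57 (the AES-NI
# bit OpenSSL takes from CPUID), forcing the software AES path. The two
# last lines are the throughput rows; compare them column by column.
aes_bench() {
    echo '== AES-NI as detected =='
    openssl speed -seconds 1 -evp aes-128-gcm 2>/dev/null | tail -n 1
    echo '== AES-NI masked via OPENSSL_ia32cap =='
    OPENSSL_ia32cap='~0x200000000000000' \
        openssl speed -seconds 1 -evp aes-128-gcm 2>/dev/null | tail -n 1
}

# Constructed cpuinfo fragments (not real CPU dumps) so the checks run offline.
SAMPLES=$(mktemp -d)
printf 'model name\t: Constructed CPU with AES-NI\nflags\t\t: fpu sse4_2 movbe aes pclmulqdq\n' \
    > "$SAMPLES/with"
printf 'model name\t: Constructed CPU without AES-NI\nflags\t\t: fpu sse4_2 movbe\n' \
    > "$SAMPLES/without"

report "$SAMPLES/with"
report "$SAMPLES/without"
[ -r /proc/cpuinfo ] && report /proc/cpuinfo   # the box this actually runs on

# Run the benchmark only when asked: sh aesni_check.sh bench
[ "${1:-}" = bench ] && aes_bench
rm -rf "$SAMPLES"
```

The benchmark only tells you what OpenSSL itself gains from the instructions on that CPU; whether a given appliance's TLS inspection or IPsec engine links the same library, or was built with those code paths enabled (Paul Jr's compiler point), is not something the thread establishes, so treat the numbers as an upper bound on what the box could get, not a measurement of the product.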