Where is V18 at?

Hi,

This request for an update on progress is for those of us that do not have access to partners/resellers.

Would someone in the know who is allowed to provide progress on v18 please add to this thread?

I am not after guesses or conjecture, but real timelines (give or take a month).

Ian

  • In reply to twister5800:

    This slide does not tell everything.  But I do not think it was intended to do so.  It's a sales pitch.

    For example, there's no clue about the "New Core".  Is it really implemented here?

    Missing:

    • Rewritten STAS from A to Z.
    • Nothing about a reliable NTP source (or at least simple NTP).
    • IPv4 & IPv6 in THE SAME FIREWALL RULE.  Stop the deduplication nonsense.
    • Ultra-limited DHCP won't be improved.
    • Certificate handling.  It's time to have an automatic renewal with Let's Encrypt !!!

    Some comments.

    • Actionable log-viewer.  We will see.  In my opinion, the log viewer had to be rewritten from A to Z.  Far from the gold standard Checkpoint is.  Would have been nice if Sophos had added a direct connection to Wireshark.
    • SNMPv3.  Not recent to say the least.  See RFC 2570 (April 1999) and RFC 3410 (December 2002).
    • New NAT.  NAT on XG is unmanageable and very confusing.  Particularly when coupled with the fuzzy notion of Alias in networking.  Hope they catch up with the industry, which is always far simpler than XG.
    • Interface rename.  Fails to get me excited.
    • We'll see what Xstream will do.  May be positive.
    • Kerberos Authentication & NTLM.  Wonder why this is listed here.  Could hardly be called a feature.
    • Jumbo frame support.  My $50 Linksys router was doing that 15 years ago ...  Again, can this be called a feature?

    They might as well have called it v17.6.

    This slide tells us XG will be in catch-up mode for a predictable future.

    Paul Jr

  • In reply to Big_Buck:

    For those who like slides.  A compilation so far ...

     

     

    Paul Jr

  • In reply to Big_Buck:

    Big_Buck

    This slide does not tell everything.  But I do not think it was intended to do so.  It's a sales pitch.

    [...]

    Missing:

    [...]

    Some comments.

    • Actionable log-viewer.  We will see.  In my opinion, the log viewer had to be rewritten from A to Z.  Far from the gold standard Checkpoint is.

    You sound like someone who should look for a new product. I can't even begin to wrap my head around how someone wants to seriously compare Checkpoint firewalls to Sophos firewalls. You're not going to get even close to what folks like Checkpoint or Palo Alto do with their stuff. Always remember, you get what you pay for. 

    Sophos is a cheap option and their product will never be able to compete with the big shots. 

    That being said, Checkpoint is hardly the gold standard anymore. Yes, they have a nice GUI and a good firewall management infrastructure, but boy is their code outdated. Palo Alto eat Checkpoint for breakfast. 

    Anyways, spare yourself the frustration and move on to something that can satisfy you. Sophos won't be it, unless you're a small to medium sized business. 

  • In reply to cryptochrome:

    Palo Alto is not in the UTM as far as I know.  They also have difficulties to be above average when it comes to Anti-Virus testers.  They have never scored at the top like Kaspersky, F-Secure, Symantec, and Trend Micro consistently do month after month.

    By the way, this month on AV-Test.org, under protection, Sophos scores 5, while Microsoft Defender scores 6. Draw your conclusions.

    Paul Jr

  • In reply to Big_Buck:

    Big_Buck

    Palo Alto is not in the UTM as far as I know.  They also have difficulties to be above average when it comes to Anti-Virus testers.  They have never scored at the top like Kaspersky, F-Secure, Symantec, and Trend Micro consistently do month after month.

    By the way, this month on AV-Test.org, under protection, Sophos scores 5, while Microsoft Defender scores 6. Draw your conclusions.

    Paul Jr

     

    You are comparing apples (antivirus) to oranges (firewalls). Palo Alto is the mother of all UTMs. Their founders founded Netscreen, which was the first UTM firewall on the market. When Netscreen was bought by Juniper, they left. Some of them founded Fortinet, the others founded Palo Alto. 

    From a technological point of view, Palo Alto have by far the most sophisticated "Layer 7" firewall on the market. Palo Alto came up with the term "Next Generation Firewalls" and they were the first to actually do full blown layer 7 firewalling as opposed to stateful packet inspection. And they do FAR more than just simple AV scanning like Sophos. 

  • In reply to cryptochrome:

    It is like people forgetting this is an SMB product, and so long as you're not trying to re-invent the wheel with it, then it works nicely. Personally I find it so much nicer to work with than the old SG series. If you want Palo Alto levels of product... buy a Palo Alto. The XG isn't perfect by any means, but it's a lot better than some other products, and the fact you can get one out of the box, online and basically working in less than 10 mins isn't bad. It would be nice if Sophos engaged a bit more with its community for the v18 firmware so they can get some real-world feedback from here, similar to the MS Insiders system, so they can fix some of the things that get missed with internal testing. AV side, it's not all about who tests the best, it's about the whole product; that's why Gartner have given MS ATP the top spot above Sophos and Checkpoint, but Sophos is still well in the top quadrant and has been very good with its test results for years. Bitdefender always scores high on the test results, but GravityZone is woeful to use in real life.

  • In reply to JimtheITguy:

    JimtheITguy

    It is like people forgetting this is an SMB product, and so long as you're not trying to re-invent the wheel with it, then it works nicely. Personally I find it so much nicer to work with than the old SG series. If you want Palo Alto levels of product... buy a Palo Alto.

     

    In all fairness, it wasn't me who kept trying to compare Sophos firewalls to the big shots like Checkpoint and PA. In fact, I told the guy the same thing you just told me: If you want Checkpoint, buy Checkpoint. Don't expect Sophos to be Checkpoint.

    I love the XG, despite all its shortcomings and issues. I use it in my home office and I like it a lot. I would never ever put it in a datacenter or at the perimeter of an enterprise network though. That's just not their game. 

  • In reply to cryptochrome:

    I know it wasn't you :-D. I really like the product, and with heartbeat auth now working well it makes a brilliant product for SMBs who need some control and security. Having jumped on board at v16, I have been through a lot of the "OMGWTFBBQ" moments with firmware after firmware, but actually, other than a few moments with 17.5, it's been pretty solid. I always poke fun at Sophos about the XG at any expo they are at, and the poor guys on the stands know where we are coming from, but I do see the vision they want to build, and that I am onboard for. Just switched my pfSense at home back over to an XG after a small break to test some stuff, and a lot of my customers run XGs now also with very few problems. Also can't imagine PA or CP effectively giving away the product for home use like Sophos does.

  • In reply to cryptochrome:

    Well.  I am still running a few Checkpoint appliances: 600's, 1290's, 3000's and virtual.  Gaia, Embedded Gaia, Splat.  And I have been using these firewalls almost since Checkpoint was founded.  One would have a hard time showing me something Checkpoint can or cannot do that I am not aware of already.

    When I write Checkpoint's logs are second to none in the industry, I really mean it.

    Not long ago, Palo Alto integrated passwords in their services code ... Fortinet too.  So go ahead and forge your own opinion, but Checkpoint have never been stupid enough to do something like that ... When I checked 2 1/2 years ago, the "firewall" portion of the product was good.  It's all the other modules that come with a modern UTM that sucked.  Particularly Palo Alto's end-point.  Usability is their strong point.  But they consistently score below major players when they are surveyed and compared on the net.

    Paul Jr

  • In reply to Big_Buck:

    Big_Buck

    When I write Checkpoint's logs are second to none in the industry, I really mean it.

    That must be the reason why basically any larger enterprise is purchasing tools like Tufin or Algosec then? Or even purchase SIEMs? Unless you activate their database driven SmartLog feature, the logging is a slow monster that takes forever to load. Ever worked in a large Provider-1 environment? 

    I don't want to discredit Checkpoint, to the contrary. They have a very solid product, arguably one of the best on the market, and they are the market leader for a reason. But they lost an awful lot of customers to Palo Alto (and to Fortinet, to a lesser extent). And if you work in large enterprise networks with hundreds of firewalls like I do, you know why. Checkpoint are only cooking with water like anybody else. 

    Not long ago, Palo Alto integrated passwords in their services code ... Fortinet too. 

    What does that even mean? Care to elaborate?

    When I checked 2 1/2 years ago, the "firewall" portion of the product was good.  It's all the other modules that come with a modern UTM that sucked.  Particularly Palo Alto's end-point.  Usability is their strong point.  But they consistently score below major players when they are surveyed and compared on the net.

    You "checked" their product 2,5 years ago, which indicates you never really worked with them. Also, you keep bringing up endpoint security. We're discussing firewalls here though. And that's where Palo Alto really shine. They consistently lead and win the major firewall test fields like those provided by NSSlabs. They have consistently been the leader in Gartner's magic quadrant for Next Gen firewalls for many years now. Their UTM features are top notch. For example, their URL filter is so good that many companies abandoned their dedicated Blue Coat proxies and replaced them with Palo Alto firewalls just for the URL filter. Their IPS system scores amongst the best on the market (evidence provided by NSSlabs). Ever tried enabling IPS on Checkpoint and loading up anything other than their default rule base? Have fun watching your 10 gbit Checkpoint firewall drop to 500 mbit throughput. The same can be said about Palo Alto's on-firewall antivirus detection rates and their sandboxing feature. All of them do anything but suck.

    Does that make Checkpoint bad firewalls? No. Absolutely not. But saying that Palo Alto firewalls suck is a massive show of cluelessness. No offense.

  • In reply to cryptochrome:

    It's pretty obvious I'm comparing logs generated by a single appliance.  Not logs from all sorts of devices exported toward log servers.  It is pointless to compare both environments.  Your comments are clearly out of scope.  Again, I'm clearly not commenting on government size structures.

    When I write Fortinet have integrated passwords in their code, well, it really means this.  Fortinet, and others, run with many services.  And communication between these services was secured with a password that was inside the code.  Compiled.  Yessssssss that stupid.  I do not know if you were a monk sequestered in a monastery at that moment, but that was a heck of a bombshell when that news was released.

    I try not to judge anyone's competences after reading 10 lines of text.  Would be advisable you try the same.  As far as I am concerned, Gartner and NSS have morphed essentially into marketing tools.  I am old and wise enough not to care about these when I select equipment.  I rely on what I read on a daily basis over a long period of time - i.e. a lot, not just a single review, and over months -, feedback from those who sell security products (GoSecure being one of them), and finally on tests I conduct.

    My comments still hold.  Checkpoint's logs are second to none.  Would be constructive if Sophos took notes.  Just hope v18 improves a lot.

    Paul Jr

  • In reply to Big_Buck:

    First of all, I am sorry you feel offended by my comments. 

    Big_Buck

    It's pretty obvious I'm comparing logs generated by a single appliance.  Not logs from all sorts of devices exported toward log servers.  It is pointless to compare both environments.  Your comments are clearly out of scope.  Again, I'm clearly not commenting on government size structures.

    The argument was whether Checkpoint logging is so much better compared to other firewalls, regardless of size. You brought Checkpoint up, clearly a firewall vendor whose primary target is enterprise networks. Mentioning Checkpoint and then saying you are only talking about a single appliance makes very little sense, as Checkpoint's product range is primarily focusing on large scale deployments with multiple firewalls and central management. So the assumption that we look at exactly that context is a fairly reasonable assumption to make.

    I try not to judge anyone's competences after reading 10 lines of text.  Would be advisable you try the same.  As far as I am concerned, Gartner and NSS have morphed essentially into marketing tools.  I am old and wise enough not to care about these when I select equipment.  I rely on what I read on a daily basis over a long period of time - i.e. a lot, not just a single review, and over months -, feedback from those who sell security products (GoSecure being one of them), and finally on tests I conduct.

    I didn't judge your personal competencies, I was rather questioning your experience in large scale deployments and enterprise environments. From everything you said, one can easily come to the conclusion that you primarily deal with smaller setups. Which is perfectly fine and requires a lot of knowledge. But you can't apply the conclusions you draw from your personal experience to everyone and everything. 

    If I was wrong about that observation, mea culpa.

    My comments still hold.  Checkpoint's logs are second to none.  Including PaloAlto.

     

    That is such a subjective statement, so subjective even, that it is a completely moot argument. If you said "in my experience Checkpoint has the best logging" then that's a different story. But selling "Checkpoint has the best logging" as a general fact that universally applies to everyone is nonsense for which you are unable to provide any evidence.

    In order to say that Checkpoint logging is second to none you would need to have tested every single firewall logging solution on the planet to come to this conclusion. You would also need to test Checkpoint's logging under every possible scenario, from a small scale single appliance deployment to large Provider-1 deployments with hundreds of firewalls spread across multiple domains, and include a plethora of other Checkpoint products. 

    This is what I can tell you from my experience (which applies to the latter deployment type): Checkpoint's logging gets extremely slow and bloated. Unless you pay extra money for the SmartLog blade, it is not even based on a database, which makes searching the log painfully slow, especially if you search across multiple timeframes, multiple firewall instances and log files that contain tens of thousands of entries per minute. It gets so slow that a single click in the log freezes up the log viewer for 10 minutes. It may work perfectly well in a small environment, but it becomes next to unusable in the scenario I just described (and that's why many enterprises opt for SmartLog or an external solution, in some cases even both). That scenario is a very valid and legitimate scenario in the context of this discussion.

    In that very scenario, in my experience, Palo Alto's database based logging does a much better job than Checkpoint does, by a very very wide margin. And I am not even talking features here (of which there are plenty that I often dearly miss on Checkpoint). I am just looking at performance and the usability that derives from the lack thereof.  

    Saying Palo Alto sucks, whether when it comes to logging or their detection capabilities (on firewalls) is utterly and factually wrong. 

  • In reply to cryptochrome:

    To all:

    Please stop replying about other products and keep in mind the scope of this thread: "Where is V18 at?"

    If you want to complain about other Products vs XG, please open a new thread.

    Regards

  • In reply to lferrara:

    Fair enough. Apologies for drifting into off-topic territory. 

  • Is it a big secret when SFOS v.18 will finally be released? We are waiting for clear information on when it is scheduled. Each of us could prepare our devices up to this point.

    Strange situation. The flow of information between Sophos and the community is unsatisfactory.