XG complicated and confusing



the last 5 years i've using the UTM as a virtual appliance at home with the home use license -> max. 50 ip's
And since every device has an ip, the problem is the limitation with the 50 maximum ip's

So i've to switch from utm to xg but that is harder than expected.

I think the web interface is very complicated and confusing.
Some functions are strange. e.g. why do i've to assign an ip to an interface, that has only sub-interfaces with vlan? (keyword native-vlan => /dev/null)

Why do I have to specify a source, destination zone AND source, destination ip for each firewall rule
Or why the hell i can't delete the default zones? I don't need DMZ and i'm a person who want it clean and get rid of stuff that is not necessary.

I have somehow the strange feeling of an Apple product and not a firewall for experienced system admins
Firewall ON / OFF

My first impression tells me that the XG is still in the aplha stadium.


I can not be the only "old" UTM user who does not like the XG yet.

Please tell me your experiences. Possibly. it is only up to me, since I'm used to the old webinterface.



  • Hi Tobias,

    the VLANS on the XG are L3 while the VLANs on the UTM are L2. So to get L3 to work you need an L2 underneath and it needs an IP address.

    Each firewall rule is unique in that you can set your source and destination in greater detail. It allows you to point different users at different gateways, some using proxy others not. Also the XG has a different approach to firewall management/access it is application based where the UTM is site based.

    You are correct the menu system is not logical, but has improved so items are linked between menus.


  • Nope, you're not alone, I have been following SFOS/XG since it was called copernicus before the official release and it has improved a lot, but I'm still not convinced about it, I miss my unified objects from the UTM too much. I considering the UTM more or less dead since there's not much development on it, at least not publicly.

    This screenshot is from a webinar in late 2016 and as you know we haven't seen 9.6 yet, I would love to see OpenVPN 2.4 and IKEv2 on the UTM and hopefully that's what they mean by "VPN Improvements" but one can never know. Our UTM license is due for renewal next year and I have started to think about the future. Should I stay with the UTM because i know it and like it, and hope for a miracle? Should i look for another solution after 11+ years of running UTM? Should I wait and see what XG version 18 has to offer? That's just some of the thought that goes through my head. I have the Endpoint Protection and Intercept X, so I'm ready for the synchronized security adventure, but as I said I'm not confident in the XG yet

  • rfcat_vk
    [...]the VLANS on the XG are L3 while the VLANs on the UTM are L2. So to get L3 to work you need an L2 underneath and it needs an IP address.[...]

    what? vlan's on layer 3? i think sdn is the wrong approach here at a hardware appliance (yeah i know, ive got the virtual appliance)


    Nope, you're not alone




    As I get closer and closer to the ip limit, I'm probably forced to switch to the xg

    I'll take a closer look at xg, but if I can not handle it, I'll have to say goodbye to a good product.


    Is there already someone who uses this productively and not only to test

  • In reply to logan517:

    If you want to use the XG application you need to learn to think differently.

    There are no functional differences between a VM XG and physical XG unless you buy an XG device.


  • I was in the same boat at one time, in not too distant past. Moved from UTM9 to XG because of the 50 IP limit and was like a deer facing bright headlights on high beam.

    Slowly, with much help from this forum and my own perseverance, I learned to work the XG. In some respects, XG is easier, but in others, it is lagging way behind UTM9, particularly in logging and reporting. It does require a ton of patience to configure XG. It does not use the same lingo as a normal firewall would.

    But, I would surely say this: I am not that tech savvy a person. If I can do it, you too will succeed.

    All the best,


  • In reply to KennethHolmqvist:

    Hi there,

    You are surely not alone, I migrated the first of my companies UTM to XG 17.5, and while the UI of the UTM wasn't perfect, the XG is unmanageable , f.e. try to search for the FW-rule for a specific host, in UTM there was an icon which showed where an item was used.

    I had a company do the migration, they used a tool, but most of it didn't work. We had 4 days for additional configuration.

    The download for the ssl-vpn config does not work on two users, this issue is not resolved.

    I have another UTM and a Sonicwall I planned to migrate, but if Sophos does not improve here very soon, I think I reconsider. I will have a look at fortinat. Sonicwall isn't satisfying either.

  • In reply to Martin Schmidt:

    I am not the fan of the migration assistant (They most likely used this Tool). 

    Better approach would be to reconsider the Firewall ruleset and Objects, which are needed on all sites.

    While migration to XG, they are so many advantages, which you could consider in your Migration.

    Maybe switch to VTI? Maybe Switch to SSLx for Decryption? Maybe you need to consider Network segmentation (if not applicable). 


    PS: Maybe reviving an 1 1/2 year old Thread is not the best approach :) There are many improvements done in V18, its now GA! 


    XG has other advantages like Data ticker to show unused firewall rules for example. Helping in cleaning up the firewall rule set. Policy tester is another tool to find the current matching rule. 

    If you would like to find the matching rule for a client (maybe even better approach than lookup a network object?), you could use the Policy tester. 


    Just some thoughts, i know, there are some limitation of Migration from SG to XG. 


    About the SSL-VPN Config issue.

    Could you open another thread for this issue? I have some suggestion like the certificate is broken on this Client.

    Or maybe another approach: Switch to Sophos Connect (IPSec)? Its a free Client with the same configuration for all users. 

  • In reply to Martin Schmidt:


    please open a ticket with the support and tell them all the issue you had.

    I am not a fan of migration at all, but in certain circumstances you need the migration.

    Migration tool should work as we expect to have a smooth migration from UTM to XG, at least. I am not talking moving from Fortigate, CheckPoint, Palo Alto. Migration tools help during the sales phase. This should be considered!

    Martin, when you have the case id, please update the forum so someone can take care of it.


  • In reply to lferrara:

    I used XG v15 as self training on how to configure the Pal Alto box that work bought.


  • In reply to LuCar Toni:


    Couldn't find "Data ticker".
    where is it?

  • In reply to Goldy_01:

    Data ticker is the data transmitted/received by each firewall rule. You can find it below firewall rule name or even inside NAT nale (only v18).


  • In reply to lferrara:

    Thanks for answering :)


    looking for "XG has other advantages like Data ticker to show unused firewall rules".

    Just can't find it...

  • In reply to LuCar Toni:

    Hello LuCar Toni,

    you are not a fan of the migration tool. Well and could you please advise me how to do the following in one UTM v9 installation:

    - Migrate more than 600 firewall rules
    - migrate almost 2,000 network objects
    - Migrate nearly 1,000 service definitions and service groups
    - migrate almost 100 NAT rules
    And I haven't mentioned nearly 100 SSL VPN access for defined users from MS Active Directory and more than 50 IPsec site-to-site tunnels.

    Do you really still think there is no need for a migration tool? You're still really convinced, really?
    You probably live in a different world, but we who sell UTM v9 and for many years manage this product every day with our customers and partners are convinced the exact opposite.
    Please tell me also how to justify to the IT manager and also the security director of the same company of this customer that Sophos is unable (or does not want) to provide its partners with a migration tool that can handle most of the above requirements?
    And do you think this customer (and any other customer) will want to pay us for this manual transcription, are you really still convinced?
    Please stop looking at the problem of migrating from UTM v9 to XG only from your point of view and try to look at this problem from the point of view of us as administrators.
    It is still time to do something about this problem.

    It could also happen that customers say: Hmm, Sophos is unable to provide us with a migration tool to migrate from UTM v9 to XG Firewall? Do we really want to migrate to XG Firewall under these conditions? Really?!?

    LuCar Toni, welcome to the real world!



  • In reply to alda:

    I can only agree with . Here some topics are not even treated with interest or with the proper "case study". 

    I have a couple of customers so big that migrating everything manually requires a lot of effort. They can move to another competitor as the migration tool exists already. This is the same issue with logging and reporting. Sophos is not taking the topic seriously. While other vendors provide complete reporting and logging via UI, here in XG you still need to run tail -f /log/*.log to understand what is going on.


  • In reply to alda:

    Hi Alda.

    See my impersonation: https://community.sophos.com/products/xg-firewall/f/sophos-utm-to-xg-migration/118972/utm-to-xg--comparison-and-my-impression

    As for now, It took us more than a week, a lot of rules I had to do from the scratch, and for sure i missed or miss configured some rules.
    For now - like it or not - that's what you  got...
    Super Angry