XG complicated and confusing



For the last 5 years I've been using the UTM as a virtual appliance at home with the home use license -> max. 50 IPs.
And since every device has an IP, the problem is the limitation of 50 IPs maximum.

So I have to switch from UTM to XG, but that is harder than expected.

I think the web interface is very complicated and confusing.
Some functions are strange, e.g. why do I have to assign an IP to an interface that has only sub-interfaces with VLANs? (keyword native-vlan => /dev/null)

Why do I have to specify a source and destination zone AND a source and destination IP for each firewall rule?
Or why the hell can't I delete the default zones? I don't need a DMZ, and I'm a person who wants it clean and gets rid of stuff that is not necessary.

I somehow have the strange feeling of an Apple product and not a firewall for experienced system admins.
Firewall ON / OFF

My first impression tells me that the XG is still in the alpha stage.


I cannot be the only "old" UTM user who does not like the XG yet.

Please tell me your experiences. Possibly it is only me, since I'm used to the old web interface.



  • Hi Tobias,

    The VLANs on the XG are L3 while the VLANs on the UTM are L2. So to get L3 to work you need an L2 underneath and it needs an IP address.

    Each firewall rule is unique in that you can set your source and destination in greater detail. It allows you to point different users at different gateways, some using proxy, others not. Also, the XG has a different approach to firewall management/access: it is application based where the UTM is site based.

    You are correct, the menu system is not logical, but it has improved so items are linked between menus.


  • Nope, you're not alone. I have been following SFOS/XG since it was called Copernicus, before the official release, and it has improved a lot, but I'm still not convinced about it; I miss my unified objects from the UTM too much. I consider the UTM more or less dead since there's not much development on it, at least not publicly.

    This screenshot is from a webinar in late 2016 and as you know we haven't seen 9.6 yet. I would love to see OpenVPN 2.4 and IKEv2 on the UTM and hopefully that's what they mean by "VPN Improvements", but one can never know. Our UTM license is due for renewal next year and I have started to think about the future. Should I stay with the UTM because I know it and like it, and hope for a miracle? Should I look for another solution after 11+ years of running UTM? Should I wait and see what XG version 18 has to offer? Those are just some of the thoughts that go through my head. I have the Endpoint Protection and Intercept X, so I'm ready for the synchronized security adventure, but as I said, I'm not confident in the XG yet.

  • rfcat_vk
    [...]the VLANS on the XG are L3 while the VLANs on the UTM are L2. So to get L3 to work you need an L2 underneath and it needs an IP address.[...]

    What? VLANs on layer 3? I think SDN is the wrong approach here on a hardware appliance (yeah, I know, I've got the virtual appliance).


    Nope, you're not alone




    As I get closer and closer to the IP limit, I'm probably forced to switch to the XG.

    I'll take a closer look at XG, but if I cannot handle it, I'll have to say goodbye to a good product.


    Is there already someone who uses this productively and not only to test?

  • In reply to logan517:

    If you want to use the XG application you need to learn to think differently.

    There are no functional differences between a VM XG and physical XG unless you buy an XG device.


  • I was in the same boat at one time, in the not too distant past. Moved from UTM9 to XG because of the 50 IP limit and was like a deer facing bright headlights on high beam.

    Slowly, with much help from this forum and my own perseverance, I learned to work the XG. In some respects, XG is easier, but in others, it is lagging way behind UTM9, particularly in logging and reporting. It does require a ton of patience to configure XG. It does not use the same lingo as a normal firewall would.

    But, I would surely say this: I am not that tech savvy a person. If I can do it, you too will succeed.

    All the best,