Everything you ever wanted to know about XG firewall, and weren't afraid to ask

Hi Everyone,

Between travel, vacation, and just plain being busy, I've been away from the forums for too long! I'm just getting caught up on what's been going on here recently, and there have been a few interesting conversations. There's still quite a bit of uncertainty about XG, where it came from, where it's going, and what happens to UTM9 now. Rather than reply to a bunch of older threads, I'll try to address some of the bigger questions and concerns I've seen here in this thread, FAQ style.

Is XG just Cyberoam with a new UI?

No - but it's easy to understand why you might think that. XG is a pretty equal mix of technologies from Sophos UTM and Cyberoam. Some of those components are more visible than others. For instance, the web proxy, web app firewall, wireless, ATP, and AV are all Sophos UTM components ported to XG firewall. The config model, which allows enhanced identity awareness, a full API, and full central management, comes from Cyberoam, though it also brings with it a dependency on the UI framework. This means that the UI will fundamentally bear more resemblance to Cyberoam than to Sophos UTM. Long-time UTM9 fans ask why that would be, and the answer is relatively straightforward.

Are all the old Astaro developers gone?

No. Of course, we can't hire any more Astaro developers, and it's been almost five years since Sophos acquired Astaro, so change is inevitable. But the old Astaro office remains, and has grown substantially in the last few years. It continues to be a key development center for Sophos UTM and XG firewall, with many Astaro developers remaining as leaders in the current teams, and more developers working there today than ever before.

Is anyone still paying attention to these forums?

Yes - now more than ever. Since the creation of the astaro.org forums, there has never been any official goal for anyone from the company to participate in the forums. For example, I try to participate regularly, but for around the past month, many projects have kept me away. Over the years, a few people have participated more regularly than others, but entirely at their own choice, and usually on their own time. Some of those people have moved on, and others are here but have moved into new roles, while a few still do respond from time to time. This new community site was built partly to provide a central platform so that a focused team of people can be more involved in more of our product forums. We're working on this today, and you should see some improvement already. You'll also likely see something from the community team, providing some updates on those plans. You should see more activity directly from Sophos, moving forward!

Does Sophos still care about its users?

Of course! I see comments suggesting that Sophos is too focused on winning awards and making money, and not paying attention to actually putting out a good product. Hopefully, the impossibility of such a goal is clear. You can't win awards for a useless product, and you can't keep being successful if your products aren't useful. Our focus as a company is very clear. "Security made Simple" means bringing enterprise grade protection to small and mid sized organizations, in a way that's easy to use and understand. This is the same vision and focus we've had for many years. Nothing has changed with XG, except we are starting from a different point. In some areas, we've made advancements over UTM (single security policy, synchronized security, etc.) and in others, we now need to catch up. This leads to the next question.

Does Sophos think XG is perfect as it is now?

No. We believe XG is a solid starting point for a new platform, with huge potential. XG isn't meant to be a replacement for UTM9 just yet. For many, it's close enough, and ready. For many new customers, who are migrating from competitors, it's the perfect starting point with Sophos. As a public company, it's difficult to speak about how successful XG has been while avoiding "forward looking statements". So suffice it to say, there were no unexpected surprises with the release of XG. There are a lot of positive things we can say about XG, but that's not to say we think it's achieved everything it needs to. It's not yet a suitable replacement for most UTM9 customers. For starters, we still need to close the feature gaps relative to UTM9. We also need to evolve the UI meaningfully from its first release. There were some things we wanted to do, but couldn't in the first version, and there are things we learned from our users that we need to change.

What's happening in the next version of XG?

We've received a lot of feedback so far, from here in the forums and elsewhere. Here are a few of the points we've heard:

  • Troubleshooting can be difficult.
    • The live log needs improvement to assist this
      • It should popout in a new window
      • It should color code log lines, according to action (allow/drop/reject)
      • It should refresh much faster than 30 seconds, and auto-refresh by default
  • Interfaces should be able to be enabled and disabled
  • Interfaces should be able to be renamed
  • Finding where to create NAT rules is hard. Once found, they seem harder to use than necessary
  • Email is missing many features, compared to UTM9
    • It should act as a full MTA
    • It should store and forward emails
    • It should allow per domain routing
    • It should be easier to understand, and to setup
  • Web
    • Captive portal can be confusing and tricky to use
    • Heartbeat needs a proper block page
  • Navigation is sometimes difficult
    • Finding items in the menu is harder than expected
    • Navigating between pages is harder than expected
    • Breadcrumb links at top of page should be clickable, and should make navigation easier
  • You can't clone rules
  • Editing policies could be easier
  • Setups with many users and groups need too many rules
  • HA doesn't support some config modes
  • Creating country hosts is harder than it should be
  • Important features are missing compared to UTM9
    • FW to FW RED tunnels
    • OTP
    • Many key email features
    • Many key web filtering features
    • Live Log
    • Menu Search
    • more

The items above are all on our target list for the next release. We have some comprehensive plans to improve the top ten areas needing UI work, in some very meaningful ways. For example, web filtering works very well and has an understandable model, but doesn't support policy inheritance. We're working on a method to implement a policy model that more closely matches UTM9, but also adds policy inheritance. This model will allow one firewall rule to cover differing policies for differing groups, and at the same time, make policies much more powerful than they are even in UTM9.

We're pushing towards starting a beta near the end of April. The first beta should show some solid UI improvements, but it won't be everything. We'll also plan to release a series of updates, which will add more capabilities through the beta process. This should allow more feedback from the beta process to be incorporated.

This release won't close every feature gap, and there will still be room for UI improvement in some areas - but we have a plan, which will not only close the most important gaps with UTM9 today, but will substantially mature the user experience. The goal is to bridge the gap for most current UTM customers.

What's going to happen with UTM9?

It's pretty natural to assume that UTM9 will slip immediately into maintenance mode. But that's not exactly what we're expecting. UTM 9.4 will go into beta in the coming weeks, which will add some significant and meaningful features to UTM9. One of these features brings brand new capabilities to the firewall, and we're bringing it first to UTM9. This new feature won't make it to XG until later in 2016. 9.5 is also being planned currently, and we plan to keep putting out feature updates for some time to come. At some point, we will move it into maintenance mode, and eventually it will be retired - but we have no intention to do that before our partners and customers are ready to move to XG. We're not rushing to retire UTM9.

What firewall should I replace my UTM with?

Why replace it, if you're not ready to go to XG yet? UTM9 isn't going anywhere, and it's still getting active development and features.

Hopefully this helps to answer some questions on where we're going next, but let's discuss, if you still have questions.

-Alan Toews

Product Manager

  • Alan,

    I read your post and I really liked it. You understood what XG is missing and how all of us are missing information from Sophos and the developers.
    Here we are helping each other, and if you go around you can see some bugs that users post. We need to find a way to make sure you receive all the bugs (not only from those who own a support contract, but also from those who have the Home version).
    I am using Home version and I found some bugs as other users did.

    Anyway make sure you or someone from Sophos spend time on this community. One day we will be at customer site and to be honest we would like to be as professional as possible.
    Even following the XG Architect course will not allow us to know everything and know every issue on XG. So please spend time here with us in order that we can be heard. At least, Sophos should listen to this community and be here at least once per week.
    Otherwise we need to find a way where Moderators/Developers/"Gold Users" can also analyze threads and bring them back to you. I mean a face-to-face:
    -will improve this community
    -will tempt people to choose Sophos
    -will reduce Sophos Support calls
    -will improve our knowledge and experience
    -will improve many many other things

    Hope to see you here often.
    Now we are looking forward to seeing the new release, as this one can only be used for home users/small offices.

    Also improve the community website. At least put page numbers.
    I am sure other followers will add more comments.


  • Hi Alan,

    Thank you for the post. It explains many questions and shows us that you were working hard on guides and documentation to deliver to customers and the community.

    Just be with us and we will help you enhance an already great product.
  • Hi Alan,
    Welcome back. I have read your post with great interest.
    I don't see any mention of IPv6 in the next beta or even during the beta. Many of the beta guys have IPv6, so we could test the UTM 9 version. XG has been very disappointing in that field.
    I also note your comment about the HTTP proxy being based on the UTM version. There are big differences from what I can see: clientless users can only use the NAT version of the proxy, whereas the UTM version allows clientless users access to the transparent proxy.
    I have posted much on these and other subjects. Now I will just have to wait until April for the next installment.
  • Alan,

    Thank you for your post. One thing that I see missing in your list of upcoming fixes is being able to use "Aliases" in rules. This looks to be a major issue when you have a /XX on your WAN interface and want to NAT to an internal IP(s) on your network.

    Also, being a Home User, the only support we have is these forums, but I also talk about Sophos in my professional work day to my colleagues. I hope to see the level of interaction on the forums like I was used to on the old Astaro.org forums before XG was released.

    One last thing: would it be possible to have links added to the top of the UTM 9 section for the download of the installers? I recently had an HD failure, and searching through the forums was not very helpful. I resorted to a Google search and was able to find them tucked under "Legacy".

    Thank You
    A home user since version 9.2
  • In reply to IanMorehouse:

    Hi Ian,

    Yes, there are differences in implementation, but I'm not sure I understand what you mean by NAT and transparent versions of the proxy. Under the hood though, it's the same engine in both products.

    Also, IPv6 isn't forgotten, but it's not clear yet which IPv6 improvements will be done in the next release.
  • In reply to AlanT:

    Hi Alan,
    If I turn off MASQ in my web policy nothing gets through, whereas all HTTP type traffic gets through with MASQ enabled. There doesn't appear to be a transparent proxy, just a full proxy that requires a proxy PAC file or similar.

  • Alan,

    I appreciate the update and the candor. I am a new Sophos customer, and based on a short review of UTM9 on AWS, I went for XG for my company. I am starting to have regrets. I may have been better off with something more mature. The UI is simpler, but not necessarily more efficient. I spent hours on country blocking that took minutes in UTM9. I have tried to figure out issues with streaming and web certificates, but the logs, while informative, are not very useful for troubleshooting. Based on your outlook for the beta, it seems it may be a while before the issues in XG are addressed. Is there an option for a customer to go back to UTM9 on an XG appliance for more stability?

  • In reply to GaryChancellor:

    You have to talk with your Sophos Partner. This thread is not the right place to ask this kind of question, and only your Partner can help you with your license issue.
    AlanT here is communicating to us that "something is changing and that they are working to release what all of us are expecting from XG".


  • Very pleased. Now if you would remove the 50 IP limit in UTM9 and go with the same as in XG (4 cores, 6 gig RAM), and allow us to install onto an SD card like pfSense, we could run it on other appliances. Now if there is a way, I wouldn't know; I haven't researched it.

    Instead of redoing my entire network, I went back to pfSense until XG is working properly and, of course, able to install onto my WatchGuard XTM appliance.
  • Is there an update to this now that it is 8 months later? What features are now working? What is the current feedback?

  • Most of these issues are still hanging out there. I wish I would have researched the XG product line a little better. Your marketing guys are doing a good job selling a semi functional product.

  • An update on these issues would be nice. Like some have said already I definitely couldn't recommend the XG product line. And the XG combined with the Sophos end point protection have left a bad taste in my mouth. Striving for simplicity at the expense of utility is counter productive.