XG v17: what's coming next

Hi Everyone, 

You're all overdue for an update on current and next steps, so I wanted to take some time to share a brief update. Since v16 launched last year, we've seen a huge increase in deployments worldwide! It's great to see that the feedback and effort you've provided have really helped to shape a successful v16 launch! Thank you to everyone who has used XG and shared your feedback. It's been immensely valuable, and a big factor in the success thus far.

We've also launched v16.05 (Also called 16.5 sometimes, by lazy people like me..) which closed off the last high-level feature gap between XG and UTM9. I've seen some questions on why this release didn't contain more, so I'll take a moment to go over why we released only what we did.

Earlier in 2016, we launched Sophos Sandstorm on both UTM9 and Sophos Web Appliance, to MUCH greater success than we had initially expected. This resulted in far greater demand to launch it on XG, and left us with a tough choice. We could delay v16 significantly, or leave Sandstorm until v17, as originally planned. We believed that delaying v16 by even a few more months would have caused significant problems for our existing XG partners, and waiting until v17 to launch Sandstorm was just too far out. With that in mind, we looked at what it would cost to deliver Sandstorm sooner. Our web and email teams were already going to begin working on Sandstorm as soon as they finished with v16, so if we limited the features in a release to just Sandstorm, a 16.05 release was possible without causing a meaningful delay to v17. If we included more features, quality testing would take too long. With this in mind, we decided to launch a highly focused 16.05 release, dedicated to delivering Sophos Sandstorm by end of December. This would get 16 out when it was needed, and also get Sandstorm out close enough to the 16 launch that we could reduce the problems caused by 16 not having it. So far, the decision has proven to be justified, as the launch of 16.05 has significantly accelerated the already fast-growing v16. This sort of smaller feature release, on a fast timetable, isn't something we normally want to do - but in this case, the circumstances called for it.

While our web and email teams were working on v16.05, the rest of our teams began working on v17, and we're marching towards a beta start around April or May. I can't go into too much detail on all of it just yet, but here are some of the highlights of what you can expect:

  • Troubleshooting and Visibility
    • Improved log viewer v2 - Unified view of all log sources, better filtering and searching, improved readability and display of log contents, unified view of live and historical logs
    • Improved Log Retention - Persistent storage of logs, retained for 1-2 weeks, to improve troubleshooting issues that are days old
    • More insightful log contents - firewall logs will now log meaningful reasons for "invalid" packet drops, web logs will include more details for troubleshooting
    • Rich Policy Test - Enter criteria to check, such as source, destination, user, etc., and find out what firewall rule will allow or block it, what policies will be applied, and for web traffic, a full analysis of what rule within the web policy will be matched, and what action will be shown to the user
  • Firewall Rule Management - slimmer layout, custom grouping, cool design
  • IPsec VPN engine Improvements - IKEv2, Suite-B protocols, Reliability Upgrades
  • NAT Business rule improvements - Object based, more familiar to UTM9 users, more powerful
  • Synchronized Security - changing game for application control
  • Email - UX Improvements, Spam improvements, Outbound relay
  • Web - streaming improvements, faster content filtering
  • Zero-touch firewall deployments (not strictly part of v17, but part of a parallel project)
  • Licensing and Registration - more usable, less mandatory

This forum has a heavy hand in what shapes our roadmap, but it isn't the only source. For example, I and other PMs have frequent calls with customers and partners, and even competitors' customers and partners. Usability study participants, Sophos support, and ideas.sophos.com also contribute valuable feedback. Quite often these sources are at odds with the community feedback. It rarely differs in whether a feature is desirable or not, but it often differs in importance, and we have to factor all of it into our planning.

I mention this, because I know that after reading the above list, there will be immediate questions about "what about feature X?", or "Why not feature Y?". To that, I say:

  • If we're not doing it in v17, we're more than likely still planning it, but the order of priority might be different than you prefer
  • Some of you will disagree with one feature being chosen over another, and perhaps even disagree very strongly. Just know that this doesn't mean we're ignoring your feedback. The majority of the features and focus of v17 are driven by requests coming from these forums. We're listening!
  • The above list isn't exhaustive, or detailed. What you're looking for might still be planned for v17, but I can't outline all the details just yet. Stay tuned for the start of beta.

Finally, I want to call out a group of features I know you're going to ask about: renaming/disabling interfaces, and other objects. It's obviously important, and highly desired in the community. Some more enabling/disabling options may be added in v17, but not interfaces, and there won't be improvements in what you can rename just yet, either. I know it's a big annoyance for some of you not to have those features, but we need to do it right. (Bring on your apple, copy/paste analogies.. :) ) I worked with the teams to see if we could come up with a plan that included at least interface enabling/disabling in v17, but it wasn't practical. There are hidden costs that aren't obvious, and there are also other projects in the works that will significantly reduce those costs. At the risk of being too much of a tease in this post, we have a plan to implement enable/disable, renaming, and many other UI usability niceties everywhere. It depends on completing a project that's been in the works for a while, that I can't discuss just yet. Rest assured, it's all coming, and you're going to like the results! Be patient, and stay tuned!

Best Regards,

Alan Toews

Sr. Product Manager, XG Firewall

One last tease.. 

  • Thank you for your long post and for your off notice.

    For XG we are expecting a lot of improvements and you know from Partners, Distributors, Customers, Idea.sophos.com and Community which are the features we are looking for soon.

    Logging is the worst part at the moment on XG. Troubleshooting is a nightmare at the moment (you know already).

    I personally like the idea to have more "advanced and secure" features than basic features like renaming interfaces, but this is my point of view. With the view of selling XG on big customers, as a Partner I like this direction.

    WAF and IPS need a further step in order to fight against the major antagonist inside the "Magic Leader Quadrant", and you are going in the right direction. Maybe v17/v17.5 will be the right release to fight against them, but all of us are here to give Sophos support and our point of view.

    I really hope that XG is more stable in terms of performance (again, IPS needs a lot of improvement) and I hope to see even HB integration with On-Premise Endpoint (this is another big limitation, but not your department's fault), but I would like to write you here because if they integrate the XG with Sophos On-Premise, your department will really succeed in selling 10x more XG than you do at the moment.

    Please make sure the "teases" you shared are a little bit bigger, because they are not even readable.

    You and we are on the right way to succeed!

    Best regards,

  • I just hope that you will provide us with some form of HCL for v17.

    I mean I like testing beta products and giving feedback, but it is frustrating when I first have to spend days until I figure out that the software simply cannot properly determine my network cards (Realtek RTL8111EVL & Realtek RTL8110SC) and uses them as 100MBit half-duplex when they are actually 1GBit full-duplex cards. Maybe you can spend a little bit more time on hardware compatibility before the next release? Thank you!

    Anyhow, the features sound great and I am excited to start testing in a few months.

  • Hi Alan,

    Thank you for taking the time to provide the future of the v17 release. It is still a long way away.

    What I don't see any mention of is the improvement in IPv6 handling which in this day and age of IPv4 (for want of a name) address ranges running out should be mandatory.

  • Hi Alan,

    Thanks for sharing the news!

    Some points that could be mentioned:

    - Better integration with AD, without requiring additional software (aka STAS, SSO Client);

    - +1 for HB with On-Premise Endpoint;

    Interface has already been greatly improved, no need to touch it for now.

    The improvements about logs are welcome! Keep it up.

  • In reply to lferrara:

    lferrara

    Logging is the worst part at the moment on XG. Troubleshooting is a nightmare at the moment (you know already).

    I personally like the idea to have more "advanced and secure" features than basic features like renaming interfaces, but this is my point of view. With the view of selling XG on big customers, as a Partner I like this direction.

    I really hope that XG is more stable in terms of performance (again, IPS needs a lot of improvement) and I hope to see even HB integration with On-Premise Endpoint (this is another big limitation, but not your department's fault), but I would like to write you here because if they integrate the XG with Sophos On-Premise, your department will really succeed in selling 10x more XG than you do at the moment.

    Full acknowledgement of these points.

    On top, Email Protection in MTA mode has to be greatly improved! The detection rate is still poor. XG is lacking many features that UTM had. Even UTM, from my perspective, is on the lower end regarding feature configurability when acting as an MTA. There should be more fine-granular options to be configured. For example, greylisting is nice, but selective greylisting (configurable per domain, etc.) would be much better. Other products have 50 positions to fine-tune regarding HELO restrictions. Sophos has about 2 (RDNS and Strict RDNS)...
     
  • Hello,

    Thank you for the information.

    I have been with the firewall product since Astaro ver. 7 through UTM 9.

    Thank you for having OVF / VM images for the XG product.

    I just switched to XG in November 2016, and I am slowly learning XG and its new look and feel interface. I appreciate your work on the

    "NAT Business rule improvements - Object based, more familiar to UTM9 users, more powerful"

    That is the one area giving me some challenges under XG to reconfigure all NAT rules I had on UTM and look forward to that.

    Having XG as a VM makes it easy to switch between and test the product / versions and look forward to working with 17 when it is released.

    I have been very pleased with UTM / XG, and with the free home use license with all the features and functions, I can't find a better low cost or free Firewall / Threat Protection system.

    Sincerely,

    Chad

  • Hi Alan,
    Thank you for the information.

    For XG v17, bring back the Users & Groups menu as in UTM 9, where we can create groups based on LDAP attributes. It is very necessary to make several groups with many members.
    We have opened a ticket, posted new ideas, and posted on the Sophos community, but it is still not enough to help with this problem.

  • Excellent! Looking forward to beta testing :)
  • In reply to BTIPTPJB:

    Hi BTIPTPJB, we will expand our auth capabilities to include your asks, and more, but it won't make it into v17.

  • Glad you are working on making the XG better. I wish I had known about the infancy of the product before agreeing to purchase it and adding it to my production environment.

  • In reply to ChristineMeisinger:

    Couldn't agree more!

  • I hope this will include IPv6 DHCP-PD. Comcast Business and other US ISPs are using it. It's also part of Sophos SG.

    Hope we will finally see it in v17?

  • I would say there are 2 critical things missing to make the XG more useful. There are more, but these are the ones I see missing in v16.05.

    First is bandwidth limit per port, not per rule. For example, with 2 WAN ports I want to limit one WAN port to no more than 5MB, and then the second WAN port can be unlimited and load balance if needed. The current traffic shaping is for the whole box, which makes failover and load balancing across multiple ISPs impossible.

    The second item is being able to schedule firmware updates at a certain day and time, like the SG had.

    With the XG, doing basic items is definitely a lot more involved than it was with the SG. It needs to be more user friendly, so that we don't have to use the console so much to configure the device.

  • In reply to AlanT:

    Hi Alan, thanks for your answer. Hoping these features will be added in the next versions (v17.5).
    We know that XG has the User Identity feature, but the feature does not work optimally if the user authentication problems are not fixed.
    There are a few extras to improve XG:
    1. Web filter categorization based on the WINGc engine is still less than UTM's (based on McAfee SmartFilter XL).
    We don't protest the engine used in the XG; the important thing is to be competitive like UTM.
    We tried submitting a web reassessment, but after an interval of 4 days it is still not approved. Is the interval this long, or is the response team slow?

    2. Ability to choose a time period in Reporting, like Sophos Web Appliance. This feature is missing from iView v2 too (there is no information update for iView v3).
    http://ideas.sophos.com/forums/330219-sophos-xg-firewall/suggestions/17983930-time-based-web-bandwidth-usage-reporting

    http://ideas.sophos.com/forums/267002-sophos-iview/suggestions/8457946-ability-to-choose-a-time-period

    3. Captive Portal FQDN Support
    http://ideas.sophos.com/forums/330219-sophos-xg-firewall/suggestions/11580213-captive-portal-fqdn-support

  • Any news on the timing of the Beta?