XG v17: what's coming next

Hi Everyone, 

You're all overdue for an update on current and next steps, so I wanted to take some time to share a brief update. Since v16 launched last year, we've seen a huge increase in deployments worldwide! It's great to see that the feedback and effort you've provided has really been helpful to shape a successful v16 launch! Thank you to everyone who has used XG, and shared your feedback. It's been immensely valuable, and a big factor in the success thus far.

We've also launched v16.05 (Also called 16.5 sometimes, by lazy people like me..) which closed off the last high-level feature gap between XG and UTM9. I've seen some questions on why this release didn't contain more, so I'll take a moment to go over why we released only what we did.

Earlier in 2016, we launched Sophos Sandstorm on both UTM9 and Sophos Web Appliance, to MUCH greater success than we had initially expected. This resulted in far greater demand to launch it on XG, and left us with a tough choice. We could delay v16 significantly, or leave Sandstorm until v17, as originally planned. We believed that delaying v16 by even a few more months, would have caused significant problems for our existing XG partners, and waiting until v17 to launch Sandstorm was just too far out. With that in mind, we looked at what it would cost to deliver Sandstorm sooner. Our web and email teams were already going to begin working on Sandstorm as soon as they finished with v16, so if we limited the features in a release to just Sandstorm, a 16.05 release was possible, without causing a meaningful delay to v17. If we included more features, quality testing would take too long. With this in mind, we decided to launch a highly focused 16.05 release, dedicated to delivering Sophos Sandstorm by end of December. This would get 16 out when it was needed, and also get Sandstorm out close enough to the 16 launch, that we could reduce the problems caused by 16 not having it. So far, the decision has proven to be justified, as the launch of 16.05 has significantly accelerated the already fast growing v16. This sort of smaller feature release, on a fast timetable, isn't something we normally want to do - but in this case, the circumstances called for it.  

While our web and email teams were working on v16.05, the rest of our teams began working on v17, and we're marching towards a beta start around April or May. I can't go into too much detail on all of it just yet, but here are some if the highlights of what you can expect:

  • Troubleshooting and Visibility
    • Improved log viewer v2 - Unified view of all log sources, better filtering and searching, improved readability and display of log contents, unified view of live and historical logs
    • Improved Log Retention - Persistent storage of logs, retained for 1-2 weeks, to improve troubleshooting issues that are days old
    • More insightful log contents - firewall logs will now log meaningful reasons for "invalid" packet drops, web logs will include more details for troubleshooting
    • Rich Policy Test - Enter criteria to check,such as source, destination, user, etc.. and find out what firewall rule will allow or block it, what policies will be applied, and for web traffic, a full analysis of what rule within the web policy will be matched, and what action will be shown to the user
  • Firewall Rule Management - sliimer layout, custom grouping, cool design
  • IPsec VPN engine Improvements - IKEv2, Suite-B protocols, Reliability Upgrades
  • NAT Business rule improvements - Object based, more familiar to UTM9 users, more powerful
  • Synchronized Security - changing game for application control
  • Email - UX Improvements, Spam improvements, Outbound relay
  • Web - streaming improvements, faster content filtering
  • Zero-touch firewall deployments (not strictly part of v17, but part of a parallel project)
  • Licensing and Registration- more usable, less mandatory

This forum has a heavy hand in what shapes our roadmap, but it isn't the only source. For example I and other PMs have frequent calls with customers and partners, and even competitor's customers and partners. Usability study participants, Sophos support, and ideas.sophos.com, also contribute valuable feedback. Quite often these sources are at odds with the community feedback. It rarely differs in whether a feature is desirable or not, but it often differs in importance, and we have to factor all of it into our planning. 

I mention this, because I know that after reading the above list, there will be immediate questions about "what about feature X?", or "Why not feature Y?". To that, I say:

  • If we're not doing it in v17, we're more than likely still planning it, but the order of priority might might be different than you prefer
  • Some of you will disagree with one feature being chosen over another, and perhaps even disagree very strongly. Just know that this doesn't mean we're ignoring your feedback. The majority of the features and focus of v17 are driven by requests coming from these forums. We're listening!
  • The above list isn't exhaustive, or detailed. What you're looking for might still be planned for v17, but I can't outline all the details just yet. Stay tuned for the start of beta.

Finally, I want to call out a group of features I know you're going to ask about. Renaming/disabling interfaces, and other objects. It's obviously important, and highly desired in the community. Some more enabling/disabling options may be added in v17, but not interfaces, and there won't be improvements in what you can rename just yet, either. I know it's a big annoyance for some of you not have those features, but we need to do it right. (Bring on your apple, copy/paste analogies.. :) ) I worked with the teams to see if we could come up with a plan that included at least interface enabling/disabling in v17, but it wasn't practical. There are hidden costs, that aren't obvious, and there are also other projects in the works, that will significantly reduce those costs. At the risk of being too much of a tease in this post, we have a plan to implements enable/disable, renaming, and many other ui usability niceties everywhere. It depends on completing a project that's been in the works for a while, that I can't discuss just yet. Rest assured, it's all coming, and you're going to like the results! Be patient, and stay tuned!

Best Regards,

Alan Toews

Sr. Product Manager, XG Firewall

 

 

 

One last tease.. 

     

  • In reply to Mast_01:

    While I agree that XG isn't production ready yet, I also feel that we should acknowledge the potential in the product.

    I really love the new UI and I also prefer the new configuration approach after using it for some time. I also love the ease of remote access which I don't see in too many other products. For example, I got to test the hyped Cisco Meraki MX appliance. While it is super easy to configure, it doesn't offer much features or configuration options in general. As such, it turned out to be a product I might like to use in a home environment, but I wouldn't be able to use it in a corporate environment even though it comes at much higher pricing point!

    For all fairness, I have to acknowledge that Sophos came forward and openly said that the next version of XG isn't quite ready yet. I also love the community and direct access to the development team. I don't see that anywhere else.

    So, we should treat XG as a new product with great potential for which Sophos might take input from us. Meanwhile, we can still use the outstanding Sophos SG solution for production environments.

    I mean I also love to see new products quicker, but I personally prefer quality over speed. We are still using Sophos SG to secure our corporate systems and it has been working for us without fail for almost 10 years now. Quite frankly, I would be challenged to name another software product or appliance with the same track record.

    Just my two cents...

  • In reply to JensStraten:

    Agree with you 100% on the SG/UTM track record, however, since the acquisition of cyberoam, it has been on the back burner while most of the energy is being spent on XG. This is what I can't wrap my head around. A new UTM 10 with modernized gui and updated daemons would still have been easier to develop than cyberoam.

    I think since the original astaro team was german, the lure of cost savings using cyberoam development team probably ended up biting them in the end. They have recovered somewhat in the last few months, but the first couple of years of XG have been agonizing to say the least.

  • In reply to Billybob:

    I agree. I think the vision of XG is great, but it seems that it would have been better to keep the German development team... I also feel that Cyberoam was more a concept than an actual product.

    I am guessing it is all about long-term strategy and we don't get to see that. Can't blame them though. With all the competition, they need to keep their long-term cards close.

    Anyhow, let's hope that v17 will be a step in the right direction. I personally would prefer quality over quantity when it comes to new features.

  • At the risk of getting flamed off this board, I think one's perspective on XG depends very much on where one comes from.  I arrived to the Sophos world back in March from Meraki MX firewalls, after we got an XG210.  Personally I think XG is a very good product, it has a huge number of features and capabilities over the Meraki firewalls we just came from for a cheaper price.  In fact, XG functions very closely (and will get even closer in v17 based on what I see and read here) to the way Microsoft's ISA/TMG product worked, so for me, having come from ISA/TMG, I feel XG to be very familiar and natural and love what Sophos is doing vs. the UTM product.  I freely admit that it has some rough edges, it has some inexplicably missing features (no VLAN tagging, and no DHCPv6 PD in 2017 are you kidding me?), and logging is poor.  But then again, everything has flaws.  I get that when XG was released with version 15 it was probably better described as a 1.0 product and maybe the messaging was unclear and so some UTM people dove in thinking it was an "upgrade" and then were sorely disappointed, and even into v16 the perception is that it still isn't "complete" but overall I'm happy with it and believe in Alan and the team that they are going to deliver a homerun with v17.  The nearly monthly maintenance releases, IMO, demonstrate a commitment to quality and progress.

    I have observed that people who come from the Astaro/UTM product tend to be highly critical of the XG in general and believe the UTM is superior in all ways and the XG is just a waste of resources and a folly by Sophos.  I am not qualified to know if the UTM is truly vastly superior in every way, as many claim, since I have never used it, but browsing the UTM forum seems to reveal it also deals with its own problems (the recent UTM Active Directory SSO bug comes to mind), and even those are blamed on XG (Sophos is "diverting resources" away from UTM to XG). 

    I don't know, to be sure there are fair criticisms of XG to be had, but it just feels like it takes an unfair amount of beating at times because its not something that it was never intended to be. 

  • In reply to Bill Roland:

    Hi Bill,

    a number of us UTM fans have joined and used the XG to learn what the new way of thinking is for firewalls and add our experience to the testing.

    As you said the XG does have some features that the UTM does not have and one is the ability to scan imap mail messages.

    Some of the functions are much easier to configure than on the UTM. Further to what you said it depends on where you come from as to whether you think the XG is a good well featured product.

    I am currently using the XG latest release as my main firewall, I have UTM as a backup about to be rebuilt due to hardware issues

    I look forward to the v17 release and wish it would happen soon to stop the continued speculation.

    Ian

  • In reply to Bill Roland:

    All things considered I prefer working with XG than with SG. Everything just seems to make that much more sense (although it didn't initially). QoS is broken, but not really any more than SG. I would like to see nmap, iftop, and all the other commandline tools (busybox is a poor substitute), but I guess they have to make it fit into the XG75 footprint.

  • In reply to jamesharper:

    Hi,

    QOS on the UTM used to work, I had it working for VoIP and outgoing email limiting. I can't test either XG or UTM my internet connection is so poor, there isn't any room bandwidth wish to try anything.

    Ian

  • In reply to JensStraten:

    I'ts great to see so much interest in the upcoming beta :) A couple clarifications:

    JensStraten
    I think the vision of XG is great, but it seems that it would have been better to keep the German development team...

    We haven't gotten rid of them. Our German office is still alive and well, and has many devs working on XG. 

    bill-roland
    no VLAN tagging

    To clarify, XG supports VLAN tagging. The two feature limits with VLANs are that VLANs aren't supported on a bridge, and VLAN ID 1 can't be set yet as a tagged VLAN. 

    Once we get closer to the end of beta, I'll lay out a bit more of the roadmap and future plans and vision for the firewall. For now, I'll say to those who are affected by "the basics", as you say, we get it. There are a few smaller features that we absolutely need to add, because they are rather obvious limits. Product planning is a bit like an iceberg, though. Only a small percentage of what's in the works is visible. Unlike the iceberg, what you can't see is actually pretty exciting. Our plans aren't to replace every bit of functionality in UTM9. quite honestly, there's some pretty crappy features in there, along with all the good stuff. Through v16 & 16.5, our focus was first to close on the biggest sore spots, whether they were gaps with UTM9, or just areas we needed to improve. Second, to advance Synchronized Security, and third, to improve overall quality. (though not exactly in that order)

    several people
    XG isn't production ready

    We delivered on all of our v16.5 goals, though admittedly, getting the quality bar to where we wanted it took a little longer. We're soon going to release MR7, and at a bug and support-ability level, XG v16.5 is now the most successful firewall ever from Sophos. By every measure, XG is succeeding, and being recognized by the biggest industry analysts. It may not be perfect for everyone yet, but the proof is in. XG is production ready! 

    Looking forward to beta, and your feedback!

  • In reply to AlanT:

    Hi Alan

     

    Can we except the beta to be released this week or the next?

    How do we join the beta program?

     

    regards

  • In reply to AlanT:

    AlanT

     

    bill-roland
    no VLAN tagging

    To clarify, XG supports VLAN tagging. The two feature limits with VLANs are that VLANs aren't supported on a bridge, and VLAN ID 1 can't be set yet as a tagged VLAN. 

     

     

     

    We are also not able to use nested VLANs or QinQ (802.1ad) which has caused us some headaches recently. Even though we found a way to create these interfaces in the console they could not be made to show in the GUI and were not persistent. 

    We ended up having replace with a cheaper router that supports this. 

  • In reply to AlanT:

    AlanT

    We delivered on all of our v16.5 goals, though admittedly, getting the quality bar to where we wanted it took a little longer. We're soon going to release MR7, and at a bug and support-ability level, XG v16.5 is now the most successful firewall ever from Sophos. By every measure, XG is succeeding, and being recognized by the biggest industry analysts. It may not be perfect for everyone yet, but the proof is in. XG is production ready! 

    Looking forward to beta, and your feedback!

     

    Hi Alan!

    Two questions:

    • When can we anticipate the v17 beta to start?  I'm greatly looking forward to testing.
    • I'm running Sophos XG at home currently and ran several other software firewalls in the past and found Sophos to be the most intuitive of the bunch.  At the moment, I'm on cable internet with 100mbps speeds, but Fiber is actually being deployed as we speak and am afraid that the limitations of Home may not allow me to fully utilize the gigabit speeds.  Are there any plans to possibly expand the resource limits from 4 CPUs and 6GB of RAM to something higher or perhaps allow us to pay a nominal yearly fee to drop the limits altogether for HOME use only?  Untangled currently does this ($50/yr), and while i prefer Sophos, I think it's a great idea to allow the home user to get a great firewall that (hopefully) everyone can afford.  I would love to hear your thoughts on this.

    Thanks again and keep up the good work!

  • In reply to AaronW:

    Hi Aaron,

    for gigabit (lucky you) make sure your NICs are Intel (not 219) and you have a very fast 4 core CPU. Your memory usage will depend mainly on how many rules and users you have.

    Ian

  • In reply to rfcat_vk:

    rfcat_vk

    Hi Aaron,

    for gigabit (lucky you) make sure your NICs are Intel (not 219) and you have a very fast 4 core CPU. Your memory usage will depend mainly on how many rules and users you have.

    Ian

     

     

    Users or devices?  As I will have minimal users, but loads of devices (IoT, game consoles, servers, etc.).  Currently running on a little Qotom machine with i5 and Intel I211 NICs and cpu barely breaks a sweat with ~120mbps.

  • In reply to AlanT:

     

    thanks a lot for your reply. I am one of the guy who says that XG isn't production ready and I will try to even explain why:

    XG at the moment lacks on logging (v17 let's see) and even flow monitor is missing. Managing and understanding how the bandwidth is consumed at the moment is quite difficult (the sum of the total bandwidth does not work, it is incorrect). You cannot set different Upload and Download speed on WAN interfaces (Some Enterprises have backup connection where they use asymmetric connection). Anti-port scan???? Where is it? Even in Sophos there were some confusion if the anti-port scan was handled by IDS/IPS or not and then after a year the feature is not there....Email filtering? I am not using Email Filtering (I am still using UTM9, SEA and Pure Message) because on XG Email Filtring is almost useless. Limitation on exception creations, DKIM missing, multiple email domain managing, etc. VLAN? In some big configuration, Enterprise are not using VLAN 1 at all (for security reason) and on XG you cannot create VLAN if you do not set the native VLAN ID which cannot be changed from 1. CLI interface...it is quite confusing...sometimes commands are under show while show sometimes is an option for the command. Multiple Firewall. Concurrent are using their own technology (VDOM just to say one) and XG is not able to handle them (this is an Enterprise Feature I know!). Admin users cannot be changed. All the Enterprise Company change the default account to something else.

    The other section is what we have at the moment but cannot be changed or it is not working as expected (like fixed VPN SSL Port, OTP and CAA limitation, User Portal is lacking many features compared to UTM).

    So the list can be longer. As I said I personally appreciate what you have done since MR1 this year and you are pushing a lot but XG is still to be considered and studied before putting it in any big configuration or where the VLAN are the core of the business.

    Well done for NSS labs. This is a nice award but making customers happy and selling XG like water in the desert will be the satisfaction for you and all Sophos Partners. This is not a dream world but something possible in the next future.

    Regards

  • In reply to lferrara:

    lferrara
    (like fixed VPN SSL Port,

    Sorry to say, but this will not be released in V17.0  See Statement of Alan  here: https://ideas.sophos.com/forums/330219-xg-firewall/suggestions/11145186-change-ssl-vpn-port

    I verified this statement with our contact, they said we shouldn't be expecting this feature in the next 6 month.