XG v17: what's coming next

Hi Everyone, 

You're all overdue for an update on current and next steps, so I wanted to take some time to share a brief update. Since v16 launched last year, we've seen a huge increase in deployments worldwide! It's great to see that the feedback and effort you've provided have really been helpful in shaping a successful v16 launch! Thank you to everyone who has used XG and shared your feedback. It's been immensely valuable, and a big factor in the success thus far.

We've also launched v16.05 (Also called 16.5 sometimes, by lazy people like me..) which closed off the last high-level feature gap between XG and UTM9. I've seen some questions on why this release didn't contain more, so I'll take a moment to go over why we released only what we did.

Earlier in 2016, we launched Sophos Sandstorm on both UTM9 and Sophos Web Appliance, to MUCH greater success than we had initially expected. This resulted in far greater demand to launch it on XG, and left us with a tough choice. We could delay v16 significantly, or leave Sandstorm until v17, as originally planned. We believed that delaying v16 by even a few more months would have caused significant problems for our existing XG partners, and waiting until v17 to launch Sandstorm was just too far out. With that in mind, we looked at what it would cost to deliver Sandstorm sooner. Our web and email teams were already going to begin working on Sandstorm as soon as they finished with v16, so if we limited the features in a release to just Sandstorm, a 16.05 release was possible without causing a meaningful delay to v17. If we included more features, quality testing would take too long. With this in mind, we decided to launch a highly focused 16.05 release, dedicated to delivering Sophos Sandstorm by the end of December. This would get 16 out when it was needed, and also get Sandstorm out close enough to the 16 launch that we could reduce the problems caused by 16 not having it. So far, the decision has proven to be justified, as the launch of 16.05 has significantly accelerated the already fast-growing v16. This sort of smaller feature release, on a fast timetable, isn't something we normally want to do - but in this case, the circumstances called for it.

While our web and email teams were working on v16.05, the rest of our teams began working on v17, and we're marching towards a beta start around April or May. I can't go into too much detail on all of it just yet, but here are some of the highlights of what you can expect:

  • Troubleshooting and Visibility
    • Improved log viewer v2 - Unified view of all log sources, better filtering and searching, improved readability and display of log contents, unified view of live and historical logs
    • Improved Log Retention - Persistent storage of logs, retained for 1-2 weeks, to improve troubleshooting issues that are days old
    • More insightful log contents - firewall logs will now log meaningful reasons for "invalid" packet drops, web logs will include more details for troubleshooting
    • Rich Policy Test - Enter criteria to check, such as source, destination, user, etc., and find out what firewall rule will allow or block it, what policies will be applied, and for web traffic, a full analysis of what rule within the web policy will be matched, and what action will be shown to the user
  • Firewall Rule Management - slimmer layout, custom grouping, cool design
  • IPsec VPN engine Improvements - IKEv2, Suite-B protocols, Reliability Upgrades
  • NAT Business rule improvements - Object based, more familiar to UTM9 users, more powerful
  • Synchronized Security - game-changing for application control
  • Email - UX Improvements, Spam improvements, Outbound relay
  • Web - streaming improvements, faster content filtering
  • Zero-touch firewall deployments (not strictly part of v17, but part of a parallel project)
  • Licensing and Registration - more usable, less mandatory

This forum has a heavy hand in what shapes our roadmap, but it isn't the only source. For example, I and other PMs have frequent calls with customers and partners, and even competitors' customers and partners. Usability study participants, Sophos support, and ideas.sophos.com also contribute valuable feedback. Quite often these sources are at odds with the community feedback. It rarely differs in whether a feature is desirable or not, but it often differs in importance, and we have to factor all of it into our planning.

I mention this, because I know that after reading the above list, there will be immediate questions about "what about feature X?", or "Why not feature Y?". To that, I say:

  • If we're not doing it in v17, we're more than likely still planning it, but the order of priority might be different than you prefer
  • Some of you will disagree with one feature being chosen over another, and perhaps even disagree very strongly. Just know that this doesn't mean we're ignoring your feedback. The majority of the features and focus of v17 are driven by requests coming from these forums. We're listening!
  • The above list isn't exhaustive, or detailed. What you're looking for might still be planned for v17, but I can't outline all the details just yet. Stay tuned for the start of beta.

Finally, I want to call out a group of features I know you're going to ask about: renaming/disabling interfaces, and other objects. It's obviously important, and highly desired in the community. Some more enabling/disabling options may be added in v17, but not interfaces, and there won't be improvements in what you can rename just yet, either. I know it's a big annoyance for some of you not to have those features, but we need to do it right. (Bring on your Apple copy/paste analogies.. :) ) I worked with the teams to see if we could come up with a plan that included at least interface enabling/disabling in v17, but it wasn't practical. There are hidden costs that aren't obvious, and there are also other projects in the works that will significantly reduce those costs. At the risk of being too much of a tease in this post, we have a plan to implement enable/disable, renaming, and many other UI usability niceties everywhere. It depends on completing a project that's been in the works for a while, that I can't discuss just yet. Rest assured, it's all coming, and you're going to like the results! Be patient, and stay tuned!

Best Regards,

Alan Toews

Sr. Product Manager, XG Firewall

One last tease..

  • In reply to Mast_01:

    About a year ago this time I drank the Kool-Aid and did a nine site installation with XG16, my first, after originally pricing the Sonicwalls I usually sell.  I also have one in my house (XG115) but still run a Sonicwall at the office.  One of the reasons was because they already used Sophos EP and had an ES1100 mail appliance I was hoping the XG could replace, since the ES1100 is ancient.  I had many days of unbillable time trying to get the firewalls to do basic things that don't require any training or special skills to do with competing products.  I gave up on doing anything with E-mail, was confounded by the firewall rules, IPS, content filtering, VPN, inability to work with SIP trunks, etc., etc.  Nothing worked as you'd expect.  Here we are a year later, with V17 installed on my personal XG115, and I don't feel the ball has really moved.  I'd say the deck chairs have been re-arranged on the Titanic.  The interface is still very slow, just not as slow as it was, many things are still non-intuitive or covered in the GUI, many things still don't work (geo-filtering), lack of logging, etc., etc.  I suspect the reason many on this forum are still even talking XG is they've got some level of history, longer than me, in Sophos firewall products, and have a harder time breaking free and saying enough is enough.  Except for that one customer, I can walk away from it.  Fortunately or unfortunately, I don't think that customer is going to be in business much longer, nothing to do with Sophos I should add, which would resolve the issue of what to do with them.  I didn't come from the old product, so trying to convert them to UTM would be another mountain to climb, especially with all their branch sites being in other states.  I've given up, am in maintenance mode, and will continue to loosely monitor the forum for unexpected breakthroughs or other news relative to my one customer's support.
    Luckily the circumstances with that customer are such that I likely won't have to have that awkward conversation about why I sold them what I did.

  • In reply to Ben:

    Sorry, but after following the XG project for the last 2 years and trying betas and being unimpressed and having read promises of "feature parity" and "huge improvements", I am giving up on this one.


    Problem is that according to their statistics "XG is super popular and accepted", statistics that can easily be invalid, for example: I buy an XG box because that's what my distributor has in stock, I INSTANTLY UPGRADE IT to UTM to have a usable product, but for statistics' sake, it's another successful XG sale!


    I had and loved Microsoft ISA server, ran it into the ground and replaced it with Forefront TMG 2010 when it came out.  Then when that went EOL I bought a Meraki MX firewall to replace it because the Meraki engineers said it would do everything the TMG does (it didn't come close).  I returned it after 30 days for a refund.  I then bought an XG125 running v15 for a small branch office as a test, continuing to run my EOL TMG at our headquarters.  It was overall easy to set up coming from the TMG world.  Then v16 firmware came out and made it better.  I was confident enough in it that I bought an XG310 for our headquarters doing a 250/250 internet line and a 50/50 used for multiple B2B IPSec tunnels.  We are adding another branch office next month and again I bought an XG125 which as I type this is sitting next to me waiting to be set up.  Over the last year I've also added some RED 15s for guys working at home including myself.  We don't use any of the mail stuff but do use web publishing including for OWA, Outlook Anywhere, lots of custom firewall rules, SSL VPN, etc.


    I'm not saying there haven't been problems because there have been.  I've contacted support or these forums for the majority of the issues and everything has been fixed on my list except for one issue: forms based authentication not redirecting to the right place after login (verified bug logged, waiting for fix).  Other than that I have annoyances but not really issues: some insecure ciphers not easily turned on/off through the interface (was given instructions on how to manually do it), some PDF files being blocked from download due to false positives (happened with three sites, we added a firewall rule to bypass IPS), and logging could be better (which it sounds like they are fixing).


    Overall I'm happy with the XG product especially based on the price and feature sets of competing products.  We pass our PCI compliance scans every month which is a big one for us and our insurance.  We don't have issues with them locking up, the only time they reboot is for a firmware update.  The SSL VPN client, although simplistic, is easy for our users to install on their own with instructions and use.  Etc.


    I would think their statistics are correct.  The majority of people that installed an XG device probably had it work for what they wanted, basic web filtering and VPN.  They aren't on these forums complaining.  They are using the product successfully.  They aren't joining these forums to say "Thanks, everything works just fine".  The majority of people on these forums are people having some type of issue so it's always going to sound more negative overall than the actual install base.  Sophos, I would think, doesn't get a call, email, forum post, etc. for 75%+ of their installed user base because the product just does what those people want.


    I'm not trying to defend Sophos or anything but complaining doesn't make the product better.  Using it and giving honest feedback does.  I'll stick with v16 and let you bleeding edge people install v17.  When it's in general release I'll watch these forums for issues and if I don't see anything that affects my use case I'll test it in a branch office for a few weeks.  If it's still good, the other branch office.  If it's still good, with a current backup, I'll do our HQ and keep marching forward.




    Edit: For the record I worked on both an Astaro and an SG in the past and still find the XG a better interface.  Maybe it's because I came from TMG but to me it makes sense.

  • In reply to AllanD:

    AllanD, your story is pretty much a carbon copy of mine, minus the Astaro/SG part (never used them), and I do have some experience with SonicWall.  Those Meraki MX firewalls are dogs compared to TMG and XG. 

  • In reply to Bill Roland:

    Bill Roland
    Those Meraki MX firewalls are dogs


    I received a freebie - no way we could use this in a work environment as it's too simple and doesn't do many of the basics. It's now a "Home" device dishing out policies to stop my kids getting to undesirable sites and reporting their usage.


    My experience with the XG230 has been mixed. I came in with no experience with Sophos products or indeed many other firewalls as we had a managed service. I added the XG in late November last year and have managed to get most things up and running like Web Filtering on Policies, STAS, FW Rules, VPN etc. - it's in production and working.

    I do think that the reporting is nowhere up to scratch and I hope v17 really does have much more in-depth logging. Many times a client / service is blocked by the XG yet no logs show it anywhere.

    My biggest issues relate to authentication of non domain connected devices such as Macbooks and iPhones (now using SSO via RADIUS) and also Clientless Users and policies.

    My supplier still maintains the UTM is a better product and we should have "possibly" switched to this instead of XG.

    I am still out on this one.

    I really hope v17+ fixes logging and makes the XG a tool we can use easily.

  • In reply to Ian Melton:

    I am a home user that has been using the UTM since 2005.

    A quick summary of the last series of posts in this thread.

    Those that came from other products (manufacturers) are very happy with the XG.

    Those that came from UTM are unhappy with the XG.


  • In reply to rfcat_vk:

    Agree here. I had a couple of UTMs previously and was blown away at how easy everything *looked* on the XG but actually wasn't. Took me a solid month to get the differences down. Weird stuff like VPN configuration quirks, routing, etc. was just different than the UTMs, ASAs, or Junipers I have used previously.

  • In reply to AlanT:

    I'm still not sure what the answer is.  Is XG still locked into using VLAN 1?  I can see some console/CLI where a bridge interface can have vlanid tagged...but not trunk interface.

    So, in an environment where VLAN 1 is disabled, my trunks up to the XG firewall drop into suspend mode if I try to use "native vlan __" ...anything other than "1".

    Is this coming in v17 beta?

  • So, got an email a few days ago "XG Firewall v17 has Arrived!"

    Awesome!! Let's head to the XG update page.... and nothing


  • In reply to Yann Bizeul:

    You have to download it from their main site. It doesn't say whether it's beta or stable.


  • In reply to alan weir:

    The "GA" in the name would be General Availability, so yes, appears to be production release. 

  • In reply to DavidPeterson:

    The upgrade just arrived on my box and went smoothly without any problem.

  • In reply to Jens Kruse:

    I loaded V17 on my XG210 just fine, but trying to upload it to an XG85W without booting to it... the upload fails repeatedly.  It's being uploaded from a server sitting on the LAN, so it's only 1 hop away from the firewall.


    And of course, there is no log entry for something like this.

    I'm one of those semi-disgruntled users who bought the XG early and have seen it vastly improve, but my mind is still boggled by how they took things that are standard and easy in other products and made them difficult in the XG. Example: simple naming of NAT. Initially, the XG interface didn't call it NAT, but the functionality was buried in a business rule.  I spent time hunting for the NAT/DNAT feature but never found it because they didn't call it such.  And those sorts of things continue to pop up, but less and less frequently with each firmware update.

  • In reply to AlanT:

    Hey AlanT,

    Since v17 is GA now, I hope you can find some time to update us with more details on future plans for v17 and also Project Picasso.

  • Played around with an XG17 VM and was kinda disappointed. Still no VTI support for IPSEC tunnels like back in the Cyberoam days? Will this be looked at in the future? We've experienced some weirdness from time to time on XG16 when using GREs and encrypting them with IPSEC, so had to go back to IPSEC policy based routes.


    We would much rather use VTI+BGP underneath to make routing decisions.

  • Hi,

    I still have problems with version v17 in combination with IPSec VPN connections. I hope MR-1 for v17 will improve the IPSec even further.