XG v17: what's coming next

Hi Everyone, 

You're all overdue for an update on current and next steps, so I wanted to take some time to share a brief update. Since v16 launched last year, we've seen a huge increase in deployments worldwide! It's great to see that the feedback and effort you've provided has really been helpful to shape a successful v16 launch! Thank you to everyone who has used XG, and shared your feedback. It's been immensely valuable, and a big factor in the success thus far.

We've also launched v16.05 (Also called 16.5 sometimes, by lazy people like me..) which closed off the last high-level feature gap between XG and UTM9. I've seen some questions on why this release didn't contain more, so I'll take a moment to go over why we released only what we did.

Earlier in 2016, we launched Sophos Sandstorm on both UTM9 and Sophos Web Appliance, to MUCH greater success than we had initially expected. This resulted in far greater demand to launch it on XG, and left us with a tough choice. We could delay v16 significantly, or leave Sandstorm until v17, as originally planned. We believed that delaying v16 by even a few more months, would have caused significant problems for our existing XG partners, and waiting until v17 to launch Sandstorm was just too far out. With that in mind, we looked at what it would cost to deliver Sandstorm sooner. Our web and email teams were already going to begin working on Sandstorm as soon as they finished with v16, so if we limited the features in a release to just Sandstorm, a 16.05 release was possible, without causing a meaningful delay to v17. If we included more features, quality testing would take too long. With this in mind, we decided to launch a highly focused 16.05 release, dedicated to delivering Sophos Sandstorm by end of December. This would get 16 out when it was needed, and also get Sandstorm out close enough to the 16 launch, that we could reduce the problems caused by 16 not having it. So far, the decision has proven to be justified, as the launch of 16.05 has significantly accelerated the already fast growing v16. This sort of smaller feature release, on a fast timetable, isn't something we normally want to do - but in this case, the circumstances called for it.  

While our web and email teams were working on v16.05, the rest of our teams began working on v17, and we're marching towards a beta start around April or May. I can't go into too much detail on all of it just yet, but here are some of the highlights of what you can expect:

  • Troubleshooting and Visibility
    • Improved log viewer v2 - Unified view of all log sources, better filtering and searching, improved readability and display of log contents, unified view of live and historical logs
    • Improved Log Retention - Persistent storage of logs, retained for 1-2 weeks, to improve troubleshooting issues that are days old
    • More insightful log contents - firewall logs will now log meaningful reasons for "invalid" packet drops, web logs will include more details for troubleshooting
    • Rich Policy Test - Enter criteria to check, such as source, destination, user, etc., and find out what firewall rule will allow or block it, what policies will be applied, and for web traffic, a full analysis of what rule within the web policy will be matched, and what action will be shown to the user
  • Firewall Rule Management - slimmer layout, custom grouping, cool design
  • IPsec VPN engine Improvements - IKEv2, Suite-B protocols, Reliability Upgrades
  • NAT Business rule improvements - Object based, more familiar to UTM9 users, more powerful
  • Synchronized Security - changing game for application control
  • Email - UX Improvements, Spam improvements, Outbound relay
  • Web - streaming improvements, faster content filtering
  • Zero-touch firewall deployments (not strictly part of v17, but part of a parallel project)
  • Licensing and Registration - more usable, less mandatory

This forum has a heavy hand in what shapes our roadmap, but it isn't the only source. For example, I and other PMs have frequent calls with customers and partners, and even competitors' customers and partners. Usability study participants, Sophos support, and ideas.sophos.com also contribute valuable feedback. Quite often these sources are at odds with the community feedback. It rarely differs in whether a feature is desirable or not, but it often differs in importance, and we have to factor all of it into our planning.

I mention this, because I know that after reading the above list, there will be immediate questions about "what about feature X?", or "Why not feature Y?". To that, I say:

  • If we're not doing it in v17, we're more than likely still planning it, but the order of priority might be different than you prefer
  • Some of you will disagree with one feature being chosen over another, and perhaps even disagree very strongly. Just know that this doesn't mean we're ignoring your feedback. The majority of the features and focus of v17 are driven by requests coming from these forums. We're listening!
  • The above list isn't exhaustive, or detailed. What you're looking for might still be planned for v17, but I can't outline all the details just yet. Stay tuned for the start of beta.

Finally, I want to call out a group of features I know you're going to ask about: renaming/disabling interfaces, and other objects. It's obviously important, and highly desired in the community. Some more enabling/disabling options may be added in v17, but not interfaces, and there won't be improvements in what you can rename just yet, either. I know it's a big annoyance for some of you not to have those features, but we need to do it right. (Bring on your apple, copy/paste analogies.. :) ) I worked with the teams to see if we could come up with a plan that included at least interface enabling/disabling in v17, but it wasn't practical. There are hidden costs that aren't obvious, and there are also other projects in the works that will significantly reduce those costs. At the risk of being too much of a tease in this post, we have a plan to implement enable/disable, renaming, and many other UI usability niceties everywhere. It depends on completing a project that's been in the works for a while, that I can't discuss just yet. Rest assured, it's all coming, and you're going to like the results! Be patient, and stay tuned!

Best Regards,

Alan Toews

Sr. Product Manager, XG Firewall

One last tease..


  • In reply to Steppenwolf:

    What sort of issues are you having? So far I've found the following:

    • Unable to modify IPSEC VPN sometimes. Reboot required to resolve.
    • VPN Failover never shows that a link is connected even though one is (and works fine)
  • In reply to jamesharper:

    I have found the following issues in 17.0.0 GA:

    • Unable to clone an IPSec-connection -> Error: IPsec Connection "XXX" could not be updated
    • RemoteID is not displayed for connections with ExternalCertificate (see screenshot)
    • Unable to create an IPSec-connection with the same DNS Local ID -> Error: Local ID already used by another IPsec/L2TP/Cisco Connection



  • IPSec seems to be an issue for several people.
    We upgraded an appliance to v17 and all our VPNs stopped working. Went back to v16.5 and everything was alright again...

    On another note... why is it still not possible to drop or quarantine spam mail on pop/imap?

  • In reply to Björn Vermöhlen:

    When I rebooted my head office Sophos (v17), the one branch office that I had upgraded to v17 failed to reconnect. I had to log into it and bring the VPN back up.

    Also PPPoE seems to just give up after a while and needs to be manually connected.

    v17 is going to need a lot of reboots!

    That aside, I like XG more and more with every new release.


  • In reply to jamesharper:

    Read my post "Troubled Waters". The end particularly.  community.sophos.com/.../xg-troubled-waters

    Suggestion:  I wish a TAP port could be set up in a single click in order to use Wireshark instead of the XG's log viewer.  I just can't work with XG's log viewer.  It is not even on par with Checkpoint in 1995 when I first used it.

    NAT in v17 is still very confusing.  Why NAT is not an object attribute instead of being a rule's attribute is beyond me.  It's cumbersome to say the least.

    Also, there's no negation ...  For example, a firewall rule could look like this: destination "not" "Encryption_Domain" scan HTTPS.  Where Encryption_Domain, let's say, is a group containing all local subnets NATed behind a gateway. In this hypothetical case, "not" "Encryption_Domain" describes the Internet.  By the way, I am not aware of an "Encryption_Domain" object in XG.

    Waiting for XG v18.  Or maybe v20 ...


    Paul Jr
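The two ideas that keep coming up in this thread, the "Rich Policy Test" announced in the original post (enter source, destination and service and see which rule fires) and the negated destination match Paul Jr asks for ("not Encryption_Domain" meaning everything outside the local subnets), can both be shown with a small first-match rule evaluator. This is an added illustration written for this thread; it is not XG code and does not reflect how XG evaluates rules internally. All object names, rule numbers and addresses are constructed for the example.

```python
"""Minimal first-match firewall policy tester (added example, not Sophos/XG code).

Given a packet's source, destination and service, report which rule matches
first and what action it takes, the way a "policy test" feature would.
The destination match can be negated, so a rule with dst="Encryption_Domain"
and negate_dst=True matches only traffic leaving the local subnets.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set

# Constructed network objects: a group is simply a list of CIDR networks.
OBJECTS: Dict[str, List[str]] = {
    "LAN": ["10.0.0.0/24"],
    "DMZ": ["192.168.50.0/24"],
    # Hypothetical group holding every local subnet behind the gateway.
    "Encryption_Domain": ["10.0.0.0/24", "192.168.50.0/24"],
    "Any": ["0.0.0.0/0"],
}


@dataclass
class Rule:
    rule_id: int
    name: str
    src: str                      # object name for the source match
    dst: str                      # object name for the destination match
    negate_dst: bool = False      # True -> "destination NOT in dst"
    services: Optional[Set[str]] = None   # None -> any service
    action: str = "Drop"


def in_object(addr: str, obj_name: str) -> bool:
    """True if addr falls inside any network of the named object."""
    ip = ip_address(addr)
    return any(ip in ip_network(net) for net in OBJECTS[obj_name])


def rule_matches(rule: Rule, src: str, dst: str, service: str) -> bool:
    """Evaluate one rule against the packet tuple."""
    if not in_object(src, rule.src):
        return False
    dst_hit = in_object(dst, rule.dst)
    if rule.negate_dst:
        dst_hit = not dst_hit
    if not dst_hit:
        return False
    if rule.services is not None and service not in rule.services:
        return False
    return True


def policy_test(rules: List[Rule], src: str, dst: str, service: str) -> dict:
    """First matching rule wins; fall through to an implicit default drop."""
    checked = []
    for rule in rules:
        checked.append(rule.rule_id)
        if rule_matches(rule, src, dst, service):
            return {"rule_id": rule.rule_id, "name": rule.name,
                    "action": rule.action, "checked": checked}
    return {"rule_id": None, "name": "default", "action": "Drop",
            "checked": checked}


# Constructed rule base: specific allows first, an explicit clean-up rule last.
RULES = [
    Rule(1, "LAN to DMZ web", "LAN", "DMZ",
         services={"HTTP", "HTTPS"}, action="Allow"),
    Rule(2, "LAN to Internet, scan HTTPS", "LAN", "Encryption_Domain",
         negate_dst=True, services={"HTTP", "HTTPS"}, action="Allow"),
    Rule(3, "Clean-up", "Any", "Any", action="Drop"),
]

if __name__ == "__main__":
    for pkt in [("10.0.0.5", "192.168.50.10", "HTTPS"),
                ("10.0.0.5", "93.184.216.34", "HTTPS"),
                ("10.0.0.5", "192.168.50.10", "SSH")]:
        print(pkt, "->", policy_test(RULES, *pkt))
```

Rule 2 is the "not Encryption_Domain" case: a LAN host going to a public address is not inside any local subnet, so the negated match succeeds and the traffic is allowed; the same host going to the DMZ over an unlisted service falls through rules 1 and 2 and is caught by the clean-up rule. Reading the `checked` list alongside the verdict is the part of a policy test that actually saves troubleshooting time.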

  • It has been more than a year since this post was published.  2017-1-25 in fact.  Maybe some will dare to take time to re-read it.  Gives the impression we are stuck frozen in time.


  • In reply to Big_Buck:

    Funny, I was thinking the same thing.  What ever happened to 17.5?  We were one of those customers that made the decision to go to Sophos based off UTM, but by the time our budget money hit, XG was the latest, so we ended up with the first generation.  Long story short, those devices are still in the boxes on the shelf waiting on software that does what we need.

  • In reply to Big_Buck:

    I read it again. Couldn't agree with you more. Things aren't moving fast enough. 

  • In reply to RJRiemensnider1:

    Convert your XG license to UTM ("downgrade" in Sophos parlance, when it's the opposite) and use your hardware with a proper working UTM software.


    XG development is too slow and it does NOT yet have usability and feature parity with UTM, even though UTM has been completely abandoned

  • In reply to Big_Buck:

    You're right, it's been a while since this post, and feature-wise, only v17 has shipped since then. Looking back at the past year of development and releases, we started off with XG in a bit of a rough place from a quality standpoint. It was generating more support calls per customer than it should have, for several reasons. Some of it was just because the platform is very different from UTM9, but a big portion was driven by issues in the software. We needed to make some improvements to how we write software before we raced ahead much faster.

    We've spent a great amount of effort making sure that the foundation is solid, even getting to a point where XG's measurable quality exceeds UTM9 and other Sophos products. We then moved on to v17 and further feature development, while also holding to higher quality standards. We took a hit on feature velocity while we did that, so yeah, we have taken longer to get to where we are now than we wanted to. As a result, we decided to add a few smaller feature releases to hold users over until v18 is ready. v17.1 will ship in the coming weeks, and v17.2 and .3 will follow later this year, each making asked-for improvements and adding important new features. 17.1, for instance, among many other things, will allow configuration of the SSL VPN port. You should see some increase in feature velocity this year.

  • In reply to AlanT:

    Hi AlanT and thank you for the update.

    Increased velocity of small additional features does not help the user base when there are many broken/missing things in the existing software that do not appear to be addressed between releases.


  • In reply to AlanT:

    Alan, I really do appreciate your answer; however, users face real life.  And being unable to provide reliable VPN, among many other things, for months, and now more than a year, is financially unbearable ... Anyone's business requires reliable Internet access. It is not just a wish.

    Quality control ??? I kindly ask you to read this one: https://community.sophos.com/products/xg-firewall/f/firewall-and-policies/98440/clean-up-rule-from-any-to-any-drop-that-s-allowed-on-the-internet-anyway-wtf

    And then this one.  Much of the same.  Happens a year later as well !!!: https://community.sophos.com/products/xg-firewall/f/firewall-and-policies/101877/xg-reporting-problems-yet-again-firewall-accepting-forbidden-traffic.

    It is pretty sad for me to write I do not bother to raise tickets anymore since it has solidly proven to be absolutely useless so many times.

    The support we have paid last year was for what after all ?  

  • In reply to AlanT:

    AlanT: your update does not help in the slightest and is a slap in the face for any paying customer who has been trying to get XG rolling over the last year. Push UTM now or lose a lot of customers forever.  This all feels like marketing talk without any substance, which has been promised over and over again. In 1.5 years we will be up with two subscriptions on the UTM train, and I don't see XG having any appeal, and we will have to question whether the costs for UTM are still justified over a product that has been in a coma for a while now thanks to XG crap. How about some roadmaps for UTM for us paying customers?

    Custom VPN Port? Seriously you advertise this as an improvement? ... we had this for YEARS on UTM.

  • In reply to Big_Buck:

    Please PM me any cases you did report on this. What you describe in those threads is not possible, unless something is horribly wrong with the configuration on the system. The logs showed rule ID 3 with an action of Allow, but your screenshot showed rule ID 3 with an action of Drop, and a traffic counter that shows 0 bytes of traffic in one direction. This suggests that the rule is not permitting anything to pass, or both directions would be non-zero. If traffic is still being logged in association with that rule as allowed, then there is something wrong that other users aren't reporting. If you can share a related case number with me, I will dig into it with support and engineering, and see where the issue may be.

    As for measurable quality, you will always be able to point to some issue and say "but what about this?" When I say we are measurably at or better than UTM9, it means that XG causes fewer calls to support per install, fewer escalations per number of cases, and fewer bugs per number of installs. XG quality is measurably improved over previous versions, as well as UTM9.

  • In reply to AlanT:

    Dear All

    My understanding from forum quotes is that those coming from the Cyberoam world and those coming from the UTM world feel XG is not up to the mark, and soooo on, 'a mixed reaction'. My personal user experience is very good except for some hiccups on the VPN side. Overall build quality has been improved throughout the last year. Integration with the endpoint is a killer feature. I am able to safely manage more than 500 users with a one-person army. Looking forward to a good product roll-out this year from Sophos Stable.

    Best Regards,