XG v17: what's coming next

Hi Everyone, 

You're all overdue for an update on current and next steps, so I wanted to take some time to share a brief update. Since v16 launched last year, we've seen a huge increase in deployments worldwide! It's great to see that the feedback and effort you've provided have really been helpful in shaping a successful v16 launch! Thank you to everyone who has used XG and shared your feedback. It's been immensely valuable, and a big factor in the success thus far.

We've also launched v16.05 (Also called 16.5 sometimes, by lazy people like me..) which closed off the last high-level feature gap between XG and UTM9. I've seen some questions on why this release didn't contain more, so I'll take a moment to go over why we released only what we did.

Earlier in 2016, we launched Sophos Sandstorm on both UTM9 and Sophos Web Appliance, to MUCH greater success than we had initially expected. This resulted in far greater demand to launch it on XG, and left us with a tough choice. We could delay v16 significantly, or leave Sandstorm until v17, as originally planned. We believed that delaying v16 by even a few more months, would have caused significant problems for our existing XG partners, and waiting until v17 to launch Sandstorm was just too far out. With that in mind, we looked at what it would cost to deliver Sandstorm sooner. Our web and email teams were already going to begin working on Sandstorm as soon as they finished with v16, so if we limited the features in a release to just Sandstorm, a 16.05 release was possible, without causing a meaningful delay to v17. If we included more features, quality testing would take too long. With this in mind, we decided to launch a highly focused 16.05 release, dedicated to delivering Sophos Sandstorm by end of December. This would get 16 out when it was needed, and also get Sandstorm out close enough to the 16 launch, that we could reduce the problems caused by 16 not having it. So far, the decision has proven to be justified, as the launch of 16.05 has significantly accelerated the already fast growing v16. This sort of smaller feature release, on a fast timetable, isn't something we normally want to do - but in this case, the circumstances called for it.  

While our web and email teams were working on v16.05, the rest of our teams began working on v17, and we're marching towards a beta start around April or May. I can't go into too much detail on all of it just yet, but here are some of the highlights of what you can expect:

  • Troubleshooting and Visibility
    • Improved log viewer v2 - Unified view of all log sources, better filtering and searching, improved readability and display of log contents, unified view of live and historical logs
    • Improved Log Retention - Persistent storage of logs, retained for 1-2 weeks, to improve troubleshooting issues that are days old
    • More insightful log contents - firewall logs will now log meaningful reasons for "invalid" packet drops, web logs will include more details for troubleshooting
    • Rich Policy Test - Enter criteria to check, such as source, destination, user, etc., and find out what firewall rule will allow or block it, what policies will be applied, and for web traffic, a full analysis of what rule within the web policy will be matched, and what action will be shown to the user
  • Firewall Rule Management - slimmer layout, custom grouping, cool design
  • IPsec VPN engine Improvements - IKEv2, Suite-B protocols, Reliability Upgrades
  • NAT Business rule improvements - Object based, more familiar to UTM9 users, more powerful
  • Synchronized Security - changing game for application control
  • Email - UX Improvements, Spam improvements, Outbound relay
  • Web - streaming improvements, faster content filtering
  • Zero-touch firewall deployments (not strictly part of v17, but part of a parallel project)
  • Licensing and Registration - more usable, less mandatory

This forum has a heavy hand in what shapes our roadmap, but it isn't the only source. For example, I and other PMs have frequent calls with customers and partners, and even competitors' customers and partners. Usability study participants, Sophos support, and ideas.sophos.com also contribute valuable feedback. Quite often these sources are at odds with the community feedback. It rarely differs in whether a feature is desirable or not, but it often differs in importance, and we have to factor all of it into our planning.

I mention this, because I know that after reading the above list, there will be immediate questions about "what about feature X?", or "Why not feature Y?". To that, I say:

  • If we're not doing it in v17, we're more than likely still planning it, but the order of priority might be different than you prefer
  • Some of you will disagree with one feature being chosen over another, and perhaps even disagree very strongly. Just know that this doesn't mean we're ignoring your feedback. The majority of the features and focus of v17 are driven by requests coming from these forums. We're listening!
  • The above list isn't exhaustive, or detailed. What you're looking for might still be planned for v17, but I can't outline all the details just yet. Stay tuned for the start of beta.

Finally, I want to call out a group of features I know you're going to ask about: renaming/disabling interfaces, and other objects. It's obviously important, and highly desired in the community. Some more enabling/disabling options may be added in v17, but not interfaces, and there won't be improvements in what you can rename just yet, either. I know it's a big annoyance for some of you not to have those features, but we need to do it right. (Bring on your Apple copy/paste analogies.. :) ) I worked with the teams to see if we could come up with a plan that included at least interface enabling/disabling in v17, but it wasn't practical. There are hidden costs that aren't obvious, and there are also other projects in the works that will significantly reduce those costs. At the risk of being too much of a tease in this post, we have a plan to implement enable/disable, renaming, and many other UI usability niceties everywhere. It depends on completing a project that's been in the works for a while, that I can't discuss just yet. Rest assured, it's all coming, and you're going to like the results! Be patient, and stay tuned!

Best Regards,

Alan Toews

Sr. Product Manager, XG Firewall

One last tease..

  • In reply to AllanD:

    I think every piece of software has bugs and problems.

    What also has to be said here is that I haven't read anything about security vulnerabilities in XG, while I have heard a lot about security problems in Sophos UTM, Cisco, or Juniper firewalls!

    I understand the main problem, but VPN isn't that important to me, because we aren't using VPN.

    I've personally used UTM for lots of years, but after some testing I prefer the UI of XG over UTM. I think it is more intuitive and much more logical than UTM's "WebAdmin".

    I also like the way rules are built on XG. It allows much more precise rules than UTM, e.g. setting different application control rules and IPS rules on different VLANs or subnets. That's why it is possible to customize IPS to have far fewer false positives.

    P.S.: As you can read here, there are also customers talking about UTM bugs too! https://community.sophos.com/products/unified-threat-management/f/vpn-site-to-site-and-remote-access/101989/many-sophos-utm-9-issues

    When is the release for XG 17.1 planned?




  • In reply to Mast_01:

    I didn't know we could.  Do you know where we go to request this?  I don't see it in the management portal.

    I recently gave away one of our XG115s, new in the box, that we did not use, and they ended up giving it back as it was not intuitive; they ended up using pfSense.

  • In reply to RJRiemensnider1:

    Hi folks,

    Looking for updated news on the release of v17.1?

  • In reply to rfcat_vk:

    A Sophos support engineer I spoke to said early May 2018 :)

  • In reply to envercpt:

    Ugh, originally it was mid-April. I'm guessing there were a few issues yet. Well, I wish it would happen sooner, but I also want a nice release without issues, so I will sit and wait somewhat patiently. :-)

  • In reply to Scott_D_L:

    This is not quite true. The first announced date for v17.1 was January this year, and for the next version, v17.2, the first announced date was April this year.

  • In reply to alda:

    Yeah, I hear you. I was referring to what a support engineer told me several weeks ago in an open ticket I had. To be fair, he did say that this was subject to change depending on how the release was looking.

  • In reply to Scott_D_L:

    I'll write it again ... What's in 17.1 that the rest of us actually need? According to the plans, nothing interesting for the rest of the year (all of 17.x), which means not before May 2018. Sorry.

    Paul Jr

  • In reply to Big_Buck:

    Hopefully a lot of fixes for the broken stuff.
  • In reply to rfcat_vk:

    Indeed, one would hope to see all the IPsec issues cleared up in this release.  

  • In reply to Big_Buck:

    I can't wait to change the SSL VPN port, which is in this release.

  • In reply to Bill Roland:

    Yes.  This has been 6 or 7 releases that intended to fix VPN ... Why would this one be different ?

    Bug fixes for VPN are not mentioned much in the list. We can only speculate.

    That said, I have found yet another "incredible bug".  I thought my VPN was going down just because of VPN multiple issues.

    Guess what??? I found the WHOLE internal network falls. Meaning all internal subnets on all Ethernet ports. For example, if I fail to ping on port 2 while the corporate VPN is down (which happens many times per hour), then at that particular moment, all of my other internal subnets are also down. For something like two minutes.

    Among many other things, it starts to smell like bad Ethernet controller selection with problematic drivers on Sophos hardware appliances. Much like the first-generation Microsoft Surface Pro, or general-purpose multiport hardware appliances with very cheap Chinese Ethernet controllers.

    Paul Jr

  • In reply to Big_Buck:

    I posted it on another forum, I just repeat it here.

    The next picture speaks for itself about how badly networking is implemented on XG. I mean VERY VERY VERY BAD. It shows two simultaneous pings. One of our firewalls' main internal address is  On the left image, I ping from a desktop. On one of the subnets we have on that particular firewall, the firewall has IP address ...  It is not only VPN that freezes. All networking freezes. In other words, our ISP has nothing to do with it. It does that on all XGs we have installed. Look at this :) :) :)

    At the moment reconnects, all other subnets and the internet reconnect. Hard not to swear and remain polite. This happens many times a day. On all our firewalls, whether they are connected together via VPN or not.

    Imagine now if I had put IP telephony on that thing ... Oops. Forgot to mention. IP telephony has its own Mikrotik firewall on the same WAN subnet as the XG firewall. It NEVER (read my lips ... NEVER) goes down. Further proving our ISP has nothing to do with that disgraceful situation. At our other location, IP telephony is set up much the same. On the WAN LAN, both are within the same 8-IP-address subnet. Again. Read my lips ... It NEVER goes down.

    No.  XG is years away from being fixed.  And clearly not enterprise ready. 

  • In reply to Big_Buck:

    Yes, a number of people have noticed that issue and posted on the forums. Reminds me very much of MS Excel, which locks up the PC while waiting for a response/entry in a cell.

    I suspect that will be fixed because one of the other posters pointed out that the VPNs do not automatically renew a connection if the external network fails and then restores. IPv6 does the same thing.