XG v17: what's coming next

Hi Everyone, 

You're all overdue for an update on current and next steps, so I wanted to take some time to share a brief update. Since v16 launched last year, we've seen a huge increase in deployments worldwide! It's great to see that the feedback and effort you've provided has really been helpful to shape a successful v16 launch! Thank you to everyone who has used XG, and shared your feedback. It's been immensely valuable, and a big factor in the success thus far.

We've also launched v16.05 (Also called 16.5 sometimes, by lazy people like me..) which closed off the last high-level feature gap between XG and UTM9. I've seen some questions on why this release didn't contain more, so I'll take a moment to go over why we released only what we did.

Earlier in 2016, we launched Sophos Sandstorm on both UTM9 and Sophos Web Appliance, to MUCH greater success than we had initially expected. This resulted in far greater demand to launch it on XG, and left us with a tough choice. We could delay v16 significantly, or leave Sandstorm until v17, as originally planned. We believed that delaying v16 by even a few more months, would have caused significant problems for our existing XG partners, and waiting until v17 to launch Sandstorm was just too far out. With that in mind, we looked at what it would cost to deliver Sandstorm sooner. Our web and email teams were already going to begin working on Sandstorm as soon as they finished with v16, so if we limited the features in a release to just Sandstorm, a 16.05 release was possible, without causing a meaningful delay to v17. If we included more features, quality testing would take too long. With this in mind, we decided to launch a highly focused 16.05 release, dedicated to delivering Sophos Sandstorm by end of December. This would get 16 out when it was needed, and also get Sandstorm out close enough to the 16 launch, that we could reduce the problems caused by 16 not having it. So far, the decision has proven to be justified, as the launch of 16.05 has significantly accelerated the already fast growing v16. This sort of smaller feature release, on a fast timetable, isn't something we normally want to do - but in this case, the circumstances called for it.  

While our web and email teams were working on v16.05, the rest of our teams began working on v17, and we're marching towards a beta start around April or May. I can't go into too much detail on all of it just yet, but here are some of the highlights of what you can expect:

  • Troubleshooting and Visibility
    • Improved log viewer v2 - Unified view of all log sources, better filtering and searching, improved readability and display of log contents, unified view of live and historical logs
    • Improved Log Retention - Persistent storage of logs, retained for 1-2 weeks, to improve troubleshooting issues that are days old
    • More insightful log contents - firewall logs will now log meaningful reasons for "invalid" packet drops, web logs will include more details for troubleshooting
    • Rich Policy Test - Enter criteria to check, such as source, destination, user, etc., and find out what firewall rule will allow or block it, what policies will be applied, and for web traffic, a full analysis of what rule within the web policy will be matched, and what action will be shown to the user
  • Firewall Rule Management - slimmer layout, custom grouping, cool design
  • IPsec VPN engine Improvements - IKEv2, Suite-B protocols, Reliability Upgrades
  • NAT Business rule improvements - Object based, more familiar to UTM9 users, more powerful
  • Synchronized Security - changing game for application control
  • Email - UX Improvements, Spam improvements, Outbound relay
  • Web - streaming improvements, faster content filtering
  • Zero-touch firewall deployments (not strictly part of v17, but part of a parallel project)
  • Licensing and Registration - more usable, less mandatory

This forum has a heavy hand in what shapes our roadmap, but it isn't the only source. For example I and other PMs have frequent calls with customers and partners, and even competitor's customers and partners. Usability study participants, Sophos support, and ideas.sophos.com, also contribute valuable feedback. Quite often these sources are at odds with the community feedback. It rarely differs in whether a feature is desirable or not, but it often differs in importance, and we have to factor all of it into our planning. 

I mention this, because I know that after reading the above list, there will be immediate questions about "what about feature X?", or "Why not feature Y?". To that, I say:

  • If we're not doing it in v17, we're more than likely still planning it, but the order of priority might be different than you prefer
  • Some of you will disagree with one feature being chosen over another, and perhaps even disagree very strongly. Just know that this doesn't mean we're ignoring your feedback. The majority of the features and focus of v17 are driven by requests coming from these forums. We're listening!
  • The above list isn't exhaustive, or detailed. What you're looking for might still be planned for v17, but I can't outline all the details just yet. Stay tuned for the start of beta.

Finally, I want to call out a group of features I know you're going to ask about. Renaming/disabling interfaces, and other objects. It's obviously important, and highly desired in the community. Some more enabling/disabling options may be added in v17, but not interfaces, and there won't be improvements in what you can rename just yet, either. I know it's a big annoyance for some of you not to have those features, but we need to do it right. (Bring on your Apple, copy/paste analogies.. :) ) I worked with the teams to see if we could come up with a plan that included at least interface enabling/disabling in v17, but it wasn't practical. There are hidden costs, that aren't obvious, and there are also other projects in the works, that will significantly reduce those costs. At the risk of being too much of a tease in this post, we have a plan to implement enable/disable, renaming, and many other UI usability niceties everywhere. It depends on completing a project that's been in the works for a while, that I can't discuss just yet. Rest assured, it's all coming, and you're going to like the results! Be patient, and stay tuned!

Best Regards,

Alan Toews

Sr. Product Manager, XG Firewall




One last tease.. 


  • What about DHCP Relay? It worked for a few days and suddenly stopped working without any reasons.

    Will it ever be fixed?


  • In reply to Giuliano Pelliccia:

    XG SFOS v17.0.7 mr7   A picture tells all ...  It is like this here all day long.  Many times per hour.  We are not even talking about VPN !!! We are talking about basic networking problems I suspected our ISP could partially be responsible for.  The thing is, our IP phone system is on the same router as our XG firewall.  Those phones never fail.  IP phones are very sensitive to latency on top of it.  If you look at the traffic chart, you see it is very quiet.  So it is not a matter of bandwidth.

    Absolutely painful !!!

  • In reply to Big_Buck:

    Have you escalated this to Sophos support? Out of interest, what's the error on your interfaces?

  • In reply to envercpt:

    I do not escalate anything to Sophos much anymore.  It has proven for so many months, and on countless occasions, to be a colossal waste of time. It never ever fixes anything. I have wasted around 1000 hours with Sophos in the last 20 months.  The forum here is the only chance to fix something.

    Error shown is interface 2 (Port2_GW) down again.  It is bipolar.  Up down up down up down down up up up down up down down down up.  

    Edit: It is getting down more and more often because what this "STATUS" actually shows, I believe, is only the result of the fail-over rule, in "Network" / "Wan-link-Manager" / "Fail-Over Rule".  In our case: "ping our ISP router".  More a heartbeat than anything else.  This ISP Netopia router is increasingly getting allergic to the XG210.  But not the Mikrotik Firewall on the same subnet used for IP Phones. Adding Google's DNS greens it up, but then, the networking problem remains entirely.

  • In reply to Big_Buck:


    As per my previous comment I left here. Support would like to assist in troubleshooting your issues, but please help work with us by raising a support case.

    Nonetheless, if you prefer troubleshooting with the help of our community, I would suggest starting a separate thread consolidating all of your related information. This would make it easier for our community to follow along and assist you.


  • In reply to Big_Buck:

    We have seen this same issue and it comes and goes. We have opened tickets and have gotten nowhere, basically told they didn't see any issues or why it was happening.  We did get other issues they found debugging this fixed.  But randomly we have the same issue and we restart authentication service and sometimes that fixes it.

    But I find support as well to be slow and non responsive.  I have had a ticket open for several months just keep getting passed around and been two weeks with zero response and I keep pinging them for an answer.  

    So yes I agree you need to open a ticket but also agree it doesn't seem to go anywhere.

  • In reply to BrettMcNerney:


    I apologize for your negative experience with our support team. I would like to help and look into this for you. Please PM me with your support case numbers so that I can review and follow up.


  • In reply to FloSupport:

    I know that's no consolation to him, but for whatever it's worth I have not experienced any problems of the scale or type Big_Buck has had and I'm sorry he has encountered so many issues.  

  • In reply to Bill Roland:

    Bumping this thread.  It is more relevant than ever to hear what's coming next.

    By the way, concerning the problem described earlier in the post, Sophos XG and Cisco RV325 routers seemed incompatible.  We have decommissioned the Cisco and connected XG directly to our ISP.  And created a separate network for IP telephony ...

  • Was curious to know if anything was happening on the OTP for WAF side.

    This option was available with UTM and it badly looks like as if UTM will be phased out before XG supports it again.

    It's something I miss quite badly to say the least

  • With all that is said on this, I have used the XG on and off through various versions, but it hasn't stuck (too many issues to fix/update), it does seem since the new release came out, there have been a lot of improvements, which means I am now starting to use XG as choice.

    Parity between UTM & XG still has a way to go before everyone is working correctly, but it is completely different since I started with v15.

    Keep it up, maybe v18 will be the game changer (I can't wait!).


    p.s. if you need a v18 beta tester I will happily stick up my hand.... :)

  • In reply to Big_Buck:

    Time to bump this thread.  Last time this year :) ...

    V18 coming ?

    Paul Jr

  • In reply to Big_Buck:

    What new features / bug fixes are you after?

    Mac based authentication would be great for me!

  • In reply to M8ey:

    Mac based clientless authentication should be possible for the next MR version I hope. Cool

  • In reply to M8ey:


    Read here: https://community.sophos.com/products/xg-firewall/f/sophos-xg-firewall-general-discussion/100440/xg-firewall---roadmap#pi2151=3

    Paul Jr


    1. Logs are still helpless. 
      1. Would be nice we had something that compares to Checkpoint ...
      2. Some shy improvements in v17.5.
      3. The best would be a direct link with Wireshark while logs become acceptable in a future version.
    2. STAS needs a complete remelting. 
      2. Instead of going through all those ports, registry keys, etc. nonsense setups ?
    3. XG as an NTP is a basic requirement.  Should have been done long ago.
    4. Full features DHCP.
      1. At least we could point desktops to 2 or 3 trustable NTPs.
      2. Pooled NTP web sites is such a nonsense to me.
    5. 2017 and 2018 were dedicated to bug fixes and stability almost exclusively.  Seems to me the real improvement this year was the MTA.
    6. Hope 2019 will bring us on par with the competition.