v16, what is still missing!

I wanted to create this post to share my impression of XG after a month of testing. I can say that v16 is a nice improvement over v15 but some basic features/improvements are still missing:

  1. More log details (the log section has been improved but is still confusing. There are few categories (not even in alphabetical order), and invalid traffic should be split into more categories or provide more information)
  2. Interface management: enable/disable is still not possible (apart from assigning the interface to a none zone). Refreshing the DHCP lease on a WAN interface is not possible
  3. Flow monitor needs to be improved. We have live connection but flow monitor from UTM is really missing. Inside the live connection tab there is not even the total of each column so you do not know if you are saturating your WAN connection.
  4. DHCP enable/disable: if for some reason you have to disable your DHCP server, you have to delete it and you will lose all the DHCP reservation records
  5. DNS availability group: something really used in mid-size installations.
  6. IMAP/POP3: more actions are still missing. Changing the header is not enough for some customers that do not want to even see confirmed spam email (which will fill their mailbox too) why?
  7. VPN tabs: Alan said that VPN will be redesigned. Absolutely needed. Now it is a bit confusing for non-advanced customers. All tabs are in the same location (site to site and remote access)
  8. Export XG configuration for auditing: exporting the XG configuration in a readable format is something that I am really missing for auditing purposes. In some installations, XG will not fit.
  9. VLAN: unable to configure a native VLAN on a physical interface. Layer 2 VLANs are also needed
  10. Bridge improvements: XG deployed in bridge mode has some known limitations. UTM does not have the same limitations.
  11. NAT is still confusing. Improve NAT aspect.
  12. Interface menu and options: make sure that they are correctly in A-Z order. Customers will not appreciate this.
  13. Custom dashboard: it is too static at the moment and more info is missing: latest AV/pattern updates, in/out interface graphs
  14. Graphs: why do the graphs not report the time on the X axis? Going to the control center and scrolling down to the bandwidth graph, for example, does not tell you when that peak occurred. Really strange!
  15. Monthly report scheduling is missing. 
  16. Reset alerts on Dashboard and services status
  • This release, the first feeling, is more stable

    Mainly about RED.

    In Beta1, RED between two units was restarting over and over.

    Now it is more stable.

    Regards,

  • Hi LFerrara,
    I think that if we are speaking about advanced feature, you miss the real requirement.
    - 1 LAG/LACP with VLAN
    - 2 HA Improvement on stability and configuration if you do it remotely
    - IKEv2. Not possible to wait more time
    - NAT-T on VPN
    - Export/Import tools from other vendors or something to improve massive object import
    - NAT Separated from ACL
    - Management Routing table different from device
    - Logging and logging and more logging. Enterprises need easy troubleshooting without jumping from log to windows/menu/logs/cli
    - Advanced security features: Rate Limiting, session timeout, etc.
    - POP3/IMAP/SMTP, in Enterprise you must separate the roles from the firewall.
    - iView with the possibility to see every log in native log format
    - Labeling interfaces.. if you have 10 interfaces and some VLANs it is not easy to play with the PortX name
    - Security Services Exclusion from some rules.. for example a rule that allows DR Sync. XG, if you disable Sec services, always checks IPS.. a little, but it checks something....
    - and many more, but these are the needed ones
    I agree with you for:
    - Bridge or better for my customer wire mode ;-)

    I think PM are working a lot to offer us a big and fantastic SFOSv16

  • In reply to GiordanoZambelli1:

    Giordano, thank you for your contribution. In my opinion there are some features/improvements that should be inside the XG really soon. I missed IKEv2 (I wrote it down on my notepad). Now in some mid-size installations it is not even possible to propose XG. Your suggestions (which I trust) are for big installations (and there are even other requirements like Virtual Firewall, SMTP Multiple Ehlo, etc...)

    Also, my intention is to collect points of view from different users.

  • In reply to lferrara:

    Missing error report on why a policy is not used. I can't get my blocked countries policy to work and there is no obvious error or reason.

    The ability to create a dummy network so you can send unwanted traffic to it, e.g. from banned countries.

  • Agree mostly with what others have said. I can't agree enough with logging improvements. It's hard enough troubleshooting certain installations and without proper logging, it becomes even harder.

    Another thing I would like to see is further improvements in the GUI. I have to admit that v16 is a huge improvement over v15. However, Sophos, in their perpetual need for accomplishing ALL tasks with one or two clicks, are still making some parts of the GUI more difficult than they have to be. I know that more finishing touches are coming in public beta but the one or two click philosophy, although good on paper, is not really factual in practice.

    For example, the MTA can be enabled by one or two clicks but then, you have to tune the Policies at two completely different headings under

    Protect -> email -> policies and Protect -> Firewall -> Firewall Rules.

    While we created one policy with one or two clicks, now we have an additional policy created somewhere completely different that needs to be configured. This is just bad planning on the layout.

    Same thing goes for the logging (although AlanT has suggested that there are some logging changes coming). You can change the behavior of what is being logged for the MTA under Protect -> email -> mail logs but what is actually being logged is configured by Configure -> system services -> log settings.

    Same problem with ACLs. The ACLs are controlled for each PORT (By the way, ifconfig Port1 and not ifconfig eth0?? (who is the genius behind that??)). So now, you have to enable your MTA with a few clicks, fix logging with a few clicks, then go to firewall policies and fix those policies. Then go to Global logging and check that the logging is enabled and then check if the ACL policy that you have for the port matches the service you are trying to configure. THIS IS NOT ONE OR TWO CLICKS. This looks like things added on top of things that already existed. Sub menus thrown wherever some dev thought they should go. No relationship to the daemon you are trying to configure and most definitely NOT Security made simple.

    I would rather see more nested menus under one heading than going back and forth and changing different things that are maybe there for a reason but to an end user look like a bunch of randomly scattered menus.

    I am glad that you are patiently watching XG grow. However, it seems we want to kick the ball down to v17 for certain things. I think that is unacceptable. Let's work on v16 and make it the best that Sophos has to offer and then improve it further in v17. I was hoping v16 would make me want to switch from UTM9 to XG. Let's remember that the basic menu layout of UTM hasn't been changed since v8, probably v7, which was released almost 10 years ago. We should be excited to see a newer, sexier, easier layout of XG but sadly, it's still too complicated and a mess.

    Regards
    Bill

  • In reply to Billybob:

    Bill,

    Reading your post makes me cry.

    UTM is another product and was developed by another group. As for the GUI, all of us will agree with you that it is the best and most well organized ever. If you see other UTM GUIs, most of them are messy.
    XG is not bad now (compared to v15) but what I do not like is the principle of a big menu and all tabs. I wrote in another thread:

    https://community.sophos.com/products/xg-firewall/v16beta/f/175/t/78150 where I said that sub-menus are needed. Read the answer!

    UTM is great because first you choose the menu needed > the sub-menu > fill in the tabs, which are related to each other. This is very important because you follow a path to fill in the options and the wizard is built-in.

    In XG this does not work like that. The menu I like in XG is the Web Filtering but in my opinion each menu should not have more than 5/6 TABS. What will happen when more features need to be added to the same menu? Another TAB? So inside a menu 11/12 TABS without a relation.....this is very sad and I hate this way to see "Security made simple!". UTM was simple. It has some big limitations, but in terms of GUI, there is no one that can compete with it.

    Apart from the GUI, troubleshooting is still a nightmare. Yesterday, for example, XG failed to send an email to my account but the reason, where is it? I do not want customers to call me all the time because troubleshooting is not clear, and it does not make sense to run grep or find commands inside the XG command line.
    When rebooting the appliance you lose all the logs inside the log viewer, and log files inside the XG (/var/tslog/....) do not respect the services they should (some of them log everything).

    Drop-packet-capture is a great command but understanding if it is the IPS policy or web filtering that is blocking the traffic is not simple.

    We support Sophos because we sell it and have followed them for 10+ years but XG is not a nice product yet. Too many things are missing and the GUI is difficult to digest.

    I do not understand why they did not use sub-menus. More features, more tabs.

    I am looking forward to seeing the new VPN that will come into next release. Now VPN is a mess and when I have to configure it, I regret UTM.

    The time will prove Sophos's XG project right?

  • In reply to lferrara:

    Hi luk, I don't want to be too critical of Sophos and unload all my frustrations at them, but you are correct in your analysis.

    From Alan's response in the other thread, I will agree that policy based webfiltering is very easy in XG. However, after they figured out how to configure webfiltering/IPS/AV/Users/NAT on one page in XG, they started adding more menus. This is where the problem comes in and for some reason it feels like you are not following a smooth, clearly thought out flowchart when trying to work with XG. Problems that you have mentioned and I have pointed out above are just a small sample of confusing layout. While these items may seem ok to Sophos, to an end user, the placement and layout seem illogical and poorly thought through.

    The non-intuitive user interface was the main problem with XG in v15 and while better in v16, is still not the best. As long as they keep changing the basic user interface layout after every major release, they will keep on adding to the confusion. Sophos should really listen to their user base, seriously consider their input and FIX the UI right now in v16 instead of waiting till v16.5 or v17. Complete rewrites of the UI bring unnecessary difficulties to administrators, more bugs to sort through, and an open invitation to users to shop for competitors' products. Although I have enjoyed every version of Windows since 2000, people call multiple versions of Windows a complete failure mainly because the start menu was not behaving as they expected.

    I know we are being promised more beta releases before GA and anything else will be fixed in v16.5 and more difficult stuff will be tackled in v17 but isn't that what we heard during initial SFOS beta? We will follow aggressive releases... fix most of it during beta... most of the stuff will be fixed by GA... wait till MR1... v16 would take care of it and so on. I am not a developer so it is easy for me to criticize, but from an end user standpoint, XG is so close yet so far away from being a great product that one would expect from Sophos.

    Regards

    Bill

  • In reply to Billybob:

    Hi all,

    I agree with both of you. My own experience with Astaro/Sophos UTM goes back to v3.1, and I agree that the basic menu changed only minimally between versions. But what the GUI had from the beginning was intuitiveness. You did not have to be a network guru but you were able to set up a firewall rule, SNAT/DNAT, IPS, SMTP proxy etc.... And it was something that our customers and partners appreciated and valued.

    I think that in the last 10+ years I have also gained a lot of experience with other UTM implementations but the XG GUI implementation seems to me the least user-friendly. I do not see simplicity and intuitiveness in the XG GUI, it's slipped ...

    What I also greatly miss is the friendliness of developers to implement features that we still lack and always ask when they will be implemented again and again (enable/disable/rename interface or please see luk's list at the beginning of this thread).

    I sometimes have the impression that the developers play with us the Disney's grotesque Tom and Jerry .....

    alda

  • I hear the feedback, and am not generally disagreeing with it. There is improvement to be done. There are requests for many features, which we generally agree with, and are working hard to implement. Though even with hundreds of developers around the globe, constantly working to improve everything, we are still limited in what we can accomplish in a single release. We must be specific in our goals, to make sure that we are targeting priorities in the correct order. The changes you see in beta, are the result of constant development, since November. The changes in web alone, took two entire development teams, six months to build. Adding more major features at this stage would mean many months more work before release, and the sheer volume of demand from our partners and customers won't tolerate that. 

    We have to prioritize changes, and tackle them in order, and features are always more expensive than you think they will be. Something that you think might be small, like renaming interfaces and other objects, turns out to be quite expensive, because it requires some improvements to the config model that we haven't finished yet. Our ultimate goals are to tackle the features being mentioned here, but it isn't practical to get all of it done at once. Also, delaying until it was all done isn't possible.

    The business goals set out for XG v16 were to build a quality release that is feature-competitive with UTM9, offer material advantages over UTM9, and offer a dramatic user experience improvement over XG v15, while persuading some, but not even most UTM9 users to make the switch. Persuading every, or most UTM9 users to migrate to XG isn't the goal yet. UTM9 has a long life with new features ahead of it, so we can take our time, and get it right.

    If you answer the question again, based on the business goals set for XG, what changes?

  • In reply to alda:

    alda

    I sometimes have the impression that the developers play with us the Disney's grotesque Tom and Jerry .....

    It's unfortunate you feel that way, but please consider that we can't do everything at once. We must prioritize which is most important, and tackle that first. 

  • In reply to AlanT:

    Hi Alan, I agree with you about business needs. The business needs a cutting edge technology to allow them to sell more, but if this technology doesn't work in the field it could be dangerous. I think that SFOS16 with this GUI could be the right base to start with every other option, and if you are able to add half of the features requested previously in the discussion I think your work will be appreciated by both the business and the technical part.

  • In reply to AlanT:

    Alan,

    XG is still not mature for most of the UTM9 installations (apart from 110/120 and maybe 220). Some gaps still exist and they should be addressed soon.

    At least it seems that XG is more stable than UTM. HW resources should also be improved on XG. For example I installed XG v16 on a 110 and the appliance was so slow (CPU at 90-100%) most of the time with no rules and no other configuration.

    After v15, we see that you are improving the product and we are with you to share and test the product, but after some deep marketing from the Sophos website, customers are expecting a "revolution" product. I know this is always a challenge between different OUs inside the company, but after 1 year, the product is still not ready to challenge other UTM vendors (UTM9 too) and this is very important in order to not lose all the ground that Sophos (Astaro) has gained during 10 years.
    Now you have more developers so we hope you have understood all the mistakes you made with v15 and you are ready to speed up from v16 and include all the features that customers/partners would like to see to be competitive on the market (we do not want to leave Sophos and move to another vendor, but if we are constrained.....)

    Personally I like the way you are sharing your issues and limitations with the forum and webinars in beta, but if you had listened to us some time ago (v15 GUI and log) maybe by this time the product would be a little bit ahead.
    Publish a survey where you put all the missing features you have identified and we have shared here, where each of us can rate each missing feature. Give us a total number we can use across the whole survey. This will help you with what we need very very soon. I know it takes time to develop a feature (because many steps exist before the developers start to write the code).

    Still, at the moment, I think many of us are still proposing UTM and not XG.

    As always, this is my point of view!

  • In reply to amarrero:

    What is still missing in the first public beta of V16

    1/. a mail scanning system that works in a timely manner

    2/. a mail scanning system that reports actual values of mail messages received

    3/. country blocking that works

    4/. warnings about why policies are ignored

    5/. IPS that reports real intrusions not imaginary ones.

    6/. Web proxy that works in transparent mode

    This version is way better than v15, but is still not ready to be considered a serious firewall/Next gen whatever.

  • In reply to rfcat_vk:

    Hi Ian,

    Regarding Point 6, Web Proxy is working transparently but it requires MASQ as it needs to route the traffic with the WAN interface of XG, and without MASQ, using the actual source IP, it won't be possible. We had to do a similar configuration in UTM9 also.