
XG complicated and confusing

Hi,

For the last 5 years I've been using the UTM as a virtual appliance at home with the home use license -> max. 50 IPs.
And since every device has an IP, the problem is the limitation of 50 IPs maximum.

So I have to switch from UTM to XG, but that is harder than expected.

I think the web interface is very complicated and confusing.
Some functions are strange, e.g. why do I have to assign an IP to an interface that has only sub-interfaces with VLANs? (keyword native-vlan => /dev/null)

Why do I have to specify a source and destination zone AND a source and destination IP for each firewall rule?
Or why the hell can't I delete the default zones? I don't need DMZ and I'm a person who wants it clean and wants to get rid of stuff that is not necessary.

I somehow have the strange feeling of an Apple product and not a firewall for experienced system admins.
Firewall ON / OFF

My first impression tells me that the XG is still in the alpha stage.

I can not be the only "old" UTM user who does not like the XG yet.

Please tell me your experiences. Possibly it is only up to me, since I'm used to the old web interface.


Regards
Tobias



  • Nope, you're not alone, I have been following SFOS/XG since it was called copernicus before the official release and it has improved a lot, but I'm still not convinced about it, I miss my unified objects from the UTM too much. I'm considering the UTM more or less dead since there's not much development on it, at least not publicly.

    This screenshot is from a webinar in late 2016 and as you know we haven't seen 9.6 yet. I would love to see OpenVPN 2.4 and IKEv2 on the UTM and hopefully that's what they mean by "VPN Improvements", but one can never know. Our UTM license is due for renewal next year and I have started to think about the future. Should I stay with the UTM because I know it and like it, and hope for a miracle? Should I look for another solution after 11+ years of running UTM? Should I wait and see what XG version 18 has to offer? That's just some of the thoughts that go through my head. I have the Endpoint Protection and Intercept X, so I'm ready for the synchronized security adventure, but as I said I'm not confident in the XG yet.

    Sophos UTM 9.3 Certified Engineer
    Sophos UTM 9.3 Certified Architect
    Sophos XG v.15 Certified Engineer
    Sophos XG v.17 Certified Engineer
    Sophos XG v.17 Certified Architect

  • Hi there,

    You are surely not alone. I migrated the first of my company's UTMs to XG 17.5, and while the UI of the UTM wasn't perfect, the XG is unmanageable, e.g. try to search for the FW rule for a specific host; in UTM there was an icon which showed where an item was used.

    I had a company do the migration, they used a tool, but most of it didn't work. We had 4 days for additional configuration.

    The download for the SSL VPN config does not work for two users, this issue is not resolved.

    I have another UTM and a SonicWall I planned to migrate, but if Sophos does not improve here very soon, I think I'll reconsider. I will have a look at Fortinet. SonicWall isn't satisfying either.

  • I am not a fan of the migration assistant (they most likely used this tool).

    A better approach would be to reconsider the firewall ruleset and objects which are needed on all sites.

    While migrating to XG, there are so many advantages which you could consider in your migration.

    Maybe switch to VTI? Maybe switch to SSLx for decryption? Maybe you need to consider network segmentation (if not applicable).

    PS: Maybe reviving a 1 1/2 year old thread is not the best approach :) There are many improvements done in V18, it's now GA!


    XG has other advantages like Data ticker to show unused firewall rules for example. Helping in cleaning up the firewall rule set. Policy tester is another tool to find the current matching rule. 

    If you would like to find the matching rule for a client (maybe an even better approach than looking up a network object?), you could use the Policy tester.

    Just some thoughts, I know there are some limitations of migration from SG to XG.

    About the SSL VPN config issue:

    Could you open another thread for this issue? I have some suggestions, like the certificate being broken on this client.

    Or maybe another approach: switch to Sophos Connect (IPsec)? It's a free client with the same configuration for all users.


  • Martin,

    please open a ticket with support and tell them all the issues you had.

    I am not a fan of migration at all, but in certain circumstances you need the migration.

    The migration tool should work, as we expect to have a smooth migration from UTM to XG, at least. I am not talking about moving from Fortigate, CheckPoint, Palo Alto. Migration tools help during the sales phase. This should be considered!

    Martin, when you have the case id, please update the forum so someone can take care of it.

    Thanks

  • I used XG v15 as self-training on how to configure the Palo Alto box that work bought.

    Ian

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 GA


  • Hi.

    Couldn't find "Data ticker".
    Where is it?

  • Data ticker is the data transmitted/received by each firewall rule. You can find it below the firewall rule name or even inside the NAT rule (only v18).

    Regards

  • Thanks for answering :)

    Looking for "XG has other advantages like Data ticker to show unused firewall rules".

    Just can't find it...

  • Hello LuCar Toni,

    you are not a fan of the migration tool. Well, could you please advise me how to do the following in one UTM v9 installation:

    - Migrate more than 600 firewall rules
    - migrate almost 2,000 network objects
    - Migrate nearly 1,000 service definitions and service groups
    - migrate almost 100 NAT rules
    And I haven't mentioned nearly 100 SSL VPN accesses for defined users from MS Active Directory and more than 50 IPsec site-to-site tunnels.

    Do you really still think there is no need for a migration tool? You're still really convinced, really?
    You probably live in a different world, but we who sell UTM v9 and for many years manage this product every day with our customers and partners are convinced the exact opposite.
    Please tell me also how to justify to the IT manager and also the security director of the same company of this customer that Sophos is unable (or does not want) to provide its partners with a migration tool that can handle most of the above requirements?
    And do you think this customer (and any other customer) will want to pay us for this manual transcription, are you really still convinced?
    Please stop looking at the problem of migrating from UTM v9 to XG only from your point of view and try to look at this problem from the point of view of us as administrators.
    It is still time to do something about this problem.

    It could also happen that customers say: Hmm, Sophos is unable to provide us with a migration tool to migrate from UTM v9 to XG Firewall? Do we really want to migrate to XG Firewall under these conditions? Really?!?

    LuCar Toni, welcome to the real world!

    Regards

    alda

  • I can only agree with . Here some topics are not even treated with interest or with the proper "case study".

    I have a couple of customers so big that migrating everything manually requires a lot of effort. They can move to another competitor, as the migration tool exists there already. This is the same issue with logging and reporting. Sophos is not taking the topic seriously. While other vendors provide complete reporting and logging via the UI, here in XG you still need to run tail -f /log/*.log to understand what is going on.

  • Hi Alda.

    See my impersonation: https://community.sophos.com/products/xg-firewall/f/sophos-utm-to-xg-migration/118972/utm-to-xg--comparison-and-my-impression

    As for now, it took us more than a week, a lot of rules I had to do from scratch, and for sure I missed or misconfigured some rules.
    For now - like it or not - that's what you got...