
XG complicated and confusing

Hi,


For the last 5 years I've been using the UTM as a virtual appliance at home with the home use license -> max. 50 IPs.
And since every device has an IP, the problem is the limitation of 50 IPs maximum.

So I have to switch from UTM to XG, but that is harder than expected.

I think the web interface is very complicated and confusing.
Some functions are strange, e.g. why do I have to assign an IP to an interface that has only sub-interfaces with VLANs? (keyword native-vlan => /dev/null)

Why do I have to specify a source and destination zone AND a source and destination IP for each firewall rule?
Or why the hell can't I delete the default zones? I don't need a DMZ and I'm a person who wants it clean and gets rid of stuff that is not necessary.

I somehow have the strange feeling of an Apple product and not a firewall for experienced system admins:
Firewall ON / OFF

My first impression tells me that the XG is still in the alpha stage.


I can not be the only "old" UTM user who does not like the XG yet.

Please tell me your experiences. Possibly it is only up to me, since I'm used to the old web interface.


Regards
Tobias



  • Nope, you're not alone. I have been following SFOS/XG since it was called Copernicus before the official release, and it has improved a lot, but I'm still not convinced about it; I miss my unified objects from the UTM too much. I consider the UTM more or less dead since there's not much development on it, at least not publicly.

    This screenshot is from a webinar in late 2016, and as you know we haven't seen 9.6 yet. I would love to see OpenVPN 2.4 and IKEv2 on the UTM, and hopefully that's what they mean by "VPN Improvements", but one can never know. Our UTM license is due for renewal next year and I have started to think about the future. Should I stay with the UTM because I know it and like it, and hope for a miracle? Should I look for another solution after 11+ years of running UTM? Should I wait and see what XG version 18 has to offer? Those are just some of the thoughts that go through my head. I have Endpoint Protection and Intercept X, so I'm ready for the synchronized security adventure, but as I said I'm not confident in the XG yet.

    Sophos UTM 9.3 Certified Engineer
    Sophos UTM 9.3 Certified Architect
    Sophos XG v.15 Certified Engineer
    Sophos XG v.17 Certified Engineer
    Sophos XG v.17 Certified Architect

  • Hi there,

    You are surely not alone. I migrated the first of my company's UTMs to XG 17.5, and while the UI of the UTM wasn't perfect, the XG is unmanageable, e.g. try to search for the firewall rule for a specific host; in UTM there was an icon which showed where an item was used.

    I had a company do the migration; they used a tool, but most of it didn't work. We needed 4 days for additional configuration.

    The download of the SSL VPN config does not work for two users; this issue is not resolved.

    I have another UTM and a SonicWall I planned to migrate, but if Sophos does not improve here very soon, I think I'll reconsider. I will have a look at Fortinet. SonicWall isn't satisfying either.

  • I am not a fan of the migration assistant (they most likely used this tool).

    A better approach would be to reconsider the firewall ruleset and the objects which are needed on all sites.

    While migrating to XG, there are many advantages which you could consider in your migration.

    Maybe switch to VTI? Maybe switch to SSLx for decryption? Maybe you need to consider network segmentation (if not already in place).

    PS: Maybe reviving a 1 1/2 year old thread is not the best approach :) There are many improvements in V18; it's now GA!

    XG has other advantages, like the data ticker to show unused firewall rules, for example, which helps in cleaning up the firewall rule set. The policy tester is another tool to find the currently matching rule.

    If you would like to find the matching rule for a client (maybe even a better approach than looking up a network object?), you could use the policy tester.

    Just some thoughts; I know there are some limitations of migration from SG to XG.

    About the SSL VPN config issue:

    Could you open another thread for this issue? I have some suggestions, like the certificate being broken on this client.

    Or maybe another approach: switch to Sophos Connect (IPsec)? It's a free client with the same configuration for all users.

    __________________________________________________________________________________________________________________

  • Martin,

    please open a ticket with support and tell them all the issues you had.

    I am not a fan of migration at all, but in certain circumstances you need the migration.

    The migration tool should work, as we expect to have a smooth migration from UTM to XG at least. I am not talking about moving from Fortigate, Check Point or Palo Alto. Migration tools help during the sales phase. This should be considered!

    Martin, when you have the case id, please update the forum so someone can take care of it.

    Thanks

  • I used XG v15 as self-training on how to configure the Palo Alto box that work bought.

    Ian

    XG115W - v20.0.3 MR-3 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Hi.

    Couldn't find "Data ticker".
    Where is it?

  • The data ticker is the data transmitted/received by each firewall rule. You can find it below the firewall rule name or even inside a NAT rule (only v18).

    Regards

  • Thanks for answering :)


    I'm looking for "XG has other advantages like Data ticker to show unused firewall rules".

    Just can't find it...
