

XG complicated and confusing

Hi,


For the last 5 years I've been using the UTM as a virtual appliance at home with the home use license -> max. 50 IPs.
And since every device has an IP, the problem is the limit of 50 IPs.

So I have to switch from UTM to XG, but that is harder than expected.

I think the web interface is very complicated and confusing.
Some functions are strange. E.g. why do I have to assign an IP to an interface that has only VLAN sub-interfaces? (keyword native-vlan => /dev/null)

Why do I have to specify a source and destination zone AND a source and destination IP for each firewall rule?
Or why the hell can't I delete the default zones? I don't need a DMZ, and I'm a person who wants it clean and wants to get rid of stuff that is not necessary.

I somehow have the strange feeling of an Apple product and not a firewall for experienced system admins:
Firewall ON / OFF

My first impression tells me that the XG is still in the alpha stage.


I can not be the only "old" UTM user who does not like the XG yet.

Please tell me your experiences. Possibly it is only me, since I'm used to the old web interface.


Regards
Tobias



  • Nope, you're not alone. I have been following SFOS/XG since it was called Copernicus before the official release and it has improved a lot, but I'm still not convinced about it; I miss my unified objects from the UTM too much. I consider the UTM more or less dead since there's not much development on it, at least not publicly.

    This screenshot is from a webinar in late 2016 and as you know we haven't seen 9.6 yet. I would love to see OpenVPN 2.4 and IKEv2 on the UTM and hopefully that's what they mean by "VPN Improvements", but one can never know. Our UTM license is due for renewal next year and I have started to think about the future. Should I stay with the UTM because I know it and like it, and hope for a miracle? Should I look for another solution after 11+ years of running UTM? Should I wait and see what XG version 18 has to offer? That's just some of the thoughts that go through my head. I have the Endpoint Protection and Intercept X, so I'm ready for the synchronized security adventure, but as I said I'm not confident in the XG yet.

    Sophos UTM 9.3 Certified Engineer
    Sophos UTM 9.3 Certified Architect
    Sophos XG v.15 Certified Engineer
    Sophos XG v.17 Certified Engineer
    Sophos XG v.17 Certified Architect

  • Hi there,

    You are surely not alone. I migrated the first of my company's UTMs to XG 17.5, and while the UI of the UTM wasn't perfect, the XG is unmanageable, e.g. try to search for the FW rule for a specific host; in UTM there was an icon which showed where an item was used.

    I had a company do the migration, they used a tool, but most of it didn't work. We had 4 days for additional configuration.

    The download for the SSL VPN config does not work for two users; this issue is not resolved.

    I have another UTM and a SonicWall I planned to migrate, but if Sophos does not improve here very soon, I think I'll reconsider. I will have a look at Fortinet. SonicWall isn't satisfying either.

  • I am not a fan of the migration assistant (they most likely used this tool).

    A better approach would be to reconsider the firewall ruleset and objects which are needed on all sites.

    While migrating to XG, there are so many advantages which you could consider in your migration.

    Maybe switch to VTI? Maybe Switch to SSLx for Decryption? Maybe you need to consider Network segmentation (if not applicable). 


    PS: Maybe reviving a 1 1/2 year old thread is not the best approach :) There are many improvements done in V18; it's now GA!


    XG has other advantages, like the data ticker to show unused firewall rules for example, which helps in cleaning up the firewall rule set. The policy tester is another tool to find the current matching rule.

    If you would like to find the matching rule for a client (maybe an even better approach than looking up a network object?), you could use the policy tester.


    Just some thoughts; I know there are some limitations of migration from SG to XG.


    About the SSL-VPN Config issue.

    Could you open another thread for this issue? I have some suggestions, like the certificate being broken on this client.

    Or maybe another approach: switch to Sophos Connect (IPsec)? It's a free client with the same configuration for all users.


  • Martin,

    please open a ticket with support and tell them all the issues you had.

    I am not a fan of migration at all, but in certain circumstances you need the migration.

    The migration tool should work, as we expect to have a smooth migration from UTM to XG, at least. I am not talking about moving from Fortigate, CheckPoint, Palo Alto. Migration tools help during the sales phase. This should be considered!

    Martin, when you have the case id, please update the forum so someone can take care of it.

    Thanks

  • I used XG v15 as self training on how to configure the Palo Alto box that work bought.

    Ian

    XG115W - v20.0.3 MR-3 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Hi.

    Couldn't find "Data ticker".
    where is it?

  • The data ticker is the data transmitted/received by each firewall rule. You can find it below the firewall rule name or even inside the NAT rule (only v18).

    Regards

  • Thanks for answering :)


    looking for "XG has other advantages like Data ticker to show unused firewall rules".

    Just can't find it...

  • Hello LuCar Toni,

    you are not a fan of the migration tool. Well, could you please advise me how to do the following in one UTM v9 installation:

    - Migrate more than 600 firewall rules
    - Migrate almost 2,000 network objects
    - Migrate nearly 1,000 service definitions and service groups
    - Migrate almost 100 NAT rules
    And I haven't mentioned nearly 100 SSL VPN accesses for defined users from MS Active Directory and more than 50 IPsec site-to-site tunnels.

    Do you really still think there is no need for a migration tool? You're still really convinced, really?
    You probably live in a different world, but we who sell UTM v9 and for many years manage this product every day with our customers and partners are convinced the exact opposite.
    Please tell me also how to justify to the IT manager and also the security director of the same company of this customer that Sophos is unable (or does not want) to provide its partners with a migration tool that can handle most of the above requirements?
    And do you think this customer (and any other customer) will want to pay us for this manual transcription, are you really still convinced?
    Please stop looking at the problem of migrating from UTM v9 to XG only from your point of view and try to look at this problem from the point of view of us as administrators.
    It is still time to do something about this problem.

    It could also happen that customers say: Hmm, Sophos is unable to provide us with a migration tool to migrate from UTM v9 to XG Firewall? Do we really want to migrate to XG Firewall under these conditions? Really?!?

    LuCar Toni, welcome to the real world!

    Regards

    alda

  • I can only agree with . Here some topics are not even treated with interest or with the proper "case study". 

    I have a couple of customers so big that migrating everything manually requires a lot of effort. They can move to another competitor as the migration tool exists already. This is the same issue with logging and reporting. Sophos is not taking the topic seriously. While other vendors provide complete reporting and logging via UI, here in XG you still need to run tail -f /log/*.log to understand what is going on.


  • Hi Alda.

    See my impression: https://community.sophos.com/products/xg-firewall/f/sophos-utm-to-xg-migration/118972/utm-to-xg--comparison-and-my-impression

    As for now, it took us more than a week; a lot of rules I had to do from scratch, and for sure I missed or misconfigured some rules.
    For now - like it or not - that's what you  got...
    [8o|]

  • I would migrate them via XML Script. 

    Query everything via the REST API, convert it to XML and upload it to XG.


    This is a 30 min job, to build such a script. 

    It would migrate network objects, definitions and service groups.

    NAT / firewall rules could be created as well, but that is actually hard to achieve. You would need to put some brain into it, because you need to convert them into a logical construct for XG.

    As a partner, I would simply build this script once.

    Only the SSLVPN Clients are not able to migrate. Maybe a good time to think about Sophos Connect? 


    I know, this is hard, because you need to put some time into this (max one day). But the real world nowadays works with APIs and scripts. That seems to be the reason most (MSP) partners hire developers. They build everything, because Sophos and other vendors are opening everything to the API world.


    If you do not want to make the effort, you can go with the migration tool. That is actually doing this for you, but it is not best practice from my point of view. That's just my personal experience, working with different partners in different regions.


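The "query via REST API, convert to XML, upload to XG" idea from the post above, as an added example that is not part of the original thread or any Sophos tool. It assumes the UTM RESTful API returns network objects as JSON with `_type`, `name`, `address` and (for networks) a prefix-length `netmask`, and that the XG XML API accepts `IPHost` entities with `Name`, `IPFamily`, `HostType`, `IPAddress` and `Subnet`; both shapes should be checked against the firmware documentation before use. It validates every address and reports rejected objects instead of silently importing them.

```python
"""Build an XG XML-API 'Set' request from UTM REST-API network objects.
Assumed shapes (not from this thread): UTM returns {"_type": "network/host",
"name", "address"} / {"_type": "network/network", ..., "netmask": <prefix>};
XG accepts <IPHost> with Name/IPFamily/HostType/IPAddress/Subnet."""
import ipaddress
import json
import xml.etree.ElementTree as ET

# Constructed sample, trimmed to the fields used; the last entry is invalid on purpose.
UTM_OBJECTS = json.loads("""[
  {"_type": "network/host", "name": "srv-dc01", "address": "10.10.1.5"},
  {"_type": "network/network", "name": "lan-clients",
   "address": "10.10.20.0", "netmask": 24},
  {"_type": "network/host", "name": "bad-host", "address": "300.1.1.1"}
]""")

def utm_to_iphost(obj):
    """Map one UTM object to an XG IPHost element; raise on unusable input."""
    host = ET.Element("IPHost")
    ET.SubElement(host, "Name").text = obj["name"]
    ET.SubElement(host, "IPFamily").text = "IPv4"
    if obj["_type"] == "network/host":
        addr = ipaddress.IPv4Address(obj["address"])  # ValueError on junk
        ET.SubElement(host, "HostType").text = "IP"
        ET.SubElement(host, "IPAddress").text = str(addr)
    elif obj["_type"] == "network/network":
        # strict=False normalises host bits; XG wants a dotted subnet mask
        net = ipaddress.IPv4Network(f"{obj['address']}/{obj['netmask']}", strict=False)
        ET.SubElement(host, "HostType").text = "Network"
        ET.SubElement(host, "IPAddress").text = str(net.network_address)
        ET.SubElement(host, "Subnet").text = str(net.netmask)
    else:
        raise ValueError(f"unsupported object type {obj['_type']}")
    return host

def build_request(objects, username, password):
    """Return (xml_text, skipped): the Set/add request and rejected objects."""
    req = ET.Element("Request")
    login = ET.SubElement(req, "Login")
    ET.SubElement(login, "Username").text = username
    ET.SubElement(login, "Password").text = password
    batch = ET.SubElement(req, "Set", operation="add")
    skipped = []
    for obj in objects:
        try:
            batch.append(utm_to_iphost(obj))
        except (ValueError, KeyError) as exc:
            skipped.append((obj.get("name"), str(exc)))  # review these by hand
    return ET.tostring(req, encoding="unicode"), skipped
```

The request body carries the API admin credentials, so post it only over HTTPS to the XG interface that has the API enabled, and keep the generated file out of version control.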

  • Hello Goldy_1

    I have read your post and of course I gave you my [Y]. 

    Regards

    alda

  • Hello LuCar Toni,

    I really enjoyed reading your post. Really, I really laughed!
    In other words, you described what a migration tool should do. That's great, it seems we're finally getting along.
    And wouldn't it be better if all you just described here was doing a migration tool from Sophos? Because who other than the manufacturer of both products (UTM v9 and XG Firewall) should best know the good and bad sides of their products, including the very downsides of their products, right?
    You might not have understood that I want the migration tool to migrate (as I have described earlier) network objects, network services and service groups, and other basic functions. Why should I spend time writing scripts and then looking for errors if the manufacturer of these products should do this job better for me? Isn't that a bit of your duty?!?
    And then after migrating these basic objects and services (without previous unnecessary stupid slave work) then check whether the new product makes firewall rules and NAT rules make sense and everything works as it should.
    You may not have much experience in real-world deployment of a firewall, but first you need to ensure the basic functionality of the firewall and then you can start thinking about other security features that are constantly highlighted here, such as SSL / TLS decryption, heartbeat security and synchronized application management. This ongoing phase of migrating from UTM v9 to XG Firewall is not easy at all. Neither you nor Sophos can be surprised that no one wants it. You probably do not realize enough that if you do not make it easier for administrators to reach a first goal (migration from UTM v9 to XG Firewall), nobody will ever run again. There will be no reason to run further, customers and partners will run elsewhere ....

     Maybe a good time to think about Sophos Connect? 

    Really? Could you please tell me why customers should switch from SSL VPN to Sophos Connect when this great product can't work with MS Active Directory user groups? Please tell me why? When this product does not have the basic elementary functions offered by other solutions! And in which year will Sophos Connect support the SSL VPN protocol?

    LuCar Toni, I apologize for my sarcasm, but I can't. Please use the relevant arguments in the discussion and I will not be sarcastic. I experienced the use of similar arguments when the Communists ruled in my country, and this was a way to resist demagogues of a similar type.

    Regards

    alda

    P.S. I'm sorry, but I'm really mentally very tired when someone tries to convince me with absolutely illogical arguments. I think it would take less demagogy and more logical thinking ....

  • Lucar your response does not make sense. If you are a professional person stop replying in this way and try to be constructive.

    People pay for a license and not all people are skilled to perform an xml translation.

    The translation takes time and you need to be a developer to build a proper script. Here we are admins and not devs. This is the main problem and that's why the XG is complicated. Firewalls are used by admins and not by devs.

    Since you are devs, the migration tool is just poor.... and you are devs; that's strange.

    You are the SW house of both products and you know exactly both and for you a tool should require less effort.

    If Sophos wants to accelerate the migration from UTM to XG, the tool is the best way to encourage people to move to XG.

    It does not make any sense to have 3 different products that do the same thing.

    If you remove quickly UTM and cyberoam OS, Sophos will have all devs on a single product and go faster.

    Lucar, you live in a different world than others. Customers are more prone to move to a product that gives you a smoother transition than creating everything from scratch, unless Sophos's goal is to move to small customers where they have 10 firewall rules. If this is the case, we cannot complain, but you should stop declaring XG is an enterprise firewall.

  • Hello luk,

    I can only agree with you. You have described exactly the situation we are in.

    [Y]

    Regards

    alda

  • I understand your points; I am simply here in my free time to give some tips on how to handle such topics.



  • A bit off-topic.

    alda said:
    Really? Could you please tell me why customers should switch from SSL VPN to Sophos Connect when this great product can't work with MS Active Directory user groups? Please tell me why? When this product does not have the basic elementary functions offered by other solutions! And in which year will Sophos Connect support the SSL VPN protocol?

    This is the answer everyone got on reddit about the current VPN client issues.


    Hi There,

    Our team is planning to support user groups for the Sophos Connect IPsec client in XG v18.5. Further, Sophos Connect will also add support for SSL VPN, and will remove the burden on users needing to self-install. These changes, once in place, will be communicated through our social media platforms and under EAP programs.

    ^JG


    If a post solves your question use the 'Verify Answer' button.

    Ryzen 5600U + I226-V (KVM) v21 GA @ Home

    Sophos ZTNA (KVM) @ Home