TLS 1.3 It has been in the work for four years. Knowing that TLS 1.2 have been implemented only recently on selected products (for those who figured how), when can we expect it will be implemented on XG and other products ?

TLS 1.3 is available in SFOS v18 (tentative release date 18th Feb) for XG Firewall. :)

Hi,

do you mean GA release or just v18 eap4?

Ian

SSLx (DPI) supports TLS1.3 and does not downgrade the TLS communication to TLS1.2.

GA

What ??? GA ??????????

But DPI is now even close to work properly !!!

So all we had with v18 is a NAT re-melt ?

Paul Jr

What ??? GA ??????????

But DPI is now even close to work properly !!!

So all we had with v18 is a NAT re-melt ?

Paul Jr

Paul that is not correct.

V18 is plenty of new features. Take the XG engineering course and you will see how many improvements have been added. Dpi is under improvement and it will be fixed in GA. I am the one that at the moment in beta, dpi is not working at all but They found 2 bugs and they are fixing it.

It is not true ... Yes and No.

First, I took the "free" courses. already.

Full of new features ... Depends if you look at this from within Sophos, or from a market point of view.

DPI (or whatever called xtream) and NAT re-melt are certainly main titles of v18. If one discount any of them, you cut v18 in half.

As for for DKIM, among other things, ... that is catch-up with things competitors had since a decade. It is like saying connecting your Iphone to a car is a new feature ... If your previous car was a Citroën 2cv, then, yes, there are "many" new features.

We can also underline basic things we still do not have.

1. A "real time" workable Logviewer. Or real time link to wire Shark. A log Viewer CheckPoint's style.
2. A real DHCP.
3. A real NTP relay or server.
4. et.c.

So ... It's better than v17. Yes. But it won't shake our security's industry.

Just add to that some closed minded folks at Sophos decided you cannot install it on XG105 when we all know it works very well with a $60 of hardware upgrade. A boosted XG105 is actually faster than a XG115. No. They want you to fill trashes sites and spent another thousand or two dollars uselessly.

Finally, we have waited 3 years for that. Better late than never.

Paul Jr

It still a little bit far from competition in certain features, but the line has been tracked. I am waiting also for a logging improvement but the rest of the features are great now and depending in the industry you work in, v18 can be deployed on several installation and replace UTM 9.

UTM does not have DPI at all and other features. Also, apart some bugs on DPI (which is still not fixed), XG v18 was very stable since EAP1 and this sounds like a great improvement compared to "disasters" occurred during 17. MRX where they tried to fix IPSec protocol.

For my point of view, v18+ has all the chance to take a relevant portion in the industry!

I've learned from the mistakes I've spoke here on the forum, but v18 isn't that bad as i through.

The new DPI has a nice addition for XG, well It's currently only giving issues in very specific environments, also it's giving weird errors with FireFox.

The "NAT re-melt" in my opinion has a good thing, every competitor currently have NAT separated from the Rules Policies, the new model present on v18 EAP3R1 and now on GA for NAT is easy to understand and manage.

The only "bad" thing about the "NAT re-melt" is Linked-Nat, pretty much the first thing I did on EAP1 has to delete every single one of the Linked-NAT generated by XG and created actual useful and easy understandable ones.

About the "basic things we still do not have", I'm probably playing devil advocate here, but.

1) Currently only Checkpoint & Forcepoint (that i know and used) have real-time Log viewers, and that's because they have their own client to do this (Smart Console & SMC) (They doesn't depend on WebUI), hell, even PAN doesn't have a real-time log viewer.

2) True, there's no discussion here.

3) I can see this as an UTM feature, but is it really needed for a NGFW? No other competitor have it (Besides Fortinet), if you have a need to force your clients to use the same NTP server, you can pretty much do this right now with a new NAT Rule.

Also about the XG105 being unusable for v18, at the same time it sucks, almost every vendor does this. Last week I've discovered my CP-1490 is still on R77 with a reskinned client of R80.x, simply because the 15x0 series has been released.

Thanks!