

Initial reactions to Sophos XG OS

Hey everyone, just want to start by saying THANK YOU Sophos for making this firewall available in the home use license form.  You've lost "0" revenue and gained a small army of experienced users who I'm sure recommend your product in their place of business because of the positive individual experience and comfort with the OS.

I downloaded the Sophos XG firewall ovf template and deployed to my home VMware cluster yesterday and spent a few hours thumbing through the interface.  I have some immediate thoughts and was curious as to what the community of users had to add.

1. Simple?  It sounds like development set out to make the firewall interface extremely simple.  "Nothing more than 2 or 3 clicks away" is one quote from a marketing video.  I would argue that the drive to make the product simple will alienate experienced administrators.  I'm not talking network engineers here, but it's pretty standard to have NAT and firewall policies separate.  This concept is widely used across FortiGate and SonicWALL, and was beautifully executed in UTM9.  I admit that I didn't spend long, but I couldn't make sense of the firewall/NAT wizard in XG.  It appeared to go back to a home-use port forwarding approach rather than the rich NAT/PAT capabilities of the UTM9.

Perhaps after a migration tool is available, it will allow us to convert more of our advanced UTM9 configs over and it will make more sense in action.  But from someone that has been configuring firewalls professionally for years, I felt this piece was done incorrectly.  Someone with experience should be able to configure standard NAT/PAT/firewall policies by clicking through the interface.

2. VLANS?  Why can't you provision an interface with VLAN tag without it already being provisioned and IP'd as untagged?  This works well in UTM9 and should be added to Sophos XG.  This forces you to set a bogus IP on the primary interface and tie to zone before you can add tagged interfaces using that hardware.

3. On prem mail server filter?  I couldn't get anywhere with this.  Simple settings like "the ip of your mail server", were nowhere to be found.  UTM9's Mail filter I was able to configure with AD integration and never a look at a manual.  Too simple guys!

What do you think community?  Other comments/input?  Curious to know if I'm alone on some of this.



This thread was automatically locked due to age.
  • I stated my opinion before and can only say that the Sophos XG is no firewall I would use or recommend to anyone, and I can only hope that UTM 9 will stay with us for a long time, or that they work some kind of heavy development miracle (and start listening to their user base) and make XG a good replacement for UTM 9. I think they (Sophos) are "shooting themselves in the knee" by bringing out a product like this, because it will hurt their reputation if this gets sold and deployed in its current form, since it reminds you more of a deep beta product than something that anyone would buy and use. I could criticize the UI, but that's just a part of it; lots of features are missing, they tried to "app simplify" but completely ignored what a firewall admin would want.

    ---

    Sophos UTM 9.3 Certified Engineer

  • My thoughts? (not aimed at Adam, but at the Sophos team or whoever it was that bought them out and gutted the product)

    "We at Sophos don't care what you want to do with your router. We want a cloud based solution, where we have all the control. No longer can you fine tune the firewall and web filter, now you have to rely on us knowing what we're doing".

    Seriously, F***K THIS S**T.
    I want to be able to explicitly allow traffic on my network. It's not intuitive at all how to do this. Port forwarding... was the goal to make it confusing? And the web filter? What happens when it blocks a site I want accessible, or breaks the site partially? Well, I can completely remove the category, but I can't figure out how to explicitly define the site to be ignored. And I sure as hell can't edit the categories at all.


    I understand the desire to make it turn key. But now, I can't do anything outside your narrowly defined box, without resorting to command line. If I wanted that, I would have stuck with pfSense.
    My choices are revert back to Sophos UTM 9.3, or pfSense now. Sure, you didn't lose a paying customer (home use), but you sure as hell have lost an enthusiast that has generated traffic and customers for you.

    Regards
    Drashna Jaelre
    Christopher Courtney.
  • Hi folks,

    I managed Cisco routers for several years in order to connect our locations to the internet; meanwhile I have almost a year of experience with an SG 230, which connects one of the locations and brings web security to the LAN.
    Now it's time to renew or replace the old Cisco routers. My first thought was to use SG UTMs, but due to the lack of NetFlow and a not properly implemented IPFIX, we had to reconsider this action. Our support partner suggested trying the XG UTM because it can export NetFlow data.
    Well, I spent the whole weekend trying to get NetFlow working, but I couldn't. All I have seen during that time was far away from a market-ready product. Basically it has nothing to do with all the well-known Sophos devices. I see here a completely different/new device. It starts with the, sometimes confusing, interface names; QoS is all down to shaping; I cannot find any queue information, which is essential to see what's going on and take proper action; the log output is a joke... It feels like an early prototype, and I'm not willing nor able to take the risk and connect several locations with a system in this state.
    Additionally, I'm a bit confused now: is XG the road which Sophos follows now, in order to replace the SG series?
  • The initial setup with 172.16.16.16 was a show stopper. Why I could not assign an internal IP at the time of initial configuration without agreeing to the EULA is completely beyond my comprehension.
    The menus are hard to navigate. Once you are 2-3 levels deep in a menu, you cannot navigate back; you have to re-enter the menu item again.
    No way to view live log, it is delayed by 30 seconds.
    Creating rules is harder. I was trying to configure port forwarding and gave up after trying for an hour.
    I have successfully made Netflix work on UTM 9 and it has been working fine for the last 4 years. I tried to do the same settings on XG, but could not even find them. The terminology is confusing and I had no clue what I was looking at. The important configuration parameters are carefully hidden in obscure menus.
    Needs better documentation, something explaining what each function does. It will also be a good idea to release a UTM 9 to XG mapping.
    I am just a home user, with slightly more than average networking skills. Maybe I am completely off base, but I thought that I would provide feedback as I was very excited about using the XG. I had to shut down XG and restart UTM 9.
    Thanks,
    Arun
  • Hi Arun,
    At the moment not much documentation is available. The astaro.org forum has been closed and a lack of information is in the air.
    XG is a completely new product, and you can find the Administrator PDF at this link:
    www.google.it/url

    NAT is integrated and available inside Policy > Security Policies.
    As Sophos said, it is not time to upgrade to XG yet. At the moment, I think, Sophos released this product as it is to check what customers think about it and to improve it. UTM9 is a great product, and XG will be a good product (at least we hope) within 2/3 releases.
    The only thing I suggest is to vote and open new feature requests on:
    feature.astaro.com/.../330219-sophos-xg-firewall

    Many of us wrote many bad things about XG. We need to wait.

    Hope you can get more info from the manual PDF and from this community.

    Luk
  • What is beyond my comprehension is the marketing Sophos does for XG. I get a lot of updates on it on Facebook. When asking what the benefits are, you get a link that basically says nothing about that. If they spend this much on marketing a stillborn product like this, one wonders if they shouldn't put the effort into UTM 9.

    ---

    Sophos UTM 9.3 Certified Engineer

  • To all the disappointed UTM users,

    I don't see anyone referencing Cyberoam here, and I think that is the culprit.

    You UTM guys are the victim of a recent acquisition by Sophos named Cyberoam. I don't know UTM 9 or any of the other products of Sophos, since we own Cyberoam firewalls (I deliberately say own, not use). And Cyberoam was acquired by Sophos a while ago. The resemblance of XG to Cyberoam is just too remarkable to be coincidental. The whole configuration tree is the same as Cyberoam. Moreover, I thought XG was a new skin around Cyberoam, as it was so similar in terms of concepts, with the omission of some functions in Cyberoam that were too compromising. Now this would be good if Cyberoam was superior to UTM9, but I doubt it was, unless UTM 9 was a complete disaster.

    There is a category of vendors which have incomprehensible concepts and which all seem to produce the same documentation, with an accompanying screen dump of what we can see ourselves on the screen:

    if you want to configure A, press button A. In field X, fill in X. Press OK to continue or Cancel to cancel.

    Wow, I thought I should have pressed button B to configure A, should put the value of Y into X, and then press OK to cancel it!

    It just went from 150 pages of incomprehensible, useless instructions written by Cyberoam to 612 (!) pages of incomprehensible, useless instructions for XG.

    We have had two Cyberoams for over a year now to replace our ISA servers, but they never caught any virus from web browser traffic, and the vendor never got our WAF working with HTTPS, which was the entire purpose of buying Cyberoam in the first place. I'll spare you the details, but this Cyberoam firewall is based on concepts from a twisted mind, is undocumented, is not properly tested and, in summary, just doesn't work.

    And you UTM guys seem to be the victim, since XG is just Cyberoam with a new skin. I initially thought the acquisition of Cyberoam by Sophos was going to improve the situation for Cyberoam owners, but now that I see Sophos is using the crappy Cyberoam OS as their basis, I feel sorry for you, but I am now going to find myself another product. Yes, it is going to be more expensive, but the time we lost with trying to get these crappy products to work exceeds the surplus investment of a proper security device.

    Cheers,

    Emile
  • I am completely new to Sophos and I'm demoing the XG hardware unit. I am also struggling in multiple areas. I have administered multiple firewalls, UTMs, network security devices, etc.

    Generally, it seems as if Sophos has used its own names for items that are normally called the same thing regardless of vendor. Example: IP Host is usually called an address object.

    The word "Policies" is used in two different places: one at the top level, then again under the Objects > Policies area. Confusing.

    I haven't found an automatic way to create a reflexive rule. Most vendors have a simple button for that when creating a firewall rule.

    My current challenge is setting up a 1-to-1 NAT. I have found something that is called Network Address Translation under Objects > Policies, but the settings for it do not allow for a complete NAT setup. I'm confident it's buried somewhere, but I can't find it. A simple concept, not simple to create.

    I also found when creating an IPsec tunnel that the remote network has 4 options: IP Host, Network, Range, and IP List. Only the first two are valid options. I tried Range several times. It created an IP Host, but it was never in the list to select. After a call to the sales engineer and tech support, we figured out that Network must be used, not a range of IP addresses... yet the option to use a range is on the interface.

    I'm still working on learning things...but getting frustrated.