

Initial reactions to Sophos XG OS

Hey everyone, just want to start by saying THANK YOU Sophos for making this firewall available in the home use license form.  You've lost "0" revenue and gained a small army of experienced users who I'm sure recommend your product in their place of business because of the positive individual experience and comfort with the OS.

I downloaded the Sophos XG firewall OVF template and deployed it to my home VMware cluster yesterday and spent a few hours thumbing through the interface.  I have some immediate thoughts and was curious as to what the community of users had to add.

1. Simple?  It sounds like development set out to make the firewall interface extremely simple.  "Nothing more than 2 or 3 clicks away" is one quote from a marketing video.  I would argue that the drive to make the product simple will alienate experienced administrators.  I'm not talking network engineers here, but it's pretty standard to have NAT and firewall policies separate.  This concept is widely used across FortiGate and SonicWALL, and was beautifully executed in UTM9.  I admit that I didn't spend long, but I couldn't make sense of the firewall/NAT wizard in XG.  It appeared to go back to a home-use port-forwarding approach rather than the rich NAT/PAT capabilities of the UTM9.

Perhaps after a migration tool is available, it will allow us to convert more of our advanced UTM9 configs over and it will make more sense in action.  But from someone that has been configuring firewalls professionally for years, I felt this piece was done incorrectly.  Someone with experience should be able to configure standard NAT/PAT/firewall policies by clicking through the interface.

2. VLANs?  Why can't you provision an interface with a VLAN tag without it already being provisioned and IP'd as untagged?  This works well in UTM9 and should be added to Sophos XG.  This forces you to set a bogus IP on the primary interface and tie it to a zone before you can add tagged interfaces using that hardware.

3. On prem mail server filter?  I couldn't get anywhere with this.  Simple settings like "the ip of your mail server", were nowhere to be found.  UTM9's Mail filter I was able to configure with AD integration and never a look at a manual.  Too simple guys!

What do you think community?  Other comments/input?  Curious to know if I'm alone on some of this.



  • I am completely new to Sophos and I'm demo'ing the XG hardware unit. I am also struggling in multiple areas. I have administered multiple firewalls, UTMs, network security devices, etc.

    Generally, it seems as if Sophos has used its own names for items that are normally called the same thing regardless of vendor. Example: IP Host is usually called an address object.

    The word Policies is used in two different places: one at the top level, then again under the Objects > Policies area. Confusing.

    I haven't found an automatic way to create a reflexive rule. Most vendors have a simple button for that when creating a firewall rule.

    My current challenge is setting up a 1-to-1 NAT. I have found something that is called Network Address Translation under Objects > Policies, but the settings for it do not allow for a complete NAT setup. I'm confident it's buried somewhere, but I can't find it. A simple concept, not simple to create.

    I also found when creating an IPsec tunnel that the remote network has 4 options: IP Host, Network, Range, and IP List. Only the first two are valid options. I tried Range several times. It created an IP Host, but it was never in the list to select. After a call to the sales engineer and tech support, we figured out that Network must be used, not a range of IP addresses...yet the option to use a range is on the interface.

    I'm still working on learning things...but getting frustrated.
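The reply above ran into the "Range vs Network" problem when defining the IPsec remote network. The underlying reason is that IPsec traffic selectors are expressed as subnets, so a start-to-end range that is not an aligned subnet has to be split into several networks before it can be used. The snippet below is an added example (not Sophos code and not from either poster) that does that split with Python's standard `ipaddress` module; the sample ranges are constructed for illustration, and the idea that each resulting network becomes one "Network" object on the tunnel is an assumption about how the operator would apply the result.

```python
"""Turn an IP range into the CIDR networks an IPsec remote-network selector needs.

Added example, not Sophos code. Assumption: the peer expects subnet-style
selectors, so an arbitrary first..last range must become one network per
aligned block. Sample addresses below are constructed for illustration.
"""
import ipaddress
from typing import List, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def range_to_networks(first: str, last: str) -> List[IPNetwork]:
    """Return the minimal list of CIDR networks that exactly cover first..last."""
    start = ipaddress.ip_address(first)
    end = ipaddress.ip_address(last)
    if start.version != end.version:
        raise ValueError("range endpoints must be the same IP version")
    if end < start:
        raise ValueError("range end precedes range start")
    # summarize_address_range yields the largest aligned blocks, in order.
    return list(ipaddress.summarize_address_range(start, end))


def is_single_network(first: str, last: str) -> bool:
    """True when the range is already one aligned subnet (one Network object is enough)."""
    return len(range_to_networks(first, last)) == 1


def selector_covers(nets: List[IPNetwork], host: str) -> bool:
    """Check whether a host would match the set of selectors built from the range.

    Useful when verifying that a split range still admits every remote host
    you expect to reach through the tunnel.
    """
    addr = ipaddress.ip_address(host)
    return any(addr in net for net in nets)


if __name__ == "__main__":
    # Constructed example: a range that is NOT one subnet, so a single
    # Network object cannot express it; it needs four selectors.
    for net in range_to_networks("192.168.10.10", "192.168.10.20"):
        print(net)
    # Constructed example: an aligned range that is exactly one /22.
    print(is_single_network("10.0.0.0", "10.0.3.255"))
```

The first constructed range prints four networks (a /31, two /30s and a /32), which is why a "Range" object cannot be dropped straight into a tunnel that wants subnets; the second collapses to a single /22 and can be entered as one Network object.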