Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 8 replies
  • Subscribers 39 subscribers
  • Views 52246 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Initial reactions to Sophos XG OS

AdamTyler

Hey everyone, just want to start by saying THANK YOU Sophos for making this firewall available in the home use license form.  You've lost "0" revenue and gained a small army of experienced users who I'm sure recommend your product in their place of business because of the positive individual experience and comfort with the OS.

I downloaded the Sophos XG firewall ovf template and deployed to my home VMware cluster yesterday and spent a few hours thumbing through the interface.  I have some immediate thoughts and was curious as to what the community of users had to add.

1. Simple?  It sounds like development set out to make the firewall interface extremely simple.  Nothing more than 2 or 3 clicks away is one quote from a marketing video.  I would argue that the drive to make the product simple will alienate experienced administrators.  I'm not talking network engineers here, but it's pretty standard to have NAT and firewall policies separate.  This concept is widely used across fortigate, SonicWALL, and was beautifully executed in UTM9.  I admit that I didn't spend long, but I couldn't make sense of the firewall/NAT wizard in XG.  It appeared to go back to a home use port forwarding approach rather than the rich NAT/PAT capabilities of the UTM9.

Perhaps after a migration tool is available, it will allow us to convert more of our advanced UTM9 configs over and it will make more sense in action.  But from someone that has been configuring firewalls professionally for years, I felt this piece was done incorrectly.  Someone with experience should be able to configure standard NAT/PAT/firewall policies by clicking through the interface.

2. VLANS?  Why can't you provision an interface with VLAN tag without it already being provisioned and IP'd as untagged?  This works well in UTM9 and should be added to Sophos XG.  This forces you to set a bogus IP on the primary interface and tie to zone before you can add tagged interfaces using that hardware.

3. On prem mail server filter?  I couldn't get anywhere with this.  Simple settings like "the ip of your mail server", were nowhere to be found.  UTM9's Mail filter I was able to configure with AD integration and never a look at a manual.  Too simple guys!

What do you think community?  Other comments/input?  Curious to know if I'm alone on some of this.



This thread was automatically locked due to age.
Parents
  • 0
    To all the disappointed UTM users,

    I don't see anyone referencing Cyberoam here, and I think that is the culprit.

    You UTM guys are the victim of a recent acquisition of Sophos named Cyberoam. I don't know UTM 9 or any of the other products of Sophos, since we own Cyberoam firewalls (I deliberately say own, not use). And Cyberoam was acquired by Sophos a while ago. The resemblance of XG with Cyberoam is just too remarkable to be coincidental. The whole configuration tree is the same as Cyberoam. Moreover, I thought XG was a new skin around Cyberoam, as it was so similar in terms of concepts, with the omission of some functions in Cyberoam that were too compromising. Now this would be good if Cyberoam was superior to UTM9, but I doubt it was, unless UTM 9 was a complete disaster.

    There is a category of vendors which have incomprehensible concepts and which all seem to produce the same documentation ith an accompanying screendump of what we can see ourselves on the screen:

    if you want to configure A press button A.In field X, fill in X. Press OK to continue or Cancel to cancel.

    Wow, I thought I should have pressed button B to configure A, should put the value of Y into X, and then press OK to cancel it!

    It just went from 150 pages of incomprehensible, useless instructions written by Cyberoam to 612 (!) pages of incomprehensible, useless instructions for XG.

    We have had two Cyberoams for over a year now as to replace our ISA servers, but they never caught any virus from web browser traffic, and the vendor never got our WAF working with HTTPS, which was the entire purpose of buying Cyberoam in the first place. I'll spare you the details, but this Cyberoam firewall is based on concepts from a twisted mind, is undocumented, is not properly tested and in summary, just doesn't work.

    And you UTM guys seem to be the victim, since XG is just Cyberoam with a new skin. I initially thought the acquisition of Cyberoam by Sophos was going to improve the situation for Cyberoam owners, but now that I see Sophos is using the crappy Cyberoam OS as their basis, I feel sorry for you, but I am now going to find myself another product. Yes, it is going to be more expensive, but the time we lost with trying to get these crappy products to work exceeds the surplus investment of a proper security device.

    Cheers,

    Emile
Reply
  • 0
    To all the disappointed UTM users,

    I don't see anyone referencing Cyberoam here, and I think that is the culprit.

    You UTM guys are the victim of a recent acquisition of Sophos named Cyberoam. I don't know UTM 9 or any of the other products of Sophos, since we own Cyberoam firewalls (I deliberately say own, not use). And Cyberoam was acquired by Sophos a while ago. The resemblance of XG with Cyberoam is just too remarkable to be coincidental. The whole configuration tree is the same as Cyberoam. Moreover, I thought XG was a new skin around Cyberoam, as it was so similar in terms of concepts, with the omission of some functions in Cyberoam that were too compromising. Now this would be good if Cyberoam was superior to UTM9, but I doubt it was, unless UTM 9 was a complete disaster.

    There is a category of vendors which have incomprehensible concepts and which all seem to produce the same documentation ith an accompanying screendump of what we can see ourselves on the screen:

    if you want to configure A press button A.In field X, fill in X. Press OK to continue or Cancel to cancel.

    Wow, I thought I should have pressed button B to configure A, should put the value of Y into X, and then press OK to cancel it!

    It just went from 150 pages of incomprehensible, useless instructions written by Cyberoam to 612 (!) pages of incomprehensible, useless instructions for XG.

    We have had two Cyberoams for over a year now as to replace our ISA servers, but they never caught any virus from web browser traffic, and the vendor never got our WAF working with HTTPS, which was the entire purpose of buying Cyberoam in the first place. I'll spare you the details, but this Cyberoam firewall is based on concepts from a twisted mind, is undocumented, is not properly tested and in summary, just doesn't work.

    And you UTM guys seem to be the victim, since XG is just Cyberoam with a new skin. I initially thought the acquisition of Cyberoam by Sophos was going to improve the situation for Cyberoam owners, but now that I see Sophos is using the crappy Cyberoam OS as their basis, I feel sorry for you, but I am now going to find myself another product. Yes, it is going to be more expensive, but the time we lost with trying to get these crappy products to work exceeds the surplus investment of a proper security device.

    Cheers,

    Emile
Children
No Data
Unfiltered HTML