
Am I the only person who likes this new XG product?

Wow - reading the comments here...... sounds like I'm the only one outside of Sophos Corporate who likes this product.

And no - I'm not a Sophos employee _OR_ a Sophos plant.

In fact, I came to the firewalls grudgingly through their other products.  I am (or was) a Watchguard/pfSense/Cisco/Several Others kind of guy. I started with SGN (encryption) and SMC (the server-based mobile control) and then started looking at the firewalls because of a few integrated features.  I decided to go through the engineer cert training for both UTM and XG.  In fact, I think I went through the XG training the day - or the day after - the training itself was released.

After all that - I don't see why everyone is so down on this product.

Sophos has been exceedingly clear on the fact that 1) NO, SG is not going away any time soon. 2) if you like your SG or CR product, you can KEEP your SG/CR product and 3) YES there are missing features, expect new ones soon.

Are there limitations and weaknesses - YES. It's a VERSION 1 product! (they can call it version 15 all they want.  It's a v1 product)

Is it still a pretty cool damned product? YES. 

Will it improve drastically? Likely, YES.

Seriously guys - give it a few months.  It is brand new, needs a few tweaks, and change always sucks - but the compelling new features they've put in - heartbeat, cloud management, etc - are, or are going to be, excellent.

As of now, our NFR of the XG230 is happily running down in our server room, humming away, and acting as our primary gateway to the internet.  Working like a champ so far.



This thread was automatically locked due to age.
  • ChavousCamp said:

    Seriously guys - give it a few months.

    ...

    ChavousCamp said:

    a very aggressive development timeline

    First, I'll start by saying I never used UTM9 (it sounds nice), second I'm a paid customer not a home user (multi-year license), third and the most important is the above comments. This is my biggest issue here...sloooooooooooooooooow development, poor communications, delayed schedules, etc. etc.

    I realize there have been several BETA versions but c'mon, agile development is all about short spurts of beta->GA (rinse/repeat) releases (think GMAIL early days, releases weekly to the general masses!). Sophos should be spinning a new release every week IMO, active development and releases are more important than a list of bugs in the works for eons.

    Case in point here, SSL VPN. OpenVPN fixed an issue with datetime per RFC specs and it's been months since I've been able to use a feature I paid for. See here: https://community.sophos.com/products/xg-firewall/f/127/t/77547 -- again I'm aware there is a BETA fix but I'm uncomfortable knowing the next "release" could be months away (to fix regression or new bugs, etc.).

    I've worked with hundreds of vendors and various applications. The developer who releases fixes in a timely manner will always have my business over the ones that spend weeks or months to finally address it.

  • I too have done both the UTM and XG training and certification courses and while I will be somewhat biased towards the SG/UTM platform as I know it well, here are my issues with the XG.

    Support

    Logging a ticket with Sophos around a simple feature issue, I had to guide the tech around via WebEx as they could not find the menu they needed. I know this may improve but extremely frustrating and very unassuring considering they are meant to be the experts.

    No, it wasn't a level 1 either.

    Deployment


    No more offline deployment, you literally have to configure WAN connectivity before you can even start the config in a device, rather than the UTM where you could do a 30 day trial. Build everything & then activate it later. Seems like a small issue but it's a massive pain when you are trying to prestage systems or have delays in orders.

    Reliability


    We have now had 3 instances where Sophos has returned the XG devices under RMA and replaced them with the SG devices. In one instance a random rule was passing traffic intermittently. Also traffic from rule 1 was flowing over rule 7, even when both were disabled.

    We spent about 6-8 hrs on the phone as a P1 case until we concluded it was a bug. By this stage we had a few unhappy customers who refused to touch the XG again, it was replaced with an SG, no issues.

    Another instance was a VPN to a SonicWALL device was flapping up and down as well as intermittently dropping voice traffic. Swapped out with an SG and all was well.

  • I really wanted to like XG. I liked the new interface and finally started to figure out the logic of building policies. My biggest issue was that the performance was terrible using the same rules I had on UTM 9. I'm not sure if it is due to the 4-core limitation. That probably isn't a big deal on an Intel i3/5/7/Xeon but when you're running it on a server grade Atom processor it would be nice to be able to spread the load out over all 8 cores. System load was a constant 2 with no traffic running. If I started a download running then my ping to Google shot up to 1,200ms and I couldn't browse the internet. When I ran the top command my CPU usage was usually 2%-15% and I couldn't figure out where the load value of 2 was coming from. Maybe it's a bug that will be fixed in the future? My second biggest gripe with XG was that I was never able to get SMTPS filtering running for my mail server. It could be that I just don't understand the differences between when you need to use certificates and certificate authorities. I was able to get my certificate into the certificate section so I could use the WAF with my web server, but I was unable to get it working for email. In UTM 9 I just uploaded my cert in the cert section and then I could use it for the WAF and SMTPS. I'm not sure why in XG it wants me to select a cert I've uploaded to the CA section for SMTPS and select a cert I've uploaded to the cert section for WAF?
  • I think it's funny when people call this a 1.0 product. You have fallen victim to clever marketing.

    This is Cyberoam, this is not some new creation. This is the same Cyberoam core with a new GUI. In fact, Cyberoam customers can upgrade to SFOS right now. And it's the only update available to them.

    Cyberoam has sucked for years. A new GUI on top does not change that. Cyberoam v1 through v10 has been a terrible product and v11 (SFOS v1) doesn't change that nor will version 12 or 13...ie SFOS v2 and v3.

    Sophos knew they couldn't tell UTM customers they are migrating to Cyberoam. Many Sophos customers looked at Cyberoam and decided against that platform when they initially joined the UTM camp.

    So the easy thing was to call this SFOS, and everyone fell for it.
  • BillyBob,

    we will continue to support Sophos and customers if Sophos is going in the direction we are hoping to.

    We only have 2 ways to let them hear from us:

    1. this community

    2. feature requests.

    At the moment I have XG at home and I am trying to push what is really missing before moving some small customers to XG.

    So add feature requests and vote for the ones that are already there.

    It is great news that MTA will be back! At least, something is moving! [:D]

    Now we need live log, better UI navigation and dashboard too.

    Luk

  • Hi Luk, thanks for pointing out the MTA feature request as accepted, I had already noticed it ;) I see you have a lot of other feature requests trying to improve everything. Thanks for not giving up and actively pressuring Sophos into making SFOS better. Maybe they will listen to a few feature requests this time.
    Regards
    Bill
  • I do not know Cyberoam but the configuration is horrible compared with UTM9 that I'm running since .0 version.
    I would have taken the UTM and added the user based firewalling.

    Christian
  • I bit the bullet and set up an x64 system to try this. (Why can't they document that? The web site says 'intel' not x64.). I had to load up my disk from an x86 system anyway as my microserver would not run the usb stick properly - no keystrokes seen. Then I moved the disk to the x64 microserver.

    Next I waste a bunch of time finding out certain ways of coding rules keep me off the internet. And some more time to see native ipv6 for a few minutes before it broke.

    Everything I do is 'pot luck'. It takes the changes, then I have to wait around for some minutes to see if it will do what I asked. I click on something in yellow to find out what it is trying to tell me and get a change to the display that is not informative at all. To me it is Beta quality. And without the heartbeat for home users, I have yet to figure out a motivation to switch everything over to it.

    I am very pleased to have a UTM 9 for free and to see the constant stream of pattern updates and regular code fixes. I have figured out its quirks (very few) and have improved my patterns and exceptions over time. Starting over on this new thing has been painful at best. Yet I see that people on my favorite forums have turned it up as production for their home network. I have to assume their needs are different from mine.

    So we all get to pick and choose and if the developers are deaf and mute I guess I will just go away and see what has happened six months from now, maybe it will improve.
  • In reply to ChavousCamp:
    I am not sure where you have been living, but from your answer not active in the beta version. There have been some fixes, but nothing seriously done about all the issues that were raised during the beta. This version is still very limited in functionality with some very serious limitations in what should be standard in a new frontline security product.
    No IPv6 native
    unable to name your device
    licence migration from trial to production - needs a complete rebuild with all rules and other objects built from scratch
    not very well thought out clientless policy defaults/mandatory fields

    Your comments about memory are way out of place and show limited understanding of this product. Home users limited to 6gb it is fine by me. X64, not an issue, but APs that worked in beta fail in production that is not good.

    The licencing process has been improved, but still has some big drawbacks, you have to have a special network setup so that the SF-OS can talk to the internet to register and synchronise. The DNS gets screwed up if you use the external setup, but the registration process doesn't work without a DNS on the external interface.

    Billybob has posted many shortcomings of a product that wants to be taken seriously in the market place. I would recommend this product as it stands for a home user, but not for a business.

    Ian

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 GA


  • I like it! Thanks for the Home User Support Sophos! I wish I could use all my 8 cores on my Atom CPU. But I don't need it really. I don't have my remote stuff set up yet but have not been over 25% usage of my CPU. I think it's a good way to make sure it's for home use. I like that they let the home users keep all the other features :-) I am not an IT Pro and am still learning the new GUI. I have had a few issues, but the Sophos Community is very helpful and try to help fix a lot of problems users have. I did have to migrate to another endpoint solution because Sophos Home has no support for my home server and I was getting BSOD on all my Windows systems with the endpoint. But when XG UTM supports the end points I am going to come back to Sophos for that... in the meantime the XG Firewall / UTM is Rocking at my house !!  ;-)