
UTM9 to XG migration

Hello,

 

I've been running UTM9 for a number of years now for my environment as a VM in ESX with great success. Alas, coming up to 2020, a proliferation of devices means that I've been hitting the 50 IPs pretty hard and it's time to do something about it. I decided to migrate to the Sophos XG to see if this will do the job for me. After some initial teething issues with vlans on Port 1, which I worked around, I have the XG up and running quite well for basic DMZ separation and access to the internet.

My Setup:

SophosXG VM (17.5.9 MR-9) running on ESXi

Port 1 - Out of Band Management

Port 2 - WAN (NBN Ethernet connection)

Port 3 - Vlans (mix of LAN and DMZ Scopes)

Port 4 - WAN (LTE Backup link)

 

I've fiddled around with the firewall and have some things functioning again inter DMZ but I'm not across it as well as I'd like yet and am lacking the tweaks I had on the UTM.

 

What I really need to setup and REALLY miss from the UTM9:

 

- Per vlan total interface bandwidth limitation and the ability to turn a vlan on and off easily. I don't want to police all the types of traffic on a subnet and build QoS rules; I just want to limit the whole network to a given upload/download speed limit so one network can't consume my WAN (alas, our internet isn't that great and limiting bandwidth per vlan makes it very usable).

 

- Per vlan time restrictions. I cannot find a way to set custom time periods, only what's predefined, and that's not good enough.

 

Small aesthetic things: not being able to see per network/vlan traffic on the control center page. Whilst there's a lot of information on some things, I feel it is lacking here; I don't get a feel for what's going on in real time per network, whereas on the UTM I could see at a glance which network is pulling data up or down. In the example here from my UTM9 you can see very easily that vlan66 and vlan67, which are limited to 3 Mbit down from the internet, are busy :) but overall we're only pulling 6 Mbit down through our NBN WAN connection and the LTE connection is in standby.

 

Also, is there a way to see reports/activity with hostnames/definitions rather than just IP? I've defined a number of devices in DHCP scopes and firewall rules and that works fine, but any reporting ignores that and shows a list of IPs, which is a bit, well, meh?

 

Any assistance on the overall vlan bandwidth limiting would be MUCH appreciated.

 

Have a safe and Happy New Year's Eve :)

  • Hi,

    there is another thread in the XG forum of users having trouble with XG in a VM with suggested and working solutions.

    Ian

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Can you show us a screenshot of your vmware Ports?

    Please log in as admin / admin into the shell on vmware and go to the advanced shell (Option 5, Option 3).

    Use ifconfig to see all ports.

    Compare the MACs from ifconfig with vmware to check whether both interfaces are actually the same.

     

    __________________________________________________________________________________________________________________
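The interface-to-MAC comparison suggested above can be scripted so the check is repeatable. The following is an added example, not code from the thread or from Sophos: it parses `ifconfig`-style output (a constructed sample in the style of the SFOS advanced shell) into port/MAC pairs and diffs them against the MACs copied from the VM's network adapter settings in vSphere (also constructed here). The port names `Port1`/`Port2` and all MAC values are assumptions for the sample; on a real box you would feed it the live `ifconfig` output.

```sh
#!/bin/sh
# Added example: reconcile the MACs SFOS reports per port with the MACs
# vSphere assigned to the VM's adapters. Not part of the original post.

# Constructed sample of `ifconfig` output as the SFOS advanced shell prints it.
SAMPLE_IFCONFIG='Port1     Link encap:Ethernet  HWaddr 00:0C:29:AA:BB:01
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

Port2     Link encap:Ethernet  HWaddr 00:0C:29:AA:BB:02
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0'

# Constructed mapping copied from vSphere's VM settings: "<port> <mac>" per line.
# Port2 deliberately differs, to show what a mismatch looks like.
EXPECTED='Port1 00:0c:29:aa:bb:01
Port2 00:0c:29:aa:bb:99'

# ifconfig_macs OUTPUT: print "iface mac" (lowercased) for each HWaddr line.
ifconfig_macs() {
    printf '%s\n' "$1" | awk '/HWaddr/ { print $1, tolower($NF) }'
}

# compare_macs EXPECTED ACTUAL: one report line per expected port:
# "<port> OK <mac>", "<port> MISMATCH ...", or "<port> MISSING ...".
compare_macs() {
    printf '%s\n' "$1" | while read -r port want; do
        [ -n "$port" ] || continue
        got=$(printf '%s\n' "$2" | awk -v p="$port" '$1 == p { print $2 }')
        if [ -z "$got" ]; then
            echo "$port MISSING (not in ifconfig output)"
        elif [ "$got" = "$want" ]; then
            echo "$port OK $got"
        else
            echo "$port MISMATCH ifconfig=$got vsphere=$want"
        fi
    done
}

# check_macs EXPECTED ACTUAL: exit 0 only when every expected port matches.
check_macs() {
    ! compare_macs "$1" "$2" | grep -Eq 'MISMATCH|MISSING'
}

# Usage: print the reconciliation report for the sample data.
compare_macs "$EXPECTED" "$(ifconfig_macs "$SAMPLE_IFCONFIG")"
```

Any `MISMATCH` line means the port SFOS calls, say, Port2 is not wired to the vSwitch/port group you think it is, which is exactly the symptom of "no WAN connectivity" that this thread is chasing; `MISSING` means SFOS never enumerated that adapter at all.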

  • Righto, it's been a few days and I have found out what was going wrong and have Sophos XG SF01V (SFOS 18.0.0 EAP3) licenced and running on ESXi perfectly. I thought I should come back and fill in the story.

    After 5 or so complete re-installs and configures of XG 17 and 18, with the same issue occurring of no WAN connectivity, I moved on to trying another product. This time I had problems installing it due to the age of my ESXi server, so I bit the bullet, did a complete ESXi re-install and set up everything nice and fresh. I could now install the product but, lo and behold, it did exactly the same thing with no WAN connectivity!! Clearly this was a local issue, not Sophos XG. After a lot of double-checking all my network/vlan configuration on physical and virtual switches and not finding fault, I googled a lot more in frustration.

    The interesting thing was that the WAN worked perfectly with my existing virtual UTM9 and did once with the Sophos XG 17 install. What it came down to was something I had not experienced before but people had warned of: some ISPs hold the MAC reservation on the connection for some time, so if you swap from one device to another it simply won't work. The solution was to simply unplug the WAN Ethernet cable and take a 10 minute break between switching the WAN from one device to another (I would guess moving the MAC address from one VM to the other would possibly work too). I've done this successfully several times now and it's flawless.

    So the issue was me switching the WAN too quickly from firewall to firewall whilst testing, a simple gotcha.

    The great thing is that I now have my ESX infrastructure all updated and a Sophos XG 18 up and running and licenced, all working off 2 NICs: Port 1 for all my local vlans and Port 2 for WAN, working perfectly.

    Thank you for your assistance and efforts. I'm writing this follow-up to possibly help someone else in the future, and I'd be happy to assist others with a similar setup if anyone has any questions.

    PS. The only drama I've had so far was that the IPS settings stopped my son's PS4 connecting to the PlayStation Network, resolved by turning off IPS.
