
What is still missing on v18

To be honest I like the v18 version but, of course, certain implementations need further improvement. I posted this thread only about reporting and logging:

https://community.sophos.com/products/xg-firewall/f/logging-and-reporting/118663/reporting-and-logging-dear-xg-we-need-a-big-improvement-in-these-2-fields

and I did not complete the list as it is already long.

For the rest of the features, where I have feedback from my customers, the list of things to implement and improve is:

  1. Logging and reporting as described in the above thread
  2. Merge network objects. The same subnet/IP list and so on is created multiple times now. Please leave the hosts as the only source/destination and make sure it is usable in all sections. For example, DHCP, DNAT wizard and so on
  3. Merge DHCP and DNS entries. It is a mess to understand which computer name goes with which IP and so on.
  4. Delete objects like in UTM. Inform where the object is used before the deletion is performed
  5. Perform backup and restore via CLI. In a few cases, the box does not start completely or the UI is down. Allow admins to perform backup/restore operations via console
  6. Improve the DNAT wizard. I already had some feedback from the presentations I did to a few customers about the new DNAT wizard. 8 out of 10 people said: why did they remove the nice Create Business Application Rule? It was so nice and straightforward compared to other vendors and compared to the raw Server DNAT wizard. So I would prefer and suggest having the old BAR. For the DNAT wizard, Sophos, you need to include:
    1. Destination IP should be a selectable object and not an IP
    2. Possibility to choose an IPS filter
    3. Possibility to decide if the rule is enabled/disabled
    4. Enable logging by default
  7. Have an unencrypted backup option. It is a bad option, but some small customers cannot even remember their own password. Ability to decide if the backup is encrypted or not.
  8. Change firmware version from console. If the box does not start for some reason but the console starts, possibility to choose (ok, restart the box with this firmware version). This can be done now but the process is not straightforward
  9. Change KBs to Kb/s. QoS in the industry is based on Kb/s.
  10. Flow monitor graph where we can show customers their bandwidth consumption and block or shape applications directly from there like UTM. When I showed this during POCs, in the UTM era, customers were already impressed and ready to buy it!
  11. Customize the control center: customers are different. Every customer wants to customize their dashboard. One of the top requests is the current bandwidth utilization in the Control Center. The gadget is missing!
  12. UI resolution on big screens! Change the UI framework!

Hope other users can add their top features list.

As always, I am here to improve the product!

Regards



  • Is IKEv2 Remote Access an option now with v18? Haven't had a chance to test v18 just yet.

  • Hi Ryan, IKEv2 has not been implemented yet for remote access VPN.

    I would even add the feature to change port. Now, if you are running a network on port A on a 1 Gb network and the customer upgrades the switch where XG is connected to 10 Gb, changing the port without losing the configuration is a nightmare. You need to use SQL commands to change references inside psql.

  • Hello luk,

    yes, changing the configuration that takes a maximum of 5 minutes on UTM v9 can take a whole day with XG v17/18!!! I can confirm from my very recent experience.

    Regards

    alda

  • Thanks Alda. Any good example?

    With XG customers, I am struggling with troubleshooting and reporting.

    I am teaching: TCPDUMP, CONNTRACK, TAIL -F, CAT and GREP. For customers who are not Linux experts, I spend more time troubleshooting XG for them than configuring it.

    For reporting, it is a nightmare. E.g.: "Can I have a report for all traffic generated from this VLAN to this VLAN?" Take note that multiple rules exist for the same source/destination network.

    I reported most issues with reporting in another thread.

  • Hello luk,

    logs and reporting? In the case of XG, can we even think that this feature exists in this product, really?!? Indeed, as you mentioned, reporting is a nightmare. In another thread, someone in this forum mentioned that the report does not use rule names but still uses only rule numbers. I also think this is a very good example of how good reporting in XG is.
    In XG v18 it is now possible to change port names, but what a surprise, the Log viewer still uses ONLY the original system names. I reported this problem as a bug in EAP1 (October last year) and what names does the Log viewer use in XG v18 GA (second half of February this year)? What a surprise, of course, ONLY the original system names.

    I think we agree that the modification in Log viewer to use user-defined port names is only in the correct selection to the internal SQL database.

    I think we should stop lying, this product will NEVER be like UTM v9.

    Regards

    alda

  • Thanks Alda.

    Reports should use the names and not the rule ID. Remembering numbers in reporting is like remembering the www.google.com IP address instead of the DNS name.

    Anyway, with Sophos, we need to report which improvements we need for that part. I am sure that they will listen and improve logging and reporting as they did for the UI from v15 --> v16.

    Please report your experience and suggestions to the following thread:

    https://community.sophos.com/products/xg-firewall/f/logging-and-reporting/118663/reporting-and-logging-we-need-a-big-improvement-in-these-2-fields

    I am trying to collect users' experience so devs and PM can listen. I hope that someone from Sophos devs or can join this thread and the other above mentioned.

    Regards

  • Great conclusion "I think we should stop lying, this product will NEVER be like UTM v9."

    Every time I have to configure an XG, I wonder why the GUI is so...%$%&(/ and slow compared to the UTM 9.

    -) General: no standard filtering option in all masks like UTM 9 (or like under Firewall rules in v18)

    -) General: no function for showing more than 20 entries on a page

    -) General: no edit and clone button available globally

    -) General: order is random; if you create a firewall rule and want to select a source network, you have to search (if you know the exact name); if you scroll, you will find A in the middle and Y at the beginning and so on

    -) General, VPN: the manually changed name of an interface is not shown, only the port number

    -) Hosts and Services: no search function for services/ports, always search by name (if I knew the name, I would not search), so you have to click through the pages and the next-page arrow jumps around; why no navigation at the top of the pages and a search function like UTM?

    -) Object information: where is the object used

    -) Global search: find menus more easily, instead of searching under the ...

    -) Mail protection/General Settings: add TLS sender email domain. No way to add a domain. You have to go to Hosts and Services/FQDN host and add the domain, after that go back and add the domain, for real

    -) DHCP: why not prefill the DHCP range if you select the interface

    -) Network: why not add Interface Address and Network Address to the host list automatically; spoiled by the UTM

    -) Firewall rule: if you search for a word or part of a name in networks or services, it will only show results that exactly match the search term, not searching parts of the term

    -) Firewall rule: what's the meaning behind a rule position and a rule number? Why not keep it simple like, guess....UTM

    -) Firewall rule: rule number and reorder/move to position in edit firewall rule missing; always drag the rule or detach it from a group to reorder it

    -) Firewall rule: after saving a rule that is grouped, please don't collapse the group

    -) Users: sometimes the Apply/Cancel buttons are at the bottom of a page, more often after the settings

    -) Web/General Settings: Block unrecognized SSL protocols; nice to have exceptions on that, basically yes block, but not on these SSL VPN destination URLs or IPs.

    -) Web: re-categorize specific URLs, domains and IP addresses

    -) On UTM, enabling web proxy SSL scanning breaks SSL VPN client outgoing connections; that's how it should be in my opinion. On XG the VPN works through the web proxy and DPI SSL scanning. Only application block can prohibit SSL VPN outgoing client connections. Don't understand why.

    -) OpenVPN is categorised as General Internet, Risk 2 low, so if you want to block Proxy and Tunnel Risk 4 and 5 you don't block that client and users can connect

    -) Web/Exception: an import/export URLs/IPs feature like UTM is great, fast and clean import (have you tried setting up the Zoom target IP list in XG? https://support.zoom.us/hc/de/articles/201362683-Einstellungen-der-Netzwerkfirewall-oder-des-Proxy-Servers-f%C3%BCr-Zoom)

    -) Groups: when adding a new group, please autoselect surfing quota and access time, so that we can just name it and save it

    -) Groups: why can't we assign surfing quotas or access time to the built-in "Clientless Open Group"? "This non-authenticated device can only surf 1h a day" could then be realized

    -) Groups: in my opinion, there have to be 2 kinds of local groups, one for the surfing quota and that stuff, and one kind to group only the users, so that a VPN policy or a "match known users" can be assigned to just user groups (assigning users to multiple groups then has to be enabled)

    -) Users: if a user account is Admin, it is not possible to downgrade the account to user level; it has to be deleted and newly created

    -) Network: bridge SSID-VLAN with interface; VLAN interface no longer editable (ID or just the name)

    -) Backup & Firmware: show current status of configuration import. If you import the whole config, after some minutes it says "...takes long, view in log" but not in which one, how long it would take or what percentage is done.

    -) Let's Encrypt: still very nice to have it

    All of that costs time in configuring the XG firewall.

    Yes, you can create XML import files, so if you have some of them, you don't need to manually type in all your standard services.

    But it takes much longer to set up an XG with the same features as an SG, and that can only be improved by getting the GUI fixed.

     

    Regards

    Michael 
