What is still missing on v18

Is IKEv2 Remote Access an option now with v18?  Haven't had a change to test v18 just yet.

Hi Ryan, IKEv2 has not been implemented yet for remote access VPN.

I add even the feature to change port. Now if you are running a network on port A 1 Gb network and the customer upgrades the switch where XG is connected to 10 Gb, to change the port without losing the configuration is a nightmare. You need to use sql commands to change references inside psql.

Hello luk,

yes, changing the configuration that takes a maximum of 5 minutes on UTM v9 can take a whole day with XG v17/18 !!! I can confirm from my very recent experience.

Regards

alda

Thanks Alda. Any good example?

With XG Customers, I am struggling with troubleshooting and report.

I am teaching: TCPDUMP, CONNTRACK, TAIL -F, CAT and GREP. Customers which are not Linux expert, I spent more time for them to troubleshooting XG than configuring.

For reporting, it is a nightmare. I.E: "Can I have a report for all traffic generated from this VLAN to this VLAN?" Take note multiple rules exist from the same source/destination network.

I reported the most issue with reporting in another thread.

Hello luk,

logs and reporting? In the case of XG, we can even think that this feature exists in this product, really?!? Indeed, as you mentioned, reporting, it is a nightmare. In another thread, someone in this forum mentioned that the report does not use rule names but still uses only rule numbers. I also think a very good example of how good reporting in XG is.
In XG v18 it is now possible to change port names, but what a surprise, the Log viewer still uses ONLY the original system names. I reported this problem as a bug in EAP1 (October last year) and what names does the Log viewer use in XG v18 GA (second half of February this year)? What a surprise, of course, ONLY the original system names.

I think we agree that the modification in Log viewer to use user-defined port names is only in the correct selection to the internal SQL database.

I think we should stop lying, this product will NEVER be like UTM v9.

Regards

alda

Thanks Alda.

Reports should use the names and not the rule id. Remembering numbers in reporting is like remembering the www.google.com IP address instead of the dns name.

Anyway, with Sophos, we need to report which improvements we need for that part. I am sure that they will listen and improve logging and reporting as they did for UI v15 --> v16.

Please report your experience and suggestions to the following thread:

https://community.sophos.com/products/xg-firewall/f/logging-and-reporting/118663/reporting-and-logging-we-need-a-big-improvement-in-these-2-fields

I am trying to collect users' experience so devs and PM can listen. I hope that someone from Sophos devs or PMParth can join this thread and the other above mentioned.

Regards

Great conclusion "I think we should stop lying, this product will NEVER be like UTM v9."

Every time i have to configure a XG, i wonder why the gui is so...%$%&(/ and slow compared to the UTM 9.

-) General: no standard filtering option in all masks like UTM 9 (or like under Firewall rules in v18)

-) General: no function for showing more than 20 entries on an page

-) General: no edit and clone button available, globally

-) General: order is random, if you create a firewall rule and want to select a source network, you have to search (if you know the exact name), if you scroll, you will find A in the middle and y at the beginning and so on

-) General, VPN: the manually changed name of an interface is not shown, only the Portnumber

-) Host and Services: no search function for Service/Ports, always search for the name (if i knew the name, i would not search), so you have to klick through the pages and the next page arrow jumps around, why no navigation at the top of the pages and a search function like UTM.

-) Object information, where is the object used

-) Global search, easier find menus, instead search under the ...

-) Mailprotection/General Settings: add TLS sender email domain. No way to add a domain. You have to go to the hosts and services/fqdn host and add the domain, after that go back an add the domain, for real

-) DHCP: why not prefill the DHCP Range if you select the interface

-) Network: why not adding Interface Address and Network Address to host list automatically, spoiled by the utm

-) Firewall rule: if you search for a word or part of a name in networks or services, it will only show results that exactly matches the search term, not searching parts of the term

-) Firewall rule: whats the meaning behind a rule position and a rule number. why not keeping it simple like guess....UTM

-) Firewall rule: rule number and reorder/move to position in edit firewall rule missing, always drag the rule or detach it from a group to reorder it

-) Firewall rule: after saving a rule that is grouped, please don´t collaps the group

-) Users: sometimes the Apply, Cancel button is at the bottom of an page, more often after the settings

-) Web/General Settings: Block unrecognized SSL protocols, nice to have exceptions on that, basically yes block, but not on these ssl vpn destination urls or ips.

-) Web: re-categorized specific URL, domains and IP address

-) on UTM, enabled Webproxy SSL Scanning breaks SSL-VPN client outgoing connections, thats how it should be in my opinion, on XG the vpn works through Webproxy and DPI ssl scanning. Only Application block can prohibit ssl vpn outgoing client connections. Don´t understand why.

.) OpenVPN is categorised as general internet Risk 2 low, so if you want to block Proxy and Tunnel Risk 4 and 5 you don´t block that client and users can connect 

-) Web/Exception: import/Export URLs/IPs feature like UTM is great, fast and clean import (have you tried setting up Zoom target IP List in XG https://support.zoom.us/hc/de/articles/201362683-Einstellungen-der-Netzwerkfirewall-oder-des-Proxy-Servers-f%C3%BCr-Zoom)

-) Groups: add a new group, please autoselect surfing quota and access time, so that we can only name it and save it 

-) Groups: why cant we assign Surfing Quotas or Access time to build in "Clientless Open Group", this non authenticated device can only surf 1h a day could then be realized

-) Groups: in my opinion, there has to be 2 kind of local groups, one for the surfing quota and that stuff, and one kind to group only the users, so that a VPN-Policy or a match known users can be assigned to just user-groups, (user assigning to multiple groups has then to be enabled)

-) Users: if a useraccount is Admin, not possible to degrade the account to user level, has to be deleted and newly created

-) Network: bridge SSID-VLAN with Interface, vlan interface no longer editable (ID or just the name)

-) Backup & Firmware: show current status of configuration import. If you import the whole config, after some minutes it says "...takes long, view in log" but not in which one and how long it would take or how many percentages are done.

-) Letsencrypt still very nice to have it

All of that costs time in configuring the xg firewall.

Yes you can create XML import files, so if you have some of them, you don´t need to manually type in all your std. Services.

But it takes much time longer to set up a XG with the same features like SG, and that can only be improved by getting the gui fixed.

Regards

Michael 

Great conclusion "I think we should stop lying, this product will NEVER be like UTM v9."

Every time i have to configure a XG, i wonder why the gui is so...%$%&(/ and slow compared to the UTM 9.

-) General: no standard filtering option in all masks like UTM 9 (or like under Firewall rules in v18)

-) General: no function for showing more than 20 entries on an page

-) General: no edit and clone button available, globally

-) General: order is random, if you create a firewall rule and want to select a source network, you have to search (if you know the exact name), if you scroll, you will find A in the middle and y at the beginning and so on

-) General, VPN: the manually changed name of an interface is not shown, only the Portnumber

-) Host and Services: no search function for Service/Ports, always search for the name (if i knew the name, i would not search), so you have to klick through the pages and the next page arrow jumps around, why no navigation at the top of the pages and a search function like UTM.

-) Object information, where is the object used

-) Global search, easier find menus, instead search under the ...

-) Mailprotection/General Settings: add TLS sender email domain. No way to add a domain. You have to go to the hosts and services/fqdn host and add the domain, after that go back an add the domain, for real

-) DHCP: why not prefill the DHCP Range if you select the interface

-) Network: why not adding Interface Address and Network Address to host list automatically, spoiled by the utm

-) Firewall rule: if you search for a word or part of a name in networks or services, it will only show results that exactly matches the search term, not searching parts of the term

-) Firewall rule: whats the meaning behind a rule position and a rule number. why not keeping it simple like guess....UTM

-) Firewall rule: rule number and reorder/move to position in edit firewall rule missing, always drag the rule or detach it from a group to reorder it

-) Firewall rule: after saving a rule that is grouped, please don´t collaps the group

-) Users: sometimes the Apply, Cancel button is at the bottom of an page, more often after the settings

-) Web/General Settings: Block unrecognized SSL protocols, nice to have exceptions on that, basically yes block, but not on these ssl vpn destination urls or ips.

-) Web: re-categorized specific URL, domains and IP address

-) on UTM, enabled Webproxy SSL Scanning breaks SSL-VPN client outgoing connections, thats how it should be in my opinion, on XG the vpn works through Webproxy and DPI ssl scanning. Only Application block can prohibit ssl vpn outgoing client connections. Don´t understand why.

.) OpenVPN is categorised as general internet Risk 2 low, so if you want to block Proxy and Tunnel Risk 4 and 5 you don´t block that client and users can connect 

-) Web/Exception: import/Export URLs/IPs feature like UTM is great, fast and clean import (have you tried setting up Zoom target IP List in XG https://support.zoom.us/hc/de/articles/201362683-Einstellungen-der-Netzwerkfirewall-oder-des-Proxy-Servers-f%C3%BCr-Zoom)

-) Groups: add a new group, please autoselect surfing quota and access time, so that we can only name it and save it 

-) Groups: why cant we assign Surfing Quotas or Access time to build in "Clientless Open Group", this non authenticated device can only surf 1h a day could then be realized

-) Groups: in my opinion, there has to be 2 kind of local groups, one for the surfing quota and that stuff, and one kind to group only the users, so that a VPN-Policy or a match known users can be assigned to just user-groups, (user assigning to multiple groups has then to be enabled)

-) Users: if a useraccount is Admin, not possible to degrade the account to user level, has to be deleted and newly created

-) Network: bridge SSID-VLAN with Interface, vlan interface no longer editable (ID or just the name)

-) Backup & Firmware: show current status of configuration import. If you import the whole config, after some minutes it says "...takes long, view in log" but not in which one and how long it would take or how many percentages are done.

-) Letsencrypt still very nice to have it

All of that costs time in configuring the xg firewall.

Yes you can create XML import files, so if you have some of them, you don´t need to manually type in all your std. Services.

But it takes much time longer to set up a XG with the same features like SG, and that can only be improved by getting the gui fixed.

Regards

Michael 

Thanks Michael for your long feedback!