Functionality going from UTM to SFOS - got a map?

I am going from using UTM for years, to SFOS v20 on XGS 3300 hardware.

I haven't been able to find any reference that would map functionality from UTM to SFOS.

Does such a thing even exist?

Thanks!



This thread was automatically locked due to age.
  • I don't have an official "map" handy but for the most part all the features in UTM are in SFOS now (plus some, of course).  The primary things that are notably missing (but easily worked around) are no support for Let's Encrypt as done in the UTM (certificate management), and no NTP server.  I've converted a bunch of these (we are a Platinum MSP/Partner) and haven't run into any roadblocks to conversion (the two "issues" I mention here aren't really of concern in the commercial customer environment for the most part).

    CTO, Convergent Information Security Solutions, LLC

    https://www.convergesecurity.com

    Sophos Platinum Partner

    --------------------------------------

    Advice given as posted on this forum does not construe a support relationship or other relationship with Convergent Information Security Solutions, LLC or its subsidiaries.  Use the advice given at your own risk.

  • Also, IPv6 functionality is not up to UTM level.

    Ianb

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • I switched from UTM to SFOS a while back. Some things that are functionally different right off the bat:

    1. In the UTM it is very easy to assign static hosts from the DHCP leases. You can assign static IP addresses to devices even within the DHCP lease range. With SFOS it's a bit more difficult as the static hosts have to be outside of the DHCP lease range and must be manually entered by copying MAC addresses.

    2. In the UTM, you can "drag and drop" host objects into different fields to include or exclude devices from things like firewall and IPS rules.

    3. Things are generally easier to do in the UTM, but SFOS has many more security enhancements (such as DPI HTTPS inspection instead of just using the transparent proxy like the UTM has). SFOS has the built-in "Sophos Assistant" and NAT/VPN setup wizards. But some things could be made easier, like creating static hosts, and being able to use FQDN as DNS forwarders.

  • First of all: I want to highlight the migration script by Sophos to get the "busy work" done: https://github.com/sophos/Sophos-Migration-Utility-CLI This tool is essentially a script to migrate stuff from UTM, like host objects etc., and gives you an XML import file for the firewall.

    You can't migrate things which are different in SFOS, like firewall rules (UTM rules make no sense in SFOS, as SFOS approaches zones differently).

    Points from  are valid, if you face them. For example: Customers of your size often use a DHCP server, therefore a DHCP static mapping is not applicable.
    Drag & Drop is more a "how do you like to do it" feeling. You can search in the field of SFOS to "click" it and not drag and drop. 
    Easier or complicated is more a discussion in terms of "Are you used to a different approach". 

    Things to notice from  : NTP Server can be done by an NTP Server workaround:  Sophos Firewall: Using NAT to achieve NTP proxy like functionality
    Let's Encrypt is more for the WAF features, depends if you use WAF on UTM or not. In SFOS the WAF subscription is excluded from the bundle, as customers start to not opt in for it anymore.

    Most, if not all, feature gaps are tracked by Sophos internally and considered to be addressed in the future (or not), depending on the needs and the time to invest. For example, an NTP server on the firewall is easily worked around, and the time needed to build a fully featured NTP server and harden the system (as it is a service the firewall services, you have to harden the system) is much higher than the potential outcome.