
You really don't want to buy an appliance without disk

We have an XGS87 which has experienced lock-up and reboot issues since SFOS v21 came out. Sophos is working hard on finding the problem, and I give the trouble-shooting personnel full credit.

BUT it has led me to believe that it's a crucial mistake to buy an appliance without a dedicated storage drive. Why? You don't get on-device reporting, but you can use Sophos Central for that. So...

THE issue is that debugging a crashing issue is going to involve Sophos personnel logging things and the XGS87 (and I guess second-generation bottom-of-the-line appliances) doesn't have a separate storage device. So: a) some logs are lost, b) after a reboot you can recover some logs but you have to act quickly, and MOST IMPORTANTLY c) if the logging is extensive enough to fill the tiny pseudo-disk, it will halt everything and rebooting will not fix this and you eventually have to go in via the serial console and find that log file and delete it. (You can boot off of the other image, but you need to rescue the one in which the disk went to 100% usage.)

So I would never buy an XGS without a separate, and reasonably-sized storage drive. It makes marketing sense, I guess, for a small branch office, but if anything serious goes wrong, you're hosed. For example, the current process logging that Sophos is doing to figure out the kernel panic will fill the pseudo-disk in 24-30 hours, which will in itself take down the appliance.

(I also have a suspicion that something in SFOS v21 is not happy with diskless appliances and so the XGS87 is incapable of running SFOS v21, but that's just a suspicion on my part at this point.)



Added TAGs
[edited by: Erick Jan at 12:25 AM (GMT -8) on 16 Dec 2024]
  • I can purchase an SD card or USB, etc. for < $20. Value engineers seem to have taken cost cutting way too far. I would not invest in a Cheap security device. The savings are lost when problems come about.

  • Basically this is an approach by a lot of vendors out there. 

    SFOS is only doing it on the entry model (XG85-XGS88). The other models always have a disk. I think the XG85 was introduced in 2015, so nearly 10 years now, and the issues are small compared to the advantages. 

    XGS88 is also used as a replacement for RED, which has the same "tech specs", like no disk. But at least a full webadmin and management for the appliance. 

    Sophos is also looking into those situations (kernel panics etc.). But the goal is to resolve kernel panics and not to store them forever. 


  • I totally agree with you—having dedicated storage on an appliance is essential, especially for logging and troubleshooting. Without it, important logs can get lost, and things can break down fast when storage fills up. Your suspicion about SFOS v21 not playing well with diskless appliances makes sense, and hopefully, Sophos can fix that soon. If stability is a priority, looking into models with dedicated storage might be worth it. Hope they get this sorted out!

  • Popular or not, I would highly recommend not buying a diskless appliance. I do appreciate that -- as you note -- Sophos is working hard on the bug, but it's been a LOT of wasted time trying to identify the reason. And diskless is the main cause of that.

    Also, it's not clear that there's a solution to the kernel panic. Last I heard, it seems like it is just plain running out of RAM and there's minimal memory leaking. I'm looking at upgrading to an XGS108, which has a disk, and therefore can be debugged more straightforwardly and can dip into swap if it needs it during a memory surge. The XGS108 is overkill for a home user, but diskless is a newbie trap.

  • Upgraded to an XGS108, which has 6GB of RAM (XGS87 had 4GB) and which also has 64GB of UFS storage. Way, way better option. From least-important to most-important:

    5. Dual power isn't generally useful without an infrastructure to support it, but it was nice in the process of replacing the XGS87, letting me switch from the XGS108's power adapter to the XGS87's when I moved it into place. (Turns out they use the same-spec adapter, and the XGS87's was already routed as I wanted.)

    4. More ports is nice. XGS87 had 4 ports + SFP (which I got an inexpensive ethernet adapter for), but XGS108 has 6 ports + SFP so potentially 7 ports. (XGS88 would have been a downgrade port-wise with only 4 and no SFP.)

    3. On-device reporting is nice and there are some reports that would take a bit of work to figure out how to do in Sophos Central. And they're pretty. But not as flexible as Sophos Central's SQL-like approach. There are definitely things you can do in SC that you can't do on-device. Though I do like on-device reports as an additional capability. (And it fills that part of the main display.)

    2. Side-effect of on-device reporting is much more room for on-device logging. So now I really can look back a couple of days rather than just a matter of hours in the logs.

    1. RAM usage looks pretty stable and is staying below 70% so far, while Snort goes out of control on the XGS87 and keeps growing. Not sure if there was some kind of corruption in the Snort patterns at some point and it stuck, or if my appliance got a corruption in its Snort database... or if there is something where if memory grows too fast around 80%, SFOS messes up and can't really recover effectively. At any rate, more RAM (and more powerful CPU and more ports) is better. At any rate, I'm running a third-party threat feed as well and still staying stable.

    0. If there are problems in the future, I'll actually be able to capture logs over a period of many days to help debug, rather than losing some logs on crash/reboot or not having the space to run extra logging for more than a couple of days. (On the XGS87, at one point Sophos was logging output from atop and after 2-3 days it filled the tiny storage, rendering the appliance inoperative until I got in via the serial port and deleted the log, for example.)

    So 50% more RAM, 3x the throughput (due to significantly faster CPU, perhaps 4-core instead of the XGS' 2-core), and having sufficient on-device memory is wonderful.