
You really don't want to buy an appliance without disk

We have an XGS87 which has experienced lock-up and reboot issues since SFOS v21 came out. Sophos is working hard on finding the problem, and I give the trouble-shooting personnel full credit.

BUT it has led me to believe that it's a crucial mistake to buy an appliance without a dedicated storage drive. Why? You don't get on-device reporting, but you can use Sophos Central for that. So...

THE issue is that debugging a crashing issue is going to involve Sophos personnel logging things and the XGS87 (and I guess second-generation bottom-of-the-line appliances) doesn't have a separate storage device. So: a) some logs are lost, b) after a reboot you can recover some logs but you have to act quickly, and MOST IMPORTANTLY c) if the logging is extensive enough to fill the tiny pseudo-disk, it will halt everything and rebooting will not fix this and you eventually have to go in via the serial console and find that log file and delete it. (You can boot off of the other image, but you need to rescue the one in which the disk went to 100% usage.)

So I would never buy an XGS without a separate, and reasonably-sized storage drive. It makes marketing sense, I guess, for a small branch office, but if anything serious goes wrong, you're hosed. For example, the current process logging that Sophos is doing to figure out the kernel panic will fill the pseudo-disk in 24-30 hours, which will in itself take down the appliance.

(I also have a suspicion that something in SFOS v21 is not happy with diskless appliances and so the XGS87 is incapable of running SFOS v21, but that's just a suspicion on my part at this point.)



Added TAGs
[edited by: Erick Jan at 12:25 AM (GMT -8) on 16 Dec 2024]
  • Upgraded to an XGS108, which has 6GB of RAM (XGS87 had 4GB) and which also has 64GB of UFS storage. Way, way better option. From least-important to most-important:

    5. Dual power isn't generally useful without an infrastructure to support it, but it was nice in the process of replacing the XGS87, letting me switch from the XGS108's power adapter to the XGS87's when I moved it into place. (Turns out they use the same-spec adapter, and the XGS87's was already routed as I wanted.)

    4. More ports is nice. XGS87 had 4 ports + SFP (which I got an inexpensive ethernet adapter for), but XGS108 has 6 ports + SFP so potentially 7 ports. (XGS88 would have been a downgrade port-wise with only 4 and no SFP.)

    3. On-device reporting is nice and there are some reports that would take a bit of work to figure out how to do in Sophos Central. And they're pretty. But not as flexible as Sophos Central's SQL-like approach. There are definitely things you can do in SC that you can't do on-device. Though I do like on-device reports as an additional capability. (And it fills that part of the main display.)

    2. Side-effect of on-device reporting is much more room for on-device logging. So now I really can look back a couple of days rather than just a matter of hours in the logs.

    1. RAM usage looks pretty stable and is staying below 70% so far, while Snort goes out of control on the XGS87 and keeps growing. Not sure if there was some kind of corruption in the Snort patterns at some point and it stuck, or if my appliance got a corruption in its Snort database... or if there is something where if memory grows too fast around 80%, SFOS messes up and can't really recover effectively. At any rate, more RAM (and more powerful CPU and more ports) is better. At any rate, I'm running a third-party threat feed as well and still staying stable.

    0. If there are problems in the future, I'll actually be able to capture logs over a period of many days to help debug, rather than losing some logs on crash/reboot or not having the space to run extra logging for more than a couple of days. (On the XGS87, at one point Sophos was logging output from atop and after 2-3 days it filled the tiny storage, rendering the appliance inoperative until I got in via the serial port and deleted the log, for example.)

    So 50% more RAM, 3x the throughput (due to significantly faster CPU, perhaps 4-core instead of the XGS' 2-core), and having sufficient on-device memory is wonderful.
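
The failure mode described in this thread (extended diagnostic logging filling a small storage area until the device stops) is what a size-capped capture guards against. The following is an added example, not code from the posters or from Sophos: it is generic POSIX shell rather than SFOS tooling, and the log path, byte cap and free-space floor are assumed parameters.

```shell
#!/bin/sh
# Added example: bounded diagnostic capture, generic POSIX shell (not SFOS tooling).
# Log path, byte cap and free-space floor are assumed values chosen by the operator.

# Free space in KiB on the filesystem that holds directory $1.
free_kib() {
    df -Pk "$1" | awk 'NR==2 {print $4}'
}

# Size of file $1 in bytes, or 0 if it does not exist.
file_bytes() {
    if [ -f "$1" ]; then
        wc -c < "$1" | tr -d ' '
    else
        echo 0
    fi
}

# capped_capture LOG MAX_BYTES MIN_FREE_KIB
# Appends stdin to LOG line by line. Once LOG reaches MAX_BYTES it is moved
# to LOG.1 (replacing the older copy), so the capture never holds more than
# about 2 * MAX_BYTES. Returns 3, writing nothing further, when free space
# falls below MIN_FREE_KIB (checked on the first line and every 100 lines).
capped_capture() {
    log=$1 max=$2 floor=$3
    dir=$(dirname "$log")
    n=0
    while IFS= read -r line; do
        if [ $((n % 100)) -eq 0 ] && [ "$(free_kib "$dir")" -lt "$floor" ]; then
            return 3
        fi
        if [ "$(file_bytes "$log")" -ge "$max" ]; then
            mv -f "$log" "$log.1"
        fi
        printf '%s\n' "$line" >> "$log"
        n=$((n + 1))
    done
    return 0
}

# Hypothetical usage (command name and values are placeholders):
#   some_diag_command | capped_capture /tmp/diag.log 5000000 20000
```

The trade-off is that older samples are discarded, so the cap should be sized to cover the expected interval between crashes.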
