Which fundamental features need to be re-engineered on Sophos XG

The DPI feature is a step forward. Nothing to say about it. Well done to the Sophos unit that worked hard on that. Appreciated! From my point of view, Sophos is putting features on top of features to stay up to date with the market, but we need some pillars to work. I would say:

  • Logging: the logging module is very bad. Compared to other competitors and to Sophos UTM, in most cases tcpdump and drop-packet-capture are still needed.
  • Reporting: reporting is still bad. Check the reports you can generate on UTM9 compared to XG and you see the difference.
  • Screen resolution: trial the product with an IT manager in his room where a big screen is installed and you already lose points to convince him.
  • Proper command line: when admins go into the console or need to access the advanced shell, commands are spread around without sense. Some are under system, some under set, some under show. Please consider having a proper menu. Copy the command-line style from other vendors. Right now the CLI does not make sense.
  • Delete objects: to delete an object, you still need to understand where the object is used. Imagine with hundreds of rules...
  • DHCP and DNS mapping.

The list can be lengthy with other small improvements, but in my case this is the desired list and the features that people and partners are waiting for. For other improvements like Kerberos, NAT (to be reviewed), DKIM, BATV and other small improvements, well done. I am very critical, you know, but when I have to say "well done" I am the first.

Hoping for better collaboration from Sophos staff and especially PMs, keep going.

@Community users: add your own comments.

Thanks

  • This thread comes up in every beta version and frankly other than a few of us, I don't think anyone is paying attention to what is being said (once again). A copy of this thread is probably available in v16 and v17 betas with the same wants and needs.

    Logging was implemented halfheartedly in v17 after many broken promises. At this point, to be honest, if you like XG as it is, then use it. For a home user, it's pretty nice compared to pfSense or other free offerings, mainly due to the free categorization and free AV included in the product. Otherwise other open source products are much lighter on resource usage. Why we don't have verbose logging has always been a mystery to me, and the only thing I have been able to come up with is that when Cyberoam developers were hacking together some of the daemons, they didn't make any provisions for logging, and we still can't get any daemon to spit out verbose logging. For whatever reason, Sophos has continued developing those daemons even though they had other options available to them.

    Reporting is bad compared to the other vendors that Sophos is competing against. It's not terrible, but it looks much nicer at first glance. The problem becomes apparent when you have to generate specific reports and you find out that you can't, and even the stuff you get is random IP addresses all over the place.

    I like the GUI myself, so I won't complain about the command line, but the point remains. If you are offering it, then have it organized properly with similar syntax all across the product.

    Renaming ports has been a major request since v15. We can now rename ports in the GUI, but it's not implemented anywhere else in the system. Similar to other objects that is pointing out. Every daemon is doing its own thing and there is nothing in the back end that would tie it all together and give the admin a cohesive structure all across the board, so that things can be defined or named anything one time and then used over and over anywhere as needed.

    Finally, I will say that I do like their efforts on TLS decryption without a proxy. The GUI is kind of clunky at the moment, but they are developing new under-the-hood stuff that we sometimes don't give them credit for.

    If you are reselling these, the hardware pricing is aggressive compared to other vendors in the Magic Quadrant. However, some of the Chinese manufacturers are offering appliances with similar functionality to palo**** very cheap.

  • Logging is just bad, no way around it, and it wastes more time than necessary. I think we were all hoping this release would help fix that with all the talk of "core rebuild from scratch". HA!

    Just yesterday I got to enjoy a two-hour hunt for logs that didn't exist. I never use the Email Protection, but thought I'd try to solve a problem by using the firewall as a relay for an O365 customer. Nothing in the log viewer gave me the full SMTP connection log. OK, I'll drop down to the CLI. No awarrenmta.log at all. Oh, looks like it's actually smtpd_main.log, or reject, or error, or??? None of those had the information I was looking for. So where the heck was the small bit of info we see in the GUI email log actually coming from? Couldn't figure it out and moved on. Waste of time for such a trivial task.

    I'm not one to wank. I actually really like the product and its potential. Like most, though, I think Sophos has to nail v18 to fix customer relations. Unfortunately, the early returns on v18 EAP so far have been constant threads like this from the same 7-8 users who aren't shy to voice their opinions.

    Maybe next time Sophos could get Luk et al in on the dev payroll!

    OK. I will stop ranting.

    Features I would like to see improved (not necessarily re-engineered):

    * Fully object-based like UTM. This was one of my expectations that just isn't there in this early stage. I hope it's something that is simple to add in a future MR.

    * Unified Connect VPN client (both SSL and IPsec). I was also hoping for better management of the policies in this release, but it looks like that will be a future MR or even moved to Central.

    * XG-to-XG RED interface priority/failover. I'd like the extra functionality we get when defining the type as a RED15 or RED50 to be available in an XG-to-XG deployment (so the Firewall RED Client type). Essentially, allow us to define in the RED config the primary and secondary IPs the client will connect on and how those will be used (failover or load balancing).

  • axsom1 said:

    Maybe next time Sophos could get Luk et al in on the dev payroll!

    Well, on my list was to try to get engaged by Sophos for my Computer Engineering thesis work (Secure SDLC and OWASP), but I am sure getting a week at Sophos could be difficult for them. I sent just 2 letters to 2 big companies and one accepted the request. This company does not produce firewall or anti-malware products, but until a few years ago it was in the Gartner and Forrester reports.

    I am always available to provide feedback. Sharing and comparison are the power to augment your knowledge. This is my spirit!

    Sorry for these personal words! Thanks

  • What's so frustrating about logging is that I don't think Sophos sees it as a problem. Every time I bring up logging they say pcap. One has nothing to do with the other. I can't tell the user to send me the email again so I can capture their packets. To me, a pcap capture is the last thing I ever want to do. Nice detailed logging solves 99.9% of the problems very easily. Logging improvements have been discussed to no end on these forums. I am sure the decision not to prioritize logging and reporting is something internal that we are not aware of.

    I am not going to say too much on the complete rewrite of XG, as I don't know who started the complete rewrite "NEWS", nor am I going to comment on the new NAT enhancements. NAT is not something we should be discussing in 2019 on a Linux firewall is all I am saying on the topic.

    That's why you are the terminator. You keep on going and never give up. Some of us are not as persistent, and we can only give the same feedback so many times (some of which is being deleted lately). Only Sophos can decide where they see themselves as a company in the next few years.