Which fundamental features need to be re-engineered on Sophos XG

DPI feature is a step forward. Nothing to say about it. Well done to the Sophos unit that worked hard on that. Appreciated! From my point of view Sophos is putting features and features on top to stay updated with the market but we need some pillars to work. I would say:

  • Logging: the logging module is very bad. Compared to other competitors and to Sophos UTM, in most cases, tcpdump and drop-packet-capture are still needed.
  • Reporting: reporting is still bad. Check the reports you can generate on UTM9 compared to XG and you see the difference.
  • Screen resolution: trial the product with an IT manager in his room where a big screen is installed and you already lose points to convince him.
  • Proper command line: when admins go in the console or they need to access the advanced shell, commands are spread around without sense. Some are under systems, some under set, some under show. Please consider having a proper menu. Copy the command-line style from other vendors. Right now the CLI does not make sense.
  • Delete objects: to delete an object, you still need to understand where the object is used. Imagine with hundreds of rules...
  • DHCP and DNS mapping

The list can be lengthy with other small improvements but in my case, this is the desired list and the features that people and partners are waiting for. For other improvements like Kerberos, NAT (to be reviewed), DKIM, BATV and other small improvements, well done. I am very critical, you know, but when I have to say "well done" I am the first.

Hope for a better collaboration from Sophos staff and especially PM, keep going.

@Community users: add your own comments.

Thanks

  • Logging is just bad, no way around it, and it wastes more time than necessary. I think we were all hoping this release would help fix that with all the talk of "core rebuild from scratch". HA!

    Just yesterday I got to enjoy a two hour hunt for logs that didn't exist. Never use the Email protection but thought I'd try to solve a problem by using the firewall as a relay for an O365 customer. Nothing in the log viewer that gave me the full SMTP connection log, OK, will drop down to the CLI. No awarrenmta.log at all. Oh, looks like it's actually smtpd_main.log or reject, or error, or??? None of those had the information I was looking for. So where the heck was the small bit of info we see in the GUI email log actually coming from? Couldn't figure it out and moved on. Waste of time for such a trivial task.

    I'm not one to wank. I actually really like the product and its potential. Like most though, I think Sophos has to nail v18 to fix customer relations. Unfortunately, the early returns on v18 EAP so far have been constant threads like this from the same 7-8 users who aren't shy to voice their opinions.

    Maybe next time Sophos could get Luk et al in on the dev payroll!

    OK.  I will stop ranting.

    Features I would like to see improved (not necessarily re-engineered):

    * Fully object based like UTM. This was one of my expectations that just isn't there in this early stage.  I hope it's something that is simple to add in a future MR.

    * Unified Connect VPN client (both SSL and IPSec).  Also was hoping for better management of the policies in this release, but looks like that will be a future MR or even moved to Central.

    * XG to XG RED interface priority/failover. I'd like for the extra functionality we get when defining the type as a RED15 or RED50 to be available in an XG to XG deployment (so Firewall RED Client type). Essentially, allow us to define in the RED config the primary and secondary IPs the client will connect on and how those will be used (failover or load balancing).

  • axsom1 said:

    Maybe next time Sophos could get Luk et al in on the dev payroll!

    Well, in my list was to try to be engaged by Sophos for my Computer Engineering Thesis work (Secure SDLC and OWASP) but I am sure getting a week in Sophos could be difficult for them. I sent just 2 letters to 2 big companies and one accepted the request. This company does not produce Firewall or Anti-malware products but until a few years ago it was in the Gartner and Forrester.

    I am always available to provide feedback. Sharing and comparison are the power to augment your knowledge. This is my spirit!

    Sorry for these personal words! Thanks

  • What's so frustrating about logging is that I don't think Sophos sees it as a problem. Every time I bring up logging they say pcap. One has nothing to do with the other. I can't tell the user to send me the email again so I can capture their packets. To me pcap capture is the last thing I ever want to do. Nice detailed logging solves 99.9% of the problems very easily. Logging improvements have been discussed to no end on these forums. I am sure the decision not to prioritize logging and reporting is something internal that we are not aware of.

    I am not going to say too much on the complete rewrite of XG as I don't know who started the complete rewrite "NEWS" nor am I going to comment on the new NAT enhancements. NAT is not something we should be discussing in 2019 on a Linux firewall is all I am saying on the topic.

    That's why you are the terminator. You keep on going and never give up. Some of us are not as persistent and we can only give the same feedback so many times (some of which is being deleted lately). Only Sophos can decide where they see themselves as a company in the next few years.

  • Thank you very much for very crisp feedback.

    Based on our partners', customers' and community feedback, we have been improving the log viewer with every release - storage of logs, structured filter and free text search, raw logs, flexible column selection and actionable logs are a series of capability and usability enhancements we have implemented in the last few releases. Plus, syslogs in XG v18 are now standardized and completely redone. Underlying logging module improvement is pretty high on the priority list and is on our immediate roadmap.

    XG v18 brings Central Firewall Reporting that will further enhance reporting capability for XG firewall.

    Improvements in command line, DHCP-PD, Object Searching (global search and based on Object value) and Object referencing are also high on the priority and on our roadmap.

    Thank you. Parth.

  • Thanks,

    for replying here. I hope you understand what we are trying to say about logging. We need all the logging we have through the command line with tail, conntrack and so forth, in the GUI.

    I hope it is CLEAR and if it is not, feel free to contact me and discuss it. Now logging through the UI is 90% useless.

  • For me coming from both Cisco ASA and Sonicwall (previous companies I worked for), the logging in XG is a disaster. I recommended some UI enhancements here.

    https://ideas.sophos.com/forums/330219-xg-firewall/suggestions/39048526-major-xg-log-improvements

    ~Mike

  • Thanks Mike for adding your comment and, more important, your "migration experience".

  • Believe it or not, not having DHCP/ automatic DNS mapping (reverse DNS etc) is one reason I recently stopped installing Sophos XG at new small business customers of mine. I skipped two new office installs which Sophos could have had recurring revenue on just because of this last month. Went with a competitor.

    Embarrassing to install something that doesn't offer this incredibly basic feature that even free routers from home ISPs come with.

    Imagine my predicament: I install firewalls, and I need to run vulnerability scans once in a while at lots of small business networks. The scanners could not reverse resolve hostnames via the XG so I went with competitor firewalls. I even tried v18 but even then it's not in there.

  • Hello apalm123,

    could you inspire us please, what firewall competitor did you use?

    Regards

    alda

  • Honestly untangled it. It does absolutely all the basics that Sophos doesn't cover because Sophos is so focused on "BLEEDING EDGE YAH!" and oh yeah it does IPS, Web Filtering, and all the other basics that small businesses really just need. And I don't have to baby it with little commands all the time to fix basic things from breaking like DHCP. For me it's saved me a ton of time, but I'm still keeping my eyes on Sophos but I've pushed it way to the back burner now that I'm untangling until Sophos maybe gets their act together. Still love the Sophos Intercept-X etc.