Which fundamental features need to be re-engineered on Sophos XG

The DPI feature is a step forward. Nothing to say about it. Well done to the Sophos unit that worked hard on that. Appreciated! From my point of view Sophos is putting features upon features on top to stay updated with the market, but we need some pillars to work. I would say:

  • Logging: the logging module is very bad. Compared to other competitors and to Sophos UTM, in most cases tcpdump and drop-packet-capture are still needed.
  • Reporting: reporting is still bad. Check the reports you can generate on UTM9 compared to XG and you see the difference.
  • Screen resolution: trial the product with an IT manager in his room where a big screen is installed and you already lose points to convince him.
  • Proper command line: when admins go into the console or need to access the advanced shell, commands are spread around without sense. Some are under systems, some under set, some under show. Please consider having a proper menu. Copy the command-line style from other vendors. Right now the CLI does not make sense.
  • Delete objects: to delete an object, you still need to understand where the object is used. Imagine with hundreds of rules...
  • DHCP and DNS mapping

The list can be lengthy with other small improvements, but in my case this is the desired list and the features that people and partners are waiting for. For other improvements like Kerberos, NAT (to be reviewed), DKIM, BATV and other small improvements, well done. I am very critical, you know, but when I have to say "well done" I am the first.

Hope for a better collaboration from Sophos staff and especially PM; keep going.

@Community users: add your own comments.

Thanks

  • Untangle has a very nice reporting that Sophos could copy from.

  • Was the only reason you went with Untangle that the XG didn't do reverse DNS entries for hostnames based off of DHCP?

    Did the Customer not have a DHCP capable domain controller?

    What other reasons did you have?

    Emile

  • Where I'm at, there's lots of small businesses and I like putting my firewall/SOHO router of choice in, so when I drop it in, that's really the only device they need. I want to be able to walk away, go to my next customer, and drop another network in there. No messing with servers.

    Most small businesses starting up, at least in the San Francisco Bay Area, CA, have ZERO on-prem equipment except a switch. This is the NEW NORM for modern businesses, especially where I live and work. It should be 100% capable of being a standard SOHO router before being an NSA secure cyber device, in my opinion. Sophos needs to establish a target market, and if it's not going to be small businesses in the cloud age, it needs to focus on enterprise. Because no one is installing servers here, not even a Windows DC; it's been this way for 5 years already.

    Yes, if I worked for a business, a single business only, I'd be able to implement a separate DNS server and this wouldn't be an issue, but that's not how things are done for small business in the Bay Area: every small business uses an outsourced IT provider like myself. And Sophos isn't thinking about this at all. They did well with the whole MSP monthly subscription model, and I do use that for AV. But XG just isn't a SOHO; it's trying to be something totally different, and missing the mark that I need.

  • Is it just reverse DNS lookups as part of your pen test/vulnerability scanning that was the deciding factor, though?

    Discounting all that's discussed about what the XG is or isn't trying to be, I want to understand the reason for going with an Untangle and whether it was just that feature.

    Emile

  • Yes, that was the final straw. That missing feature alone. Let's say I'm building a business where I scan all of my customers' networks 4 times a year. You can see how reconciling 40 device IPs to hostnames for a simple report manually, 4 times a year, for 15 customer locations, is a huge waste of time.

    Same with the reporting/logs: where are the hostnames? Sophos has said this is possible for 3 years, and shot down the feature request, but everyone in the comments says otherwise. https://ideas.sophos.com/forums/330219-xg-firewall/suggestions/16036801-resolve-private-ip-addresses-in-reports-to-hostnam

  • See this thread for ongoing frustrations and over 100 upvotes for that feature as well. I am not the only one. https://ideas.sophos.com/forums/330219-xg-firewall/suggestions/13893411-sync-dns-with-dhcp-leases?tracking_code=080bde06f73387ab00816c9910d5d57c I was waiting for v18 and had 3 deals in the pipeline where customers needed firewalls, but after v18 came out with no mention of it in any release notes, for the next 3 versions, I dropped XG. Not sure how they can overlook this issue. To be fair, someone from Sophos did reach out to me in a PM and they are adding it to the roadmap now.

  • Thanks Apalm123 for your input. The feature requests expressed here should not require a lot of time in the development phase (if the design is rock solid). Testing requires time, but all of these features must be included in 18.5.

    If you think about it, the interface port rename is just a new column inside the psql table, and the port name is still not used in firewall rules or other XG sections. Linking tables through primary keys is not so difficult.

    In the DNS case, I am not sure that a DHCP table exists, while the DHCP leases are in the /tmp folder. I will investigate!

    Regards
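As an added example (not from this thread and not Sophos code), here is the DHCP-to-hostname mapping the posts above are asking for, done by hand: build an IP-to-hostname table from a DHCP leases file and annotate firewall log lines with it, skipping expired leases and clients that sent no hostname. The dnsmasq-style leases format and the key=value log lines are constructed assumptions, not XG's actual lease storage or log output.

```python
import re
from typing import Dict, List

# Constructed dnsmasq-style leases: "<expiry-epoch> <mac> <ip> <hostname> <client-id>".
# XG's own lease storage is not shown in the thread; this format is an assumption.
LEASES = """\
1700003600 aa:bb:cc:00:00:01 192.168.1.20 laptop-jane 01:aa:bb:cc:00:00:01
1700003600 aa:bb:cc:00:00:02 192.168.1.21 printer-lobby *
1700003600 aa:bb:cc:00:00:03 192.168.1.22 * *
1699990000 aa:bb:cc:00:00:04 192.168.1.23 stale-host *
"""

# Constructed XG-style key=value log lines (not real appliance output).
LOG_LINES = [
    'log_type="Firewall" status="Allow" src_ip=192.168.1.20 dst_ip=8.8.8.8 dst_port=53',
    'log_type="Firewall" status="Deny" src_ip=192.168.1.23 dst_ip=192.168.1.21 dst_port=445',
    'log_type="Firewall" status="Allow" src_ip=192.168.1.99 dst_ip=1.1.1.1 dst_port=443',
]

IP_FIELD = re.compile(r"\b(src_ip|dst_ip)=(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_leases(text: str, now: int) -> Dict[str, str]:
    """Map IPs of active leases to hostnames; drop expired leases and '*' (no name sent)."""
    table: Dict[str, str] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed or blank line
        expiry, ip, hostname = int(parts[0]), parts[2], parts[3]
        if expiry <= now or hostname == "*":
            continue
        table[ip] = hostname
    return table


def enrich(line: str, table: Dict[str, str]) -> str:
    """Append the leased hostname, as ip(hostname), to each IP field with an active lease."""
    def sub(m: "re.Match[str]") -> str:
        name = table.get(m.group(2))
        return m.group(0) if name is None else f"{m.group(1)}={m.group(2)}({name})"
    return IP_FIELD.sub(sub, line)


def enrich_all(now: int = 1700000000) -> List[str]:
    table = parse_leases(LEASES, now)
    return [enrich(line, table) for line in LOG_LINES]


if __name__ == "__main__":
    for out in enrich_all():
        print(out)
```

An expired lease (192.168.1.23) is deliberately left unresolved, since a stale lease would attribute traffic to the wrong device.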

  • Selecting objects in rules is still a pain. My customers mostly have more than 200 objects. I can only view 5 objects at a time. Using the small scrollbar and the "Search" function without a substring search is a punishment for an administrator.

    This could be simply changed with some web programming!

  • I guess this is something that XG will fix when they move from the current UI framework to a new one.

    Thanks for your input, Christian. My customers have the same frustrations. The search should work like *somethingtosearch*; otherwise remembering all the objects created is very difficult.

    Thanks again.

  • I haven't used XG in about a year, so it was not completely new to me, but still the GUI is too confusing. I think a GUI upgrade is probably coming in the next version or two. I would like to see the basics fixed, like kb and KB used correctly. kb as kilobits is always used when measuring throughput; the speed of my internet connection is in kb (or megabits), not in KB or megabytes.

    Along with logging improvements, maybe we can reassess the way the logs are presented. I don't mind the full screen layout; I don't like the fact that if you use a filter to, let's say, look for a certain IP address, for example 8.8.8.8, you can't edit that filter and have to remove the filter and retype the whole IP, for example 8.8.4.4.

    I don't like the way the logs are updated. They should be available quickly, like UTM, when you are looking at the live log, as soon as the packet is processed, without refreshing. I also don't like that we still have to use refresh rates when looking at diagnostic -> connection list. The whole current activities section needs to be redone with dynamic updating and not static refreshing.

    The main dashboard gives a lot of info, but it's old and stale info. Which categories and apps were used a while back is not as important as who is using them currently. I want something that shows the current bandwidth on each interface and maybe the top users/firewall rules using that bandwidth, which I can then click on to see more info on what applications and web categories are being utilized.

    Looking forward to most of the basic stuff being corrected that is being asked for in this thread and also on the ideas website.