Restricted Advanced Shell - examples of challenges

Hi Community contributors,

Starting with Sophos Firewall v19, with the addition of many comprehensive logging enhancements in the GUI, and in line with industry best practices, access to the Advanced Shell is restricted to licensed commercial versions of the product.

Partners and certified architect engineers have the option of a Not-for-Resale license to set up labs or customer PoCs with an unrestricted Advanced Shell. Also, Sophos Support is able to access the Advanced Shell via the support access channel. Hence, in case of critical issues, support can still access it.

Sophos Firewall has been incrementally improved since v18 with comprehensive logging enhancements in the GUI (better search, filtering, configurations, SD-WAN logs, VPN logs, gateway logs, etc.). However, we acknowledge that the Advanced Shell restriction might have created challenges in certain database-related configurations, especially for home users.

Please help us understand the specific examples of challenges you face due to this restriction - configurations where the GUI and console tools reach their limits. We will suggest a possible workaround for each specific scenario. We will also plan and gradually improve the product for those scenarios.

Sincerely,

Sophos Firewall Product Team

  • Hi Community contributors,

    We are going through each example that you have highlighted due to this change (WAF logs, WAF file size limit, SMTP log, IPSec VPN debug, top/ iftop commands, etc).

    Thank you for your feedback. Please continue sharing if you have more such points.

    There is no commercial or sales reasoning behind this change. Your feedback has been very helpful and we will consider improving those points in the future.

    Sincerely,

    Sophos Firewall Product Team

  • "There is no no commercial or sales reasoning behind this change."  I'm left to wonder then, what was the reasoning behind the change?  You guys didn't have anything better to do?  I don't think anybody is buying the whole "in-line with industry best practices" excuse.

  • Bill, I think that the direction is to reduce the attack surface and lock down the CLI. The approach could be: "let's close the advanced shell to home users and analyze feedback, results, challenges, constraints and so on. Once everything is clear and fixed, the advanced shell will be closed to appliances with licenses." Nothing against that, but before they can really do that, they need to build strong and reliable logging capabilities on XG, as UTM had. In 5 years of production experience on UTM, I accessed the console maybe 10 times for cc commands.

    Just giving my 2 cents....

  • I think the decision to cut off that feature has been made and they will not pull back from it.

    "Der Drops ist gelutscht" (the matter is settled), as we say here in DE.

    I'm sure the Sophos community will suffer badly from this decision. Maybe  is interested in the community part of it?

    I care most about the community part. As commercial support from Sophos is so bad, these forums are vital for paid customers. I cannot count how often - while still waiting for answers from tech support for days or weeks - I got useful help from users here like  or  or some of the guys who already posted in this topic, who I believe have most of their experience from their home lab machines. I don't want to miss their experience and I'm looking forward to new experienced users coming along.

    Whoever needs a shell still has alternatives. I bought new hardware for my home net FW this week. As I stumbled over this thread, guess whether I chose Sophos for my home FW?

  • UTM was my edge firewall for years till it was abandoned by Sophos. I moved to the choice you have made a few years ago and never even log in to my firewall. It just works, is secure, no remote execution problems, the GUI is really fast, my Suricata and Snort rules are tailored for me, I can choose how aggressive my blacklists are for ad blocking, etc. IPv6 works; the only negative would be QoS, which is not as polished as on Linux distros and is hard to tune.

    As  pointed out, the decision had already been made and this thread was just a placeholder. I agree that with a stable firewall you hardly ever need the CLI, but XG is far from it. If they wanted to close Linux CLI access, they needed to expand their own console OS to keep up with industry standards, but they haven't done that either.

    They keep on pushing the community away and never listen to any feedback. Add aggressive deletion of posts that they don't agree with and that is what we have.

    Regards.

  • Oh, I almost forgot, they just added WAF to OPNsense, so check that out also when you're evaluating.

  • I'll personally never use pfSense because of the vindictive, out-of-control behavior they demonstrated during the OPNsense break. And I won't use OPNsense because they're replacing their entire foundation at this point. Glad it works for you.

    I also like getting updated rules on perhaps an hourly basis. If you're willing to wait a month, Snort is fine. (Suricata has no real advantages over the latest Snort, as far as I can tell.) You can get Snort updates more often, but it's not cheap.

    And to really have a stable pfSense, you have to use your own hardware, which some of us have sitting around and enjoy as a part of our hobby and some of us do not.

    Yep, Sophos has issues, and I've come late to the table so don't have the painful scars that some have. But it does feel like the 18 - 18.5 - 19 progression is making rapid progress, and that perhaps they needed to go to XG (over the more featureful UTM) in order to move to a multi-plane architecture. Which they had to do if they were going to be peers of all the other multi-plane firewalls.

  • Snort rules are not released on an hourly basis. Snort community rules are free for home users and are released every day and are not 30 days behind. Regardless, I am not arguing against the benefits of having a full-featured firewall doing everything for you, and that's what made Sophos/Astaro so great for most of us home users. And as much as I have appreciated their full-featured firewall free for home use, I am tired of their constant disregard and sometimes hostile stance against certain community members.

    Suricata has a definite benefit over the old Snort version that is used in XG and SG. The only reason they stuck with Snort is OpenAppID, which is a logical choice for a layer 7/next-gen firewall. As far as the Netgate/pfSense employees' behavior and their failures on certain releases, it's well documented on Reddit etc., and I am by no means advocating what any users should use here. In fact, till a few years ago it was a no-brainer to run Sophos software for free at home, and if it still fulfills your needs, by all means use what you like.

  • I understand that Snort rules aren't released on an hourly basis. However, Sophos checks for pattern updates on an hourly basis, which means I could get them as soon as an hour after release. If you get your Snort rules for free, they are in fact delayed 30 days. That's one of the things they offer you for your shopping dollar: "get updates 30 days sooner".

    I'm not sure if they offered the personal ($30/year) plan when I researched it before buying Sophos. All I remembered was the $400/year Business plan. (Though when I just looked at their website, they do still seem to differentiate the extent of rules they make available to personal versus business.)

    Yes, Sophos uses old Snort, just running multiple copies because it isn't multithreaded. Which was Suricata's claim to fame. Which has apparently been negated with the latest Snort. Not saying Sophos' use case is better, just saying that Suricata has seemingly lost its main claim to fame (being multi-threaded) as an advantage. Seems to me that if you're not locked into a commercial vendor, why use Suricata?

  • Whilst I understand what you are trying to do here, I think your time (and our sanity) would be better spent by taking on board the frustration and anger of the posts here regarding the overall state and speed of XG development, and focusing on engaging with your customers properly.

    It's all very well asking us what we need when you take away console access (a decision you still haven't explained), but quite frankly, Sophos has a lousy record of implementing what customers want/need, so why should this be any different?

    Let's have a quick look at the requested features - https://ideas.sophos.com/forums/330219-xg-firewall/filters/top. Sophos's dumping ground for customer needs.

    Most requested feature - 1227 votes Let's Encrypt Integration
    First requested in 2016, still not implemented

    Second most requested feature -1002 votes Scheduled Installation of the AV Updates and Firmware Installation
    First requested in 2016, still not implemented
    If you have a 100 series XG, an update can cause the router to drop all connections for up to two minutes, everything blocked. Second line support agree this is completely unacceptable and their manager escalated this to product development asking them to make it a priority. This was about 18 months ago. I can't believe that implementing this as a scheduled task is difficult, it causes major issues but we are still waiting for it to be implemented.

    677 votes Can we have live Bandwidth speeds for Interfaces?
    First requested in 2015, Comment by Sophos This feature is under consideration for a future release in 2018
    Still not implemented

    660 votes Enable/Disable Interface
    First requested in 2015, Comment by Sophos This is a high priority feature, and will likely be targeted as soon as possible after v17 ships
    Still not implemented

    Need I go on? IS ANYBODY AT SOPHOS LISTENING TO THEIR CUSTOMERS?!

    I also have to wonder about the XGS hardware development and how much that is sapping development time for things we really need. The nerd in me says "this is cool" a dedicated Xstream Flow Processor for intelligent application acceleration. The businessman in me says "what is this going to give me that I can't get now?". As I understand it, this is about improving performance. But I can get better performance by buying a bigger firewall. Yes, that is at a cost, but at least I have an option. What I don't have an option about is the features that I need and don't have now. I would rather you spent your development time on features I need, not rewriting code for your "hot" new processor to do what the XG already does, just faster.

    Lastly, I would just like to say that I think some people's frustration has been unfairly directed at . He's here to deal with technical issues, he is not, as far as I know, responsible for product development. I am personally very grateful for the assistance he provides here which I have often found very useful.

  • That's actually the problem of XG(S).
    Sadly, Sophos seems to ignore customer and partner requests, focusing on marketing and new features instead of improving the essential basics. ...but that will probably not change before UTM is EOL and more customers leave...

    It's great to have a visionary product - but an essential feature set and usability should not be up for discussion.

    What about taking ideas.sophos.com offline, as it's actually useless?