Restricted Advance Shell - examples of challenges

Hi Community contributors,

Starting with Sophos Firewall v19, with the addition of many comprehensive logging enhancements in the GUI, and in line with industry best practices, access to the Advanced Shell is restricted to licensed commercial versions of the product.

Partners and certified architect engineers have an option with a Not-for-Resale license to set up labs or customer PoCs with unrestricted Advanced Shell. Also, Sophos Support is able to access the Advanced Shell via the support access channel. Hence, in case of critical issues, support can still access it.

Sophos Firewall has been incrementally improved since v18 with comprehensive logging enhancements in the GUI (better search, filtering, configurations, SD-WAN logs, VPN logs, gateway logs, etc.). However, we acknowledge that the Advanced Shell restriction might have created challenges in certain database-related configurations, especially for home users.

Please help us understand the specific examples of challenges you face due to this restriction - configurations where GUI and console tools are reaching their limits. We will suggest possible workarounds for each specific scenario. We will also plan and gradually improve the product for those scenarios.

Sincerely,

Sophos Firewall Product Team

  • Hi Community contributors,

    We are going through each example that you have highlighted due to this change (WAF logs, WAF file size limit, SMTP log, IPSec VPN debug, top/ iftop commands, etc).

    Thank you for your feedback. Please continue sharing if you have more such points.

    There is no commercial or sales reasoning behind this change. Your feedback has been very helpful and we will consider improving those points in the future.

    Sincerely,

    Sophos Firewall Product Team

  • Whilst I understand what you are trying to do here, I think your time (and our sanity) would be better spent by taking on board the frustration and anger of the posts here regarding the overall state and speed of XG development, and focusing on engaging with your customers properly.

    It's all very well asking us what we need when you take away console access (a decision you still haven't explained) but quite frankly, Sophos have a lousy record of implementing what customers want/need, so why should this be any different?

    Let's have a quick look at the requested features - https://ideas.sophos.com/forums/330219-xg-firewall/filters/top. Sophos's dumping ground for customer needs.

    Most requested feature - 1227 votes Let's Encrypt Integration
    First requested in 2016, still not implemented

    Second most requested feature - 1002 votes Scheduled Installation of the AV Updates and Firmware Installation
    First requested in 2016, still not implemented
    If you have a 100 series XG, an update can cause the router to drop all connections for up to two minutes, everything blocked. Second line support agree this is completely unacceptable and their manager escalated this to product development asking them to make it a priority. This was about 18 months ago. I can't believe that implementing this as a scheduled task is difficult, it causes major issues but we are still waiting for it to be implemented.

    677 votes Can we have live Bandwidth speeds for Interfaces?
    First requested in 2015. Comment by Sophos: "This feature is under consideration for a future release" (2018)
    Still not implemented

    660 votes Enable/Disable Interface
    First requested in 2015. Comment by Sophos: "This is a high priority feature, and will likely be targeted as soon as possible after v17 ships"
    Still not implemented

    Need I go on? IS ANYBODY AT SOPHOS LISTENING TO THEIR CUSTOMERS?!

    I also have to wonder about the XGS hardware development and how much that is sapping development time for things we really need. The nerd in me says "this is cool" a dedicated Xstream Flow Processor for intelligent application acceleration. The businessman in me says "what is this going to give me that I can't get now?". As I understand it, this is about improving performance. But I can get better performance by buying a bigger firewall. Yes, that is at a cost, but at least I have an option. What I don't have an option about is the features that I need and don't have now. I would rather you spent your development time on features I need, not rewriting code for your "hot" new processor to do what the XG already does, just faster.

    Lastly, I would just like to say that I think some people's frustration has been unfairly directed at . He's here to deal with technical issues, he is not, as far as I know, responsible for product development. I am personally very grateful for the assistance he provides here which I have often found very useful.

  • That's actually the problem of XG(S).
    Sadly, Sophos seems to ignore customer and partner requests, focusing on marketing and new features instead of improving essential basics. ...but that will probably not change before UTM is EOL and more customers leave...

    It's great to have a visionary product - but an essential feature set and usability should not be discussed.

    What about taking ideas.sophos.com offline as it's actually useless?

  • Scheduled firmware installation is already available using Sophos Central since 2020 (see https://community.sophos.com/sophos-xg-firewall/b/blog/posts/new-enhancements-to-central-xg-firmware-updating).

    But in fact that shows how well ideas.sophos.com is maintained... as the status of this request has not been updated by now...

  • Only scheduled firmware installations are available.

    The main issue is the pattern updates: if the AV pattern gets updated on a low-end appliance, some traffic will either be dropped or blocked until the pattern is fully updated. By not being able to set a time schedule for when those pattern updates should happen, any time the AV pattern gets updated you will have downtime, depending on the appliance.

    For me this was unnoticeable on my home appliance, which had a Ryzen 3300X, but now I'm using an XG115w Rev.3 and it's really noticeable when the AV or IPS pattern gets updated.


    Ryzen 5600U + I226-V (KVM) v20 GA @ Home

    XG 115w Rev.3 8GB RAM v19.5 MR3 @ Travel Firewall

  • As I said, this was taken up with Product Development by a senior Technical Support Manager and still it hasn't been sorted. Sophos Product Development don't even seem to listen to their own staff, what hope have we got?!

  • As Prism has pointed out, I am talking about pattern updates, not firmware updates. As I said, the extra coding can't be much. They already have scheduled tasks; we just need them to add that capability to the pattern updates. Can you imagine explaining to a customer that their phone calls all drop every time there is a pattern update because that is the way it is designed?!

  • So you are starting to mix up different things. A pattern scheduler cannot be a solution for such an issue. The fix should be to find the core issue and figure out why the IPS is dropping those packets in the first place.

    BTW: The workaround to disable the fastpath on affected appliances (XG/SG) seems to be very affected. I could not notice this issue on XGS hardware at all. And as far as I know, there are already fixes for this issue in place for v18.5 MR2.

    But if you want to continue discussing this issue, I feel this thread is not the correct place.
