v17 or v16.6?

Hi everyone, this is my initial Beta feedback on XG v17 Beta-1. A bit of background first to put some context into some of my comments: I have been working with the XG since the early Copernicus versions in August 2015 and have been aligned very closely with it ever since. I was the first XG architect in the UK due to happenstance and have been installing at least two XGs a week since January 2016. At some points up until v16.5 I felt (and it was commented on by Sophos) that I was the only person in the UK who actually liked the XG/SFOS and could see how interesting and big it could become. I was extremely pleased with v16 and v16.5; they provided a massive leap in functionality and really cleared up some glaring issues with v15 that I won’t dwell on too much because I’ve burnt those memories out of my brain.

I’ve spent quite a bit of time with the v17 beta. I’ve gone through all of the options, comparing them to v16.5 and to a list of issues I was asked for and sent in to Sophos for consideration. On top of this I bore in mind the consistent “wait for v17” that I was told about the many problems in usability and functionality that I encountered, both in my personal findings and while I was carrying out installs for Customers. V17 had been promised as “Feature Parity Plus”, whereas v16.5 was (a shaky) “Feature Parity”, so by that moniker alone our organisation was excited to work with it.

However, after looking through this Beta 1, and considering that the GA release is coming in the next few weeks, v17 is actually feeling like v16.6. I don’t want to make such a miserable comment as that, as I don’t want to insult the good people in Sophos working on this project; however, since v16.5 there have been no major feature additions, and the actual release of v17 was pushed back from May/June of this year to end of August/September and now October. So that is a phenomenal length of development time for the very large team that has come from Cyberoam.

I appreciate that a lot of v17 was focused on coding improvements to clean it up and increase performance, but the XG already performed well in SMBs (its target until v18) and it appears the multitude of gripes and missing features from the UTM Feature Parity that led to big problems have not been focused on.

So, enough exposition; I suppose I had better put something solid behind my claims above:

  • High Availability Preferred Master – A substantial number of customers need this feature because they stretch their HA pairs across a business link to their DR site. The XG is a complete non-starter without this for at least 3 of our major customers. This isn’t a particularly hard issue to resolve either: the XG that is currently Master checks whether its serial is the one that was check-boxed as the Preferred Master, and if it isn’t then it performs a failover by reboot. Why was this not a consideration for v17? HA was promised to have a large improvement.
  • Email filtering on the XG is a sub-par feature – It was promised that XG v17 would literally have the functionality of the Email Appliance lifted and dropped into the XG as a straight replacement. Right now I cannot in good conscience sell the XG as an Email filter because it cannot perform basic core functions like Blacklisting and a granular Whitelist. These missing elements alone kill the XG as an email filter, and right now we are selling XG appliances and a 10IP UTM license with just Email Protection if the Customer wants to continue. That is a fundamental failure. If the Customer does not have the ability to actively block incoming email domains then they cannot protect themselves against legitimate senders that have been infected. Granted, we now have Greylisting, but where’s SPF/BATV checking and Expression Filtering? These are little things that add up to a big problem for a Customer when comparing solutions, leading to a lost sale.
  • Reports look good but are missing key features – The reports look fantastic and are exceptional when you’re doing pre-sales, but when you get into the meat of the matter they can actually be somewhat useless. I cannot make a report for blocked websites with detail of when it happened and who tried to go to it. These reports can only be done via the pie-chart reports, which are great for a general overview but useless for granularity. Application filtering: I cannot create a report for blocked apps and when they were blocked to try and track any outbreaks and issues, or even just to diagnose a problem app. The reports system needs a good hard look to establish what is missing. V17 was touted as having a large improvement to reporting.
  • Reports can only be done on a single User – In the UK (for those that don’t know) we have the Prevent legislation, under which for educational and government bodies all web access needs to be recorded and certain categories must be blocked. These categories also need to be tracked for access in education so that Child Protection Officers can reach out to a minor who could be vulnerable and help them. The UTM has the great feature of generating reports for specific departments (groups of users) and sending that report to a specific person/group of people. This is perfect for education because there are generally Child Protection Officers for specific years or groups of students, and it allows Schools to meet the requirements set by the regulating bodies with ease and little pain. The XG has nothing anywhere near this, and with the addition of Search term groupings this feature is even more important to the massive education sector. Again, something we were told to look out for in v17. It can do groups on the Custom reports, but only on Firewall Group Members, not AD Group members; nowhere else can be filtered on a group. If this can be done then a certain competitor in the education sector will be shotgunned in the kneecaps.
  • Mass importing and exporting lists – In the UTM, everywhere that you can enter multiple lines of data (Exceptions, URL lists etc.) there is an import and export function that makes filling in the data a 5 second job. Some Customers have exceptionally large lists of URLs or lines of data to enter on migration or throughout the usage of the appliance. For instance, on my installs, if the customer is using Office 365 I have a list of Regular Expressions I have created from Microsoft URL Lists that I enter to prevent issues with Office 365. There are 90 lines I have to manually copy and paste, wasting Customer time and money. It looks unprofessional, it is always commented on, and I’m running out of jokes about it. Simple thing that a single engineer should be able to jump on?
  • DHCP Options are still problematic via CLI – DHCP Option requirements are being asked for quite consistently on my installations and pre-sales, and this is due to Terminal Services and Citrix environments. An example of this is the use of IGEL appliances, which are thin clients that use DHCP option codes to provide the Citrix Receiver target information. That’s a feature gap and can put the XG in a bad light when selling to a multi-site Citrix environment. Thin Clients and Terminal Services/Citrix environments are not going to go away and in a lot of verticals are only going to get bigger.
  • Captive Portal is still IP based – This is a big problem for Environments where they want to use a browser based authentication system without the ability to deploy a trusted certificate. You cannot purchase publicly trusted certs for IP addresses, so it’s unsuitable to use an HTTPS portal because of the difficulties arising from HSTS and help desk issues causing an increase in tickets regarding untrusted websites. The UTM got around this by having a Certificate for End User Pages, so why is there not a similar system in the XG? I appreciate and understand that the Captive Portal is bound to each interface’s IP address and that is how the re-direct occurs, but maybe there needs to be something halfway to allow this functionality. And we absolutely cannot use an HTTP portal due to the security implications. Some customers are moving to Google environments using Chromebooks; hard sell if there are permanent issues.
  • SSL VPN port cannot be changed – Unprofessional and ridiculous; I have found all the files pertaining to the OpenVPN configuration and cannot even change them there. When I go to certain hotels or customer sites I cannot VPN to work, and I cannot do my job if I cannot get enough signal to hotspot my phone. Again, a feature promised for v17 and let down.
  • Traffic shaping is only designed for a single internet connection – You can only configure a single figure for maximum available bandwidth and not a figure per interface. If the Customer has multiple links in a Backup/Active configuration then any shaping cannot be trusted, as the figure will be distorted by multiple links, especially in a backup link configuration if it is a slower link.
  • Drag and Drop system for Firewall rules – I dread large installs with over 50 Firewall rules if one must be moved. Drag and Drop is “Next Generation” but is impractical and would be better alongside a numerical ordering system. I did an install where I migrated and compressed over 400 FW rules into about 120, then I had to move one…
  • XG is using KiloBytes as a metric – Who made this decision and why, considering 90% of all other systems use (kilo)bits? It is impractical and ridiculous having to tell a customer that for all of their other bandwidth metrics they will have to divide them by eight. It’s not a big ask, but it has caused several problems in migration and in usage.
  • Interfaces still permanently switched on – If you want to create an interface, you must do it as you are about to use it, which is dangerous. If you are preparing for a switchover and are migrating subnets over gradually, you cannot define its connection on an interface ready for switchover while having static routes in place for the existing setup; this would create anomalous activity. On the UTM, if you had an interface switched off it practically didn’t exist in the routing system; in the XG all interfaces are active regardless of what has been set up.

Some of these are little gripes that consistently come up install to install but some of them are very large especially HA, Email and Reporting. I guess I may have been riding the hype train like a Fremen worm riding Shai-Hulud on Arrakis (may his passing cleanse the world) and therefore seeing so many promises not happening has really deflated me for v17.

Application sync is fantastic and is a launchpad for some amazing things in the XG and Central, providing an insight that exactly 0% of competitors can do to the same level. But having one big awesome feature does not make up for so many smaller missing ones. It’s like a death by a thousand cuts for me. I’m going to be coming back from paternity and continuing to do at least 2 XG installs a week, and instead of saying “wait and see for v17” I’m going to be saying “wait and see for v17.5”. The two major areas so far which have been resolved (thank the lord) are Business Application rules being Service based rather than text based and Logging retaining data. However, I will withhold judgement on logging retaining data because it was omitted from Beta1 as it wasn’t ready, so I will try to keep faith.

We could be losing Customers over features like High Availability missing key elements of its functionality from the UTM. Because the UTM and XG are still not at feature parity, we still have reasons to sell the UTM, which we definitely did not want to do. The UTM is a fantastic product (my father has been installing Astaro since v4), but it is far too mature and needs to be replaced by the new kid on the block. Sadly, it feels like we potentially have another year of the UTM being relevant unless v17.5 kills it off.

Considering that there is a vast majority split of development between XG and SG UTM, the number of features that have been included on XG and ideas/requests fulfilled is almost the same. Which is a little difficult to reconcile in my head, having experienced development and man hours being applied in programming/testing.

Everything I have said above is a reflection of my personal opinion and I wanted to share it with the community to gather thoughts on what I’ve said and for people to present their own thoughts on the above.

  • Emile,

    glad you have installed so many XG in the UK. I know other people in the UK who sell/sold XG too.

    Anyway the features you are missing are the most important. Flow monitor is something missing on XG and also reporting is still poor compared to UTM or other NGFW on the market.

    Email??? At the moment it cannot even be sold. Too many features are missing. If you think that customers would like to use XG to block spam through POP/IMAP traffic and they simply cannot....

    AD-users membership should be improved also. A real Anti-port scan feature is missing. Do you know that?

    For the custom SSL VPN port, this is one of the most-missed features on XG.

    Around the community and on ideas.sophos.com people here have collected and opened so many feature requests that if Sophos implement half of them, XG will be the best product on the market.

    We will keep posting and collecting ideas.

    Regards

  • Hi Luk,

    Sometimes it's a good thing to install so many, sometimes not, as I said with the Death by a Thousand Cuts :P

    Quite right, a decent flow monitor is something amiss and an Anti-Portscan is something that needs to be looked at heavily.

    AD-User Memberships are not so much of a problem to me because with appropriate planning and keeping it simple it is a far cry from as bad as people make it out to be, but I'll be looking forward to v18's AD Backend Membership upgrade for FW auth (which is something I can happily wait for because that is a major fundamental change).

    I absolutely agree: if even half of the ideas put forward by the community were implemented, the XG would have no competition. As I'm currently on leave I've left most of my notes about missing features or issues that were mentioned as things that should be added/resolved in v17.

    Emile