UTM 9.7 ?

The fact that ikev2 is not being released in 9.7 likely means that it never will.  They have made it very clear that SG is the past and XG is the future.  There is no benefit to Sophos to support both, it simply increases their support/development costs.  

It is the XP/Windows 7 issue all over again.  Even with mounting vulnerabilities due to old core technology, XP (and now Windows 7) were just so good and stable that users didnt want to upgrade.  But at least with these (especially Windows 7 to 10) there WAS an upgrade.  SG to XG offers no simple upgrade path.  The migration tool (hidden behind the partner firewall) doesnt provide 100% conversion of the configuration.  Which means that even after the downtime associated with converting the SG to XG, you still have configuration that must be completed increasing the amount of downtime.  The upgrade scenario looks a bit better if you happen to have an HA pair you can split, but with firewall configuration complexity and a less than 100% configuration migration the potential for prolonged downtime is high. And there are still reports of many bugs (many releases and lots of bugfixes each release) and a lack of feature parity with SG.  All in all the migration from SG to XG is NOT trivial, expensive in terms of manpower (steep learning curve, feature validation, configuration, testing, etc..), and full of risk.      

So Sophos needs something to drive customers towards XG and as it stands (at least from my perspective) there really is no benefit or compelling reason outside of ikev2 (an industry standard proposed in 2005, revised in 2010, and standardized in 2014).  So it is probably not coming.  I would love to be wrong, however the fact that it was planned and pulled from 9.6, not in 9.7, and not on a roadmap...  it doesn't look good.  It appears that Ikev2 will be used as leverage to twist the arms of customers and force them to switch from SG to XG.

And even if ikev2 is coming in 9.8, that likely won't be until late 2020/early 2021 and by that time we will have moved on. At this point the loss of trust in Sophos is too great to continue with them.  We will probably ride out our current solution (opensense as VPN endpoints and SG as firewall) another year and then start planning a switch to something else (Checkpoint, Palo Alto?). 

The fact that ikev2 is not being released in 9.7 likely means that it never will.  They have made it very clear that SG is the past and XG is the future.  There is no benefit to Sophos to support both, it simply increases their support/development costs.  

It is the XP/Windows 7 issue all over again.  Even with mounting vulnerabilities due to old core technology, XP (and now Windows 7) were just so good and stable that users didnt want to upgrade.  But at least with these (especially Windows 7 to 10) there WAS an upgrade.  SG to XG offers no simple upgrade path.  The migration tool (hidden behind the partner firewall) doesnt provide 100% conversion of the configuration.  Which means that even after the downtime associated with converting the SG to XG, you still have configuration that must be completed increasing the amount of downtime.  The upgrade scenario looks a bit better if you happen to have an HA pair you can split, but with firewall configuration complexity and a less than 100% configuration migration the potential for prolonged downtime is high. And there are still reports of many bugs (many releases and lots of bugfixes each release) and a lack of feature parity with SG.  All in all the migration from SG to XG is NOT trivial, expensive in terms of manpower (steep learning curve, feature validation, configuration, testing, etc..), and full of risk.      

So Sophos needs something to drive customers towards XG and as it stands (at least from my perspective) there really is no benefit or compelling reason outside of ikev2 (an industry standard proposed in 2005, revised in 2010, and standardized in 2014).  So it is probably not coming.  I would love to be wrong, however the fact that it was planned and pulled from 9.6, not in 9.7, and not on a roadmap...  it doesn't look good.  It appears that Ikev2 will be used as leverage to twist the arms of customers and force them to switch from SG to XG.

And even if ikev2 is coming in 9.8, that likely won't be until late 2020/early 2021 and by that time we will have moved on. At this point the loss of trust in Sophos is too great to continue with them.  We will probably ride out our current solution (opensense as VPN endpoints and SG as firewall) another year and then start planning a switch to something else (Checkpoint, Palo Alto?). 

We're trying it with XG ... but it's not an option for us and most of our clients right now.
If Sophos abandons the SG or continues to refuse to include simple features just to push the XG, we need to look for a more reliable partner.

Dirk

9.7 Beta out now!

Up2Date 9.670004 package description:

Remarks:
 System will be rebooted
 Configuration will be upgraded
 Connected REDs will perform firmware upgrade
 Connected APs will perform firmware upgrade

News:
 Feature Release
 .
 Support for new APX AccessPoints
 Certificate Chain support for WebAdmin and UserPortal
 Certificate Chain Support for WebProxy
 New RED Site 2 Site Protocol
 Retirement of UTM Endpoint Management

Bugfixes:
 Fix [NUTM-10804]: [Access & Identity] strongSwan vulnerability fix (CVE-2010-2628, CVE-2018-17540)
 Fix [NUTM-10745]: [Email] Quarantine mail older than 14 days are not getting removed
 Fix [NUTM-10958]: [Email] Quarantined SPX Mails which are released are still available on UTM
 Fix [NUTM-10454]: [WAF] SAVI integration doesn't support scanning files larger than 2GB
 Fix [NUTM-10873]: [WAF] Underscore in DNS-Hostname makes WAF unusable

RPM packages contained:
 libapr-util1-1.6.1-0.gd09a905.rb2.i686.rpm        
 libapr1-1.6.5-0.gdb882c9.rb2.i686.rpm             
 libsaviglue-9.70-35.g5c778eb.rb2.i686.rpm         
 cm-nextgen-agent-9.70-6.gac30f9d.rb2.i686.rpm     
 dehydrated-0.6.5-0.g6d4140c.rb2.i686.rpm          
 firmwares-bamboo-9400-0.328884155.gcf6a697.rb2.i586.rpm
 hostapd-2.2-1.0.287145451.ga02be97.rb8.i686.rpm   
 modauthnzaua-9.70-270.gcb78b67.rb57.i686.rpm      
 modauthzblacklist-9.70-345.gb8b010d.rb9.i686.rpm  
 modavscan-9.70-359.g793e6f1.rb5.i686.rpm          
 modcookie-9.70-0.247140156.g8f24856.rb54.i686.rpm 
 modcustomblockpage-9.70-279.gbe16bc0.rb52.i686.rpm
 modfirehose-2.5_SVNr1309567-14.g4ab2622.rb57.i686.rpm
 modformhardening-9.70-252.g1471b81.rb62.i686.rpm  
 modpcap-9.70-0.142961807.g994d6f0.rb57.i686.rpm   
 modproxymsrpc-0.5-121.gc7f8565.rb65.i686.rpm      
 modproxyprotocol-0.1-30.gac71dfd.rb29.i686.rpm    
 modreverseauth-9.70-0.253882348.g852e9e5.rb59.i686.rpm
 modsecurity2-2.9.1-266.g649c52a.rb61.i686.rpm     
 modsecurity2_beta-2.9.0-460.g62b8fdb.rb61.i686.rpm
 modsessionserver-9.70-0.247653793.g4179dcf.rb60.i686.rpm
 modurlhardening-9.70-252.g1471b81.rb60.i686.rpm   
 modwafexceptions-9.70-322.gd203205.rb13.i686.rpm  
 modwhatkilledus-2.01-0.258193062.g46092ac.rb61.i686.rpm
 navl-tools-4.6.0.50-0.316899012.g8b86fac.rb3.i686.rpm
 oculusd-1.0.0-0.322335831.gdf96f5d.rb6.i686.rpm   
 oculusd-dlz_oculus-1.0.0-0.322335831.gdf96f5d.rb6.i686.rpm
 oculusd-highmem-1.0.0-0.322335831.gdf96f5d.rb6.i686.rpm
 oculusd-lowmem-1.0.0-0.322335831.gdf96f5d.rb6.i686.rpm
 perf-tools-3.12.74-0.327535988.gc5bb1a9.rb5.i686.rpm
 python-PyYAML-3.12-1.0.317998409.gab3cfdd.rb2.i686.rpm
 python-argparse-1.4.0-1.0.317998409.gab3cfdd.rb2.noarch.rpm
 python-awscli-1.11.36-1.0.317998409.gab3cfdd.rb2.noarch.rpm
 python-awscli-cwlogs-1.4.0-1.0.317998409.gab3cfdd.rb2.noarch.rpm
 python-botocore-1.4.93-1.0.317998409.gab3cfdd.rb2.noarch.rpm
 python-colorama-0.3.7-1.0.317998409.gab3cfdd.rb2.noarch.rpm
 python-dateutil-2.6.0-1.0.317998409.gab3cfdd.rb2.noarch.rpm
 python-docutils-0.13.1-1.0.317998409.gab3cfdd.rb2.noarch.rpm
 python-futures-3.0.5-1.0.317998409.gab3cfdd.rb2.noarch.rpm
 python-jmespath-0.9.0-1.0.317998409.gab3cfdd.rb2.noarch.rpm
 python-ordereddict-1.1-1.0.317998409.gab3cfdd.rb2.noarch.rpm
 python-pyasn1-0.1.9-1.0.317998409.gab3cfdd.rb2.noarch.rpm
 python-rsa-3.4.2-1.0.317998409.gab3cfdd.rb2.noarch.rpm
 python-s3transfer-0.1.10-1.0.317998409.gab3cfdd.rb2.noarch.rpm
 python-simplejson-3.3.0-1.0.317998409.gab3cfdd.rb2.i686.rpm
 python-six-1.10.0-1.0.317998409.gab3cfdd.rb2.noarch.rpm
 red-unified-firmwares-9600-0.327764422.g822529a.rb2.i586.rpm
 uma-9.70-1.gdb43019.rb2.i686.rpm                  
 waf-ruledumper-1.0-0.318338720.g4e2e015.rb3.i686.rpm
 xorg-x11-Xvnc-7.4-27.114.2.1931.gddf9adc5.rb1.i686.rpm
 ep-reporting-9.70-39.gd06e9bb.rb5.i686.rpm        
 ep-reporting-c-9.70-158.g439c02e.rb4.i686.rpm     
 ep-reporting-resources-9.70-39.gd06e9bb.rb5.i686.rpm
 ep-aua-9.70-9.gd6fadd4.rb4.i686.rpm               
 ep-awed-9.70-20.g6a8dbc3.rb2.i686.rpm             
 ep-branding-ASG-afg-9.70-37.gfc00437.noarch.rpm   
 ep-branding-ASG-ang-9.70-37.gfc00437.noarch.rpm   
 ep-branding-ASG-asg-9.70-37.gfc00437.noarch.rpm   
 ep-branding-ASG-atg-9.70-37.gfc00437.noarch.rpm   
 ep-branding-ASG-aug-9.70-37.gfc00437.noarch.rpm   
 ep-confd-9.70-588.g774f67a3f.i686.rpm             
 ep-confd-tools-9.70-470.gd129d9cd.rb11.i686.rpm   
 ep-init-9.70-9.g7905afa.rb4.noarch.rpm            
 ep-libs-9.70-12.g653adc3.rb4.i686.rpm             
 ep-localization-afg-9.70-37.gf4fd729.i686.rpm     
 ep-localization-ang-9.70-37.gf4fd729.i686.rpm     
 ep-localization-asg-9.70-37.gf4fd729.i686.rpm     
 ep-localization-atg-9.70-37.gf4fd729.i686.rpm     
 ep-localization-aug-9.70-37.gf4fd729.i686.rpm     
 ep-mdw-9.70-635.g15b10bc2.rb4.i686.rpm            
 ep-red-9.70-35.g94b4ce2.rb2.i686.rpm              
 ep-screenmgr-9.70-2.g224e1a8.rb3.i686.rpm         
 ep-tools-9.70-23.gb44eb11.rb3.i686.rpm            
 ep-tools-cpld-9.70-23.gb44eb11.rb3.i686.rpm       
 ep-up2date-9.70-15.g85f07d4.rb5.i686.rpm          
 ep-up2date-downloader-9.70-15.g85f07d4.rb5.i686.rpm
 ep-up2date-pattern-install-9.70-15.g85f07d4.rb5.i686.rpm
 ep-up2date-system-install-9.70-15.g85f07d4.rb5.i686.rpm
 ep-webadmin-9.70-643.gbc4ac8ef3.i686.rpm          
 ep-webadmin-contentmanager-9.70-29.gf8059bd.i686.rpm
 ep-chroot-httpd-9.70-18.gadbf8aa.rb2.noarch.rpm   
 ep-chroot-smtp-9.70-48.ga28fdc6.rb3.i686.rpm      
 chroot-httpd-2.4.18-10.g0c2e255.rb2.i686.rpm      
 chroot-ipsec-9.70-84.g84a2fe5.rb2.i686.rpm        
 chroot-reverseproxy-2.4.39-28.g4c96516.rb3.i686.rpm
 ep-httpproxy-9.70-233.g5ff38467.rb3.i686.rpm      
 kernel-smp-3.12.74-0.327535988.gc5bb1a9.rb5.i686.rpm
 ep-release-9.670-4.noarch.rpm                     


ftp.astaro.com/.../u2d-sys-9.605001-670004.tgz.gpg

Hi Martin,

that link fails firewall security check, CA issues.

Ian

Hmm..works fine here but try with:

ftp://ftp.astaro.com/UTM/v9/beta/u2d-sys-9.605001-670004.tgz.gpg

https://community.sophos.com/products/unified-threat-management/unified-threat-management-beta/sophos-utm-9-7-eap/f/sophos-utm-9-7-public-eap/114939/welcome-to-the-utm-9-7-early-access-program