I´ll tell you our experiences as sophos gold partner and we still prefer UTM... We also migrated a few customers from XG back to UTM (projects of other sophos partners) because VPN performance was too bad or other issues - Same devices with UTM customer was happy and asked why sophos offers such a frustrating product...
There is no and there will be no 100% feature parity for UTM and SFOS! That´s what I learned the last years - Sophos already told something about feature parity in 2015/2016...
The so called migration tool is completely useless - you´ll have to check and alter a lot of migrated rules because the rules will be missed totally - but no information about that - or there will be a lot of "any"-things in your migrated rules. Some other things also can´t be migrated. The only useful way would be export/import just objects and create your rules manually.
So now our impressions with SFOS (19) - maybe there are things that will work and we just don´t know how to do that with SFOS...(I would be happy for hints):
Dashboard - GREAT!
UI - get´s better and is more and more usable also the Logviewer / Search
Structure of UI - maybe could be more logical at some points
Missed / unkown things:
(re)-flashing devices: more complicated - also no vga/hdmi connection port at xgs devices
Let´s Encrypt: not a show stopper and you can do that with shell but why nobody at Sophos could implement that just in UI (since years)? Because Sophos expects there will be no more on premise web servers in the future?
There are no availability groups anymore: how to implement redundant AD- or DNS-Servers? How to check if the servers are online?
There seems no option for time sheduled firmware updates?!?
XStream will not work for terminal servers without interceptX because of the client authentication - so you can just use the web proxy function for terminal servers
The only way to download the VPN-Client/config is the user portal - no option to download VPN packages for users as admin with webadmin - every user have to do that in user portal.
Import of AD-Groups - AD is sorted alphabetical without structure?!?
If you use multiple additional IPs for interfaces you can only delete 1 of these IPs at once
proxy/xstream only works as transparent proxy - no standard mode and also no option for wpad.dat (automatic proxy search) - How to avoid proxy completely and access a special website with a firewall rule instead of proxy?
No possibility to use a parent web proxy just for the sophos web proxy (you can just use a parent proxy for firewall & web proxy together but not just for web proxy) - we use this for some government implementations - show stopper in this case.
With UTM you can use a https proxy for SSL VPNs - not possible with SFOS - we use this for some government implementations - show stopper in this case.
S/MIME not implemented for E-Mail - we use this on UTM for a lot of customers to force S/MIME encryption for e-mail communication to some other companies -> Will 100% not be implemented in SFOS because sophos have Central E-Mail...- show stopper in this case.
That are our impressions and maybe something will work in a way we just don´t know...
Thanks Steve, this is very helpful. Of course our partner hasn't mentioned any of these issues and hasn't asked if use them. I am wondering now if we should move away from UTM at all.
Thanks Steve, this is very helpful. Of course our partner hasn't mentioned any of these issues and hasn't asked if use them. I am wondering now if we should move away from UTM at all.
