
Does any one know if XG is roughly at feature parity with the UTM yet?


Thanks

Richard.



  • I'll tell you our experiences as a Sophos Gold Partner, and we still prefer UTM... We also migrated a few customers from XG back to UTM (projects of other Sophos partners) because VPN performance was too bad or there were other issues - same devices with UTM, the customer was happy and asked why Sophos offers such a frustrating product...

    There is no and there will be no 100% feature parity for UTM and SFOS! That's what I learned in the last years - Sophos already said something about feature parity in 2015/2016...

    The so-called migration tool is completely useless - you'll have to check and alter a lot of migrated rules because rules will be missing entirely - with no information about that - or there will be a lot of "any" entries in your migrated rules. Some other things also can't be migrated. The only useful way would be to export/import just the objects and create your rules manually.


    So now our impressions with SFOS (19) - maybe there are things that will work and we just don't know how to do that with SFOS... (I would be happy for hints):

    Dashboard - GREAT!

    UI - gets better and is more and more usable, also the Logviewer / Search

    Structure of UI - maybe could be more logical at some points


    Missing / unknown things:

    (Re-)flashing devices: more complicated - also no VGA/HDMI connection port on XGS devices

    Let's Encrypt: not a show stopper and you can do that with the shell, but why could nobody at Sophos implement that in the UI (for years)? Because Sophos expects there will be no more on-premise web servers in the future?

    There are no availability groups anymore: how to implement redundant AD or DNS servers? How to check if the servers are online?

    There seems to be no option for time-scheduled firmware updates?!?

    XStream will not work for terminal servers without Intercept X because of the client authentication - so you can just use the web proxy function for terminal servers

    The only way to download the VPN client/config is the user portal - no option to download VPN packages for users as admin with webadmin - every user has to do that in the user portal.

    Import of AD groups - AD is not sorted alphabetically and has no structure?!?

    If you use multiple additional IPs for interfaces, you can only delete one of these IPs at a time

    Proxy/XStream only works as a transparent proxy - no standard mode and also no option for wpad.dat (automatic proxy discovery) - How to avoid the proxy completely and access a special website with a firewall rule instead of the proxy?

    No possibility to use a parent web proxy just for the Sophos web proxy (you can only use a parent proxy for firewall & web proxy together, but not just for the web proxy) - we use this for some government implementations - show stopper in this case.

    With UTM you can use an HTTPS proxy for SSL VPNs - not possible with SFOS - we use this for some government implementations - show stopper in this case.

    S/MIME not implemented for e-mail - we use this on UTM for a lot of customers to force S/MIME encryption for e-mail communication with some other companies -> will 100% not be implemented in SFOS because Sophos has Central Email... - show stopper in this case.


    Those are our impressions, and maybe something will work in a way we just don't know...

    PS: The Sophos Connect client also still lacks some features:
    community.sophos.com/.../sophos-connect-2-1-20-with-support-for-ssl-vpn-still-doesnt-allow-multiple-connections-via-the-gui


    Best regards
    Steve

  • Let me rephrase most of those points: 

    Missing / unknown things:
    (Re-)flashing devices: more complicated - also no VGA/HDMI connection port on XGS devices

    SFOS can flash without a display. The appliances indicate flashing with LEDs. See: https://docs.sophos.com/nsg/sophos-firewall/19.0/Help/en-us/webhelp/onlinehelp/AdministratorHelp/BackupAndFirmware/Firmware/FirmwareReimageXGFirewall/index.html#reimage-sophos-firewall_1
    There are LED codes for the older appliances as well. (This will be documented soon.) In the rare case of a failed installation, you can use the USB console cable, which is in the package, but a mini-USB to USB cable will work too.


    Let's Encrypt: not a show stopper and you can do that with the shell, but why could nobody at Sophos implement that in the UI (for years)? Because Sophos expects there will be no more on-premise web servers in the future?

    It is true, the movement is away from on-premise servers. But the movement is more likely going towards ZTNA than WAF in the future. ZTNA is a better way to approach internal resources. So let's rephrase the use cases WAF is being used for: internal resources and external resources (webshops) - or, better known as: you know the person wanting to access your resource, and you do not know the person browsing your resource. The last case (webshops etc.) is something rarely used within a company nowadays. Nobody wants to install a webshop in their on-prem environment because they cannot scale as well as a cloud provider can. So this is not a focus anymore for most customers. Therefore let's look at the part "you know the person accessing your resources" - and there ZTNA is a way better way to implement the access to your servers. ZTNA supports HTTP/S clientless over the browser and agent-based with all ports. So you can replace VPN and WAF with ZTNA as a single product in a secure manner, which the WAF was not capable of before. I can go into more depth on this, but if you look into the architecture of ZTNA and ZTNAaaS, you will see there is no need to do WAF anymore.


    There are no availability groups anymore: how to implement redundant AD or DNS servers? How to check if the servers are online?
    That is correct. SFOS does not offer this kind of service to check for servers. But basically you can create all your AD servers and add them to your config. You cannot do one single config, add two servers and let SFOS fail over.



    There seems to be no option for time-scheduled firmware updates?!?
    You can do this with Central Management as a partner for all your customers, or you can do this as a customer in Central for all your firewalls. No need to do this or implement it on the firewall itself. BTW: you can even do this via the Partner API.



    XStream will not work for terminal servers without Intercept X because of the client authentication - so you can just use the web proxy function for terminal servers
    You can do it both ways. Use the Intercept X client, which most customers are doing. If you are not using Intercept X, you can use the direct proxy and integrate it (the same way UTM does authentication via Kerberos).



    The only way to download the VPN client/config is the user portal - no option to download VPN packages for users as admin with webadmin - every user has to do that in the user portal.
    As Sophos Connect supports .pro files, you can do this with Connect provisioning files. See: https://docs.sophos.com/nsg/sophos-firewall/18.5/Help/en-us/webhelp/onlinehelp/AdministratorHelp/VPN/RemoteAccessVPN/VPNSConProvisioningFile/index.html



    Import of AD groups - AD is not sorted alphabetically and has no structure?!?
    I am not sure what you mean by this? The import tool?
    Looking at my imports, there is a structure.



    If you use multiple additional IPs for interfaces, you can only delete one of these IPs at a time
    You could do this via import/export, if you want. But it is correct, you can only delete them one at a time. If you want to flush the interface, you can unbind the interface, which will delete the config. You can also export alias interfaces with import/export, flush the interface and only create the needed interfaces/alias interfaces.



    Proxy/XStream only works as a transparent proxy - no standard mode and also no option for wpad.dat (automatic proxy discovery) - How to avoid the proxy completely and access a special website with a firewall rule instead of the proxy?
    The xStream architecture works only transparently, because it is not a proxy. A proxy is an old technology and is not capable of doing TLS 1.3. It could actually die or run into issues in the future. The point is: transparent is not xStream. It looks the same, but it is different. The packet is sent from client to server and SFOS is copy-pasting the packets on the fly. You can see this in a tcpdump. A proxy (transparent and direct) is "sending the request to the proxy, and the proxy is getting your website". So you will never get the benefit of an xStream architecture in a standard/direct proxy mode. And about your second point: why? The xStream architecture is the entire firewall. You cannot bypass this, as such a "bypass" would decrease the performance of the firewall.



    No possibility to use a parent web proxy just for the Sophos web proxy (you can only use a parent proxy for firewall & web proxy together, but not just for the web proxy) - we use this for some government implementations - show stopper in this case.
    There is actually some research ongoing on how to resolve this. But the problem is the technology. Government customers with parent proxies are working on old tech. So to speak, you see dead tech walking. There is an idea to resolve this with WPAD and use the web proxy (8080/3128) only for the government pages. We see more and more customers moving away from this approach of using the government networks. Feel free to talk to your Sophos public government sales rep about ways to interact with this setup.



    With UTM you can use an HTTPS proxy for SSL VPNs - not possible with SFOS - we use this for some government implementations - show stopper in this case.
    This is the first time I am hearing/reading this. What do you mean by an HTTPS proxy for SSL VPN?



    S/MIME not implemented for e-mail - we use this on UTM for a lot of customers to force S/MIME encryption for e-mail communication with some other companies -> will 100% not be implemented in SFOS because Sophos has Central Email... - show stopper in this case.
    Central Email is the better solution compared to both products, SFOS and UTM. It brings more tech on board.

    __________________________________________________________________________________________________________________

  • Thanks for some hints and clarifications but...

    SFOS can flash without a display. The appliances indicate flashing with LEDs.

    -> I don't know if I have to press a key for flashing when booting the device from USB with the SFOS image? Do I have to press a key after the flash is successful for a reboot, or blind-type y if the LED indicates success? Sorry, this is not useful this way and a pain compared with UTM

    WAF:

    For UTM you can use pre-authentication to stop "backend browsing" by unknown people - our best practice for UTM - and what about ActiveSync for on-premise Exchange and ZTNA...?

    AD/DNS-Server redundancy:

    But basically you can create all your AD servers and add them to your config -> What happens if the first AD server in this list is offline (e.g. Windows Updates), or just the DNS service is down (when also used for DNS) and the server is still online?

    AD-Groups:

    Nice screenshot and nicely mixed AD objects - maybe you can sort this in alphabetical order? - Nobody wants to scroll down the whole list to search for the correct object because it is not sorted anyway.

    SSL-VPN with https-proxy:

    We use this for a VPN to government services in a governmental infrastructure - the government doesn't allow any physical connections to their infrastructure / between networks, but they offer a web proxy inside their infrastructure - so we can use this web proxy to build an SSL tunnel to a device inside the government infrastructure and include routing... on the other VPN device - now everybody can use the government services over a VPN without building a physical connection between the networks. It's tricky and I also had to build this in a lab to be sure it would work.... But for this customer it was the decisive factor for UTM...

  • -> I don't know if I have to press a key for flashing when booting the device from USB with the SFOS image? Do I have to press a key after the flash is successful for a reboot, or blind-type y if the LED indicates success? Sorry, this is not useful this way and a pain compared with UTM
    So if you have to flash, you do not have to do anything. Simply plug in the USB stick and start the appliance. Wait until the Status LED is not blinking anymore and unplug the power plug. And yes - the LED will indicate the same as the display would. I did this now for roughly 50 appliances and could not complain.

    WAF:

    For UTM you can use pre-authentication to stop "backend browsing" by unknown people - our best practice for UTM - and what about ActiveSync for on-premise Exchange and ZTNA...?
    ActiveSync and other links like OWA are supported. But none of my ZTNA projects still uses Exchange on-prem. But this is a Microsoft discussion.

    AD/DNS-Server redundancy:

    But basically you can create all your AD servers and add them to your config -> What happens if the first AD server in this list is offline (e.g. Windows Updates), or just the DNS service is down (when also used for DNS) and the server is still online?
    UTM uses TCP (or ping) to check the server. SFOS uses the service. So if the server is online on TCP but LDAP is unreachable, SFOS will move to the next server. So this is actually the better way to implement it.

    AD-Groups:

    Nice screenshot and nicely mixed AD objects - maybe you can sort this in alphabetical order? - Nobody wants to scroll down the whole list to search for the correct object because it is not sorted anyway.
    This is the first time I hear this complaint. But I can understand that in bigger setups this could potentially be a problem. But it is a one-time import problem. BTW: you could create the group manually as well by using the name. No need to actually import, if you have a big setup.

    SSL-VPN with https-proxy:

    We use this for a VPN to government services in a governmental infrastructure - the government doesn't allow any physical connections to their infrastructure / between networks, but they offer a web proxy inside their infrastructure - so we can use this web proxy to build an SSL tunnel to a device inside the government infrastructure and include routing... on the other VPN device - now everybody can use the government services over a VPN without building a physical connection between the networks. It's tricky and I also had to build this in a lab to be sure it would work.... But for this customer it was the decisive factor for UTM...
    Interesting. Nobody actually reported this behavior / setup to me/us in the last 5 years. Is this common in such deployments? It sounds like you actively work around/expose something that should not be exposed?

    __________________________________________________________________________________________________________________
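The reply above contrasts two health-check semantics for a list of directory servers: a transport check (TCP connect or ping, the UTM behaviour as described) and a service check (does LDAP itself answer, the SFOS behaviour as described). The following is an added example, not code from this thread or from Sophos, showing why the distinction matters for failover: a host whose port accepts connections but whose LDAP service is down passes the first check and fails the second. It assumes only the Python standard library; the LDAP exchange is a hand-encoded anonymous LDAPv3 simple bind (RFC 4511), and the two local "servers" are constructed test doubles, not real domain controllers.

```python
"""Service-level vs TCP-level health checks with failover across a server list.

Added example (not from the thread or from Sophos). Assumes stdlib only; the
LDAP bind is hand-encoded so no third-party library is needed.
"""
import socket
import threading

# Anonymous LDAPv3 BindRequest, messageID 1, hand-encoded BER (RFC 4511):
# SEQUENCE { INTEGER 1, [APPLICATION 0] { INTEGER 3, OCTET STRING "", [0] "" } }
BIND_REQUEST = bytes.fromhex("300c020101600702010304008000")
# Well-formed BindResponse with resultCode 0 (success); used by the constructed
# fake server below to model a directory that answers.
BIND_RESPONSE_OK = bytes.fromhex("300c02010161070a010004000400")


def _ber_len(buf, i):
    """Decode a BER length starting at buf[i]; return (length, index after it)."""
    first = buf[i]
    if first < 0x80:
        return first, i + 1
    n = first & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n


def parse_bind_response(buf):
    """Return the resultCode of an LDAP BindResponse, or None if buf is not one."""
    try:
        if buf[0] != 0x30:                     # LDAPMessage SEQUENCE
            return None
        _, i = _ber_len(buf, 1)
        if buf[i] != 0x02:                     # messageID INTEGER
            return None
        n, i = _ber_len(buf, i + 1)
        i += n
        if buf[i] != 0x61:                     # [APPLICATION 1] BindResponse
            return None
        _, i = _ber_len(buf, i + 1)
        if buf[i] != 0x0A:                     # resultCode ENUMERATED
            return None
        n, i = _ber_len(buf, i + 1)
        return int.from_bytes(buf[i:i + n], "big")
    except IndexError:
        return None


def tcp_probe(host, port, timeout=2.0):
    """Transport-level check: does the port accept a TCP connection?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def ldap_probe(host, port, timeout=2.0):
    """Service-level check: does the LDAP service answer a bind request?
    Any well-formed BindResponse counts as alive (a server that rejects
    anonymous binds is still up); a closed socket or garbage counts as down."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(BIND_REQUEST)
            return parse_bind_response(s.recv(1024)) is not None
    except OSError:
        return False


def select_server(servers, probe):
    """Failover: return the first (host, port) whose probe succeeds, else None."""
    for host, port in servers:
        if probe(host, port):
            return (host, port)
    return None


def start_fake_server(speaks_ldap):
    """Constructed test double listening on 127.0.0.1; returns the port.
    speaks_ldap=False models 'host up, LDAP service down': accept, then close.
    speaks_ldap=True replies to anything with a success BindResponse."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                if speaks_ldap:
                    try:
                        conn.settimeout(2.0)
                        conn.recv(1024)
                        conn.sendall(BIND_RESPONSE_OK)
                    except OSError:
                        pass

    threading.Thread(target=serve, daemon=True).start()
    return port


def demo():
    """First server accepts TCP but speaks no LDAP; second is a real responder."""
    tcp_only = start_fake_server(speaks_ldap=False)
    ldap_ok = start_fake_server(speaks_ldap=True)
    servers = [("127.0.0.1", tcp_only), ("127.0.0.1", ldap_ok)]
    return {
        "servers": servers,
        "tcp_pick": select_server(servers, tcp_probe),    # picks the dead one
        "ldap_pick": select_server(servers, ldap_probe),  # fails over correctly
    }


if __name__ == "__main__":
    print(demo())
```

The transport probe happily selects the first server because its port answers, while the service probe notices that no BindResponse comes back and moves on; the same pattern applies to DNS (send a real query rather than pinging the host), which is the scenario raised in the question about a server that is online while only its DNS service is down.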

