Does any one know if XG is roughly at feature parity with the UTM yet?
Thanks
Richard.
This thread was automatically locked due to age.
Does any one know if XG is roughly at feature parity with the UTM yet?
Thanks
Richard.
Let me rephrase most of those points:
Missed / unkown things:
(re)-flashing devices: more complicated - also no vga/hdmi connection port at xgs devices
SFOS can flash without display. The appliances indicate a flashing with LEDs. See: https://docs.sophos.com/nsg/sophos-firewall/19.0/Help/en-us/webhelp/onlinehelp/AdministratorHelp/BackupAndFirmware/Firmware/FirmwareReimageXGFirewall/index.html#reimage-sophos-firewall_1
There are LED Codes for the older appliances as well. (This will be documented soon). In the rare case of a failure of installations, you can use the USB console cable, which is in the package, but mini USB to USB cable will work too.
Let´s Encrypt: not a show stopper and you can do that with shell but why nobody at Sophos could implement that just in UI (since years)? Because Sophos expects there will be no more on premise web servers in the future?
It is true, the movement is against on premise servers. But the movement is more likely coming to ZTNA than WAF in the future. ZTNA is a better way to approach internal resources. So let rephrase the use cases, WAF is being used: Internal resources and external resources (Webshops) - Or better known to: You know the person wanting to access your resource and you do not know the person browsing your resource. Last case (webshops etc.) is something, rarely used within a company nowadays. Nobody wants to install a webshop in there on prem because they cannot scale as good as a cloud provider can do. So this is not a focus anymore for most customers. Therefore lets look at the part "You know the person accessing your resources" - And there is ZTNA a way better way to implement the access to your servers. ZTNA supports http/s clientless over browser and agent based with all ports. So you can replace VPN and WAF with ZTNA as a singe product in a secure manner, which the WAF was not capable before. I can go in more depth on this, but if you look into the architecture of ZTNA and ZTNAaaS, you will see, no need to do WAF anymore.
There are no availability groups anymore: how to implement redundant AD- or DNS-Servers? How to check if the servers are online?
That is correct. SFOS does not offer this kind of service to check for Servers. But basically you can create all your AD servers and add them to your config. You cannot do one single config and add two servers and let the SFOS failover.
There seems no option for time sheduled firmware updates?!?
You can do this with Central Management as a Partner for all your customers or you can do this as a customer in Central for all your firewalls. No need to do this or implement it on the firewall itself. BTW: You can even do this via Partner API.
XStream will not work for terminal servers without interceptX because of the client authentication - so you can just use the web proxy function for terminal servers
You can do both ways. Use the intercept X client, which most customers are doing. If you are not using Intercept X, you can use the direct proxy and integrate it (Same way UTM does authentication via Kerberos).
The only way to download the VPN-Client/config is the user portal - no option to download VPN packages for users as admin with webadmin - every user have to do that in user portal.
As Sophos Connect supports .pro Files, you can do this with Connect Provisioning FIles. See: https://docs.sophos.com/nsg/sophos-firewall/18.5/Help/en-us/webhelp/onlinehelp/AdministratorHelp/VPN/RemoteAccessVPN/VPNSConProvisioningFile/index.html
Import of AD-Groups - AD is sorted alphabetical without structure?!?
I am not sure, what you mean by this? The import tool?
Looking at my imports, there is a structure.
If you use multiple additional IPs for interfaces you can only delete 1 of these IPs at once
You could do this via Import/export, if you want. But it is correct, you can delete them one per time. If you want to flush the interface, you can unbind the interface, which will delete the config. As well as you can export alias interfaces with import/export, flush the interface and only create the needed interfaces/alias interfaces.
proxy/xstream only works as transparent proxy - no standard mode and also no option for wpad.dat (automatic proxy search) - How to avoid proxy completely and access a special website with a firewall rule instead of proxy?
The xStream architecture works only for transparent, because it is not a proxy. Proxy is a old technology and is not capable of doing TLS1.3. It could be actually die or run into issues in the future. The point is: Transparent is not xStream. It looks the same, but it is different. The packet is send from Client to Server and SFOS is copy pasting the packets on the fly. You can see this in a tcpdump. Proxy (transparent and direct) is "Sending the request to the proxy, and the proxy is getting your website". So you will never get the benefit of a xStream architecture in a standard/direct proxy mode. And about your second points: Why? The xStream Architecture is the entire firewall. You cannot bypass this, as such a "bypass" would decrease the performance of the firewall.
No possibility to use a parent web proxy just for the sophos web proxy (you can just use a parent proxy for firewall & web proxy together but not just for web proxy) - we use this for some government implementations - show stopper in this case.
There is actually some research ongoing, how to resolve this. But the problem is the technology. Government customers with parent proxies are working on old tech. So to speak, you see dead tech walking. There is an idea to resolve this with WPAD and do the web proxy (8080/3128) only for the government pages. We see more and more customers moving away from this approach of using the government networks. Feel free to talk to your Sophos public government sales rep about ways to interact with this setup.
With UTM you can use a https proxy for SSL VPNs - not possible with SFOS - we use this for some government implementations - show stopper in this case.
This is the first time, i am hearing/reading this. What do you mean by https proxy for SSLVPN?
S/MIME not implemented for E-Mail - we use this on UTM for a lot of customers to force S/MIME encryption for e-mail communication to some other companies -> Will 100% not be implemented in SFOS because sophos have Central E-Mail...- show stopper in this case.
Central Email is the better solution compared to both products. SFOS and UTM. It brings more tech onboard.
__________________________________________________________________________________________________________________