I’m documenting my numerous issues with SOPHOS Firewalls so that others can be aware of what they are getting themselves into.
Our Background:
My business is a long time customer of SOPHOS Firewalls(more than 10 years). We have 18 Firewalls and multiple RED devices, and many Access Points. Up until this year SOPHOS was our absolute favorite Firewall for a lot of reasons. But that changed this year. SOPHOS has been developing their new SFOS operating system, and this year they told us that we could not longer purchase their SG line of firewalls, and that we must move to their new XGS line of firewalls. SOPHOS is retiring the SG line of firewalls which were absolutely amazing. Their XGS(SFOS) new firewalls however are complete trash if you have any interest in being able to configure the firewall the way you desire.
I was promised the new Firewalls were great, and up to now, SOPHOS Support has been great, so we sunk well over $100,000 into a complete overhaul of our environment and SOPHOS has done nothing but treat us like garbage ever since. The have dismissed all the issues we’ve had. Every problem with the new Firewalls is ‘by design’ or ‘as intended’ and no recourse options are available. I’ve opened up 6 or more tech support issues with SOPHOS as well, and spent nearly 100 hours on the phone with SOPHOS in the last 4 months. Most cases get closed with no resolution because SOPHOS can’t find the source of the issue.
These firewalls aren’t even half baked. Any firewall in this class is supposed to be designed such that the administrator of the network can set up the firewall in the manner that they need for their business. With their new Firewalls, not-so. Sure you ‘can’ set things up the way you want, but SOPHOS builds in defects ‘by design’ to make your experience poor unless you use the firewall in the way they want you to. If you raise these issues with them, you will be dismissed and told to do it their way, or deal with the problems. It’s pretty dictatorial.
After I built the first of our 18 new Firewalls, I hired a SOPHOS consultant when we were forced to make the switch. The new Firewall is vastly different and I wanted to ensure the setup I did was a good baseline for all the other 17 firewalls I was deploying. I’ve had nothing but issues ever since. We’re stuck with SOPHOS now… at least for the foreseeable future, so I’m going to be using this time to look for another firewall to move to once our term is over. For the price… the lack of functionality is abhorrent, and the dismissiveness is really sad. SOPHOS used to be a great company and a great Firewall product. Now, if you want a flexible, configurable, and well-functioning firewall, this is no longer the product for you.
Issue # 1 - VPN Failover and WAN Interfaces
IPSEC VPNs are commonplace. Lots of businesses use them and we are no different. We’ve been using IPSEC for years on the SG firewalls and they have been great. No issues at all. I could set them up however I wanted with lots of flexibility, and they were extremely reliable.
How it was:
On the old model firewall, you had a WAN Interface Group where you’d specify the primary internet as well as one or more backup internet connections. It would keep the backup internet connection(s) disabled until the primary failed. Then it would activate and fail over to the backup internet until the primary came back online, and then fail back. Basic stuff…
Also on the old model firewall, you’d create the VPN tunnel, designate the WAN Interface Group as the internet and the VPN tunnel would establish itself over the whatever internet connection was the active one in the WAN Interface Group at the time. You could also hard set the VPN tunnel to a specific WAN interface if you preferred as well. It was easy to use, very configurable, and it worked very reliably.
How it is now:
On the new firewall, it still has a WAN Interface Group, where you specify the primary internet as well as one or more backup internet connections, and it fails over and back just like the old firewall. However, now it keeps the backup internet connection(s) enabled and active, and uses quite a lot of data to check that they are online. If you have a cellular 5G backup internet(different provider\different medium methodology)… it’s going eat up your data whether you like it or not, and if it’s pay-per-use, it will run up your bill. Even if you never fail over to it. I brought this up to SOPHOS. Answer “it’s by design” end of story. Very nice. So it’ll eat up data and run up charges forever. SOPHOS says pay the bills, or get a backup internet that does not have usage charges. “do it our way or pay the penalty”.
Moving onto the VPN… even though there is a WAN Interface Group, which should be able to used to float the VPN Tunnel to the active Internet connection, you can’t use it that way. I told them the old Firewall did this, and asked how to do the same… however, this is “by design”, end of story. So now we need to set up two or more VPN tunnels(one per internet connection). More time and more complicated than necessary, but it’s “by design” so it’s non-negotiable. Anyhow… after you create your multiple VPN connections(all identically set up, just with the WAN interface different), you then need to create a Failover Group, which is a new configuration that determines which VPN Tunnel is primary, and which is backup. This is all so that when the primary internet goes down in the WAN Interface Group, and the backup internet becomes active, then the Primary VPN Tunnel connection will fail as it is hard set to the primary WAN connection, and then the VPN Failover Group will bring up the backup VPN tunnel which is hard set to the backup internet connection. All this complication for the same result, “by design”.
In the Failover VPN section there is a checkbox called “automatic failback”. That’s all it says, no description. It’s supposed to automatically fail back your VPN connection when then primary internet comes back online, however I learned it only tries once. So if your ISP is doing some maintenance overnight… or there is some unexpected brief interruptions on your Primary internet, it will try once (60 seconds later) to fail the VPN Tunnel back, and if that is not successful, it will leave your VPN tunnel connected over to the backup internet permanently. Even if the Primary internet comes back online and is working correctly. So then, half a day later you notice that the VPN tunnel has been eating up your cellular data, or running up your pay-per-use data charges, and you need to manually fail it back. I opened a case with Mark Esiovwa from SOPHOS, and I bet you can guess what he said… “this is by design”. He “confirmed this from the GES team (highest level of support at Sophos)”.
So SOPHOS has purposefully created a bug, which creates issues/costs/loss for customers who choose to use an IPSEC VPN Tunnel. They won’t fix the issue they purposefully created, because they want you to use the equipment you bought their way. This is evidenced by their next statement of “While this is by design for PBVPN, we do offer an interactive RBVPN. This allows for managing route criteria based on configured polices”. Simply put, you bought this firewall, it will allow you to use an IPSEC VPN, however, if you don’t do it our way… we will manufacture consequences and issues so that you will eventually comply out of exhaustion.
This is ONE scenario and there are many more like this coming. Stay tuned. If you want SOPHOS to tell you how to run your network, right down to the settings you choose, then they’ll be happy to do that and it will probably work. However if you would like to administer your network the way you want\need\choose, don’t walk, run from SOPHOS. You won’t be happy after you spend hundreds of thousands of dollars and days of phone calls, to be told over and over… “we designed it that way”.
This thread was automatically locked due to age.
