This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Time to Move on

After many years of my time researching(even reporting a DOS inside of Astaro v4), advocacy, finally reselling, I have had to make the decision to move on due to Sophos now practically ignoring smaller partners(mostly silvers) and general lack of code quality.  I finally could not beat my head against a door of developers both on the forums and in private telling me i was wrong over and over when I could prove i was correct..even with the backing of this wonderful community.  If my reputation in this community and my track record of accuracy was not enough to get me at least a bit of cred with the devs.....

I have since moved to PfSense and now have an IPS system that doesn't need 4 ghz of cpu power and multiple simultaneous clients to have high speed traffic processing.  I am also hooking clients that need only basic firewalls(not UTM) using the Ubiquiti firewalls as well. Please hit me up on my  Facebook page or at my business blog if you want more information.  

I have enjoyed my time within this community even if Sophos made my time with them not pleasant behind the scenes.   I have let my partner software licenses(XG and SG )and Home expire and with a sad heart I saw goodbye to this wonderful community.  I hope Sophos eventually gets their act straight and I tip my hat to those who stick with it.

Sincerely,

William Warren



This thread was automatically locked due to age.
Parents
  • William

    I see your name in replies to a lot of the forum posts I have been reading recently so I value your opinion and so this is interesting to me.

    I am a long time 'IT guy' of 15+ years and have not had a huge amount to do with UTMs/Gateway devices in the past as I'm mainly a Microsoft Server specialist. My limit has basically been your typical router with port forwarding where required.

    So I have a family with kids and my home router was not up to the job (not fast enough and not enough features) so I looked around and from a long list decided to try Sophos UTM first (Untangled and PFSense were on the shortlist too).

    The more I learn about Sophos UTM the more I am concerned that this is not a good fit for my requirement. What you say above and also (here) makes me wonder if the Sophos UTM is really fit for purpose when so many workarounds are required to allow 'the modern internet' to work. For example I switched on Web Protection this weekend and immediately the kids came to me because Amazon Prime and Netflix had broken on their iPads. Sheesh. I don't want to turn this into a 'how to fix' request, I'll try some of the other threads I have bookmarked before I come back and ask here.

    My requirement is fairly typical of a home network (and also likely fits many small/medium businesses too):

    • Protection from 'the bad guys':
      • Malware 'executables' and scripts etc.
      • Phishing sites and other URLs that you don't want people to go to for whatever reason
    • Fast Internet connection with minimal interference in 'normal internet' traffic:
      • Web surfing obviously
      • Streaming media of all kinds
      • Allow fast downloads (peer to peer (legit stuff obviously), Dropbox, OneDrive, Steam updates, etc.)
    • Block traffic when required:
      • Time based (stop the kids waking up in the dead of night and watching Netflix!)
      • Category based (for me this is mainly about protection from Malware)

    Beyond that I am not sure I really need anything much more complicated. For example, I am not sure I need a device that does IPS. I don't run servers on my LAN so really no traffic needs to come from WAN to LAN unless in response to outgoing request, so I am not sure what a IPS really adds.

    So I think this is on topic for the post: what can do this job for the home if not Sophos UTM? I see you recommend PFSense. I need to look at it again but I got the impression in my first look that it was just a basic firewall and that I needed to use Sophos UTM or Untangle to meet my requirements.

    Any thoughts?

    Ian

  • Hi Ian,

    you can setup the UTM for some serious protection without using all the features. Enable web protection with URL filtering or use the ATP features will give you anti-virus etc on incoming traffic.

    As a home user you don't need any of the work arounds. It does native IPv6 if interested.

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

Reply
  • Hi Ian,

    you can setup the UTM for some serious protection without using all the features. Enable web protection with URL filtering or use the ATP features will give you anti-virus etc on incoming traffic.

    As a home user you don't need any of the work arounds. It does native IPv6 if interested.

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

Children
  • I will certainly not give up right away, I need to try some of the workarounds I have found so far.

    I am intrigued in your comment about IPv6, why is that important?

  • Excuse us William while we temporarily highjack your thread. Everyone gets very excited about IPv6, so I thought you should be aware.

    And you don't need work arounds on the UTM if you are a home user.

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • rfcat_vk said:

    Excuse us William while we temporarily highjack your thread. Everyone gets very excited about IPv6, so I thought you should be aware.

    And you don't need work arounds on the UTM if you are a home user.

     

     

    IPV6 is still borked here on comcast with UTM.  I got tired of them telling me I was wrong when I can point to more than a few threads.  IF they have fixed it..good....they'll break it again later.  Keep in mind SG is a dying breed.  XG is the sophos future..SG is jsut a cash cow they are milking.

     

    Pfsense and IPV6=heaven.

    Owner:  Emmanuel Technology Consulting

    http://etc-md.com

    Former Sophos SG(Astaro) advocate/researcher/Silver Partner

    PfSense w/Suricata, ntopng, 

    Other addons to follow

  • Mine worked well until UTM 9.5b

    Mine was working native on internode in AU. No special tricks required. Turned on IPv6 at ISP and UTM and bingo IPv6 appeared.

    About to add details to a thread in the 9.5 forum on IPv6.

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • It seems like IPv6 is something that 'normal home users' should never need to worry about. At worst you might end up given an IPv6 public IP so you will need a router that can handle that, and then translating all IPv6 arriving on the edge and being translated to IPv4 for those devices on the LAN that need IPv4 (or routing IPv6 for newer devices that can use IPv6). To me it seems pointless forcing oneself along the IPv6 path, IPv4 works, ISPs won't make home users abandon it until they have decent working alternatives in place. Anyway just my 2 pence.

    I need to look more at the UTM being replaced by XG, from what I can gather from comments here is that XG is not a mature product yet. If anyone can point me at a good comparison post between them two that would be great.

    If PFSense is not a good Sophos replacement (and opinions seem to vary) what are good alternatives? Is Untangle worth the $50/year?

  • We were using Cisco 5520's in conjunction with untangle. It worked. However, we now use the UTM's.

    I've used pFsense as well. Very good firewall although comparing it to the UTM is like comparing apples to oranges.

    As for XG, my last look at it a month ago sort of frightened me off. I can see some good things but equally, I'm not quite sure I like the GUI as it stands.

  • Hi guys,

    I have both utm and XG. Installed the XG to see what is like and be an active member of the beta environment similar to the UTM.

    Currently the XG is powered off because I am retiring shortly and cancelled my second ADSL connection.

    If you have a simple home setup and don't want any fancy firewall filters then the XG will be for you. If you have come from a UTM environment you will be very disappointed with the XG.

    I have been using the utm since 2005 and been very active in all facets of its development, so I can speak with experience on the comparisons.

    XG v20 might be good, but at this stage it is only vapourware we are still waiting for v17b to see if lives up to the hype and promised improvements.

    This is not the first time I have posted these comments.

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • I agree. I think it has a long, long way to go before it catches up with the UTM. I sort of get the feeling that this is like a windows 95 & NT scenario with it all eventually merging into windows 2000/XP....

    But at the minute, the XG is just a step too far....

  • Ian B said:
    If PFSense is not a good Sophos replacement (and opinions seem to vary) what are good alternatives? Is Untangle worth the $50/year?

    Pfsense is a great firewall and BSD flavors have always been very stable. William is looking at it from a reseller's point of view and pfsense is very robust and very competitive considering the licensing costs. Plus its mostly set it and forget it. I travel a lot and almost every other week I am at a hotel that is using pfsense as their gateway. You can't beat FREE specially when its rock stable and can do most of the UTM functions if set up correctly. I haven't tested untangle in a long time but UTM9 was a far superior product when I compared it to untangle years ago. 

    For a home user, the choice is pretty clear. If you like messing with configs and want to download packages separately from your base install... Go with pfsense or even IPFire.

    If you like everything bundled for you for free... Go with UTM or XG.

    For home use, you will mostly need filtering/av protection/ QoS/ and time quotas sometimes. I feel UTM has an edge on filtering, AV is the same for XG and UTM, QoS for home use is great in XG but UTM uses codel qdisks which is good for buffer bloat but you can always throttle XG lower than your alloted upload and buffer bloat is not a problem. Time quotas are a toss up between the two.

    If I had never used any of the sophos products, I would go with XG as that is what they are working on and is the future of sophos. If you want more robust/stable build, go for UTM9. XG gives you unlimited license compared to UTM 50 IP license so the choice is yours.

    IPv6 is the future but NAT pretty much secures IPv4 for home use in the foreseeable future. I jumped on IPv6 when it was first introduced in astaro and turned it off after using it for exactly one year. If your environment doesn't need it, you don't get anything extra by using IPv6.

    As far as exceptions/exclusions for streaming devices, you will have to do some exclusions no matter which firewall you choose. There are many KB articles that show you what URLs/IPs to exclude. I personally don't scan my streaming devices so its not a problem but I can see it being a problem on tablets/smart phones etc.

    In the end more choices is a good thing. Try them all and you will more than likely end up with XG / UTM or untangle if you are willing to pay for their nicer features. Pfsense or similar if you like stability but don't mind adding packets and tinkering with firewall rules and messy QoS setup.

     

    Louis-M said:
    I sort of get the feeling that this is like a windows 95 & NT scenario with it all eventually merging into windows 2000/XP.... 

    Yeah but microsoft merged 95 with NT. XG is 95 in this case[:'(]

  • Thanks Billybob that is a very useful comprehensive overview, much appreciated!

    I've had a look at PFsense and IPfire and I think that, for me, there is too much command line involved in adding and configuring features (packages) that are not native. When I've done this for other devices in the past (NSLU2 etc.) I've found that these are fine when they work, but when they don't it's a beast to work out what went wrong.

    I think I will persevere with UTM9 for the moment and see how I get on, if that doesn't work out I'll give XG a spin and take it from there.