
Time to Move on

After many years of my time researching (even reporting a DoS inside of Astaro v4), advocacy, and finally reselling, I have had to make the decision to move on due to Sophos now practically ignoring smaller partners (mostly Silvers) and a general lack of code quality.  I finally could not beat my head against a door of developers, both on the forums and in private, telling me I was wrong over and over when I could prove I was correct... even with the backing of this wonderful community.  If my reputation in this community and my track record of accuracy was not enough to get me at least a bit of cred with the devs...

I have since moved to pfSense and now have an IPS system that doesn't need 4 GHz of CPU power and multiple simultaneous clients to have high-speed traffic processing.  I am also hooking up clients that need only basic firewalls (not UTM) using the Ubiquiti firewalls as well. Please hit me up on my Facebook page or at my business blog if you want more information.

I have enjoyed my time within this community even if Sophos made my time with them not pleasant behind the scenes.   I have let my partner software licenses (XG and SG) and Home expire, and with a sad heart I say goodbye to this wonderful community.  I hope Sophos eventually gets their act straight, and I tip my hat to those who stick with it.

Sincerely,

William Warren



This thread was automatically locked due to age.
  • William

    I see your name in replies to a lot of the forum posts I have been reading recently so I value your opinion and so this is interesting to me.

    I am a long time 'IT guy' of 15+ years and have not had a huge amount to do with UTMs/Gateway devices in the past as I'm mainly a Microsoft Server specialist. My limit has basically been your typical router with port forwarding where required.

    So I have a family with kids and my home router was not up to the job (not fast enough and not enough features), so I looked around and from a long list decided to try Sophos UTM first (Untangle and pfSense were on the shortlist too).

    The more I learn about Sophos UTM the more I am concerned that this is not a good fit for my requirement. What you say above and also (here) makes me wonder if the Sophos UTM is really fit for purpose when so many workarounds are required to allow 'the modern internet' to work. For example I switched on Web Protection this weekend and immediately the kids came to me because Amazon Prime and Netflix had broken on their iPads. Sheesh. I don't want to turn this into a 'how to fix' request, I'll try some of the other threads I have bookmarked before I come back and ask here.

    My requirement is fairly typical of a home network (and also likely fits many small/medium businesses too):

    • Protection from 'the bad guys':
      • Malware 'executables' and scripts etc.
      • Phishing sites and other URLs that you don't want people to go to for whatever reason
    • Fast Internet connection with minimal interference in 'normal internet' traffic:
      • Web surfing obviously
      • Streaming media of all kinds
      • Allow fast downloads (peer to peer (legit stuff obviously), Dropbox, OneDrive, Steam updates, etc.)
    • Block traffic when required:
      • Time based (stop the kids waking up in the dead of night and watching Netflix!)
      • Category based (for me this is mainly about protection from Malware)

    Beyond that I am not sure I really need anything much more complicated. For example, I am not sure I need a device that does IPS. I don't run servers on my LAN, so really no traffic needs to come from WAN to LAN unless in response to an outgoing request, so I am not sure what an IPS really adds.

    So I think this is on topic for the post: what can do this job for the home if not Sophos UTM? I see you recommend pfSense. I need to look at it again, but I got the impression on my first look that it was just a basic firewall and that I needed to use Sophos UTM or Untangle to meet my requirements.

    Any thoughts?

    Ian

  • Hi Ian,

    you can set up the UTM for some serious protection without using all the features. Enabling web protection with URL filtering or using the ATP features will give you anti-virus etc. on incoming traffic.

    As a home user you don't need any of the workarounds. It does native IPv6 if you are interested.

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • It seems like IPv6 is something that 'normal home users' should never need to worry about. At worst you might end up being given an IPv6 public IP, so you will need a router that can handle that, translating all IPv6 arriving at the edge to IPv4 for those devices on the LAN that need IPv4 (or routing IPv6 for newer devices that can use IPv6). To me it seems pointless forcing oneself along the IPv6 path; IPv4 works, and ISPs won't make home users abandon it until they have decent working alternatives in place. Anyway, just my 2 pence.

    I need to look more at the UTM being replaced by XG; from what I can gather from comments here, XG is not a mature product yet. If anyone can point me at a good comparison post between the two that would be great.

    If pfSense is not a good Sophos replacement (and opinions seem to vary), what are good alternatives? Is Untangle worth the $50/year?

  • We were using Cisco 5520s in conjunction with Untangle. It worked. However, we now use the UTMs.

    I've used pfSense as well. Very good firewall, although comparing it to the UTM is like comparing apples to oranges.

    As for XG, my last look at it a month ago sort of frightened me off. I can see some good things but equally, I'm not quite sure I like the GUI as it stands.

  • Hi guys,

    I have both UTM and XG. I installed the XG to see what it is like and to be an active member of the beta environment, similar to the UTM.

    Currently the XG is powered off because I am retiring shortly and cancelled my second ADSL connection.

    If you have a simple home setup and don't want any fancy firewall filters then the XG will be for you. If you have come from a UTM environment you will be very disappointed with the XG.

    I have been using the UTM since 2005 and have been very active in all facets of its development, so I can speak with experience on the comparisons.

    XG v20 might be good, but at this stage it is only vapourware; we are still waiting for v17b to see if it lives up to the hype and promised improvements.

    This is not the first time I have posted these comments.


  • I agree. I think it has a long, long way to go before it catches up with the UTM. I sort of get the feeling that this is like a Windows 95 & NT scenario with it all eventually merging into Windows 2000/XP....

    But at the minute, the XG is just a step too far....

  • Ian B said:
    If PFSense is not a good Sophos replacement (and opinions seem to vary) what are good alternatives? Is Untangle worth the $50/year?

    pfSense is a great firewall, and BSD flavors have always been very stable. William is looking at it from a reseller's point of view, and pfSense is very robust and very competitive considering the licensing costs. Plus it's mostly set it and forget it. I travel a lot and almost every other week I am at a hotel that is using pfSense as their gateway. You can't beat FREE, especially when it's rock stable and can do most of the UTM functions if set up correctly. I haven't tested Untangle in a long time, but UTM9 was a far superior product when I compared it to Untangle years ago.

    For a home user, the choice is pretty clear. If you like messing with configs and want to download packages separately from your base install... go with pfSense or even IPFire.

    If you like everything bundled for you for free... Go with UTM or XG.

    For home use, you will mostly need filtering, AV protection, QoS and sometimes time quotas. I feel UTM has an edge on filtering, AV is the same for XG and UTM, QoS for home use is great in XG but UTM uses CoDel qdiscs, which is good for bufferbloat, but you can always throttle XG lower than your allotted upload and bufferbloat is not a problem. Time quotas are a toss-up between the two.

    If I had never used any of the Sophos products, I would go with XG, as that is what they are working on and is the future of Sophos. If you want a more robust/stable build, go for UTM9. XG gives you an unlimited license compared to the UTM 50 IP license, so the choice is yours.

    IPv6 is the future, but NAT pretty much secures IPv4 for home use in the foreseeable future. I jumped on IPv6 when it was first introduced in Astaro and turned it off after using it for exactly one year. If your environment doesn't need it, you don't get anything extra by using IPv6.

    As far as exceptions/exclusions for streaming devices, you will have to do some exclusions no matter which firewall you choose. There are many KB articles that show you what URLs/IPs to exclude. I personally don't scan my streaming devices so its not a problem but I can see it being a problem on tablets/smart phones etc.

    In the end, more choices is a good thing. Try them all and you will more than likely end up with XG/UTM, or Untangle if you are willing to pay for their nicer features. pfSense or similar if you like stability but don't mind adding packages and tinkering with firewall rules and a messy QoS setup.

     

    Louis-M said:
    I sort of get the feeling that this is like a windows 95 & NT scenario with it all eventually merging into windows 2000/XP.... 

    Yeah, but Microsoft merged 95 with NT. XG is 95 in this case [:'(]

  • Thanks Billybob that is a very useful comprehensive overview, much appreciated!

    I've had a look at pfSense and IPFire and I think that, for me, there is too much command line involved in adding and configuring features (packages) that are not native. When I've done this for other devices in the past (NSLU2 etc.) I've found that these are fine when they work, but when they don't it's a beast to work out what went wrong.

    I think I will persevere with UTM9 for the moment and see how I get on, if that doesn't work out I'll give XG a spin and take it from there.

  • I am not looking at it from a reseller's perspective.  BB, you should know me better than that.  How many years have I advocated for Astaro/Sophos only to be told I was wrong (I wasn't) or ignored (very often)?  Now I can tell you that behind the scenes, where most people do not see, I am actively ignored and told even more forcefully that I do not know what I am talking about.  The volumes I have written on this software and the detailed descriptions of issues I see, along with the documentation I provide, are not a side job in terms of the time it takes to handle this.  Ever since Sophos took over this product... they let go EVERYONE from the original Astaro team, and the replacements are... unsatisfactory... which speaks volumes.

    Want to know what I resell?  One thing... anti-malware... that's it.  Everything else is a one-time purchase.  I also manage a couple of SonicWalls.  With the exception of their infuriating interface (the XG is actually BETTER here), their stuff... just works... and works well.  It is not as cheap as Sophos, but at this point... I want what works.  I have found another vendor that carries SG/XG UTM devices AND SonicWall devices.  For clients that really need UTM I'll point them to SonicWall.  Now that I have pulled off the UTM blinders, the number of clients in my business size that really NEED UTM is... nearly zero.  Proper policy, network design and ongoing maintenance eliminate the need for and operation of a complicated UTM-type device.

    XG is the future, but it boggles the mind... they are throwing away what was a leading security UTM for one that is widely known in the industry as a secondary player.  Web A/V is really useless now with HTTPS everywhere unless you want to mess with HTTPS interception (that's shaky for anyone).  I have pfSense running here with Suricata using the web UI with zero issues.  I can also EASILY hit a gigabit without having to make multiple streams go or without having to push the HTTP proxy into overdrive to ramp up the CPU for Snort to work at full speed.  I currently have four 2.5 GHz Xeon CPUs dedicated to my pfSense VM with Suricata, and 1 gigabit happens easily as the load gets spread across all 4 cores and my CPU doesn't have to get slammed to max speed.  Sure I lose DPI (but that doesn't work properly inside of UTM, so that's no big loss) and I do not have to touch the CLI to get this working.  I have robust VPN services available by default and the system is rock stable.

    Want to know how much I have touched the CLI in pfSense for configuration?  ZERO.

    Something else.  Resource requirements and RAM usage.  I have 8 gigs assigned to the VM and I had 8 gigs assigned to the Sophos UTM VM. Same host machine with the same CPU allocations.  I have Suricata active on 4 of my 5 interfaces.  Want to know my RAM usage?  2 gigabytes out of 8 with ZERO swap.  NO MEMORY TWEAKS REQUIRED.  My now deleted UTM VM ran 2 gigs with ZERO modules active and 5 firewall rules.

    Now this is apples to oranges... in a way.  I do not have content filtering, I do not have the DPI (again, doesn't work properly anyway), and I do not have web filtering.  My extensive internal testing, though, was just going base firewall to base firewall.  pfSense RAM usage... 10% of 8 gigs, so about 800 megs.

    I still have a couple of UTM devices deployed.  One is a FullGuard machine (due to how many modules he needed it was cheaper to go FG).  This is an SG115W machine.  Using HTTP proxy (web A/V, application control, content filtering and Snort) it runs at 3.0 gigs of RAM usage.  That's not telling the whole story.  This machine got into more than 50% swap as well.  Sophos thinks swapping is fine, so they have no issues with it.  When the appliances were HDD based this was a huge performance hit.  Now they have SSDs in these devices, which helps, except for the write endurance of the SSD they are chewing through.  How did I "fix" this?  I had to reduce the report retention to minimum, disable web A/V and put the Snort rules on a 6 month expiration.  Still showing 3 gigs of usage but with 15% swap... still not working as planned, because a properly tuned Linux machine would never swap.  The issue isn't Linux... the issue here is that Sophos's code is wildly inefficient.  I long ago had to advocate for years that a 2 gig minimum was not enough.  It took more than a year of constant reports of machines going into high swap and even totally locking up for Sophos to increase the base memory.  4 gigs for a Sophos minimum is not enough.  8 is the realistic minimum.  I have an SG105 that, as we know, only has two gigs of RAM in it.  Sophos behind the scenes knows good and well that this is unsupportable.  When I talked to them directly about this situation I was told that yes, 2 gigs is not enough for both HTTP proxy functions and IPS to function.  They know this is insufficient... but so far... crickets.

    I am not trying to pour sour grapes, but Sophos has badly mismanaged, and continues to badly mismanage, UTM.  My issues are with how they have totally murdered the functionality of UTM and, despite their assurances to the contrary, use UTM as their cash cow until they can figure out how to get Cyberoam (XG) from a secondary player in the market to the forefront.  Newsflash, Sophos: you have a leading product already in SG.  Look at their actions.  Where do the new technologies and features go first?  XG.  I had somebody reach out to me this morning via e-mail pleading for help.  What was telling was he said he has gotten Sophos Professional Services involved (he bought an XG) and they have no idea how to make the XG work with his network.  This has been ongoing for 4 months.  He has since installed SG on it hoping to get better help.  I have pointed him to his nearest Platinum partners and told him to talk to these folks and hopefully they can get it working.  I also told him if not... I would re-up the SonicWall he has already working, because at least not only does the appliance work, but Dell's tech can keep it working well for him... it just costs more.

    Now with pfSense going with Suricata on 4 interfaces... 20% RAM usage... MAX, and ZERO swap.  UTM with base firewall and Snort in the same configuration... 3-4 gigs usage.  That's apples to apples there.

    You can see my network and the hardware i am using for my vm's here.

    Oh, and IPv6 works perfectly on pfSense... UTM 9.x?  Nope.  When will IPv6 work on UTM9?  Who knows.  That's just another major issue that has yet to be fixed... and that is considered basic functionality in ANY firewall these days.

    If Sophos was not mishandling UTM so badly and reducing its security with unfixed problems in the proxy and other areas, I would happily continue to resell it.  For me and my clients... that simply isn't the case.  I now have other products I am testing and deploying.  pfSense w/ Suricata is one of them... UniFi/EdgeRouters are another.  I do not consider IPFire a serious player... that's just me.  I also tried Endian, WatchGuard and Smoothwall community before deciding on pfSense and Ubiquiti.  I will check back on Sophos UTM products once SG goes away and/or XG becomes a first-rate product... It could be a long wait.

  • One nod I will give to UTM, and others of that line (SonicWall and others): they are a deny-first system.  pfSense is the opposite.  While it is easy to fix that by adding a deny any any rule and then building your rules on top of that, it does take a shift in thinking to get used to.....
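    The default-deny ruleset the post above describes, written out in pf syntax (the packet filter underneath pfSense) as an added example. This is not code from the post or from the pfSense project; the interface names, the LAN subnet and the permitted ports are assumptions.

```pf
# Added example, not from the post or the pfSense project.
# Interface names, LAN subnet and permitted ports are assumptions.
ext_if  = "em0"
int_if  = "em1"
lan_net = "192.168.1.0/24"

set skip on lo0
set block-policy drop        # silently drop instead of answering with RST/ICMP unreachable

# Hide LAN hosts behind the WAN address (translation rules precede filter rules in pf.conf).
nat on $ext_if from $lan_net to any -> ($ext_if)

# Default deny, logged: without 'quick', the last matching rule wins,
# so everything that follows is an explicit exception to this block.
block log all

# Drop packets whose source address belongs to one of our own networks
# but that arrive on the wrong interface.
antispoof quick for { $ext_if $int_if }

# LAN hosts may resolve names and browse; nothing else leaves the LAN.
pass in  on $int_if proto { tcp udp } from $lan_net to any port 53         keep state
pass in  on $int_if proto tcp         from $lan_net to any port { 80 443 } keep state
pass out on $ext_if from ($ext_if) to any keep state

# Management of the firewall's own web GUI only from the LAN side.
pass in on $int_if proto tcp from $lan_net to ($int_if) port 443 keep state
```

    Syntax-check a ruleset with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`. On pfSense itself the same posture is reached in the GUI by deleting the default "LAN net to any" allow rule and keeping only explicit allows; note that every rule the pfSense GUI generates carries `quick`, so there the first match wins rather than the last, and a blanket block rule belongs at the bottom of the list, beneath the allows, not at the top as in the hand-written ruleset above.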

  • Wow, long post William[:D] My earlier post in reply to Ian wasn't meant as an offense to you. Ian was asking about UTM vs pfsense for home use and I offered my limited knowledge on the subject.

    I have made my reasons for not using pfSense clear in my earlier post, so I won't rehash their unprofessionalism, but you can go to their forums and read the posts by gonzo poncho (one of the owners) before he deleted his account. There is no way in hell I would ever deal with people like that, even if they were paying me to use their products.

    BSD is a distro, which means it comes ready to run as a complete system, whereas Linux is just a kernel that can be tweaked to your liking if you prefer to do so. Therefore memory management etc. can't be compared between pfSense and UTM due to the different philosophies between pfSense developers and Astaro/Sophos developers. I know your feelings about swapping etc., but for whatever reason Sophos/Astaro chose the default swappiness=60 in their configurations and tried to cram huge daemons into smaller boxes that were never designed for this kind of load.

    Main shortcomings of pfsense:

    They basically give you a FreeBSD install with a few of their own patches and a GUI. This gives you a basic firewall with NAT, QoS, limited logging, some router functions, and a few other things that I am forgetting right now. If you want to add anything like AV protection, Suricata or Snort, or any of the other UTM features like HTTP/S proxy, reverse proxy, email proxy (is it even available in pfSense?), country blocking, layer 7 application control (it used to suck before... I think now they want you to use Snort [:O]), endpoint protection etc., you have to rely on third-party vendors/enthusiasts that may or may not support certain things in the next release. There is also the problem of patches. While pfSense may patch something trivial like an SSL bug immediately, the smaller daemons that some enthusiast submitted and that you are now using in pfSense may run or may become unstable. This is not the norm, but it's definitely a possibility and it definitely happens when they update to newer versions of pfSense.

    In fact, you may completely lose support for some random daemon that is not mainstream because pfSense was updated. This is the number one reason people buy UTMs. They want their systems supported. You have made your feelings clear about Sophos support, but I can guarantee you, when I was in the rat race working for big corporations, there was absolutely no way to convince the CTO to buy something that didn't offer complete support. We could develop our in-house Linux solutions, but if money was being spent on hardware, it had to be completely supported, no exceptions.

    Back to pfSense... The number one complaint that I have against Sophos XG is that the logging sucks, but even with the limited logging that XG has, pfSense can only dream of producing such logs. The limited logs generated by the firewall are OK for a home router or a hotel where nobody cares what is going on, but if you care anything about your employees in a business setting, more than likely you will be interested in logging. There probably are third-party vendors that offer such capabilities, but now you are adding another layer on top of pfSense.

    You mentioned Ubiquiti; I love their access points. I don't know if pfSense has a Ubiquiti add-on or not [:P], but that's another piece of hardware being deployed that needs its own maintenance contract.

    I can keep on going, but to make pfSense equivalent to any of the other single-box UTM offerings, you really have to do your research and hope that you get it right or that your reseller knows what he is talking about. Otherwise, pfSense is not a substitute for a single-box UTM appliance, all packaged together with all the basics included and supported (at least on paper). I realize that IT budgets are tight, so pfSense does fill that niche where you need a stable set-it-and-forget-it mentality. I also hear about it being deployed in some data-intensive situations. I have used Astaro forever at home and even have their access points. A few years ago I bought an Asus RT 68U. If I wasn't such a geek, I could do almost everything that a home user needs with that router. Granted it's not a substitute for a complete distro; my point is the niche market is getting smaller and I don't know how much inroad pfSense is going to make with companies that need all the features that are not part of the core install of pfSense and need third-party vendors/support.

    As far as UTM being phased out while XG is still nowhere near as capable, I have already written volumes here and here and some others that I have since deleted, because I feel bad for bashing Sophos all the time while they try their best to be completely professional and accommodating all the time, at least on this forum.

    Regards

  • Oh, no offense taken at all.... pfSense has a full syslog output, so you can get the logs you want one way or another.  pfSense is not a full UTM and I noted that.  pfSense isn't a reselling product.  I grab a copy of it and I do the work.  The cost for pfSense is zero... nothing to resell.

     

    I love Ubiquiti's access points as well.  I am branching further into their other lines as well.  You and I are most likely in different segments, where most of my clients do not need the UTM.  For my clients that do, Sophos used to be the go-to product... it isn't now.

     

    The packages that come as add-ons are supported directly by pfSense, and when there is an issue with, say, Suricata it gets updated immediately.  Maybe in previous versions it was piecemeal... that is no longer the case.  I have updated my pfSense twice now and any upstream fixes for Suricata were dutifully added into the updates.

     

    If pfSense doesn't work out (like if they are still aholes) I can easily migrate to OPNsense, which is a full fork of pfSense.

     

    either way I am having to look for another solution because SG and XG are a hot mess right now.  SG is being allowed to wither on the vine while Sophos tries to make a second rate product the new standard....

  • I also see the neglect of the UTM in favor of XG, and it will fail. Someone high up in corporate has to realize what kind of failure XG is and put the work back on SG, and plan for UTM 10 with a reworked IPS and all the features the community has been asking for. But they (Sophos) spent so much money on Cyberoam that they can't just put it away. An SG UTM with state-of-the-art DPI and fixed issues would sell like hot chocolate at a kids' birthday party in December.

    I am seeing some light in Sophos support with a current support case that is finally catching some good momentum.

    ---

    Sophos UTM 9.3 Certified Engineer

  • Hi Ben, I had mentioned this in one of the betas, but it is complete conjecture on my part. Before Sophos went public, they wanted to expand their core AV business and realized that a UTM product would be beneficial to their portfolio, and acquired Astaro. During the same time, as is the nature of acquisitions, a lot of Astaro staff either left or were let go. Since they were looking for new developers, someone higher up (at least VP level) floated the idea to acquire Cyberoam and offshore the development to Cyberoam.


    On paper, this seems like a win-win, as now they had the Astaro code and all the developers from Cyberoam; they were going to integrate the best of Astaro into Cyberoam, call it Copernicus and save money at the same time. There was great hype and promises were made, but the initial Copernicus offering underwhelmed most seasoned UTM users. However, where they went completely wrong was that someone higher up, either from the Cyberoam acquisition or elsewhere, decided to completely abandon UTM and use the Cyberoam API as the development platform, and is still actively pushing that agenda.

    This was a couple of years ago. Since then, they are having a hard time adding stuff to Cyberoam due to reasons unknown. They are finally going to add the SXL filtering database to XG v17 (available in UTM since late v8/9, I believe). XG uses Snort for L7 categorization and people have huge bottlenecks unless they disable Snort, which defeats the purpose of buying a layer 7 aware firewall. Other simple things like DNAT rules LAN > WAN > service NTP... DNAT to an internal server can't be done in XG. Can't rename interfaces, no QoS rules per interface, country blocking doesn't work as advertised, MTA integration is reinvented instead of using Exim, which has worked forever in UTM, can't change the SSL VPN port etc. [:#]

    Why are they having such a hard time and why do they keep reinventing the wheel instead of integrating UTM daemons into XG? I have no idea, but the code base has definitely suffered in XG and UTM. I used to love doing UTM betas but haven't seen anything exciting in the last two betas to even bother with them, so UTM is completely dead in the water while they pour ALL their resources into XG.

    Bean counters are coming, as is the nature of any business and if XG doesn't deliver soon, heads will roll along with splitting selling of UTM divisions in sophos[:|]

    It's not all bad though. I had doubts about this new community board, but it's still thriving. People still help each other and Sophos people are mostly accommodating and professional. However, the level of engagement that we had during the Astaro years, where ALL ideas were welcome during the beta, is completely gone.