Time to Move on

This is a tricky thread to jump into! it's going in several directions at once, so I'll try to respond to these different directions, with some perspective from within Sophos.

 1) William, I'm sorry to see you go. you've been a staple of this community for many years, and you'll be missed. I do wish you well, and understand your frustrations. I can't speak to your sales frustrations, but I know we have publicly disagreed on points in the past on technical matters in these forums. All I can say, is sometimes the right solution is not nearly as straightforward as it may seem. I sincerely mean it when I say good luck to you as you change path.

2) Astaro vs Cyberoam - This is such a hard topic to comment on. There's just so much to say, and not enough space to say it all. Without getting too long-winded, XG is not about preserving money spent on cyberoam (I'm pretty sure Sophos paid more for Astaro than Cyberoam), or about choosing Cyberoam over Astaro. Yes XG is in some ways, the next version of Cyberoam, but in many more ways, its far more than that. all of the core security features in XG are either taken from UTM9 directly, or at least significantly enhanced with capabilities from UTM9. I've writen on that before, and won't expand on it again, in this thread. 

Of course XG still needs some improvements that many of you consider very basic, but it's not so black and white as many of you express. There's a clear line of differentiation on opinion, depending on your background. Customers coming in from competitors firewalls typically find XG very compelling, with few or no caveats. Those who object to XG, are most commonly those who were most appreciative of UTM9's UX design. In many ways, UTM9 has superior usability on a micro level, but not on the macro level. What I mean, is that UTM9 has a better implemented object model, with fairly consistent support for enable/disable and renaming, and it has some more powerful object types, like unified hosts, and availability groups. These make a big difference in specific tasks, and when configuring specific features, but don't greatly contribute to the overall discoverability and usability of UTM9. XG's object model is still a couple steps away from what UTM9 offers, but it also solves some of the biggest usability problems UTM9 has. Config is far too spread out in UTM9. Web and app control are intimately related to each other in purpose, but in UTM9, are confusingly different. One is fully user-aware, and the other is not. They're configured in different sections, so if you want create policy relating to a web application, you may need to independently setup web and appcontrol policies, and because of the incomplete user awareness, it's very difficult to match them up completely. In XG, they're not fully equal either, but they are much closer. A single rule applying to a group of users, can apply both web and appcontrol policies per user or per group. That's one example, and there are more. UTM has its strengths, but so does XG, and the strengths in XG are growing every version. v17 will make many more improvements. many of you PM me with suggestions or comments, and I welcome your feedback on what we need to improve. I promise you, I will always give your suggestions fair consideration. 

3) Finally, does Sophos care - yes, very much so. Is your voice being heard? absolutely. It may not always feel like it, and it won't always change our company direction - especially if you're asking us to make major investments in Cyberoam or UTM9. We've said publicly many times now, that we won't. You may not like the volume of improvements in v16/16.5, but the improvements chosen in 16/16.5/17 almost entirely echo requests directly coming from this community. 

With any company, support is often the victim of blame when people feel unheard, and often, the product itself is a factor in why support is less responsive than needed. Sophos is continuing to make serious improvements both to support and to usability and quality. We've done extensive review of what is taking up support's time, and we've been putting out a steady pattern of maintenance releases this year. Each one targeting ways we can make minor improvements to help eliminate the most common reasons people contact support. You'll see some usability improvements on areas of initial setup that cause people confusion today, as well as resolving bugs in each release. For instance, in MR3, we fixed a workflow problem with registration, and also added registration deferral. In MR4, we are adding links to training and how-to videos in the product. In MR6, we will release a completely new initial setup wizard, that also further improves the registration process. These, along with the issues resolved in each MR, are measurably reducing the support costs of XG, and making support better able to help when needed. We're also continuing to increase the size of our support teams, and you should be seeing the results of these actions now. 

4) Sophos vs PFsense - Really? Sophos, no question! :) 

Hopefully, this give some friendly Sophos perspective on this conversation

Cheers,

-AT

This is a tricky thread to jump into! it's going in several directions at once, so I'll try to respond to these different directions, with some perspective from within Sophos.

 1) William, I'm sorry to see you go. you've been a staple of this community for many years, and you'll be missed. I do wish you well, and understand your frustrations. I can't speak to your sales frustrations, but I know we have publicly disagreed on points in the past on technical matters in these forums. All I can say, is sometimes the right solution is not nearly as straightforward as it may seem. I sincerely mean it when I say good luck to you as you change path.

2) Astaro vs Cyberoam - This is such a hard topic to comment on. There's just so much to say, and not enough space to say it all. Without getting too long-winded, XG is not about preserving money spent on cyberoam (I'm pretty sure Sophos paid more for Astaro than Cyberoam), or about choosing Cyberoam over Astaro. Yes XG is in some ways, the next version of Cyberoam, but in many more ways, its far more than that. all of the core security features in XG are either taken from UTM9 directly, or at least significantly enhanced with capabilities from UTM9. I've writen on that before, and won't expand on it again, in this thread. 

Of course XG still needs some improvements that many of you consider very basic, but it's not so black and white as many of you express. There's a clear line of differentiation on opinion, depending on your background. Customers coming in from competitors firewalls typically find XG very compelling, with few or no caveats. Those who object to XG, are most commonly those who were most appreciative of UTM9's UX design. In many ways, UTM9 has superior usability on a micro level, but not on the macro level. What I mean, is that UTM9 has a better implemented object model, with fairly consistent support for enable/disable and renaming, and it has some more powerful object types, like unified hosts, and availability groups. These make a big difference in specific tasks, and when configuring specific features, but don't greatly contribute to the overall discoverability and usability of UTM9. XG's object model is still a couple steps away from what UTM9 offers, but it also solves some of the biggest usability problems UTM9 has. Config is far too spread out in UTM9. Web and app control are intimately related to each other in purpose, but in UTM9, are confusingly different. One is fully user-aware, and the other is not. They're configured in different sections, so if you want create policy relating to a web application, you may need to independently setup web and appcontrol policies, and because of the incomplete user awareness, it's very difficult to match them up completely. In XG, they're not fully equal either, but they are much closer. A single rule applying to a group of users, can apply both web and appcontrol policies per user or per group. That's one example, and there are more. UTM has its strengths, but so does XG, and the strengths in XG are growing every version. v17 will make many more improvements. many of you PM me with suggestions or comments, and I welcome your feedback on what we need to improve. I promise you, I will always give your suggestions fair consideration. 

3) Finally, does Sophos care - yes, very much so. Is your voice being heard? absolutely. It may not always feel like it, and it won't always change our company direction - especially if you're asking us to make major investments in Cyberoam or UTM9. We've said publicly many times now, that we won't. You may not like the volume of improvements in v16/16.5, but the improvements chosen in 16/16.5/17 almost entirely echo requests directly coming from this community. 

With any company, support is often the victim of blame when people feel unheard, and often, the product itself is a factor in why support is less responsive than needed. Sophos is continuing to make serious improvements both to support and to usability and quality. We've done extensive review of what is taking up support's time, and we've been putting out a steady pattern of maintenance releases this year. Each one targeting ways we can make minor improvements to help eliminate the most common reasons people contact support. You'll see some usability improvements on areas of initial setup that cause people confusion today, as well as resolving bugs in each release. For instance, in MR3, we fixed a workflow problem with registration, and also added registration deferral. In MR4, we are adding links to training and how-to videos in the product. In MR6, we will release a completely new initial setup wizard, that also further improves the registration process. These, along with the issues resolved in each MR, are measurably reducing the support costs of XG, and making support better able to help when needed. We're also continuing to increase the size of our support teams, and you should be seeing the results of these actions now. 

4) Sophos vs PFsense - Really? Sophos, no question! :) 

Hopefully, this give some friendly Sophos perspective on this conversation

Cheers,

-AT

AlantT: thank you for the lengthly write about SG/XG. My problem as a current customer with 2 full guard subscriptions (1 since 2009) is that i don't see XG coming out as a replacement for UTM in the next 2-3 years (at the current development pace), the lack of commitment to UTM since announcement of the XG was a major point in looking for alternatives. Currently me and my collegues see the Sophos UTM as the best product for our user case if we can combine it with a "next gen" packet filter / DPI product (two level firewall)

While i think it is healthly as a technical product manager for sophos to believe in the future of a product you spend alot of money and time on, one has to admit that the current state of XG does more damage to your reputation as a security company than good. If sophos were to go EOL in the next 12 month i can assure you 100% that the decision will not go towards XG. I know a lot of SG UTM users and professionals who think the same, even the Sophos UTM Partners we are working with all more or less say the same. If you look over the community forum with open eyes you will notice that there isnt really anyone who would remotely consider moving to XG, not just because of the lack of features, but also for the fact of the XG having one of the worst user interface experiences.

If you are saying XG will get there ill take your word for it at the moment if you give us a roadmap for the next 3-4 years and invest heavily into development.

But we don't have the luxery of beeing able to hold on that long and nobody wants to switch to the XG currently. So, you should consider properly investing and developing in the UTM and listening to those who still choose to buy your products. (just renewed/bought 3 years full guard for both machines) As your customer understand that i don't want the XG (not even remotely) unless there will be a major rewrite and not these bi-annual small steps that MIGHT get us somewhere in a few years when it will be technical old.

We are allready paying for old solutions in regards to e-mail security and IPS (DPI), application control thanks to new innovative Web technology is only partly reliable these days on sophos UTM, yet there is no effort beeing made, so why charge money for that? You allready charge extra for sandstorm which SHOULD be a feature of full guard just to - please excuse the expression - milk more money out of the UTM, yet according to people who use it its not as good as advertised. UTM is a Firewall with a great UI just right for small and middle sized companys.

What i am trying to say is, a large base of your customers tells you what we want, either you deliver or you won't get our business some day. The UTM in the current form is the reason for business currently, but we expect more investment in it than simple bugfixing and not putting that money into the XG if we pay the full full guard subscription and you want us to renew in 3 years. If i wanted a next gen firewall with state of the art DPI it would probably be one with a fish name or that of a famous u.s. tech town.

Ben has concisely and elegantly explained what I have been babbling about since v15 beta. I get your perspective and the vision that you may have going forward but it provides no comfort to current users that see UTM as a stable workhorse that  mostly just works while XG is still struggling to add basic features that should be expected from  sohos' flagship product.

What you have explained as great accomplishmnets in the web tab of XG interface bringing Webfiltering/ IPS/ QoS/ App Control/ NAT all grouped in one tab is indeed powerful and proud moment for sophos devs but to outsiders, UTM was already doing that years ago maybe not in such a concise way, but definitely not something that would make you switch from a UTM9 to XG. I also understand that its easy to criticize what sophos does and what our expectations are but you guys set the high bar for yourself by promising next gen firewall.

I have said it before and I will say it again... if sophos had spent even half the effort revamping UTM9 as they keep on spending on XG, I wonder where UTM9 would have been today. Completely abandoning your flagship product while putting all your eggs developing XG has always made me scratch my head.

Ben, I understand your skepticism, and thank you for an honest reply. I will try to be as candid in return. In this community, there is a definite opinion slant against XG, so I understand how you might believe that is an accurate sample of our users in general - but it's not. While being mindful that we are a public company, and it is difficult to speak bluntly on financial futures, I can say that your statement that "nobody wants to switch to the XG currently", just doesn't hold up. With strong sales, we also see a significant percentage of XG firewalls today are migrated from UTM9, and the biggest hurdle to that growing further, is an automated migration path, not a lack of features or functionality. 

"What i am trying to say is, a large base of your customers tells you what we want, either you deliver or you won't get our business some day."

You're absolutely right, and we are all very mindful of this, every day.  Please don't take this to imply that we don't care about bringing UTM9 customers forward. we do, very much care about that, and I still plan to bring every valuable nice-to-have bit from UTM9 into XG. Even drag-and-drop will likely make a re-appearance in v18 :) We won't ever publish a 3-4 year roadmap, for many reasons, but we are investing heavily in development, and will deliver the features that our users are asking for, and I hope you'll be positively surprised by the timeline. In the mean-time, whether you agree with me or not, XG has proven itself to be a viable alternative to UTM9 in most cases. 

Hi Alan,

thank you for taking the time to provide a detailed look at XG compared to UTM from a Sophos business point of view.

I have using UTM for many years and the XG since v15b. New customers who have never experienced UTM would be quite happy with the XG.

Simply put, I have not found configuring the XG to achieve the same things I have done in the UTM easy, requires different thinking. But things like site blocking do not work as well as the UTM try comparing my standard test of searching for naked women in both devices, XG using the provided ATP type stuff lets most of the porn through while UTM blocks 90%, was 100% until I had to fix a google issue. Will back the google fix out because it is now the way certificates are handled and turn off https scanning for the moment, home user.

IPv6 just a failure, at least some of the functions work in the UTM and have for sometime.

Country blocking well perhaps you have read the thread on this subject

XG home user memory, a comical farce and that is being polite. The developers can't even build a home user licence in a VM in the Sophos lab, leaves a lot to be desired in instilling confidence in the development team.

This weekend I will put my XG back online and try bringing the filtering up to the UTM standard.

Ultimately the XG will be the way to go looking at other products. Hopefully v17b will be out soon.

AlanT said:

In this community, there is a definite opinion slant against XG, so I understand how you might believe that is an accurate sample of our users in general - but it's not....

...In the mean-time, whether you agree with me or not, XG has proven itself to be a viable alternative to UTM9 in most cases. 

You are seeing the sales figures so I am not going to argue for the sake of argument but have you considered the marketing campaign that boasted XG as the next gen firewall from sophos insinuating that it was better than UTM9? You can read the forums as well as I can and from what I can see, a lot of people bought in to this hype and assumed that it was an upgrade. There are posts after post that reiterate this point and some of those people feel cheated. 

On the point of drag and drop, I am not even sure if you need drag and drop anywhere in XG as I don't want a UTM9 clone. XG needs to be able to do ALL the basics that UTM9 does better than UTM9 and then has to make up for two years of development where UTM9 only got bug fixes instead of emerging technologies. Without all that and in its current form, I will definitely disagree with you that it is a viable alternative to UTM9. 

Hi everyone,

I spent almost 20 minutes to read all your point of view. This is a wonderful community and it is so nice to see different point of view on Sophos UTM vs XG vs others.

Well I would like to spend some words here too:

• first of all every product has its strenghts and weaknesses as you know. You cannot even compare a firewall vs an UTM vs a NGFW. Pay attention that they are 3 different products. Of couse Sophos UTM requires more resources than a basic firewall. UTM provides additional modules that PFsense cannot provide (ATP, Sandbox, Email Filtering, Dual AV, etc). I love and still use UTM on big installation but I already moved some small user installation to XG, because I said I want to give it a try. So everyone of us has different budgets and needs, where UTM/XG or other products can fit, but pay also attention of what security level an appliance can bring. A lot of time I see System Admin saying they are protecting because they have XXXX as their UTM, but a simple assessment demostrate that they do not even know what they are talking about. Also a single box cannot handle and remove all the security holes. Even the best UTM inside the gartner. Small customers nowdays require the same security level of a medium/large company, so a product like UTM can fit into it, support is very important and releses too. Sophos is releasing a lot of security fixes, AP are built on security first and then on usability and so on.
• I am following more the XG Community forum and I would like to share my opinion on XG here: at the beginning (v15 beta2) I have tested XG at home and since then I am still using it at home. At the first release, I was throwing XG away from the window, because UI was horrible and logging was a nigthmare. Understanding what was going on needed a magician. With v16, they improve the product but it is still not enterprise ready. Finally we have a simple place where you create firewall policy, link IPS, Application Control, Web Filtering and Traffic shaping. This is very nice. I have used UTM since v8 and with XG you have to take time and study it as a new product, but it has power. We have CLI now that is understandable compared to UTM, IPS per single rule (even if I would recommed to swith to Suricata), traffic shaping is very easy to setup (even if there are sevearl traffic shaping tabs in more than one Menu); sub-menu are missing and in some menu they should be added; logging is still a nigthmare but AlanT promised us that into v17 we will see an improving on live log and loggin in general. HB is a nice and unique technology (for the moment); and finally we have a central manager product (SFM) which uses the same UI as XG and you can see XG boxes configuration using only SFM (this is Enterprise's view).
• AlanT: astaro.org was a  nice community and compared to this one, searching was working much better; what we miss is quality on XG (you are fixing a lot of bugs) but still on existing bug, we do not have an ETA (on astaro.org developers posted when the issue was fixed and in which version). On XG, most of time even sachingurung or Aditya Patel do not know what to reply to us. RaviPatel is doing a great job instead on SFM/SCFM, so it seems they are products from a different company; Release notes: we do not have what bugs/improvements have been added to RED and AP on XG. I do like the option to update them as patterns (I upgrade an UTM with 20 RED and it took almost 1 hour to bring them back online, because of the UTM firmware version) but you should give us more details on it; You should be on community more often. sachingurung and Aditya Patel are doing a great job here but they do not have visibility on what is the future; update ideas.sophos.com feature requests: when people surf inside the XG Community and they find "this feature is missing, please create a feature request on ideas.sophos.com" and when they do on the website and read all the XG features requests (not yet implemented, completed, planned, under review) they simply escape from XG; visibility: basic features on XG are missing and we do not understand why those require so much efforts. If code is well written, it should not take so long to implement (apart the SDLC phases), so we are also scared about that. 
• Alan wrote many times to test and that XG is a different product. "We do not want to move to XG if you do not feel confident with it...." So I have to agree with AlanT on this point. I am still advicing UTM on big installation and XG on small one. Be sure to learn how each one works before saying this one is good and this one is bad.

I am sure that XG will succeed in a couple of years, because with v16 and a couple of MR, XG is very stable (many features are missing) but now XG can be used compared to first version.

Of course this is my point of view.

This is a big family and missing William Warren is a big lost. I am sure you will come back to Sophos Community soon. Good luck with your projects.

Regards

I won't be around nearly as much as I am no longer using the product at my location....IF XG ever becomes a first rate product..maybe....never say never.....

Just a quick chip in here: We came from Cisco ASA 5520's to the SG UTM's and have been happy. Took a little bit of getting used to due to all of the functionality on the UTM.

We've invested heavily in this up until 2020 so we expect to be reviewing around 2019. Keeping ahead of the curve, I try and review other FW's and XG has been no different in this case. My first look at v15 filled me with horror. My last look at 16.5 didn't overwhelm me either although I appreciate it was an improvement and it does have its strengths which I imagine will get better with time.

But as mentioned, time is the key element here for us. We have to make a decision in 2019 as to which way we are going and if the project board even get a sniff of the UTM being a done product with no perceived viable replacement, they will move on from Sophos.
I really hope that doesn't happen as we've been really happy with our purchase last year for our UTM's and endpoints. I don't think we'd be alone in this either and maybe some are at that point right now, hence the OP's post.

XG is selling due to the hard push by Sophos and the constant integration of new technologies with the XG at the expense of SG..not because XG is a superior product.