This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos UTM Retirement / EOL announced

Finally, Sophos announced the EOL of UTM. Interestingly, the EOL does not apply to Sophos UTM AWS....



This thread was automatically locked due to age.
Parents
  • For my opinion - not a smart move.
    We (me and the other sys admin) are using both - UTM and XGS.
    He use XGS and consider stop working with it, and I'm using UTM and love it (we have two different networks which each one response).
    The UTM is rock solid, and VGS suffers from a lot of issues.
    Seeing what he is going thru, when the time will come, I'm not sure if i will move to XGS or maybe  look for another brand.Worried

  • The XGS is usable so far as we can say (if you do not migrate from UTM to XGS it´s definitely a good solution for the money (also compared to other vendors).

    BUT Sophos is more and more mikling customers than just bring useful UTM features also to XGS or making things much laborious on XGS...

    Examples:

    no ntp server

    no Let´s Encrypt

    matching pattern IDs of WAF(for exceptions) only visible in XGS shell log not in GUI

    missing S/MIME in E-Mail Protection

    NO QUARANTINE for blocked extensions/MIME Types in E-Mail Protection -> blocked attachements will be cutted of the e-mail! You should use Central Mail Protection instead of XGS E-Mail Protection -> Sure...this is x 10 expensiver than XGS Mail Protection Licence - of course at the moment there is a 60% promo but the renewal after 3 years...?

    regards

  • As for us, what take me 10 minutes to fix, takes him a few hours (if he can manage),
    He work with it more than a year and still straggle alot with it.
    Something in the logic and the way it's build doesn't work as it should
    I'm trying to help him but some time even I can't.
    He also complain about the support.
    If you works in a big company, and some thing goes wrong, you need the support as soon as possible, and not "we will get back to you with in three days"…

Reply
  • As for us, what take me 10 minutes to fix, takes him a few hours (if he can manage),
    He work with it more than a year and still straggle alot with it.
    Something in the logic and the way it's build doesn't work as it should
    I'm trying to help him but some time even I can't.
    He also complain about the support.
    If you works in a big company, and some thing goes wrong, you need the support as soon as possible, and not "we will get back to you with in three days"…

Children
  • Yeah XGS has an other logic and architecture and you really have to understand that (e.g. there is not really a difference in proxy and firewall like with UTM...) - but so far we could fix all XGS issues and some things just have to be done in an other way.

    We have to say all XGS systems run stable and everything works as it should be.

    I think the main issue is if you migrate from UTM to XGS - to understand the difference and to see XGS just as an other/different firewall system. There will be no problems for new XGS customers if they never had a UTM (and expect anything like UTM)...

    And support is as bad as UTM support... the best way is you never need that support and can solve/fix issues yourself.

    Because of our experiences we have our XGS "Best Practices" and can use this for every customer.

  • Totally agree.

    My point was that it's not an a kind of upgraing to XGS.

    It's more like moving to a totally different firewall (I agree it's not bad, but at least for my opinion, not as good as the UTM), so some of us might consider checking also another options.

    About the Support -  luckily I didn't needed them for quite a few year, but  a new commercial firewall for my company without good reliable support is something I would hesitate to have. Nerd

  • Well, if you found an equal replacement for the UTM 9 , pls let me know via PM. 

    The XPS is no replacement for the UTM at all.

  • Well, if you found an equal replacement for the UTM 9 , pls let me know via PM.

    Could probably start a mailing list for those of us with the same question on our minds!!

    --Larry

  • I'll be switching to pfsense sometime in the next year.  It's a process to redo the entire firewall config from scratch.  I think feature wise it offers almost as much as utm and more in some areas.

    What I will miss is the objects/service definitions.  Those only apply for firewall rules in pf, and not in other areas. I expect there will be some learning curve, but ultimately it's a superior product with more granular configuration than utm and definitely more than xg.

    No cpu/ram limit for the home version either.  2.7.0 CE (community edition) RC just dropped with the final expected in the next few days.  23.05.1 plus is still available with the free home license as well.

  • pfSense vs. OPNsense.

    I personally leaned more towards OPNsense since it has more frequent updates, and if you prefer to use the free version of Zenarmor, it installs on OPNsense as a plugin with no registration/online signup required, unlike with pfSense.

    I did try OPNsense and Zenarmor briefly, and I suppose it would be a good alternative to Sophos, but I did not try out the other features such as Suricata IPS and pfBlockerNG, as I was underwhelmed by the feel of it, but maybe it takes some time getting used to.

    To me, the XG is just a more complete product given that the access points integrate with it and with Sophos Central. 

  • To me, the XG is just a more complete product given that the access points integrate with it and with Sophos Central

    Complete is subjective.  Considering XG doesn't even have all the features that utm had, it's hard to call it complete.  However, if it meets *your* needs, more power to you.

    pfBlockerNG is not available on opnsense, it's a pf exclusive.

    As for updates, it's a double edged sword. Too frequent updates are just as bad as too few. Somewhere in the middle is preferred. As with any update, there's a process to go through; one of which is to wait for the update to be in the wild for a few weeks-months before applying to make sure there's nothing severely wrong with it. I apply the same strategy to UTM.

    Part of the appeal of pf was getting the ear of one of the devs to code a patch for wpa_supplicant to listen on vlan0 (https://reviews.freebsd.org/D40442) for eapol traffic. This is needed on att fiber when bypassing the gateway. All I got from the opnsense dev (franco) was noise and ego.  So pass.

  • Hi. I wouldn't go for open source.
    It's nice for home users but not for a big commercial system.

    Few more things to consider out of the obvious:

    1. price - we are using a big scale system with many users.
    2. concurrent connections.
    3. Concurrent users and how its priced.
    4. UTM - more functions in one machine.
    5. good and available support - essential for Business Systems.
    6. learning curve (user friendly)
    7. available ports (SPF, 10G…)
    8. Company that listens to users in new feature aspects.
    9. Constant development
    10. Logical Graphical interface (yes. Its individual but sill…)
    11. Mature Stable FW – not many bags
  • Hi Goldy,

    open source systems are cheaper, you can choose you own preferred hardware, most of them also have great hardware support (10G SFP+ is no problem) and there are many companies which offer commercial support. For sure they have less big bugs (just compare the big exploits in the last 2-3 years on Sophos, Fortinet and PAN).

    bye Josef

    BERGMANN engineering & consulting GmbH, Wien/Austria

  • PFSense is based off NetGate firewall software, so it's not like Billy Bob and his inbred cousins created it from a moonshine apparatus, lol.

    Frankly, I'll take the learning curve now after experiencing the dumpster runoff of XG - after all of the troubles I've had with it just this week alone, I've had enough, and I'd gladly go to an open-source solution or other product altogether.  The attitudes of a particular couple of Sophos staff that interact with us can be atrocious at times.  I've been using this product most likely longer than they've been employed at Sophos, and it's just... mind boggling.

    I said something in another post, but this will be my last week most likely posting help here.  My new access points came in this afternoon, and I will be removing everything I have that is Sophos.

    o7.

    OPNSense 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
    16GB Memory | 500GB SSD HDD | ATT Fiber 1GB
    (Former Sophos UTM Veteran, Former XG Rookie)