Sophos UTM Retirement / EOL announced

For my opinion - not a smart move.
We (me and the other sys admin) are using both - UTM and XGS.
He use XGS and consider stop working with it, and I'm using UTM and love it (we have two different networks which each one response).
The UTM is rock solid, and VGS suffers from a lot of issues.
Seeing what he is going thru, when the time will come, I'm not sure if i will move to XGS or maybe  look for another brand.

The XGS is usable so far as we can say (if you do not migrate from UTM to XGS it´s definitely a good solution for the money (also compared to other vendors).

BUT Sophos is more and more mikling customers than just bring useful UTM features also to XGS or making things much laborious on XGS...

Examples:

no ntp server

no Let´s Encrypt

matching pattern IDs of WAF(for exceptions) only visible in XGS shell log not in GUI

missing S/MIME in E-Mail Protection

NO QUARANTINE for blocked extensions/MIME Types in E-Mail Protection -> blocked attachements will be cutted of the e-mail! You should use Central Mail Protection instead of XGS E-Mail Protection -> Sure...this is x 10 expensiver than XGS Mail Protection Licence - of course at the moment there is a 60% promo but the renewal after 3 years...?

regards

As Jay Jay suggest, yesterday I decided to have a look at pfSense.
I installed it on a VM and started playing around with it.
At first I was not impressed, but then I realized I can add many packages (Snort, Squid, pfBlockerNG, Web proxy…).
The interface is great and in no time I felt at home and familiar with it.
It has many of what you can expect from a NGFW, and it's  a software version, which for me is a big advantage.  Quite impressive.
Saying that, it lacks some functions that are essential for me.
Also,  after all, it's a standard NGFW.  (Very flexible and VERY user friendly - but still...)
Of course, since it's open source, the price will be a fraction of what I would pay for an equivalent NGFW.
Moving from Sophos UTM, I would like some extra benefit.
I didn't rule out this option though.

Goldy said:

Saying that, it lacks some functions that are essential for me.

What functions are those?

Hi Jay jay
Application control for example, WAF, Email protection, good Threat Protection...
I also had a look at Opesense. Very nice also, but since I have quite big internal net and about 1500 devices, and since all the good plugins (Zenarmor...) cost money, in the end it's not that far from commercials Brands.
Also, not sure if I can have a good reliable (I don't mind pay for it) support.
My needs:

1. 2000 users.
2. 300,000 concurrent connections.
3. 5GB firewall thruput.

I still have time, but it's nice to look around 

Hi Amodin.
I have also been using this product for many years now - since when it was still a German brand call Astaro.  Grate Product.
Solid rock and work like it should.

Keep me inform about your impression of PFSence 

Application control equivalent - ?
WAF - HAProxy
Email protection - ?

There's suricata for IPS

If you need all of those functions, pf may not be the best AIO package for your needs.

With that many users, is this not being used in a commercial environment?

It's going to be expensive to get that with any other product. For example, if you went with Untangle NG, an unlimited device subscription....is (wait for it..) $5,400 a year. 

Zenarmor starts at $50 per month but you have to contact their sales team to get a quote for for the 2,000+ users plan.

The closest thing to application control that might be free is the OpenAppID plugin for Snort.

Hi Jay Jay.

Yes for now we use UTM 

Hi Alan.
1. I couldn't find  OpenAppID plugin.
Can you tell me where it is?
2. 5,400$ sound reasonable.

I'm pretty sure the latest version of snort 3.0 has it built-in. I never used that or pfSense so I'm just going by what the snort blog says.

Yeah, $5,400 is probably a good price for a business with unlimited users. Who knows how much Sophos is a year, but at least Untangle/Arista is transparent about their pricing and you can use your own hardware and not tied to an appliance.

Well, it would be aweseome to have a mail proxy like the utm got one in the new firewall.

my dream would be, that sophos would sell the utm software to $company and the utm can go on another round.

Well, it would be aweseome to have a mail proxy like the utm got one in the new firewall.

my dream would be, that sophos would sell the utm software to $company and the utm can go on another round.