Sophos UTM Retirement / EOL announced

Finally, Sophos announced the EOL of UTM. Interestingly, the EOL does not apply to Sophos UTM AWS....

Moved to Lifecycle and Migration Forum
[edited by: Raphael Alganes at 3:02 AM (GMT -7) on 23 Jun 2023]
  • That's how things work in the corporate environment. There is a grief cycle that happens...

    1. Someone leaks some info anonymously (shock)

    2. Rumors start to spread. (disbelief)

    3. The company says the rumors are false (denial)

    4. Company finally says rumors are true, people feel lied to (anger)

    5. People attempt to plead to not let it happen (bargaining)

    6. Eventually everyone accepts it as inevitable (acceptance)

  • So let's see, which stage are we in?

    1) Check

    2) Sort of here?  We all knew it was going to go EOL sooner than later so no real shock.

    3) No official confirmation from the company (at least not in this thread). However no denial either, so..... Must be true :)


  • Well I finally transitioned to the XG. Got it all configured and working just right. UTM was nice but nothing lasts forever. Goodbye, UTM

    Some things I will miss from the UTM:

    Seeing right from the dashboard what modules are active/inactive without having to inspect the firewall rules.

    Portscan detection with email alerts, (even though it is useless).

    How simple it is to convert DHCP leases into static hosts definitions.

    How much faster it boots compared to the XG.

    The ability to drag-and-drop service and network definitions into firewall and NAT rules

    Realtime logs for every component. XG is supposed to have them but you still have to hit the refresh button.

    Easy click and enable IPS rules.

  • Alan, I wish you luck.  I'm sticking with UTM for now.  Three years is a long time away. Maybe XG will improve to the point of consideration by then.

  • Look at the roadmap of XG, it seems to be planned out with business/corporate features in mind, with no new features planned that home users can even take advantage of. Therefore the XG could be considered like a final product already that is good enough for a home environment and has enough feature parity to the UTM that it has no real issues besides the learning curve.

    The only real thing I am concerned about is the EOL of the access points in December that will need to be managed through the Sophos Central Wireless when using the XG, which I cannot get my AP15 to synchronize with. If worse comes to worse I will still have my copy of UTM that I can use just in case that will still be able to manage the APs.

    I just wish Sophos would include UEFI bios support and a newer kernel in the next version of XG but who knows.....

  • Same here. 3 years is a huge time frame in IT. Given how the world looked 3 years ago (the time before corona), changes are huge and mostly not expected (at least not by me).

    If in 3 years such a thing like on-premise endpoint security is still a viable part of corporate infrastructure, XG will certainly be among the options to evaluate. For now we stick to UTM.

  • I tried to stick with the UTM but a few issues with the DDNS updater not working have made me decide to migrate.

    There are simply more features in the XG to enhance security, such as MFA and support for TLS 1.3 decryptions. I doubt any of these features will be added to the UTM. Do you think Sophos will sell the UTM to another developer the way Astaro sold it to Sophos, or is it pretty much dead?

  • Depending on who your domain registrar is, it may be possible to handle DDNS directly from the server in question using an API. I use Cloudflare as my domain registrar and name server. They offer API access to update DNS records. When I was on cable, a script ran daily (maybe twice a day) to verify the public-facing IP, then update the A record if changed.

    This API token allows only DNS editing for requests coming from a particular IP (my IP only).

    This worked quite well at the time. Realistically the only time it changed was when the MAC presented to the modem changed. Since switching to fiber my IP hasn't changed in 5 years so it's not of much importance any more.

    Re web filter/TLS, it may make some sense to run XG in parallel with the firewall of choice (i.e. pfSense) to proxy such traffic?

    Open source or resell UTM would be nice options. It could use a proper update. Selling it to someone else?  Doubtful, that would help a competitor. Why would a business want to create competition to itself....
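
The approach described in the post above (check the public IP, then update the A record through the Cloudflare API only when it changed, using a token limited to DNS editing), as an added example that is not the poster's script. `ZONE_ID`, `RECORD_NAME`, the `CF_API_TOKEN` environment variable and the use of api.ipify.org as the IP echo service are assumptions.

```python
import ipaddress, json, os, urllib.request

API = "https://api.cloudflare.com/client/v4"
ZONE_ID = "ZONE_ID_PLACEHOLDER"    # assumption: replace with your zone id
RECORD_NAME = "home.example.com"   # assumption: constructed hostname

def http_json(method, url, token, body=None):
    """JSON request authenticated with a Bearer token scoped to DNS edit only."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

def fetch_public_ip():
    # assumption: any plain-text IP echo service works here
    with urllib.request.urlopen("https://api.ipify.org", timeout=10) as resp:
        return resp.read().decode().strip()

def validate_public_ipv4(text):
    """Accept only a globally routable IPv4 address, so a broken or tampered
    echo service cannot push a private, CGNAT or loopback value into DNS."""
    ip = ipaddress.ip_address(text)  # raises ValueError on garbage
    if ip.version != 4 or not ip.is_global:
        raise ValueError(f"refusing non-public IPv4 address: {text!r}")
    return str(ip)

def sync_record(token, get_ip=fetch_public_ip, call=http_json):
    """Return 'unchanged' or 'updated'; write only when the A record differs."""
    current = validate_public_ipv4(get_ip())
    found = call("GET", f"{API}/zones/{ZONE_ID}/dns_records?type=A&name={RECORD_NAME}", token)
    records = found.get("result") or []
    if not found.get("success") or len(records) != 1:
        raise RuntimeError("expected exactly one matching A record")
    record = records[0]
    if record["content"] == current:
        return "unchanged"
    # Keep the record's existing ttl/proxied settings; change only the address.
    body = {"type": "A", "name": record["name"], "content": current,
            "ttl": record["ttl"], "proxied": record["proxied"]}
    done = call("PUT", f"{API}/zones/{ZONE_ID}/dns_records/{record['id']}", token, body)
    if not done.get("success"):
        raise RuntimeError("Cloudflare rejected the update")
    return "updated"

if __name__ == "__main__":
    # The token comes from the environment, never from the script or its arguments.
    print(sync_record(os.environ["CF_API_TOKEN"]))
```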

  • I was using the freedns updater tool, then their URL that updates, but it takes away the fun of having the XG do it :D

  • It still supports  Free for 3 records.