This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Looking to upgrade our UTM hardware - what are our options?

We're running a small SG115 unit at the office. It used to be quite sufficient for all our needs, however since a lot of things shifted to online work and the company has expanded we've had more and more trouble with performance.

The main culprit - Webserver Protection. This seems to be quite demanding when even a single client opens a lot of connections (example: a colleague working from home was restoring Nuget packages using our local DevOps Server feed as the source and this killed the SGs performance to such a degree that general internet connectivity was negatively affected).

I'm trying to find a way if I can't proxy our DevOps in some other way, but I'm also looking if upgrading the hardware is even a possibility. From what I can tell Sophos has a new line-up of network devices - the XGS series... which probably come preinstalled with the XG Firewall.

Now, to be honest, I'm not a fan of the XG Firewall. The entire control scheme seems a wee bit backwards AND it's still missing Let's Encrypt support, which I think kills it for us at this time. So... can the XSG series devices have UTM installed on them? Will Sophos be willing to convert / sell our current UTM license so that it works with a new XGS device should it be compatible?



This thread was automatically locked due to age.
Parents
  • Can you post the dashboard of the performance graphs when you have a heavy usage of that box?

    Mit freundlichem Gruß, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

  • You mean this one? I've marked two instances where the UTM flat out failed to process DNS queries as it got overloaded. 

    In both instances the "culprit" was tracked to httpd processes hogging the CPU, and further investigation (using a web application firewall status page) showed there being numerous connections to our DevOps, all from a single IP, which I've then tracked to a colleague working from home. He had a VPN active, but since the VPN did not use our office as the default gateway he would be using the public IP of our DevOps (rather than the internal IP).

    The issue was remediated after I asked my colleague to use a "default gateway" VPN and after I had restarted the webserver proxy service. Still, this is more of a workaround than a proper solution and that makes me nervous...

  • Your options are:

    Mit freundlichem Gruß, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

  • I would recommend either SG135 or SG210. Software cost is the main point here.

    Mit freundlichem Gruß, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

  • See my reply to  ... I'm not sure what's going on behind the scenes, but the reseller we're currently in contact with essentially told us any new SG units are impossible to get. If this is some ploy to get us to move to newer hardware and SFOS then it's rather dirty...

    I wouldn't even mind moving to SFOS (and it's somewhat backwards configuration design when compared to UTM), but it lacks LE support and we need that.

  • We have dozens of both models available.

    Mit freundlichem Gruß, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

  • Cześć Mateusz,

    The reseller contact you're using is misinformed and should ask his management what the complete story is.  Reading between the lines of the notice sent to Partners, Sophos will stop SG manufacturing in June and sell only remaining stock after June 30, 2023.

    You might find it more cost-effective to change to the software version.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Question is, does it make sense to invest in a product going EOL in a few years.....?

  • You can "convert" an SG model to an XG, there is an official procedure for that.

    Given you have bought enough "horsepower" for your company, you want lose your invest.

    Mit freundlichem Gruß, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

  • Probably not. On the flip side the annual costs for SFOS (as our reseller presented it) were astronomical compared to UTM. A jump from 500EUR to 3500EUR is rather insane!

    And then SFOS still doesn't have LE support. Perhaps it's time to look for a new vendor entirely... 

  • You should definitely ask another Sophos partner. Probably PM me?

    Mit freundlichem Gruß, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

  • I need to clarify my statement above.  Using the term "product", I mean both the hardware and the software. While upgrading to a more powerful version of SG should amount to restoring a previous config file, upgrading to a whole new OS is more involved. 

    At one point there was a conversion utility, but not sure if that's still available. Also, due to lack of feature parity it's probably best to do the config manually anyway.

    My point, if one is going to be changing software to anything else, they need to fully evaluate if the upgrade path makes sense. How well does the new software meet their needs.

    Even as a home user, I dread redoing it as my config is not all that simple, with multiple vlans, granular firewall rules, several servers behind the firewall and so on. I only want to redo this once for the foreseeable future.

Reply
  • I need to clarify my statement above.  Using the term "product", I mean both the hardware and the software. While upgrading to a more powerful version of SG should amount to restoring a previous config file, upgrading to a whole new OS is more involved. 

    At one point there was a conversion utility, but not sure if that's still available. Also, due to lack of feature parity it's probably best to do the config manually anyway.

    My point, if one is going to be changing software to anything else, they need to fully evaluate if the upgrade path makes sense. How well does the new software meet their needs.

    Even as a home user, I dread redoing it as my config is not all that simple, with multiple vlans, granular firewall rules, several servers behind the firewall and so on. I only want to redo this once for the foreseeable future.

Children
  • I fully agree.

    For a paid license you get migration support from your Sophos partner and a specialised team at Sophos. This is to minimize efforts and risk. BUT: there is no such thing as "feature parity", you have to evaluate the functions you need and then decide.

    Mit freundlichem Gruß, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.