UTM (Home) EOL and moving over to Sophos Firewall... options?

Hello there...

Apologies if there is already a thread of this type... search didn't seem to find anything.

So UTM has a EOL announcement and I'm not here to bleat.

I've been using UTM Home for over 10 years so its kinda baked into my network with many many years of tweaking etc. It works. I can gladly say I have never had any compromised systems in this time.

The "new" Sophos Firewall was presented to me by a vendor/sophos team a few years ago as a suggested migration and try out. I wasn't impressed when I looked at it a few years ago and didn't feel like being a guinea pig for a system that could have an impact of a functional home system with "working from home" aspects too.

I have since had a good look over a Sophos Firewall demo site and had a browse through most of the options. Functionality in all the basics seems to be there, just a matter of finding it. Its another learning curve I suppose I may need to undertake.

So options???

Any comments suggestions etc from the long time users of UTM who have made a transition?

Regards
Craig

Parents
  • Notes on installing Firewall... thinking I had not done it right etc x 5 - (rufus usb iso)

    SW-19.5.1 ISO boots to display the following after an install
    "   Booting '19_5_1_278'
     _
    "
    Yep thats it....

    So in actual fact you need to connect to an AP (so wireless router with DHCP disabled,  plugged into one of the LAN ports) to access the box.
    Figuring out what ports on the firewall are LAN/WAN is you next step...

    The firewall interface is a "shotgun splatter" of activity and config.

    It seems to be doing a great job as a "firewall" but setting up user profiles and devices? WTF?

  • The firewall interface is a "shotgun splatter" of activity and config.

    So true!

    Any updates? How is the migration going for you? I'm still leaning towards migrating to one of the *sense's. I've been "playing" with several FW's and XG is just not a top pick for me. I'm hoping ease of use and feature parity with the UTM gets better by 2026. Fingers crossed.

    --------------------------------------------------------------------
    Sophos UTM 9.718-5 - Home User
    Virtual machine on Dell Optiplex 3070
    i3-9100 @ 3.60 GHz, 16 GB RAM
    --------------------------------------------------------------------

  • Hey Jeff

    The XG box is gathering dust right now... I have stayed with the UTM.

    What are the options Jeff?

    I guess I have a year before they figure out the shite that "needs fixing that was never broken".

    I spent a couple of days on an XG load, configured to what I could possibly figure out.... my issue is I don't want anyone connecting to my network with a device I dont recognise/mac address and authorise with a user/pass. For me this is basic network security 101. XG didnt seem to offer this option. I have no idea how this is configured under XG... I seriously lost interest. I need simplicity and logic. This product is confusing and layered in "vapour". 

    XG has stuff buried in "options"... network traffic control???  I'm worried. No fcking way as an enterprise business would I pay for this system.

    Reminds me of Blizzard Entertainment spending millions on a Diablo game upgrade... only to scrap it because "it actually wasnt fun to play"

    Hey if you or anyone can help on this then let me know.

    Cheers

    Craig

  • Unfortunately, *sense and Untangle appear to be the only options that I can afford.

    --------------------------------------------------------------------
    Sophos UTM 9.718-5 - Home User
    Virtual machine on Dell Optiplex 3070
    i3-9100 @ 3.60 GHz, 16 GB RAM
    --------------------------------------------------------------------

  • Jeff do either of these options have a "Home" version?

    As an alternative if Sophos dont sort themselves out, Im considering a "basic" firewall with DHCP to manage mac/connections.... and then use my DNS PiHole for URL blocking (currently using Pihole with the UTM, and works a dream with subscribed domain blocklists)...

  • What I meant by *sense is pfSense and OPNsense. Both are open-source. Untangle is $50 or $150 a year for a home license. If you use web filtering with SSL DPI, Untangle will be much better.

    --------------------------------------------------------------------
    Sophos UTM 9.718-5 - Home User
    Virtual machine on Dell Optiplex 3070
    i3-9100 @ 3.60 GHz, 16 GB RAM
    --------------------------------------------------------------------

  • OPNSense also supports the Zenarmor NGFW plugin which has a basic version for free. The paid home version is $9.99 a month. 

  • The OPNsense/Zenarmor combo has been at the top of my list as a Sophos UTM replacement but the $10 a month plan has a 100 device limit and only allows for 3 profiles plus I DESPISE cloud web admin panels. I have several web apps and the profile limitation makes me hesitant. Lately, I've been leaning more towards holding off and waiting to see what the Sophos Firewall will look like when we get closer to the UTM's EOL.

    --------------------------------------------------------------------
    Sophos UTM 9.718-5 - Home User
    Virtual machine on Dell Optiplex 3070
    i3-9100 @ 3.60 GHz, 16 GB RAM
    --------------------------------------------------------------------

  • I switched over to the XG a few months ago after tying it out a couple times. What irks me the most (and this is even before it's installed!) is how Sophos firewall uses 172.16.16.16 as the default gateway automatically without even allowing you to specify until afterwords. There are a lot of things that are just bad decision making, I could give you a list of about 30 things about it that keep me awake at night, lol.

    But, I was really, really close to going with an Ubiquity Dream Machine Pro, but, at the time they had no OpenVPN support built-into the software. the big advantage though is that the software itself is free for life after you buy the hardware. ($379 for the Dream Machine Pro is not really that bad).

    I hear a lot of mention about pfSense, OPNsense, Untangle, and I wonder why Ubiquity wouldn't be a good alternative to Sophos UTM especially for home users.

Reply
  • I switched over to the XG a few months ago after tying it out a couple times. What irks me the most (and this is even before it's installed!) is how Sophos firewall uses 172.16.16.16 as the default gateway automatically without even allowing you to specify until afterwords. There are a lot of things that are just bad decision making, I could give you a list of about 30 things about it that keep me awake at night, lol.

    But, I was really, really close to going with an Ubiquity Dream Machine Pro, but, at the time they had no OpenVPN support built-into the software. the big advantage though is that the software itself is free for life after you buy the hardware. ($379 for the Dream Machine Pro is not really that bad).

    I hear a lot of mention about pfSense, OPNsense, Untangle, and I wonder why Ubiquity wouldn't be a good alternative to Sophos UTM especially for home users.

Children
  • Hi, saw your post littel late,

    but i cant find any demo for the Ubiquity Dream Machine Pro. I would buy it, the price is realy ok, but not without a closer look to the software.

    Anyone got a tip where i can look at the software ?

    thanks

  • I would assume the software is tied to Ubiquity firewalls. But there are tons of product reviews for it on youtube. You could watch  them and see what the software looks like before you buy one. 

  • Well, watched some Vids on Youtube... don't think thats what  i want.

  • With *sense, untangle, etc. You provide your own hardware, upgrade as neeed.  Untangle does have an annual fee associated.  *sense does not (for home user).

    I've decided to go with pfsense+. It may not have all the features of web scanning that xg does but offers far more config granularity. There are some things about it that irk me, such as the lack of integration between modules.  IE, in utm you define an object once and can use it anywhere appropriate. Such is not the case with *sense.

    Re pf vs opnsense, feature wise are very similar, but ui is quite different. Can't wrap my head around opnsense's ui layout. Reminds me of the old tomato firmware for wrt* series.

    As for ubiquity, if one already has hardware, why reinvent the wheel by buying more hardware.

  • Can't wrap my head around opnsense's ui layout.

    I tried OPNsense awhile ago. I was not fond of the UI either, and the default allow firewall rules that allows everything outbound by default is really dumb. I never tried pfSense yet, but since Zenarmor removed support for it, I can't see it making a good next-gen firewall unless you maybe installed Zenarmor on a Linux distro in Layer 2 bridge mode "with filtering" in a separate VM or on a separate device with 2 or more NICs, which sounds interesting.

    EDIT: so it seems that free Zenarmor can still be installed in pfSense manually, you just need to create the Zenconsole Cloud Portal. Is it worth it?

  • The question is, is this protection really needed for a home user.

    According to docs.opnsense.org/.../zenarmor.html,  the features it provides include;

    At present, I don't have https inspection enabled in utm as that tend to break a number of sites. Depending on one's household, #1 might be useful, not here. A lot of things can be blocked by using pfblockerNG. Of course, all devices also have some form of security locally (AV/firewall, etc).

    In this link, https://www.zenarmor.com/docs/installing/installation

    They talk about zenarmor working with the CE (community edition) of pfsense but not pfsense+ (their commercial product).

    Due to the recent changes to the pfSense+ software; pfSense+ package manager now blocks 3rd party applications from getting installed onto the platform.

    To that end, regretfully, we have decided to remove pfSense+ support.

    If you'd like to continue using Zenarmor, you can consider other platforms alternatives including OPNsense, pfSense CE and other Linux-based distributions.

    If I want it that bad, installing into another vm sounds like a reasonable option.

  • I host a lot of stuff going back to the days when "next gen" firewall weren't the buzz words that they are today. I've always used the UTM's WAF. It successfully filters a lot of bad traffic and it has its share of false positives so the rules need to be monitored and appropriate exceptions need to be added.

    One thing that I've never gotten a clear answer on is... Since the UTM's WAF terminates SSL, doesn't  that mean that the UTM is scanning SSL ingress traffic? Does anyone know the definitive answer to this? This question is what's holding me back from giving *sense a deep dive and waiting to see what XG looks like just before the UTM EOL hits. I'm not very concerned about scanning SSL egress traffic (should I be?) because I trust the local users but I am concerned about what's trying to get into my open ports.

    I think most security experts argue that a "next gen" firewall with SSL inspection is a must if you host websites and web apps but is it really?

    Free is best but I would pay $120 a year for Zenarmor if it were not for the 3 filtering policy limit and the 100 device limit. I could live with the 100 device limit but having only three filtering policies sucks if you host more than three services.

    So for us hobbyists that host email, websites and web apps, who can tell us if *sense with HAProxy provides enough protection without Zenarmor?

    --------------------------------------------------------------------
    Sophos UTM 9.718-5 - Home User
    Virtual machine on Dell Optiplex 3070
    i3-9100 @ 3.60 GHz, 16 GB RAM
    --------------------------------------------------------------------

  • It's a real pitty.

    I have found nothing so far, that could replace the UTM 9 and the clock is ticking.

  • Jeff, my understanding is WAF does scan ingress traffic based on the firewall policy defined under webserver/firewall profiles.

    Good question re haproxy. From what I was able to briefly search, it's primarily a reverse proxy/load balancer. It may be possible to integrate it with snort/suricatta to scan the traffic as well. This needs more research for sure.

  • I have found nothing so far, that could replace the UTM 9 and the clock is ticking.

    Just wondering, is there a specific feature you need besides an easy-to-use UI that the UTM has? Does the XG simply not have the feature you need.... serious question.

     How difficult Sophos makes it to do simple things can make a person livid. The new version 20 coming out barely address the quality of life issues that are turning people away from the product.

     Things like

    difficulty of creating static IP and MAC hosts,

    lack of a searchable list of  host names  and IP addresses available to use in the web filtering exception Source list, 

    truncating words with ellipsis "..."  in the UI so the user can't even fully read it. 

    Version 20 is about cramming in more features without fixing the UI flaws first.