Advisory: Sophos Endpoint "Your connection isn't private" after reboot. Policy settings can be returned to normal. See: KB-000045954 for the latest updates.

UTM Sophos | EOL | " "When someone in the control room doesn't know what they're doing."

Hello everyone

unfortunately, after 20 years of great satisfaction, indeed tremendous satisfaction, with a product you had purchased called Astaro, you have decided to discontinue it. This product has nothing to envy to other renowned brands, but it has surely been discontinued with the excuse that it is "old," as if Windows or Office had told us the same thing.
The version 7 developed by the UTM team of Sophos has achieved an exceptional level of functionality maturity. Having several UTM licenses, Sophos "forced" me to hurriedly purchase subscriptions (due to their subscription deadline of June 20, 2023), because migrating many firewalls, cannot be done quickly.

I have installed the latest version of Sophos firewall in a test environment and, trying to be fair, I compared the two solutions. In summary, the details make the difference:

The simplicity and sense of control over what is edited or managed from the UTM interface are not even remotely comparable to Sophos Firewall (those who are UTM customers know what I am talking about).

For instance, logics such as matching hosts or users to groups are limited in Sophos Firewall compared to UTM.

Real-time tracking and understanding if a firewall rule in Sophos Firewall is doing the right thing are not comparable to the immediacy of the UTM system.

When disabling a user, it is not clear from a rule assigned to them.

I could continue with dozens and dozens of other examples...

And I wonder, rather I ask: why was this EOL (End of Life) decided for the UTM solution but not for the one on AWS? Why are development or at least updates maintained only for AWS?

Sophos Firewall is not as mature as SOPHOS UTM today; I hope it will be by June 30, 2026.
Signed by a frustrated customer using Sophos UTM solution since 2004.

PS
Shall we talk about the cost of UTM licenses VS Sophos Firewall licenses with the same features?
Parents
  • Those points are already discussed plenty of times here in this community and most likely boils down to own preferences. If you are used to use a product for 20 years, you are finding a new approach to be frustrating. 

    Most points are currently looked at and will be improved, if time is given but keep in mind, the main goal of a product like SFOS and UTM is to keep a customer secure. So the main focus of development costs are being invested in security features and some are going into quality of Life features. 

    I like to work with SFOS and like the improvements in handling certain instances. But again that is customer preferences. 

    You can use the UTM now for 3 years and re evaluate your options in 3 years, but what i am doing as a Sophos Employee (in Germany) for the past 5 years: Migrating customers to SFOS - And this works fine. 

    __________________________________________________________________________________________________________________

Reply
  • Those points are already discussed plenty of times here in this community and most likely boils down to own preferences. If you are used to use a product for 20 years, you are finding a new approach to be frustrating. 

    Most points are currently looked at and will be improved, if time is given but keep in mind, the main goal of a product like SFOS and UTM is to keep a customer secure. So the main focus of development costs are being invested in security features and some are going into quality of Life features. 

    I like to work with SFOS and like the improvements in handling certain instances. But again that is customer preferences. 

    You can use the UTM now for 3 years and re evaluate your options in 3 years, but what i am doing as a Sophos Employee (in Germany) for the past 5 years: Migrating customers to SFOS - And this works fine. 

    __________________________________________________________________________________________________________________

Children
  • "as a Sophos Employee" and "sales engineer"... hmmmm sure that is where loyalty lies. XG is not showing a user interface that is supporting a system for "trust". Regardless of how great the "black box" is underneath, I'm not buying it.

    "customer preferences" is bs... the functionality is clearly lacking. Yes UTM needs revision, but there is transparency in the product. I have no love for XG right now. I support Alessandro's post 100%

    Having been it IT for 30+ years I know my stuff too in regards to everything IT/Application/Corp

    Your statement " If you are used to use a product for 20 years, you are finding a new approach to be frustrating." is insulting

  • Maybe i phrased my first point wrong - Sorry for that - I just wanted to point out, i can understand, somebody, who used a product for 20 years found other products to be frustrating or illogical or something. I can now do some car analogies but you will get the point. 

    About the trust system: Trust systems basically goes hand in hand with NAC solutions. Home users often time do not have a NAC Solution. In SFOS you could do Radius Accounting SSO as well, which means, if a device is logged in via a WPA Enterprise service, you automatically take over the user information. Or the better approach, which most customers also choose - using the Sophos Endpoint to get the heartbeat. Thats the ultimate trust solution, as you can make sure, the device, you are logged in, is protected by Sophos and you get the user information based on this information:
    For a home user, those systems are not available. UTM was build to be used as a standalone solution - SFOS is a game with different systems, which customers have in place. 
    Also you could use systems like STAS to get user information based on your AD. 

    __________________________________________________________________________________________________________________

  • Lucar, I honestly have no clue what you are trying to say here in the 2nd paragraph. I understand there is a possible translation loss here, so please rephrase your statement.

  • I mixed up two conversation about Trust in another thread, which was about NAC in UTM. You can ignore that part about NAC. 

    It was point about your point of "trust" and mixed trust with the Zero Trust approach. 

    __________________________________________________________________________________________________________________

  • We tried the XG twice in the last few years, and compared to the UTM it still is an inferior product. By doing so the workload for administrators triples, due to the lack of information, and the illogical way features are implemented.

    For example, the separation between IPv4 and IPv6 means you have to do everything twice in a dual-stack environment, and keep manual documentation to make sure everything is and remains in sync, when added and when being maintained.

    Also, the UTM is a comprehensive product for those without deep pockets, like our charity and non-profit client-base.

    If there is not going to be a solution to use the UTM moving forwards (Sophos basically kills it on a fixed date by terminating the license, which I am not sure is even legal), we will advice and assist our client base to migrate away from Sophos.

  • Harro thankyou for making this point and statement.Yes I am in agreement with everything you have stated.

    I have been through 2 install cycles with XT, one a few years ago at the suggestion of a Sophos provider, while having issues with a Sophos AP... this was a complete disaster and exercise in frustration... in the end I reformatted the box back to a UTM backup and threw out the AP. Then again recently after the announcement, I though maybe XG would be an improvement, but after meticulously working through each setting and layout and help documents... after 2 or 3 days I had no clue what was or wasn't working. Simple stuff like domain blocking based on a defined category wasn't easy to figure out... even the basic default settings on the XG seemed to think "pornhub" and adverts were okay... Management of "Adverts" seems to be non-existent. Setting up a user login, fixed IP, for a device/mac address seemed impossible... for me this is Network Security 101. I want complete control of who and what connects to my network and complete visibility and control of domain access. Especially mobile devices (Apple products are the worse), that seem to think they have free reign on any network they connect to. At least with the UTM Firewall I can create a hierarchy of mobile devices that have access to services to a certain point before a "Drop" is instated...

    I sound like a broken record... I think I have said enough.