Things that may (not) work better after migrating from UTM to XGS

My personal experience so far (current firmware version):

- on each of my 2 factory-new XGS3300 units the setup assistant had a loop and I could not finish the setup without a factory reset (not a good first impression ;-)
- planned firmware auto-updates like on UTM are not possible anymore without registering and using the central service
- poor mail logging in the GUI: pretty useless on XGS compared to UTM -> you have to use the console to see the full logs (and mails that are not even arriving at the MTA)
- on UTM you could see where and whether any object is in use -> not anymore on XGS
- only single addresses can be added in mail exceptions (networks or host groups not possible)
- self-signed Windows certificates cannot be added as trusted certificates (the firewall does not trust any cert that is not a CA or issued by a CA)
- it is not possible to deactivate an interface (pre-configuring by creating deactivated interfaces like on UTM is not possible)
- you cannot add a LAG interface without giving it an IP or activating DHCP on it
- no AD user pre-cache: AD users are only on the firewall if (and only if) the users have logged in to the user portal first (as admin you can do nothing anymore, not even get an SSL VPN config file for the user)
- AD users cannot be migrated from UTM (including OTP hashes) -> all AD users have to create themselves again in the user portal, including OTP
- AD groups cannot be used for admin groups / users on the firewall
- it is not possible to switch a firewall admin user back to a normal user (you have to delete and re-create the user)
- no notification possible if your RED is alive again (if your RED goes down, maybe it's up again, maybe not...)
- to get your RED running on the new firewall you have to restart the device for new provisioning (maybe a problem at remote sites without IT)
- the Connect provisioning feature only works if you make the user portal reachable (maybe even from WAN if users only work from home)
- provisioning does not work for OTP users who have not created themselves in the user portal before (so any user with OTP needs to log in 2x to get a config via provisioning)
- Connect provisioning will give any user with OTP a connection error (the provisioned config connects right after the provisioning login of the user -> connection fails because an OTP code can only be used 1x)

A lot of things are of course better compared to UTM -> any Sophos sales guy can tell you that in his sleep.

[edited by: Quallensaft at 3:34 PM (GMT -7) on 14 Aug 2023]