This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Things that may (not) working better after migration from UTM to XGS

My personal experience so far (current firmware version):

- on every of my 2 factory-new XGS3300 -> setup assistant had a loop and I could not finish the setup without a factory reset (not a good first impression ;-)
- planned firmware auto-updates like on UTM are not possible anymore without register and using central service
- poor mail logging on GUI: pretty useless on XGS compared to UTM -> you have to use the console to see the full logs (and mails that are not even comming to the MTA)
- on UTM you saw where and if any object are in use -> not anymore on XGS
- only single adresses can added in mailing-exceptions (networks or hostgroups not possible)
- self-sign windows certificates can not added as trusted certificate (firewall does not trust any cert that is no CA or issued by a CA)
- it is not possible to deactivate an interface (pre-configure like on UTM with creating deactivated interfaces not possible)
- you can not add an LAG interface without giving an IP or activate DHCP on it
- no AD user pre-cache: AD users are only on the firewall if (and only if) the users are login to the userportal first (as admin you can do nothing anymore, even not able to get an SSL VPN config file for the user)
- AD users can not migrated from UTM (including OTP hashes) -> all AD users can create themselve again in user-portal including OTP
- AD groups can not used for admin groups / users on firewall
- it is not possible to switch a firewall admin user back to a normal user (you have to delete and re-create the user)
- no notification if your RED is alive again possible (if your RED goes down, maybe its up again, maybe not...)
- to get your RED running on new firewall you have to restart the device for new provisioning (maybe a problem on remote-sites without IT)
- the connect provisioning feature is only working if you make the userportal reachable (maybe even for WAN if users only working @home)
- provisioning is not working for OTP users who are not creating themselve in user-portal before (so any user with OTP needs to login 2x to get a config via provisioning)
- the connect provisioning will give any user with OTP an connection error (the provisioned config is connecting right after the provisioning login of the user -> connection failed because OTP code can used only 1x)

A lot of things are of course better compared to UTM -> can tell you any sophos sales guy in his sleep.



This thread was automatically locked due to age.
  • Thanks for sharing! Keep 'em coming so others know what to expect and maybe Sophos will pay attention. I'm not holding my breath, but I'm hoping Sophos XG will elevate to the number one spot on my list of viable UTM replacements before June 30, 2026. Regrettably, XG's currently very low on that list.

    --------------------------------------------------------------------
    Sophos UTM 9.719-3 - Home User
    Virtual machine on Dell Optiplex 3070
    i3-9100 @ 3.60 GHz, 16 GB RAM
    --------------------------------------------------------------------

  • I'm with you. As an Astaro SG user, I'm really saddened to hear of the sunsetting but to be fair it's gone far longer than I expected. I'm sure I'll put it off for quite a while but I'll have to start evaluating new options myself. I've tried XG, the *sense, and a few other niche options but have always come back to UTM. 

    I've read some of your other posts and it's just as ingrained in my environment as it sounds for yours. I really don't want to tackle that conversion as I have years of configs and optimization in place (not hacks, just settings). While I'd love to not have the IP limit, I'm really not excited about the hardware limitations.

  • Well there is no "to be fair".

    The UTM is till today a superior Product.

    And Shopos will not get any of the features XG is missing into XG within the next 3 years. that's for sure.

    So instead of making a rock solid product even better and update it to modern needs, nope, again management knows it better again.

    the other brands will take any changing customer with ease.

    because some of them are less pain then the XG.

  • IPv4 and IPV6 are management completely seperate. If you have a dual-stack environment, be prepared to have your workload more than doubled, as you need to create everything twice, maintain everything twice, and keep track of it all. A nightmare.

  • It would be to their credit if they would return the UTM codebase back into the open source domain, so it could be kept up to date for home or other environments without deep pockets (we provide services for charities and non-profits). The XG is a disaster of a product.

    If there is no way to continue using the UTM (as I understand sophos will switch it off once the license expires, and it will become useless), we'll have to look elsewhere for an alternative solution for Firewall and WAF (the main components used).

  • Wishful thinking but unlikely to happen.  Why would sophos want aid a competing product.

  • They are discontinuing the product, so they don't see it as a viable and competing product in the market anymore?

  • But if code was released and product improved then it would be competing :).

    How to get rid of competition... buy out your competitor, then kill their product.

  • True. But then without us and our clients, the XG was and still is crap.

  • Can't argue there. I already have my solution lined up.  Just need inspiration to make the transition.

    It took a fire at my webhost's datacenter to push me into self hosting email. Been meaning to do it for years, but never got around to it.  Took a few weeks to work all the bugs out but working well now.  Even has redundancy (like today when some @sshole drove into a tree which fell on a power line, taking out the entire neighborhood for a few hours).