Advisory: Sophos Endpoint "Your connection isn't private" after reboot. Policy settings can be returned to normal. See: KB-000045954 for the latest updates.

Things that may (not) working better after migration from UTM to XGS

My personal experience so far (current firmware version):

- on every of my 2 factory-new XGS3300 -> setup assistant had a loop and I could not finish the setup without a factory reset (not a good first impression ;-)
- planned firmware auto-updates like on UTM are not possible anymore without register and using central service
- poor mail logging on GUI: pretty useless on XGS compared to UTM -> you have to use the console to see the full logs (and mails that are not even comming to the MTA)
- on UTM you saw where and if any object are in use -> not anymore on XGS
- only single adresses can added in mailing-exceptions (networks or hostgroups not possible)
- self-sign windows certificates can not added as trusted certificate (firewall does not trust any cert that is no CA or issued by a CA)
- it is not possible to deactivate an interface (pre-configure like on UTM with creating deactivated interfaces not possible)
- you can not add an LAG interface without giving an IP or activate DHCP on it
- no AD user pre-cache: AD users are only on the firewall if (and only if) the users are login to the userportal first (as admin you can do nothing anymore, even not able to get an SSL VPN config file for the user)
- AD users can not migrated from UTM (including OTP hashes) -> all AD users can create themselve again in user-portal including OTP
- AD groups can not used for admin groups / users on firewall
- it is not possible to switch a firewall admin user back to a normal user (you have to delete and re-create the user)
- no notification if your RED is alive again possible (if your RED goes down, maybe its up again, maybe not...)
- to get your RED running on new firewall you have to restart the device for new provisioning (maybe a problem on remote-sites without IT)
- the connect provisioning feature is only working if you make the userportal reachable (maybe even for WAN if users only working @home)
- provisioning is not working for OTP users who are not creating themselve in user-portal before (so any user with OTP needs to login 2x to get a config via provisioning)
- the connect provisioning will give any user with OTP an connection error (the provisioned config is connecting right after the provisioning login of the user -> connection failed because OTP code can used only 1x)

A lot of things are of course better compared to UTM -> can tell you any sophos sales guy in his sleep.



.
[bearbeitet von: Quallensaft um 3:34 PM (GMT -7) am 14 Aug 2023]
Parents Reply Children
  • Can't argue there. I already have my solution lined up.  Just need inspiration to make the transition.

    It took a fire at my webhost's datacenter to push me into self hosting email. Been meaning to do it for years, but never got around to it.  Took a few weeks to work all the bugs out but working well now.  Even has redundancy (like today when some @sshole drove into a tree which fell on a power line, taking out the entire neighborhood for a few hours).

  • We do a lot for non-profits and charities, so we already run a lot of open source. The challenge is mainly on the management side, technically all solutions (firewall, ips, proxy, reverse proxy, mail services, etc) are well established and stable, but without a good GUI it is very difficult to manage it all efficiently.

    It is the biggest issue I have with the XG, apart from the lack of some features: the architecture is so illogical (no central object management, seperate ipv4 and ipv6 objects, etc) that the management cost triples. Not to mention the diffence in licencing costs between the XG and the UTM.

  • We run a postfix / dovecot / roundcube / sogo / amavis / spamassasin / clamav HA cluster for email, have done so for years. With a database backend, so it wasn't too complex to build a web interface for that, which we use to manage domains, mailboxes, quota's, white and blacklists, etc.