This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Thank you for all the good times

Hi folks,

So it's done, migrated off Sophos UTM.

It is a bit with mixed feelings and emotion that I shift deleted the last UTM VM but in all honesty it's been as well a very nice ride onto different territories and I personally learned loads. I wanted to sincerely thanks the Astaro team, the Sophos UTM team for all the good years.

Cheers folks,
Take care,
M.



This thread was automatically locked due to age.
Parents
  • What did you migrate to? Any particular reason(s) why you choose that over something else?

  • Hi there Jay Jay,  

    To cut a long story short, I went for OPNsense + Zenarmor because:  

    - all my formerly at use Sophos AP's wouldn't show up on XG -- so the complete WiFi setup had to be rebuilt.
    - my testings of XG were not really giving me satisfaction (changes on parent interface = anything bellow would vanish (vlans/ipsec...)).
    - I honestly don't really get the point with XG, it is a different way of doing things but does it make sense for me = no 

    For the WiFi part I went for Ubiquiti gear (managed switches + AP's) and honestly, it's been really smashing, never had something that smooth.

    There isn't anything OPNsense can't achieve that UTM/SG could (within my setup) so overall I'm really happy.
    Currently, open source seems to me like more reliable these days, the last possible reason not to go for open source might be support, but what support exactly?  

    Cheers,
    m.

  • Thanks for the reply.

    I have no interest in exploring XG either. The flow and implementation just makes no sense to me. UI still difficult to see (as in visually) with no themes option last time I checked.

    I don't have sophos AP's, but do have a tplink omada EAP670 which works quite well here with good coverage and speeds.

    I'm more curious why you chose opnsense over pf.  I'm actually partial to pf because it's layout seems more logical. I'm not a fan of the collapsing menu items on the side.  Functionally they're both very similar, although pf is now based on freebsd14, while opn is still using freebsd 13.

    I don't know how important zenarmour would be to my use case.  Even in UTM, I've long since disabled the https scanning, leaving only url inspection enabled. Knock on wood this has worked out well here with no infected clients. Endpoints do have AV software installed as well.

Reply
  • Thanks for the reply.

    I have no interest in exploring XG either. The flow and implementation just makes no sense to me. UI still difficult to see (as in visually) with no themes option last time I checked.

    I don't have sophos AP's, but do have a tplink omada EAP670 which works quite well here with good coverage and speeds.

    I'm more curious why you chose opnsense over pf.  I'm actually partial to pf because it's layout seems more logical. I'm not a fan of the collapsing menu items on the side.  Functionally they're both very similar, although pf is now based on freebsd14, while opn is still using freebsd 13.

    I don't know how important zenarmour would be to my use case.  Even in UTM, I've long since disabled the https scanning, leaving only url inspection enabled. Knock on wood this has worked out well here with no infected clients. Endpoints do have AV software installed as well.

Children
  • Well mate, as of PF vs OPNsense, honestly, there isn't much I can say -- the one time I tested PF I didn't got the GUI at all, which made me get away.. OPNsense needs a little bit of learning (especially on the firewalling rules etc) but overall I think that my setup is now much cleaner than before. Transparent Proxy all over, syslog to OSSIM etc etc..

    Zenarmor is pretty cool, I wanted to have some safeguards over web filtering, app control and clear text malware protection. SSL Inspection/interception is something that works all fine although within the implementation here, it's not being wanted -- hence no SSL Interception... ZA also provides device detection, which works really well. You can bind ZA policies over different devices/interfaces etc.. I.E: no porn on Guests Network etc etc.. Again, very positively surprised here. I think as well that I've read that in upcoming releases of ZA, TLS Inspection will be supported (at the ZA level) which I'd likely embrace -- That could probably mean that you "could" SSL Intercept single/multiple Web Filtering categories (say Malware/Virus/Hacking etc..)

    Still, it's a bit sad as you see, we can talk about it for hours but quite frankly, this is a one to one replacement. As said nothing the UTM couldn't do can OPNsense do and vice versa.. Hence, perhaps the only viable question remaining would be; why killing this?

    Let's hope Sophos would do the right thing and gift the open source community with the UTM source code, that would revamp their image for sure.

    So long!