XG V18 MR3

Hello Sophos,
can we still expect the XG V18 MR 3 this week ?




[locked by: FloSupport at 4:35 PM (GMT -7) on 13 Oct 2020]
  • It'll arrive when ready is my home, better be late but right.

  • Hello Mike,

    so I can only recommend one thing to you, start using another solution from another vendor.
    Trust me, I've been using Astaro / Sophos UTM solutions since 2003 and it is hell for the last 5 years. You won't find such a low-quality and unreliable product like XG anywhere else in the world.

    Trust me, I really have many and many years of experience with these products and such a bad situation in quality and reliability has not been in the past.

    If you are a home user, I understand your enthusiasm. But if you are a corporate network administrator or a supplier of security solutions for companies, this is hell ....

    Regards

    alda

  • Already have Untangle and pfSense instances. I do flip between them.

    In a corp world I wouldn't pick Sophos, Untangle etc. I'd prob go Fortigate tbh.

    Unifi, I wouldn't use anywhere re their edge offerings.

  • I second this, as a corporate admin I can assure we're switching away from Sophos as soon as our current license period runs out.

  • Can you develop this a little more, why are you throwing out Sophos XG?

  • Hi ,

    One honest question: is the firewall not doing its job to protect your clients, which is the main purpose of it?

    Or are you mad at it because the management plane on Sophos XG is horrible? Or both?

    Thanks!


    If a post solves your question use the 'Verify Answer' button.

    Ryzen 5600U + I226-V (KVM) v20 GA @ Home

    XG 115w Rev.3 8GB RAM v19.5 MR3 @ Travel Firewall

  • Hello Prism,

    I think it's a mix of all the bad things together. I think the last 2 to 3 years are "normal" that Sophos released a new version and within a week at the latest (more often in a few days) we ourselves reported what is not working properly or what other features are damaged by the new version.

    When was the last time you encountered a problem that a function is not implemented correctly or its implementation is not completed? Again for the last 2 to 3 years, this situation has been repeated regularly.

    Am I right? I think you've experienced it too, right?

    Have you solved any problem with Sophos support in the last 2 to 3 years? How long (on average) did it take to solve the problem? Our experience is at least 2 to 3 weeks (ideally). First you have to describe the problem in detail, so you describe the problem, then L1 support finds out that it is not enough to solve the problem (in the meantime you are asked for ping and traceroute analysis, which of course you did and you know there is no problem). So the problem will be taken over by L2 support and again you have to describe the problem in detail even if you did it with L1 support. And again: ping and traceroute. And in the meantime, you are waiting and waiting, because the engineer is going on vacation and another engineer will not take over the solution to your problem, waiting for the original engineer to return from vacation.

    Want more experience?!? I can go on for a long time.

    So my conclusion? For many reasons, I will keep it to myself at this time.

    So, as can be seen from the above arguments, I think Sophos has a lot of internal problems and it will be a big surprise for me if it can handle them at all in the foreseeable future.

    I think v18.5 will be crucial for the survival of Sophos as a UTM vendor. Personally I rated v18 as a very failed version (same as v16).

    Regards

    alda

  • Hi  ,

     has got a point, I have experienced similar problems and the time it takes and the motivation of some of the staff on the support desk astounds me.

    The Sophos Support structure is broken, I think  was lucky to get Level 2 techs, I only get the ticket logger and level one tech, then over to GES (and there it disappears for months) before a footnote in the updates if you're lucky.

    Some of the techs do not understand time zones. I have been called @ 10pm (BST) on a Friday evening, and the tech will then mark the ticket down as "customer refused telephone call", and not why it was refused.

    This is not good relationship building.

    I now do not sell the UTM, as nothing constructive is coming from Sophos, and they do seem to be winding down operations and development in favour of the XG, I still have a mistrust of their QA process and reliability of their testing process, which feels to me like the Microsoft Windows QA team who were fired a few years back, and we have all felt the knock-on effect of that one.

    XG & UTM Architect (Systems: XG v18 & UTM 9.7 - Virtual, HW & SW)
    Curious enough to take it apart, skilled enough to put it back together, Clever enough to hide the extra parts when I'm Done!

  • You have a good point.

    I've never used Sophos support, since the place I was at didn't use Sophos XG.

    But looking at your experience, the Checkpoint TAC is the same thing: unless my problem got handed over to Israel, I would be in a state of suffering the whole time with the LATAM L1 support.

    When was the last time you encountered a problem that a function is not implemented correctly or its implementation is not completed? Again for the last 2 to 3 years, this situation has been repeated regularly.

    Am I right? I think you've experienced it too, right?

    Well, that's another good point. What makes me angry with this is knowing that the back-end of the firewall (most parts of which are GPL code) supports a lot of things that aren't available on the management plane.

    Personally I rated v18 as a very failed version (same as v16).

    I don't rate v18 "as a very failed version", they did something right which is the new SSL/TLS Inspection engine, but some other features that we got, such as SD-WAN support don't even work correctly.

    An example is: try to use the "Application Objects" to route the streaming application traffic to another interface, most of the time the engine will detect YouTube.com as TCP/443, instead of the YouTube streaming application.


    Ryzen 5600U + I226-V (KVM) v20 GA @ Home

    XG 115w Rev.3 8GB RAM v19.5 MR3 @ Travel Firewall

  • I just went back and looked and MR1 was released nearly 3 1/2 months ago. There was an unannounced MR2 that was released to MySophos with no release notes whatsoever, despite repeatedly being asked for them, in what I would call a very bizarre event. People are clamoring for MR3 because there are still many serious bugs in v18 that we are hoping are addressed, and we're wary of installing an undocumented, beta (or is it?) release in production when we have no idea what it fixed or didn't fix or what bugs it might introduce. The new DPI inspection engine sounds nice on paper; we had so many problems we had to end up disabling it entirely. And while it's nice that Sophos is out there doing innovative things, most all of us would appreciate the simple things, like a logging facility that actually, you know, can give you good consistent information. God help you if you have to troubleshoot and need logs. I would say that the decision making process on what features to work on seems totally broken to me. For example, was there any great outcry for a new DPI engine for v18? But DHCPv6-PD, which is how just about ALL business class cable modem providers distribute IPv6 addresses, nah... who needs that. But if you do need it, a cheap $75 home Chinese router from Wal-mart can do it for you. It's just baffling.

    My interactions with Sophos support have been generally decent, so I can't offer much complaint on that.  

  • I mean, medium to big companies don't care about DHCPv6-PD, and that's the point. Sophos wants to stop appealing to the home/small business and go bite the medium/large companies.

    They care about DPI/scanning TLS, route-based VPN, decoupled NATs and rules, etc.

    So yeah, that's why and I don't blame them, the money is in the biggest corporations, not small business. And they have to include functions that are present in bigger fw companies (vrf?, central management?, etc)

  • It's good to know that Sophos doesn't want my business anymore, I guess that makes my renewal decision next year easy.

  • Hello Bill,

    believe me, you will definitely not be alone in deciding like you in the near future. Many current Sophos customers are planning the same decision as you. Only Sophos doesn't know about it yet ....

    Regards

    alda

  • It's a shame, I do like Sophos XG and the value for the money is good. If they are truly wanting big enterprise customers only, I would say good luck. XG as it exists right now is not nearly a good enough product to break into that market; the terrible logging alone would be a disqualifier for many.

  • I don't rate v18 "as a very failed version", they did something right which is the new SSL/TLS Inspection engine, but some other features that we got, such as SD-WAN support don't even work correctly.

    And what is the throughput on the DPI again? The xtreme DPI engine... 

    One honest question: is the firewall not doing its job to protect your clients, which is the main purpose of it?

    I totally gave up on XG even for home use after the remote code execution problems that were in the wild, so no, the firewall was not doing its job in its default configuration.

    I check in here once in a while since I use SG in my lab due to abundant logging and things are still the same as they were when v16 was released. Big promises little follow through as pointed out. Now there is a remote code execution on the SG UTM webadmin. Luckily someone was nice enough to tell them instead of leaking it to the hackers.

    Unreal

    Regards.

  • Hi,

    Have passed a comment back on the release page about the DPI engine performance not being any different to the mail proxy.

    Ian

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

  • And what is the throughput on the DPI again? The xtreme DPI engine.

    It's actually high... Also, you're comparing the throughput of the DPI engine on Sophos XG with what other vendor?

    Fortinet have custom ASICs to do pattern matching and L3 networking and crypto, Palo Alto have FPGAs for the same reasons, even Checkpoint have acceleration PCIe cards now.

    If you look at the appliances Sophos have right now, they are all using old Intel x86 CPUs from 2017<, and even then the throughput is still high for a NGFW.

    I'm not here to defend Sophos, but if a USD$50.000 appliance from Palo Alto (PA-5220) that has multiple FPGAs and uses Marvell "security processors" can only do 1.9Gbit/s of Threat Prevention on an enterprise mix traffic with SSL/TLS decryption, which is the same as an XG 750 Rev.2 could do on v17.5, then I'm impressed with Sophos results.

    I totally gave up on XG even for home use after the remote code execution problems that were in the wild, so no, the firewall was not doing its job in its default configuration.

    Did you ever look at the other vendors' CVEs? Feel free to take a look at Palo Alto here.

    Also, let's talk about the SSH "backdoors" (which had hard-coded SSH public keys) Fortinet had some years ago; even their SIEM product had a vulnerability like this last year.

    Every vendor has shitty vulnerabilities that someday will piss off their customers; the only difference is how fast they fix it, and whether they are going to speak publicly about it or hide it.


    Ryzen 5600U + I226-V (KVM) v20 GA @ Home

    XG 115w Rev.3 8GB RAM v19.5 MR3 @ Travel Firewall

  • I don’t want to seem to be too picky because the discussion is of value, but needs to be in its own thread.

    ian

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA


  • Ha, the old "LOOK, other vendors suck, so we suck also" defense? Or the "half our stuff works for half the price" defense?

    If XG is working for you, great, and that is all that matters. But there is no sugar coating that their code quality has been slipping.

    I will leave this alone as Ian doesn't want me to muddy this thread, and move back to the MR3 release, which will probably be next week because they usually release on Wednesday or Thursday most of the time ;-)

    Regards.