Hello Sophos, can we still expect the XG V18 MR 3 this week?
Update: SFOS v18 MR3 has been released. Please see - https://community.sophos.com/xg-firewall/b/blog/posts/xg-firewall-v18-mr3
Here's the latest update:
As with any release for XG Firewall, ensuring…
It'll arrive when ready is my hope; better be late, but right.
So I can only recommend one thing to you: start using another solution from another vendor. Trust me, I've been using Astaro / Sophos UTM solutions since 2003 and it has been hell for the last 5 years. You won't find such a low-quality and unreliable product like XG anywhere else in the world.
Trust me, I really have many, many years of experience with these products, and such a bad situation in quality and reliability has not existed in the past.
If you are a home user, I understand your enthusiasm. But if you are a corporate network administrator or a supplier of security solutions for companies, this is hell...
Prism said: I don't rate v18 "as a very failed version"; they did something right, which is the new SSL/TLS Inspection engine, but some other features that we got, such as SD-WAN support, don't even work correctly.
And what is the throughput on the DPI again? The xtreme DPI engine...
Prism said: One honest question: is the firewall not doing its job to protect your clients, which is the main purpose of it?
I totally gave up on XG even for home use after the remote code execution problems that were in the wild, so no, the firewall was not doing its job in its default configuration.
I check in here once in a while since I use SG in my lab due to abundant logging, and things are still the same as they were when v16 was released. Big promises, little follow-through, as alda pointed out. Now there is a remote code execution on the SG UTM webadmin. Luckily someone was nice enough to tell them instead of leaking it to the hackers.
I have passed a comment back on the release page about the DPI engine performance not being any different to the mail proxy.
Billybob said: And what is the throughput on the DPI again? The xtreme DPI engine.
It's actually high... Also, you're comparing the throughput of the DPI Engine on Sophos XG with what other vendor?
Fortinet have custom ASICs to do pattern matching, L3 networking and crypto, Palo Alto have FPGAs for the same reasons, and even Check Point have acceleration PCIe cards now.
If you look at the appliances Sophos have right now, they are all using old Intel x86 CPUs from 2017<; even then, the throughput is still high for an NGFW.
I'm not here to defend Sophos, but if a USD $50,000 appliance from Palo Alto (PA-5220) that has multiple FPGAs and uses Marvell "security processors" can only do 1.9 Gbit/s of Threat Prevention on an enterprise mix of traffic with SSL/TLS decryption, which is the same as an XG 750 Rev.2 could do on v17.5, then I'm impressed with Sophos's results.
Billybob said: I totally gave up on XG even for home use after the remote code execution problems that were in the wild, so no, the firewall was not doing its job in its default configuration.
Did you ever look at the other vendors' CVEs? Feel free to take a look at Palo Alto here.
Also, let's talk about the SSH "backdoors" (which had hard-coded SSH public keys) Fortinet had some years ago; even their SIEM product had a vulnerability like this last year.
Every vendor has shitty vulnerabilities that someday will piss off their customers; the only difference is how fast they fix them, and whether they are going to speak publicly about them or hide them.
I don't want to seem too picky, because the discussion is of value, but it needs to be in its own thread.
Ha, the old "LOOK, other vendors suck too, so we suck also" defense? Or the "half our stuff works for half the price" defense?
If XG is working for you, great, and that is all that matters. But there is no sugar-coating that their code quality has been slipping.
I will leave this alone, as Ian doesn't want me to muddy this thread, and move back to the MR3 release, which will probably be next week because they usually release on Wednesday or Thursday most of the time ;-)
Yes, you are right. I've been using the UTM for a long time and XG since v15. The last 5 years were a hell ride for both products; this means instability with business impact and production loss multiple times. Sophos also speaks about releasing new features like Let's Encrypt and so on for XG. They also said "We will improve the stability of our beloved XG". The support is also a nightmare when you have trouble with the devices. So you can feel the icy breath of the investor Thoma Bravo over the Sophos company and their products. And I am not alone with my opinion.
This all in sum makes me really sad.
In 2021 we have to renew our 13 XG and UTM clusters, but not with new Sophos hardware and licenses. We are switching over to better solutions with enterprise-grade quality and support like Palo Alto, FortiGate and so on. XG is a good firewall for home use, because the home version is free of charge.
Basically this discussion should continue after MR-3 is released, so having it in the MR-3 release thread will probably cause the thread to lose its focus. Please keep up the discussion and provide Sophos management with errors where the XG is seen to fail for any level of business.
Probably the worst failure from my point of view is the QA area: fixes in one version fail in the next version. How the DPI engine got past QA has to be a serious question for the QA manager.
QA in Sophos, really? I don't think anyone like that has ever existed for XG. Yes, for UTM v9 when it was still Astaro and a few years later, yes, the QA department did exist. But then I think it was canceled without compensation. It's just my feeling, but the quality of this "security product" would match that. And if I may have one more little observation: as long as the development of XG was driven by AlanT, v17.5 is at a significantly higher level than v18 in terms of quality, stability and reliability. However, if you look at v18, whose development is driven by PMParth, then the quality in all the above areas is at a significantly worse level. Only a blind person would not notice the change...
I just leave this here then....
Yeah, same here. Every real company makes a UEFI installer that boots UEFI. Sophos makes an ISO for 18.0.1 that blows up booting legacy, will boot and install UEFI, but the resulting boot fails since it installed MBR. The workaround is a ghetto hack: an 18.0.4 Ubuntu EFU file using a 2-year-old distro.