
Am I the only person who likes this new XG product?

Wow - reading the comments here...... sounds like I'm the only one outside of Sophos Corporate who likes this product.

And no - I'm not a Sophos employee _OR_ a Sophos plant.

In fact, I came to the firewalls grudgingly through their other products.  I am (or was) a Watchguard/pfSense/Cisco/Several Others kind of guy. I started with SGN (encryption) and SMC (the server-based mobile control) and then started looking at the firewalls because of a few integrated features.  I decided to go through the engineer cert training for both UTM and XG.  In fact, I think I went through the XG training the day - or the day after - the training itself was released.

After all that - I don't see why everyone is so down on this product.

Sophos has been exceedingly clear on the fact that 1) NO, SG is not going away any time soon. 2) if you like your SG or CR product, you can KEEP your SG/CR product and 3) YES there are missing features, expect new ones soon.

Are there limitations and weaknesses - YES. It's a VERSION 1 product! (they can call it version 15 all they want.  It's a v1 product)

Is it still a pretty cool damned product? YES. 

Will it improve drastically? Likely, YES.

Seriously guys - give it a few months.  It is brand new, needs a few tweaks, and change always sucks - but the compelling new features they've put in - heartbeat, cloud management, etc - are, or are going to be, excellent.

As of now, our NFR of the XG230 is happily running down in our server room, humming away, and acting as our primary gateway to the internet.  Working like a champ so far.



This thread was automatically locked due to age.
  • I bit the bullet and set up an x64 system to try this. (Why can't they document that? The web site says 'intel' not x64.). I had to load up my disk from an x86 system anyway as my microserver would not run the usb stick properly - no keystrokes seen. Then I moved the disk to the x64 microserver.

    Next I waste a bunch of time finding out certain ways of coding rules keep me off the internet. And some more time to see native ipv6 for a few minutes before it broke.

    Everything I do is 'pot luck'. It takes the changes, then I have to wait around for some minutes to see if it will do what I asked. I click on something in yellow to find out what it is trying to tell me and get a change to the display that is not informative at all. To me it is Beta quality. And without the heartbeat for home users, I have yet to figure out a motivation to switch everything over to it.

    I am very pleased to have a UTM 9 for free and to see the constant stream of pattern updates and regular code fixes. I have figured out its quirks (very few) and have improved my patterns and exceptions over time. Starting over on this new thing has been painful at best. Yet I see that people on my favorite forums have turned it up as production for their home network. I have to assume their needs are different from mine.

    So we all get to pick and choose and if the developers are deaf and mute I guess I will just go away and see what has happened six months from now, maybe it will improve.
  • I do not know Cyberoam but the configuration is horrible compared with UTM9 that I'm running since .0 version.
    I would have taken the UTM and added the user based firewalling.

    Christian
  • Hi Luk, thanks for pointing out the MTA feature request as accepted, I had already noticed it ;) I see you have a lot of other feature requests trying to improve everything. Thanks for not giving up and actively pressuring Sophos into making SFOS better. Maybe they will listen to a few feature requests this time.
    Regards
    Bill
  • BillyBob,

    We will continue to support Sophos and customers if Sophos is going in the direction we are hoping to.

    We only have 2 ways to let them hear from us:

    1. this community

    2. feature requests.

    At the moment I have XG at home and I am trying to push what is really missing before moving some small customer to XG.

    So add feature requests and vote for the ones that are already there.

    It is great news that MTA will be back! At least, something is moving! [:D]

    Now we need live log, better UI navigation and dashboard too.

    Luk

  • I think it's funny when people call this a 1.0 product. You have fallen victim to clever marketing.

    This is Cyberoam, this is not some new creation. This is the same Cyberoam core with a new GUI. In fact, Cyberoam customers can upgrade to SFOS right now. And it's the only update available to them.

    Cyberoam has sucked for years. A new GUI on top does not change that. Cyberoam v1 through v10 has been a terrible product and v11 (SFOS v1) doesn't change that nor will version 12 or 13...ie SFOS v2 and v3.

    Sophos knew they couldn't tell UTM customers they are migrating to Cyberoam. Many Sophos customers looked at Cyberoam and decided against that platform when they initially joined the UTM camp.

    So the easy thing was to call this SFOS, and everyone fell for it.
  • I really wanted to like XG. I liked the new interface and finally started to figure out the logic of building policies. My biggest issue was that the performance was terrible using the same rules I had on UTM 9. I'm not sure if it is due to the 4-core limitation. That probably isn't a big deal on an Intel i3/5/7/Xeon but when you're running it on a server grade Atom processor it would be nice to be able to spread the load out over all 8 cores. System load was a constant 2 with no traffic running. If I started a download running then my ping to Google shot up to 1,200ms and I couldn't browse the internet. When I ran the top command my CPU usage was usually 2%-15% and I couldn't figure out where the load value of 2 was coming from. Maybe it's a bug that will be fixed in the future?

    My second biggest gripe with XG was that I was never able to get SMTPS filtering running for my mail server. It could be that I just don't understand the differences between when you need to use certificates and certificate authorities. I was able to get my certificate into the certificate section so I could use the WAF with my web server, but I was unable to get it working for email. In UTM 9 I just uploaded my cert in the cert section and then I could use it for the WAF and SMTPS. I'm not sure why in XG it wants me to select a cert I've uploaded to the CA section for SMTPS and select a cert I've uploaded to the cert section for WAF?
  • I too have done both the UTM and XG training and certification courses and while I will be somewhat biased towards the SG/UTM platform as I know it well, here are my issues with the XG.

    Support

    Logging a ticket with Sophos around a simple feature issue, I had to guide the tech around via WebEx as they could not find the menu they needed. I know this may improve but extremely frustrating and very unassuring considering they are meant to be the experts.

    No, it wasn't a level 1 either.

    Deployment


    No more offline deployment, you literally have to configure WAN connectivity before you can even start the config in a device, rather than the UTM where you could do a 30 day trial. Build everything & then activate it later. Seems like a small issue but it's a massive pain when you are trying to prestage systems or have delays in orders.

    Reliability


    We have now had 3 instances where Sophos has returned the XG devices under RMA and replaced them with the SG devices. In one instance a random rule was passing traffic intermittently. Also traffic from rule 1 was flowing over rule 7, even when both were disabled.

    We spent about 6-8 hrs on the phone as a P1 case until we concluded it was a bug. By this stage we had a few unhappy customers who refused to touch the XG again, it was replaced with an SG, no issues.

    Another instance was a VPN to a SonicWALL device was flapping up and down as well as intermittently dropping voice traffic. Swapped out with an SG and all was well.

  • ChavousCamp said:

    Seriously guys - give it a few months.

    ...

    ChavousCamp said:

    a very aggressive development timeline

    First, I'll start by saying I never used UTM9 (it sounds nice), second I'm a paid customer not a home user (multi-year license), third and the most important is the above comments. This is my biggest issue here...sloooooooooooooooooow development, poor communications, delayed schedules, etc. etc.

    I realize there have been several BETA versions but c'mon, agile development is all about short spurts of beta->GA (rinse/repeat) releases (think GMAIL early days, releases weekly to the general masses!). Sophos should be spinning a new release every week IMO, active development and releases are more important than a list of bugs in the works for eons.

    Case in point here, SSL VPN. OpenVPN fixed an issue with datetime per RFC specs and it's been months since I've been able to use a feature I paid for. See here: https://community.sophos.com/products/xg-firewall/f/127/t/77547 -- again I'm aware there is a BETA fix but I'm uncomfortable knowing the next "release" could be months away (to fix regression or new bugs, etc.).

    I've worked with hundreds of vendors and various applications. The developer who releases fixes in a timely manner will always have my business over the ones that spend weeks or months to finally address it.