
v18 EAP2. Anyone have a clue when? Because I have quit testing EAP1...

Ok

I concluded it was useless for me to continue testing EAP1.  First because I am under the impression things are simply not working.  We are testing something "in the pipe" which, to my judgement, means before EAP.

And there's the thing that many - including me - had half of their posts deleted by moderators with no appropriate judgment.  It has become counter-productive.  What's the point of testing for hours just to have our comments deleted in the end?

Paul Jr



  • To clarify things up.  As far as I am concerned, it was not a complete waste of time. 

    1. The free introduction course for v18 was VERY appreciated. 
    2. Playing with TLS/SSL inspection gave me a hint of what we will get around December 2020.  Because obviously, it is not gonna be before that, since it took 6 months this year to solve things like DHCP and all.  Things to fix in v18 are far more elaborate and will certainly take more than a year to fix. 
    3. NAT improvements are more than welcome, I wish I could continue to play with it, but the rest of v18 is just unworkable for now, even for home use.  Things freeze way too often.

    Tonight that was my screen before I reverted back to 17.5.8:

    Web pages do not render properly, performance graphs show that everything is idle while pinging the firewall shows extreme latency.  Icons keep disappearing, particularly in firewall rules.  Activating TLS/SSL inspection reduces performance even more, up to frozen molasses.  Outlook takes forever to open.  Really unworkable.

    Finally, I really don't take it that Sophos does not upgrade the X105W for reasons that are nothing more than marketing and have nothing to do with technicalities.  This is extremely frustrating.

    Maybe others will find it positive to continue testing EAP1.  There are many reasons for that and I encourage it.  But me, I do not find the gain is worth the effort.  Also, my enthusiasm is not there, most probably because I have waited for the bride for too long.

    I will re-evaluate at EAP2, or once I read EAP1 is ironed out enough to be workable.

    Paul Jr

  • Hi,

    Are you sure that your latency issue is because of v18? I've been using v18 EAP1 since the release on a low-powered machine, and had no issues like this. Couldn't it be something else in your network?

    Also, I've been testing the v18 EAP1 since release, and it's been a love/hate relationship with it.

    The SSL/TLS inspection works, but its performance is bad. Mainly compared on port 443 for HTTPS traffic: the web proxy is way faster than SSL/TLS inspection (but of course, the web proxy only supports 80/443, while SSL/TLS inspection supports any port).

    Somehow IDS/IPS managed to get at least 50% slower compared to v17.5.x.  *

    My machine will lock itself for ~10 seconds if the load on it is really high for a long period of time.

    I've had to remove two WAF rules, because country blocking isn't working with WAF on v18. (Already reported.)

    * I currently have a J1900 with 4GB of RAM, I'll be upgrading to 8GB RAM (6GB usable). I believe the IPS performance issue is being caused because my machine doesn't have enough RAM for Snort allocation to work correctly. One friend of mine, who has the same machine but with 8GB of RAM, has seen much higher throughput than mine with 4GB of RAM.


    Thanks,

  • I replied here:

    https://community.sophos.com/products/xg-firewall/sfos-eap/sfos-v18-early-access-program/f/recommended-reads/116102/understanding-new-decoupled-nat-and-firewall-changes-in-v18/418428#418428

    with the experience gained during these days. If they do not want to listen, amen! We move the remaining customers from UTM9 to other vendors. Life is not a static thing and we cannot change the world. If they do not want to listen, great, we move away. No problem. Me and other community users/partners remember the XG v15 disaster, for which you cannot even find documentation anymore. They forgot about it, and many of us told them the UI was terrible, the rest is history. If most of the customers complain about the new firewall section, something will change, like with v15 or like the firewall registration method where using XG was not even possible if no internet connection was available. I guess before 16.5.

    Regards

  • It is Sophos.  It is not a "right".  It is not a "democracy".  It is not a "religion".  It is a Business.  And there to make profits.

    They write and apply their own rules, and if it does not fit someone, the only alternative is to go elsewhere.

    I personally think XG will catch up with other players at version v20.  And like I have written two years ago, it will take at least five years.  So 3 years left.  If it takes more than that, they are dead.  Because other players are not standing still.

    Meanwhile learn and practice your CLI, because it is the only reliable way to manage XG.  The only alternative is to go elsewhere.

    I posted their financial reports a few weeks ago and was surprised how small Sophos actually is compared to others.  Consequently, developing XG while maintaining SG is a big chunk.

    To go back to the topic of this post, I will wait for EAP2 or at least until EAP1 becomes really what I understand an "Early Access" is.  By definition, early access means not "ironed out", but I personally feel more like in a laboratory now, testing concepts.  I cannot use it at home as it is now.  It is unworkable for me.

    So I understand that the non-official schedule for EAP2 is November.  But from what I see, EAP2 is EAP1 + unlocked features.  In other words, nothing guarantees that at that point DPI will work, or that freezes will be a thing of the past.

    I am far less nervous about this than at the beginning of the year since I already moved most of my IT stuff to other players (i.e. mail gateway, web gateway, and 50% of endpoints).  It is not a mountain to climb anymore to change my firewall to another player.  I can do it in a day now.  So I'll be able to give Sophos a chance up until March 2020.

    Thanks Luk for the unofficial time frame.

    Paul Jr

  • Hi All,

    To add to what  has already mentioned.

    I personally apologize for any previous posts that were incorrectly deleted or threads that were locked. As per the Community T&C, Sophos encourages the sharing of constructive advice and criticism and the community forums are therefore as open and free from content control as possible. This has been addressed internally.

    Please don't hesitate to reach out to me via PM if you have experienced any of your posts being incorrectly moderated.

    Regards,

  • Ahoj alda,

    I just approved the latest post for you that was flagged as abusive.  Hopefully, as Flo says in the post just above mine, the new employees have been "corrected" and we won't see the deletion of any more posts of honest frustration and criticism.

    Cheers - Bob

  • Hello,

    maybe you read my appeal, so you know what I think about the quality of the implementation of NAT rules.
    Please answer if there is anyone in this community who is satisfied with the quality of the implementation of NAT rules and their link to the firewall rules.
    I think there is no one in this community. I think we all feel how big this problem is.

    I really think this product is going to hell. v15 and v16 were, clearly, disasters. v17 and then v17.5 remedied the bad reputation a little, and we all rightly expected that the two-year promised version of v18 would be a significant advance and that Sophos had learned from previous mistakes. I'm afraid Sophos didn't learn.

    I have written it before: the DPI engine, Kerberos, DKIM, etc. and other newly implemented security features move this product clearly forward. But then you come across the horror of the implementation of NAT rules and their links to firewall rules and you don't trust your eyes.

    It's like Dr. Jekyll and Mr. Hyde.

    Regards

    alda

    P.S. I know my post was very expressive, but I still have the impression that none of the developers understands the seriousness of the situation and they write down a comprehensive explanation of why they implemented it.

  • J1900 doesn't have AES-NI instructions so there's no hardware acceleration of certain crypto functions.

    This may be the cause of the performance loss you're seeing when activating TLS/SSL inspection.

    I do know from experience that a slower clocked CPU with AES-NI makes a better performing pfSense IPSec router than a faster clocked CPU without AES-NI.

    Bottom line is you really need an AES-NI capable CPU for a security router if you want it to perform well.

  • Very good point.  Boy, I overlooked that one... Some reading here: https://www.tomshardware.com/reviews/clarkdale-aes-ni-encryption,2538-9.html

    Few things to remember:

    1. AES acceleration applies only to real cores.  Not Hyperthreading.
    2. It applies only to AES, and not to SHA or anything else.  That alone castrates its real-life utilization quite a lot.
    3. Very dependent on the compiler used while generating applications/OSes. Since Sophos is an assembly of open-source software, chances are the latest compilers were not used.
    4. The latest AES-NI version has the utmost importance for performance.  Not all Intel CPUs use the same version.  And it is quite tricky to find it.

    Obviously, there will be cases where AES will have a drastic positive effect.  4, 5, 6 times faster.  I can tell for other products like Mikrotik already.  But with Sophos, you'll only learn when you open the switch.  Or maybe there's some technical paper out there to enlighten us...

    One last thing.  It is puzzling to me Sophos appliances do not implement TPM.  Go figure.

    Paul Jr
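    The two posts above turn on whether the CPU exposes AES-NI at all, whether it helps SHA (it does not; that needs the separate SHA-NI extension), and how many real cores versus hyperthreads the box has. This is an added example, not from the thread or from Sophos: it parses the `flags`, `physical id` and `core id` fields of Linux `/proc/cpuinfo` text and reports exactly those three things. The sample cpuinfo excerpts are constructed, not captured from real hardware.

```python
import os

# Instruction-set flags a TLS/IPsec box benefits from. "sha_ni" is listed
# separately from "aes" because AES-NI does nothing for SHA digests.
CRYPTO_FLAGS = {
    "aes": "AES-NI: AES block cipher rounds",
    "pclmulqdq": "PCLMULQDQ: GHASH multiply used by AES-GCM",
    "sha_ni": "SHA-NI: SHA-1/SHA-256 rounds",
}

def parse_cpuinfo(text):
    """Split /proc/cpuinfo text (blank-line separated) into one dict per logical CPU."""
    cpus, cur = [], {}
    for line in text.splitlines():
        if not line.strip():
            if cur:
                cpus.append(cur)
                cur = {}
            continue
        key, _, val = line.partition(":")
        cur[key.strip()] = val.strip()
    if cur:
        cpus.append(cur)
    return cpus

def crypto_report(text):
    """Summarise crypto extensions and real-vs-logical CPU count from cpuinfo text."""
    cpus = parse_cpuinfo(text)
    flags = set(cpus[0].get("flags", "").split()) if cpus else set()
    # Distinct (physical id, core id) pairs are real cores; extra logical CPUs are hyperthreads.
    cores = {(c.get("physical id", "0"), c.get("core id", str(i))) for i, c in enumerate(cpus)}
    return {
        "logical_cpus": len(cpus),
        "physical_cores": len(cores),
        "hyperthreading": len(cpus) > len(cores),
        "present": sorted(f for f in CRYPTO_FLAGS if f in flags),
        "missing": sorted(f for f in CRYPTO_FLAGS if f not in flags),
    }

# Constructed sample (not a real capture): a J1900-like 4-core part with no AES-NI.
SAMPLE_NO_AESNI = "\n\n".join(
    f"processor\t: {i}\nphysical id\t: 0\ncore id\t: {i}\n"
    "flags\t\t: fpu sse2 ssse3 sse4_1 sse4_2 popcnt rdrand" for i in range(4)) + "\n"

# Constructed sample: 2 cores with hyperthreading, AES-NI and PCLMULQDQ but no SHA-NI.
SAMPLE_AESNI_HT = "\n\n".join(
    f"processor\t: {i}\nphysical id\t: 0\ncore id\t: {i % 2}\n"
    "flags\t\t: fpu sse2 ssse3 sse4_1 sse4_2 popcnt aes pclmulqdq avx2 ht" for i in range(4)) + "\n"

if __name__ == "__main__":
    # On a Linux host report the real machine; elsewhere fall back to the constructed sample.
    text = open("/proc/cpuinfo").read() if os.path.exists("/proc/cpuinfo") else SAMPLE_NO_AESNI
    print(crypto_report(text))
```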

  • I have just done the exercise to check Sophos appliances CPUs from XG85Rev2/XG86 up to XG210Rev3.

    In general, they support AES.  But I would have to check more to make sure it is AES-NI in all cases.  I say that because Sophos appliances' CPUs are of an old generation, the earliest being released in spring 2017.  XG86, XG106, XG115Rev3 are using Intel Apollo Lake CPUs that were released in 2016 with 14 nm lithography.  It is not archaeology yet.  But the clear goal is to shop in "EOL / Inventory clearance" to reach the cheapest price point.

    On top of it, memory and storage are kept at minimum speed.

    I personally think anything below XG115 should have never existed.

    Paul Jr

  • Big_Buck said:

    I personally think anything below XG115 should have never existed.

    Interestingly, when I started my XG Firewall journey I was advised by Sophos Australia techs not to use nor recommend anything smaller than an XG115. So glad I took on board that piece of advice.

  • I advised our sales group (we are a reseller) to never sell any of the models with only 2GB of RAM... thank goodness.  I actually turned a few potential customers away who insisted on it (not using it as a simple firewall, we're talking they wanted to use all the features on very high speed circuits with large user counts).  Didn't want the headaches.
