
v18 EAP2. Anyone have a clue when? Because I have quit testing EAP1 ...

Ok

I concluded it was useless for me to continue testing EAP1.  First because I am under the impression things are simply not working.  We are testing something "in the pipe" which, to my judgement, means before EAP.

And there's the thing that many - including me - had half of their posts deleted by moderators with no appropriate judgment.  It has become counter-productive.  What's the point of testing for hours just to have our comments deleted in the end?

Paul Jr

  • Hi All,

    To add to what  has already mentioned.

    I personally apologize for any previous posts that were incorrectly deleted or threads that were locked. As per the Community T&C, Sophos encourages the sharing of constructive advice and criticism and the community forums are therefore as open and free from content control as possible. This has been addressed internally.

    Please don't hesitate to reach out to me via PM if you have experienced any of your posts being incorrectly moderated.

    Regards,

  • Ahoj alda,

    I just approved the latest post for you that was flagged as abusive.  Hopefully, as Flo says in the post just above mine, the new employees have been "corrected" and we won't see the deletion of any more posts of honest frustration and criticism.

    Cheers - Bob

  • Hello ,

    Maybe you read my appeal, so you know what I think about the quality of the implementation of NAT rules.
    Please answer: is there anyone in this community who is satisfied with the quality of the implementation of NAT rules and their link to the firewall rules?
    I think there is no one in this community. I think we all feel how big this problem is.

    I really think this product is going to hell. v15 and v16 were, clearly, disasters. v17 and then v17.5 remedied the bad reputation a little, and we all rightly expected that the two-year promised version of v18 would be a significant advance and that Sophos had learned from previous mistakes. I'm afraid Sophos didn't learn.

    I have written it before: the DPI engine, Kerberos, DKIM, etc. and other newly implemented security features clearly move this product forward. But then you come across the horror of the implementation of NAT rules and their links to firewall rules and you don't trust your eyes.

    It's like Dr. Jekyll and Mr. Hyde.

    Regards

    alda

    P.S. I know my post was very expressive, but I still have the impression that none of the developers understands the seriousness of the situation, and they write down a comprehensive explanation of why they implemented it this way.

  • J1900 doesn't have AES-NI instructions so there's no hardware acceleration of certain crypto functions.

    This may be the cause of the performance loss you're seeing when activating TLS/SSL inspection.

    I do know from experience that a slower clocked CPU with AES-NI makes a better performing pfSense IPSec router than a faster clocked CPU without AES-NI.

    Bottom line is you really need an AES-NI capable CPU for a security router if you want it to perform well.

  • Very good point.  Boy, I overlooked that one ... Some reading here: https://www.tomshardware.com/reviews/clarkdale-aes-ni-encryption,2538-9.html

    Few things to remember:

    1. AES acceleration applies only to real cores.  Not Hyperthreading.
    2. It applies only to AES, and not to SHA or anything else.  That alone castrates its real-life utilization quite a lot.
    3. Very dependent on the compiler used while generating applications/OSes. Since Sophos is an assembly of open-source software, chances are the latest compilers were not used.
    4. The latest AES-NI version has the utmost importance for performance.  Not all Intel CPUs use the same version.  And it is quite tricky to find out.

    Obviously, there will be cases where AES will have a drastic positive effect.  4, 5, 6 times faster.  I can tell for other products like Mikrotik already.  But with Sophos, you'll only learn when you flip the switch.  Or maybe there's some technical paper out there to enlighten us ...

    One last thing.  It is puzzling to me Sophos appliances do not implement TPM.  Go figure.

    Paul Jr
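    The two posts above come down to one practical check: does the box's CPU actually expose AES-NI, how many real cores (not hyperthreads) does it have, and how much does the instruction set buy you for TLS inspection or IPsec? The script below is an added example, not code from this thread or from Sophos; it is a POSIX shell script for a generic Linux host that reads /proc/cpuinfo (falling back to a constructed sample when that file is absent) and, when called with the argument `bench`, times AES-128-GCM with OpenSSL first normally and then with AES-NI masked off through the `OPENSSL_ia32cap` environment variable. The sample cpuinfo text, the function names and the `bench` argument are the example's own choices.

```shell
#!/bin/sh
# Added example, not from the thread or from Sophos. Checks whether a Linux
# host's CPU advertises AES-NI, counts physical (non-hyperthreaded) cores, and
# optionally benchmarks AES-128-GCM with AES-NI on vs. off via openssl.
# Assumes: Linux /proc/cpuinfo and, for the benchmark, an openssl binary.

# Constructed sample in /proc/cpuinfo style: 4 logical CPUs on 2 physical
# cores (hyperthreading), AES-NI present. Used when /proc/cpuinfo is missing.
SAMPLE_CPUINFO='processor   : 0
physical id : 0
core id     : 0
flags       : fpu vme sse4_2 aes avx2
processor   : 1
physical id : 0
core id     : 0
flags       : fpu vme sse4_2 aes avx2
processor   : 2
physical id : 0
core id     : 1
flags       : fpu vme sse4_2 aes avx2
processor   : 3
physical id : 0
core id     : 1
flags       : fpu vme sse4_2 aes avx2'

# Print the cpuinfo text: the real file if readable, otherwise the sample.
cpuinfo_text() {
    if [ -r /proc/cpuinfo ]; then
        cat /proc/cpuinfo
    else
        printf '%s\n' "$SAMPLE_CPUINFO"
    fi
}

# First "flags" line of a cpuinfo text, one token per CPU feature.
# The field separator ": *" copes with the tab-then-colon layout of the real file.
cpu_flags() {
    printf '%s\n' "$1" | awk -F': *' '/^flags/ { print $2; exit }'
}

# Exit 0 if a flags line contains the "aes" token (AES-NI), 1 otherwise.
has_aes_ni() {
    printf '%s\n' "$1" | tr ' ' '\n' | grep -qx 'aes'
}

# Number of physical cores: distinct (physical id, core id) pairs.
# Hyperthreads share a core id, so they are not counted twice.
physical_cores() {
    printf '%s\n' "$1" | awk -F': *' '
        /^physical id/ { p = $2 }
        /^core id/     { seen[p "-" $2] = 1 }
        END { n = 0; for (k in seen) n++; print n }'
}

# Benchmark AES-128-GCM with AES-NI enabled, then with it masked off.
# OPENSSL_ia32cap="~0x200000000000000" clears bit 57 (AES-NI) of OpenSSL's
# first capability word, forcing the software AES implementation.
bench_aes() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found"; return 1; }
    echo "--- AES-NI enabled ---"
    openssl speed -evp aes-128-gcm -seconds 1 2>/dev/null | grep '^aes-128-gcm'
    echo "--- AES-NI disabled (software AES) ---"
    OPENSSL_ia32cap='~0x200000000000000' \
        openssl speed -evp aes-128-gcm -seconds 1 2>/dev/null | grep '^aes-128-gcm'
}

info=$(cpuinfo_text)
flags=$(cpu_flags "$info")
if has_aes_ni "$flags"; then echo "AES-NI: yes"; else echo "AES-NI: no"; fi
echo "physical cores: $(physical_cores "$info")"
if [ "${1:-}" = "bench" ]; then bench_aes; fi
```

    Run it once without arguments to see the flag and core count, then with `bench` to see the ratio between the two throughput lines; that ratio, measured on the actual hardware, is the answer to "how much does AES-NI matter here" that a spec sheet cannot give, and the same masking trick lets you reproduce the no-AES-NI case on a machine that does have the instruction.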

  • I have just done the exercise to check Sophos appliances CPUs from XG85Rev2/XG86 up to XG210Rev3.

    In general, they support AES.  But I would have to check more to make sure it is AES-NI in all cases.  I say that because Sophos appliances' CPUs are of an old generation, the earliest being released in spring 2017.  XG86, XG106 and XG115Rev3 are using Intel Apollo Lake CPUs that were released in 2016 on 14 nm lithography.  It is not archaeology yet.  But the clear goal is to shop in "EOL / Inventory clearance" to reach the cheapest price point.

    On top of it, memory and storage are kept at minimum speed.

    I personally think anything below XG115 should have never existed.

    Paul Jr

  • Big_Buck said:

    I personally think anything below XG115 should have never existed.

    Interestingly, when I started my XG Firewall journey I was advised by Sophos Australia techs not to use nor recommend anything smaller than an XG115. So glad I took that piece of advice on board.

  • I advised our sales group (we are a reseller) to never sell any of the models with only 2GB of RAM... thank goodness.  I actually turned a few potential customers away who insisted on it (not using it as a simple firewall, we're talking they wanted to use all the features on very high speed circuits with large user counts).  Didn't want the headaches.

  • It's funny how it is always the same people who complain about a concept they seemingly can't comprehend: Beta testing. It's always the same when a new EAP arrives: People download the very first version, slap it onto their machines and expect a production ready system. And then the endless complaining begins.

    EAPs are supposed to be broken. And you are supposed to break them. You are however not supposed to use them in production. Deal with it. Read up on what it actually means to use beta software. And stop complaining. It doesn't help. Anyone. At all.

    That said, I can see why Sophos deletes irrelevant posts that don't add any value to the tests.

  • You're right, it's Beta testing and we are currently on EAP 1, there's EAP 2 and 3 to go before GA.

    I've also complained before about v18 EAP 1 throughput; the main reason for it being slow was IPS, which is currently 1/3 the speed I was getting on v17.5.x.

    But I was also wrong before - I made a post saying TLS/SSL Inspection was slower than the Web Proxy (HTTPS Decrypt), which is wrong.

    TLS/SSL Inspection is currently much, much faster than Web Proxy.
    For the people that didn't watch the 14/NOV webcast, EAP 2 is coming next week.

    I'll be waiting to know what has been fixed, or if there's any IPS performance improvement on it.