
Sophos UTM vs Sophos XG

Hi everyone!

Guess I'll start by saying I'm running my firewall as a VM in ESXi running on a Mac Pro 5,1 (2x2.66GHz hex-core Xeons). The UTM has 8GB RAM and 4 cores (used to have 8, but since snort is single threaded I never saw more than about 12% CPU usage, so there wasn't much point in having seven more cores sitting idle). The XG has 6GB RAM and 4 cores. Does the XG also use snort? I did see that the CPU maxed out close to 25%, which would again indicate that the IPS scanning process is single threaded, be it snort or otherwise.

I decided to give the XG firewall a test drive to see how it stacks up against my UTM 9, which I've been using for the past year.  This was a clean install on a new VM, no migration (speaking of which, are there migration tools yet?).

My initial results are very impressive, but have led me to believe I might have something misconfigured.  While I imagine there are significant performance and efficiency gains on the XG vs the UTM, I feel a bit too impressed by the results.  My UTM struggles to scan more than 200Mbps (about), especially if I include signatures more than 6 months old.  If I go back a year or more, I drop well below 100Mbps.  I didn't find similar settings on the XG.  On the XG, with IPS, AV, and Application Control all enabled, I am getting 350+ Mbps (which is the limit of my internet speed).  While that sounds nice, I am worried I'm missing a checkbox somewhere, or some configuration that is doing more intense scanning.  I put the most strict predefined policies I could find for IPS, and applied it to the firewall rule my traffic is flowing through.  

Additionally I want to enable TCP and UDP flood restrictions, but when I run a speedtest, my internal clients show up in the IPS log as the WAN IP, so when I put in a DDoS exclusion for my internal subnet, it has no effect.  So then the only thing to do would be to include the WAN IP in the exclusion, but then that pretty much negates the point of having DDoS protection on (not that I'm worried about a DDoS, just having fun and learning).  I believe this has the additional effect of both inbound and outbound rate restriction applying simultaneously (I needed both turned off to get full speed in a speed test).  
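To make the exclusion problem above concrete, here is a small added model (not Sophos code, and not a description of how XG implements it) of a connection-flood check that can key its counts and its exclusion list either on the client address before SNAT or on the address after SNAT. The addresses, the threshold and the sample flows are all constructed. It shows why an exclusion for the internal subnet does nothing when the check sees the post-NAT WAN IP, why excluding the WAN IP instead exempts every internal host at once, and that keying on the pre-NAT address keeps per-host granularity.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One new outbound connection as a hypothetical firewall might record it."""
    ts: float           # seconds
    pre_nat_src: str    # client address before SNAT
    post_nat_src: str   # address after SNAT (the WAN IP for outbound traffic)
    dst: str
    dport: int


WAN_IP = "203.0.113.10"  # constructed WAN address (TEST-NET-3)


def build_sample_flows():
    """Constructed sample: one client running a speed test, one ordinary client."""
    flows = []
    # Speed test: 40 parallel connections opened within 0.8 s by 192.168.1.50.
    for i in range(40):
        flows.append(Flow(100.0 + i * 0.02, "192.168.1.50", WAN_IP, "198.51.100.7", 8080))
    # Ordinary client: 3 connections spread over ~1 s.
    for i in range(3):
        flows.append(Flow(100.0 + i * 0.3, "192.168.1.20", WAN_IP, "198.51.100.9", 443))
    return flows


def is_excluded(ip, exclusions):
    """True if `ip` falls inside any CIDR in the exclusion list."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in exclusions)


def flood_offenders(flows, exclusions, key, threshold, window=1.0):
    """Return source addresses (as seen at `key`, either 'pre_nat_src' or
    'post_nat_src') that opened more than `threshold` connections inside any
    `window`-second span and were not covered by `exclusions`."""
    by_src = {}
    for f in flows:
        src = getattr(f, key)
        if is_excluded(src, exclusions):
            continue
        by_src.setdefault(src, []).append(f.ts)

    offenders = set()
    for src, times in by_src.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Slide the window so times[start..end] spans at most `window` seconds.
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 > threshold:
                offenders.add(src)
                break
    return offenders


def scenarios(threshold=20):
    """The four cases discussed in the post, evaluated on the constructed flows."""
    flows = build_sample_flows()
    lan = ["192.168.1.0/24"]
    return {
        # Exclusion for the LAN subnet, but the check sees the WAN IP: no effect.
        "post_nat_lan_exclusion": flood_offenders(flows, lan, "post_nat_src", threshold),
        # Excluding the WAN IP silences the alert, but also exempts every host behind it.
        "post_nat_wan_exclusion": flood_offenders(flows, lan + [WAN_IP + "/32"], "post_nat_src", threshold),
        # Keyed on the pre-NAT address, the LAN exclusion works as intended.
        "pre_nat_lan_exclusion": flood_offenders(flows, lan, "pre_nat_src", threshold),
        # Keyed on the pre-NAT address with no exclusion, only the speed-test host trips it.
        "pre_nat_no_exclusion": flood_offenders(flows, [], "pre_nat_src", threshold),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:24s} -> {sorted(result) or 'no offenders'}")
```

The takeaway for a defender is that an exclusion list is only as good as the address the flood counter actually sees; when logs show the WAN IP as the source, the counter is running after NAT, and exclusions written in terms of internal subnets cannot match.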

  • My humble opinion.

    Keep your UTM for at least one more year.  Too many basic problems to solve around here.  Unless you're curious and consent to spend hours at debugging and monitoring.

    XG is just too high maintenance still.

    Paul Jr

  • I have had XG set up at home and at work now for about 8-9 months.  What I can say is that I have not seen too many issues, a few thoughts here:

    Although you do lose out on notifications, which in turn has made me investigate less, I am still not sure if this is good or bad.  Since attacks or attempts will occur all the time, do I really need to know, or am I better off spending my time elsewhere?

    Performance has been good, although I have seen the same DDoS issues as you with speed tests.  I have not taken the time to find a workaround for this; it would be great if anyone had a tutorial.

    The reporting aspects do work pretty well if they are working and you take the time to learn them. 

    Having the zones also helps in my mind by separating different aspects of traffic.  But this just could be an experience I enjoy.

    One thing I would recommend would be to create a country blocking rule, since the XG does not really have this option built in and you have to create them.  I would also suggest checking the logs to see what is being blocked; I believe there was a TTL adjustment I had to make after first setting it up, but I cannot remember now.  i.e. there were a few false positives being blocked.

    From an enterprise standpoint, I do like the heartbeat/Sophos central features as well but you have to have enterprise licensing, as far as I know, to get that aspect to work.

  • It's all about the "passion" you have to learn new stuff.

    Most people running UTM/XG at home are builders like myself and like to dig deep into stuff and perform new installations.

    The migration to a new platform can be difficult if you do not have time to spend on the new system.

    If you want to discuss specific stuff, try to install XGv18 EAP1 and rerun your tests.  Maybe you will get better numbers.

  • Thank you!  Yeah, I'm just disconnecting my UTM in VMware and connecting the XG in its place for testing.  If the host ever went down, it would come back up with the UTM connected. :)

    I did also find out that, similarly to the UTM, Netflix on Smart TVs is broken by the HTTP scanning.  I have to disable HTTP scan for Netflix to load, as has already been discussed on the Sophos forums.

    I do see that the XG has an apparent performance advantage over the UTM and the web interface is MUCH, MUCH better looking, MUCH faster (remember how long it takes for the log viewer on the UTM to load?) and the way rules and policies are applied is in line with other next gen firewall solutions.

  • Appreciate your response!!  Yeah, I added a zone for my Guest network, which helps nicely.  I do like the rule grouping feature in concept, although it confused me at first :D.

    Thanks for your advice on the country blocking, I'll look into that.  I actually just did that at work on a different, more mature firewall for some services that were getting nailed with botnet attacks from China and Italy all the time; I just changed my rules to stop allowing traffic from there.

  • I'll give it a shot!

    Thank you for your response!