
Sophos UTM vs Sophos XG

Hi everyone!

Guess I'll start by saying I'm running my firewall as a VM in ESXi running on a Mac Pro 5,1 (2x2.66GHz hex-core Xeons).  The UTM has 8GB RAM and 4 cores (used to have 8, but since snort is single threaded I never saw more than about 12% CPU usage, so there wasn't much point in having seven more cores sitting idle).  The XG has 6GB RAM and 4 cores.  Does the XG also use snort?  I did see that the CPU maxed out close to 25%, which would again indicate that the IPS scanning process is single threaded, be it snort or otherwise.

I decided to give the XG firewall a test drive to see how it stacks up against my UTM 9, which I've been using for the past year.  This was a clean install on a new VM, no migration (speaking of which, are there migration tools yet?).

My initial results are very impressive, but have led me to believe I might have something misconfigured.  While I imagine there are significant performance and efficiency gains on the XG vs the UTM, I feel a bit too impressed by the results.  My UTM struggles to scan more than about 200Mbps, especially if I include signatures more than 6 months old.  If I go back a year or more, I drop well below 100Mbps.  I didn't find similar settings on the XG.  On the XG, with IPS, AV, and Application Control all enabled, I am getting 350+ Mbps (which is the limit of my internet speed).  While that sounds nice, I am worried I'm missing a checkbox somewhere, or some configuration that does more intense scanning.  I put in the most strict predefined policies I could find for IPS, and applied them to the firewall rule my traffic is flowing through.

Additionally, I want to enable TCP and UDP flood restrictions, but when I run a speedtest, my internal clients show up in the IPS log as the WAN IP, so when I put in a DDoS exclusion for my internal subnet, it has no effect.  So then the only thing to do would be to include the WAN IP in the exclusion, but that pretty much negates the point of having DDoS protection on (not that I'm worried about a DDoS, just having fun and learning).  I believe this has the additional effect of both inbound and outbound rate restriction applying simultaneously (I needed both turned off to get full speed in a speed test).

  • My humble opinion.

    Keep your UTM for at least one more year.  Too many basic problems to solve around here.  Unless you're curious and consent to spending hours debugging and monitoring.

    XG is just too high maintenance still.

    Paul Jr

  • It's all about the "passion" you have to learn new stuff.

    Most people running UTM/XG at home are builders like myself who like to dig deep into stuff and perform new installations.

    The migration to a new platform can be difficult if you do not have time to spend on the new system.

    If you want to discuss specific stuff, try to install XGv18 EAP1 and rerun your tests. Maybe you will get better numbers.
