
Sophos UTM vs Sophos XG

Hi everyone!

Guess I'll start by saying I'm running my firewall as a VM in ESXi running on a Mac Pro 5,1 (2x 2.66 GHz hex-core Xeons).  The UTM has 8GB RAM and 4 cores (used to have 8, but since Snort is single-threaded I never saw more than about 12% CPU usage, so there wasn't much point in having seven more cores sitting idle).  The XG has 6GB RAM and 4 cores.  Does the XG also use Snort?  I did see that the CPU maxed out close to 25%, which would again indicate that the IPS scanning process is single-threaded, be it Snort or otherwise.

I decided to give the XG firewall a test drive to see how it stacks up against my UTM 9, which I've been using for the past year.  This was a clean install on a new VM, no migration (speaking of which, are there migration tools yet?).

My initial results are very impressive, but have led me to believe I might have something misconfigured.  While I imagine there are significant performance and efficiency gains on the XG vs the UTM, I feel a bit too impressed by the results.  My UTM struggles to scan more than 200Mbps (about), especially if I include signatures more than 6 months old.  If I go back a year or more, I drop well below 100Mbps.  I didn't find similar settings on the XG.  On the XG, with IPS, AV, and Application Control all enabled, I am getting 350+ Mbps (which is the limit of my internet speed).  While that sounds nice, I am worried I'm missing a checkbox somewhere, or some configuration that is doing more intense scanning.  I put the most strict predefined policies I could find for IPS, and applied it to the firewall rule my traffic is flowing through.  

Additionally I want to enable TCP and UDP flood restrictions, but when I run a speedtest, my internal clients show up in the IPS log as the WAN IP, so when I put in a DDoS exclusion for my internal subnet, it has no effect.  So then the only thing to do would be to include the WAN IP in the exclusion, but then that pretty much negates the point of having DDoS protection on (not that I'm worried about a DDoS, just having fun and learning).  I believe this has the additional effect of both inbound and outbound rate restriction applying simultaneously (I needed both turned off to get full speed in a speed test).  
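The exclusion problem described in the post (internal clients showing up in the IPS log as the WAN address, so an exclusion for the internal subnet never matches) is easiest to see with a small model of a rate-based flood detector. The following is an added example, not code from the original post and not Sophos XG's own implementation; it assumes, as a hypothesis, that the flood check is keyed on the source address after source NAT has been applied, and it uses constructed connection records rather than real log data. It shows that with post-NAT keying the three internal hosts collapse into one source, the internal-subnet exclusion has no effect, and the only exclusion that works is the WAN address itself, which disables the check entirely; keying on the pre-NAT address lets the subnet exclusion behave as intended.

```python
import ipaddress
from collections import Counter

# Constructed sample data (not real Sophos XG logs): three internal hosts behind
# one source-NAT address, each opening many outbound TCP connections, as a
# speed test would.
WAN_IP = "203.0.113.10"
INTERNAL_NET = ipaddress.ip_network("192.168.1.0/24")
INTERNAL_HOSTS = ("192.168.1.20", "192.168.1.21", "192.168.1.22")


def make_records(conns_per_host):
    """Build constructed connection records carrying both the pre-NAT (LAN) and
    post-NAT (WAN) source address, so either view can be inspected."""
    records = []
    for host in INTERNAL_HOSTS:
        for _ in range(conns_per_host):
            records.append({"pre_nat_src": host, "post_nat_src": WAN_IP, "proto": "tcp"})
    return records


def flood_sources(records, key, threshold, exclusions=()):
    """Return {source: connection_count} for every source whose count exceeds
    `threshold`, skipping sources that fall inside any excluded network.

    `key` selects which address field the detector looks at: "pre_nat_src"
    (the internal client) or "post_nat_src" (the WAN address after SNAT).
    The exclusion test is deliberately done on the same field the count uses,
    which is what makes a LAN-subnet exclusion useless under post-NAT keying.
    """
    exclusions = [ipaddress.ip_network(e) for e in exclusions]
    counts = Counter(r[key] for r in records if r["proto"] == "tcp")
    flagged = {}
    for src, n in counts.items():
        addr = ipaddress.ip_address(src)
        if any(addr in net for net in exclusions):
            continue
        if n > threshold:
            flagged[src] = n
    return flagged


def compare_keying(conns_per_host=60, threshold=50):
    """Run the same traffic and the same LAN exclusion through both keying modes
    and return the flagged sources for each, so the difference is explicit."""
    recs = make_records(conns_per_host)
    lan_excl = [str(INTERNAL_NET)]
    return {
        # Pre-NAT keying: each host is counted separately, and the LAN exclusion matches.
        "pre_nat_no_excl": flood_sources(recs, "pre_nat_src", threshold),
        "pre_nat_lan_excl": flood_sources(recs, "pre_nat_src", threshold, lan_excl),
        # Post-NAT keying: everything is the WAN IP; the LAN exclusion cannot match it.
        "post_nat_lan_excl": flood_sources(recs, "post_nat_src", threshold, lan_excl),
        # Excluding the WAN IP itself "fixes" it only by excluding all outbound traffic.
        "post_nat_wan_excl": flood_sources(recs, "post_nat_src", threshold, [WAN_IP + "/32"]),
    }


if __name__ == "__main__":
    for name, result in compare_keying().items():
        print(f"{name:>18}: {result}")
```

The `compare_keying` output makes the trade-off concrete: under post-NAT keying the WAN address is flagged with the combined count of all internal hosts, the `192.168.1.0/24` exclusion changes nothing, and the only exclusion that quiets the alert is the WAN address itself. If the real engine behaves this way, the practical checks are whether the exclusion list accepts the pre-NAT source (or a zone/interface match instead of an address), and whether the IPS log shows the original client address anywhere in the record, which would indicate the address is available before the flood check runs.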



  • My humble opinion.

    Keep your UTM for at least one more year.  Too many basic problems to solve around here.  Unless you're curious and consent to spend hours at debugging and monitoring.

    XG is just too high maintenance still.

    Paul Jr

  • Thank you!  Yeah, I'm just disconnecting my UTM in VMware and connecting the XG in its place for testing.  If the host ever went down, it would come back up with the UTM connected. :)

    I did also find out that, similarly to the UTM, Netflix on Smart TVs is broken by the HTTP scanning.  I have to disable HTTP scan for Netflix to load, as has already been discussed on the Sophos forums.

    I do see that the XG has an apparent performance advantage over the UTM, and the web interface is MUCH, MUCH better looking, MUCH faster (remember how long it takes for the log viewer on the UTM to load?), and the way rules and policies are applied is in line with other next-gen firewall solutions.
