
Sophos UTM vs Sophos XG

Hi everyone!

Guess I'll start by saying I'm running my firewall as a VM in ESXi running on a Mac Pro 5,1 (2x2.66GHz hex-core Xeons). The UTM has 8GB RAM and 4 cores (it used to have 8, but since Snort is single-threaded I never saw more than about 12% CPU usage, so there wasn't much point in having seven more cores sitting idle). The XG has 6GB RAM and 4 cores. Does the XG also use Snort? I did see that the CPU maxed out close to 25%, which would again indicate that the IPS scanning process is single-threaded, be it Snort or otherwise.

I decided to give the XG firewall a test drive to see how it stacks up against my UTM 9, which I've been using for the past year.  This was a clean install on a new VM, no migration (speaking of which, are there migration tools yet?).

My initial results are very impressive, but have led me to believe I might have something misconfigured.  While I imagine there are significant performance and efficiency gains on the XG vs the UTM, I feel a bit too impressed by the results.  My UTM struggles to scan more than 200Mbps (about), especially if I include signatures more than 6 months old.  If I go back a year or more, I drop well below 100Mbps.  I didn't find similar settings on the XG.  On the XG, with IPS, AV, and Application Control all enabled, I am getting 350+ Mbps (which is the limit of my internet speed).  While that sounds nice, I am worried I'm missing a checkbox somewhere, or some configuration that is doing more intense scanning.  I put the most strict predefined policies I could find for IPS, and applied it to the firewall rule my traffic is flowing through.  

Additionally, I want to enable TCP and UDP flood restrictions, but when I run a speed test, my internal clients show up in the IPS log as the WAN IP, so when I put in a DDoS exclusion for my internal subnet, it has no effect. So then the only thing to do would be to include the WAN IP in the exclusion, but that pretty much negates the point of having DDoS protection on (not that I'm worried about a DDoS, just having fun and learning). I believe this has the additional effect of both inbound and outbound rate restriction applying simultaneously (I needed both turned off to get full speed in a speed test).
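The exclusion problem described above comes down to which address the flood counter is keyed on. The following is an added illustration, not the original poster's setup and not Sophos's implementation: a toy per-source flood counter where the `WAN_IP`, the `192.168.1.0/24` LAN, the threshold and the speed-test traffic are all constructed values. It models two ways of keying the counter, on the client's original address or on the post-SNAT address, and shows why a LAN-subnet exclusion cannot match when the key is the WAN address. Whether XG evaluates its exclusions after SNAT is an assumption made here to match what the log in the post shows.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed values (hypothetical, not taken from the thread):
WAN_IP = "203.0.113.10"                 # firewall's public address after SNAT
LAN = ip_network("192.168.1.0/24")      # internal subnet the poster wanted to exclude
THRESHOLD = 100                         # packets/second from one source before we flag it


def snat(src):
    """Source NAT: internal hosts leave the firewall as the WAN address."""
    return WAN_IP if ip_address(src) in LAN else src


def flood_check(packets, exclusions, key_after_nat):
    """Toy per-source flood counter over one second of traffic.

    packets:       list of (src_ip, dst_ip) tuples observed in one second
    exclusions:    list of networks/hosts whose traffic is not counted
    key_after_nat: True  -> count and match exclusions on the post-SNAT source
                   False -> count and match exclusions on the original source
    Returns {source: packet_count} for every source over THRESHOLD.
    """
    nets = [ip_network(e) for e in exclusions]
    counts = defaultdict(int)
    for src, _dst in packets:
        key = snat(src) if key_after_nat else src
        if any(ip_address(key) in n for n in nets):
            continue                     # excluded source: never counted
        counts[key] += 1
    return {k: v for k, v in counts.items() if v > THRESHOLD}


def build_speedtest_traffic():
    """Constructed sample: three LAN hosts each push 60 packets/s to a speed-test server."""
    hosts = ["192.168.1.10", "192.168.1.11", "192.168.1.12"]
    return [(h, "198.51.100.5") for h in hosts for _ in range(60)]


def demo():
    traffic = build_speedtest_traffic()
    return {
        # Keyed on the real client address: 60/s each, nobody crosses the threshold.
        "pre_nat_no_exclusion": flood_check(traffic, [], key_after_nat=False),
        # Keyed on the post-NAT address: all 180/s collapse onto the WAN IP, which gets flagged.
        "post_nat_no_exclusion": flood_check(traffic, [], key_after_nat=True),
        # The LAN exclusion is compared against the WAN IP, so it never matches anything.
        "post_nat_lan_excluded": flood_check(traffic, ["192.168.1.0/24"], key_after_nat=True),
        # Excluding the WAN IP stops the flag, but also stops counting every outbound packet.
        "post_nat_wan_excluded": flood_check(traffic, [WAN_IP], key_after_nat=True),
    }


if __name__ == "__main__":
    for name, flagged in demo().items():
        print(f"{name:24s} -> {flagged or 'nothing flagged'}")
```

The point the model makes is that an exclusion list is only useful if it is matched against the same address the counter is keyed on; once several clients are folded into one post-NAT source, both the aggregate rate and the exclusion lose the per-client information, and the only remaining knob (excluding the WAN address) turns off outbound counting altogether.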

  • I have had XG set up at home and at work now for about 8-9 months. What I can say is that I have not seen too many issues; a few thoughts here:

    Although you do lose on notifications, which in turn has made me investigate less, I am still not sure if this is good or bad, since attacks or attempts will occur all the time. Do I really need to know, or am I better off spending my time elsewhere?

    Performance has been good, although I have seen the same DDoS issues as you with speed tests. I have not taken the time to find a workaround for this; it would be great if anyone had a tutorial.

    The reporting aspects do work pretty well if they are working and you take the time to learn them. 

    Having the zones also helps in my mind by separating different aspects of traffic.  But this just could be an experience I enjoy.

    One thing I would recommend would be to create a country blocking rule, since the XG does not really have this option built in and you have to create it yourself. I would also suggest checking the logs to see what is being blocked; I believe there was a TTL adjustment I had to make after first setting it up, but I cannot remember now. I.e., there were a few false positives being blocked.

    From an enterprise standpoint, I do like the heartbeat/Sophos central features as well but you have to have enterprise licensing, as far as I know, to get that aspect to work.

  • Appreciate your response!! Yeah, I added a zone for my Guest network, which helps nicely. I do like the rule grouping feature in concept, although it confused me at first :D.

    Thanks for your advice on the country blocking, I'll look into that. I actually just did that at work on a different, more mature firewall for some services that were getting nailed with botnet attacks from China and Italy all the time; I just changed my rules to stop allowing traffic from there.
