How is the upgrade going from v17 to v18?

The community seems to be very quiet these days.

Apart from some users, it seems that few people have moved their XG box to v18, but not in production.

Any production feedback?

Thanks



  • I moved one of my XG boxes (a lightly used one) to v18 mostly to test. The migration went ok and everything "worked"; enabling Kerberos failed due to a bug that had to be manually corrected (it works now).

    I mostly found the migrated NAT rules to be a mess so I set out to clean that up. I've changed over from the web proxy to DPI engine for decryption and beyond discovering some "gotchas" with that, it's worked fine. It seems stable and the performance of the hardware is good. The Log Viewer is still mostly useless but I've given up on the idea that Sophos will ever understand this; they believe their log viewer is great while us administrators who have to use it to discover what is wrong find it to be awful. Irreconcilable differences.

    Personally, I do not really like the "new" design where we now have 3 different tabs to deal with firewall rules, NAT policies, and TLS rules. I know the power users out there like the new decoupled NAT and I'm sure from a technical standpoint it's superior in every way, but I used to be able to do everything I needed from a firewall rule and now it's just not that simple anymore. Oh well, probably just a personal preference.

  • Hoping to deploy to a couple test units in the next couple of weeks, but my company will likely not be deploying v18 to production for 9+ months. It normally takes us 1-2 months to vet/avoid the terribly buggy MRs, I'm sure it will take us 2-3 times as long to vet a new ver feature release.
    Oh yeah we also have around 100 SG/XG105 units that we have to rip and replace since they were dropped on v18.

  • Thanks Bill.

    Nice to hear that v18, apart from some small bugs, works. For reporting and logging, I opened a long thread.

    Please share your feedback. Sophos needs to listen to us for these 2 fields.

    Thanks

  • Hi,

    Most is working as expected; the only thing which makes some problems is WAF, which is obviously related to the update of ModSecurity.

    I like the new way in which Firewall Rules are handled with separate NAT and Decryption Profiles, because it makes the configuration much more granular.

    The new DPI Engine seems to be blazing fast when compared to the old one.

    Regards, Dwayne Parker

  • Hello Bill,

    Well, I think we all can vote with our feet, as we say. I'm already looking at what new shoes I put on and where to go.
    I will wait until v18.5 at the latest, and I do not have any illusions that Sophos will change its mind.

    Regards

    alda

  • Hi everybody, thank you for the info.

    One stupid question: Why doesn't the new firmware V18 appear in the firewall console, under "latest available firmware"?

  • Hi,

    It simply hasn't been put into automatic deployment yet. I would suspect that there are still too many machines running versions 17.5.8 or older which will not upgrade.

    Ian

  • Hello

    The update runs smoothly, after a certain time...

    What I have appreciated is quite simple: everything runs (DNAT, WAF, VPN, routing...) after the update!

    But I agree, the translated infamous FW/NAT/PBR are a mess, and it will be a mess to manage...

  • I second you Bill, Sophos Live logs are just useless, as most of the NGFWs give a dashboard for live logs for analytics and understanding, which is not available in Sophos. I have raised this issue multiple times with them but am still waiting to see if we get anything like this in the near future.