
New XG125 w/ V4 Firmware

SOPHOS ISSUES   XG125 New Oct 2020

1) Extremely, and I mean EXTREMELY, slow admin interface. Approx. 15-30 seconds each and every time you make a change to any parameter before it has finished writing it and refreshing the screen. You need to plan carefully, because if you have a dozen or more rules to add, it takes quite a long while to enter them.

2) Screen does not allow enough space to see the name of the Address object; it cuts off after the 3rd segment, i.e. 192.168.100., so you must mouse over each and every rule to find the right one. Very time consuming and needless. Allow the full width of the screen and the problem is solved.

3) With 21 rules added and associated NATs entered, the XG is showing 78% memory usage. What?? Why? I haven't entered any VLAN information yet. What happens when it is 90, 95 or more % filled, does it just keel over?

4) It takes MINUTES to reboot; plan carefully because you will be offline for at least 5-6 minutes.

5) Right out of the box, could not configure 100/FULL duplex, could not get a WAN link light. Had to configure it 1GbE/FULL and pay the extra at the hosting facility. OK, perhaps that is fine, but WHY?

6) VPN: cannot select from multiple VPN END POINTS. Meaning, if you have more than one location, you must rename the configuration file and use the configuration file specific to the end point you want to connect to. Someone really has to be kidding with this one; it is not 1971, is it?

7) High CPU usage, 50, 65, 80% CPU, and the unit is not even active yet. WHY? It settles down after a while to 10-20%, but what is it doing during the other moments? Again, no traffic yet.

8) Some NAT rules seem to go offline after 15-20 minutes and need to be resaved to take effect again for another 15-20 minutes. Not all of them, just some of them. What? Again, how could that even be possible? It really raises concerns about this particular device's quality. Regardless, paying extra to have the authorized reseller research the issue, but can't turn this on this way.

POSITIVES

     Country blocking interface is easy to configure and worked reasonably well. But not certain the SOPHOS country IP list is really up to date, because it is letting through some that are "Blocked" zones.

     Cost: it was cheaper than all of the other manufacturers at similar hardware levels by 30%. Got me to buy it, but see issues... is it worth the extra trouble?

     Some reporting seems better than others like Sonicwall and Cisco ASA (whose reporting is really quite inadequate by default), but Sonicwalls don't have the other 8 problems above, and we have had a dozen of them of all sizes.

     Colors on the graphs are nice, but what pertinent information am I getting with those graphs?

Lastly, all of this having been said, there might be corrections available for #5, #6, #8. But the others seem like something we would have to just live with... not sure that is reasonable, and very uncomfortable putting any load on this with CPU and memory where they seem to be. We have an SG125 also that we loaded the XG software onto as well... same thing (except #8 not happening).

  • Hi,

    how much memory is your 125 configured with?

    For the WAN interface try using auto rather than manual configuration.

    The XG GUI is not the fastest in the world, that is why I went back to my e3 for home use over the Atom based low power unit.

    Boot time even on my e3 takes about 3-5 minutes.

    Why do you need all the NAT rules, in most cases for external access a generic MASQ rule will suffice.

    Country blocking is quite good, but please remember that some companies from blocked countries use MS or AWS servers in non-blocked countries, yes a right royal pain.

    Sounds like you might have needed a 135.

    Ian

  • Thank you for the quick response Ian. I purchased the recommended unit from firewalls.com; it did not occur to me that it would have less memory than an iPhone 4. Possibly it can be upgraded. "XG GUI is not fastest" is an understatement, I think. If you have also used virtually any other similar unit from any other manufacturer, you would have a completely different opinion, I think. Essentially this appears to be the same hardware we purchased in 2016. We at that time had issues with the UTM and switched back to a Sonicwall 2400. However, was giving SOPHOS one more try because FW(s).com said it worked well. NAT rules are because we have multiple websites along with QA and DEV regions, 5 + 5 + 5, + email server etc., plus country blocking. Again I know, 135... but the SW2400 has far less advertised throughput and worked fine for 4 years. So $ for $ Sophos is more expensive if I am counting my chickens. And as far as country blocking, I have software on the webservers because Russia, China, Ireland, Netherlands have been hammering our servers to break in, so software on the servers is catching the remaining.

    But thank you for your thoughts. I am more thinking that SONICWALL has the upper hand here. Given apples to apples, TZ400 etc... with a newly acquired test TZ400, none of these issues came up... none.

    I provided my experience in hopes of helping some other poor, unassuming operator to avoid the same headaches I have experienced with both the original SG and the newer XG appliance.

    Best Regards,

    Robert

  • Hi Robert,

    I have extensive experience with the UTM, but that was really before Sophos took over and it was a very responsive GUI. I have also used Palo Alto and Cisco and still find the XG GUI extremely slow. My machine has a mix of IPv4 and IPv6 and around 45 active rules. With country blocking, are you dropping or rejecting in the firewall rule? Drop is preferred.

    Ian

    Also are you sending the bad countries to a deadend address?

  • Hi Ian,

    Yes, I do appreciate your experience. Yes, dropping, because there is no reason for rejected countries to have any information at all. I also thought the UTM was a decent device and it worked as advertised for the time we had it; however, the VPN single endpoint connection drove the network folks nuts, so we changed back to SW for our multiple locations. I was just really taken aback that after 4 years, the XG unit is so lacking in both usability and performance; it actually is stunning. I guess my expectations were just assumptions that it would have made positive progress, not negative. Having a specific business budget for hardware, we attempt to get the best value for our available $ each year. However, this time, we are just about ready to throw in the towel and move back to Sonicwall; whatever the expense, it's worth the reduced time and effort we have been putting in trying to get these devices fully functional. There are going to be a couple of lightly used (like never) SG125 and XG125 available on eBay soon ;)

    Best Regards,

    Robert

  • XG resource and webadmin consumption are basically another approach. The Webadmin should be faster in regards to your response time, but will not get slower than your current experience, even if you pump the configuration full. That's a pro statement. The database is built to get as many objects and as much configuration into it as possible, without losing speed. What you can do: use Central Management to get your configuration done. In Central you can configure most of your stuff in a quick manner (as it uses the cloud backend). It will then push the configuration to the XG.

    The Webadmin does not have the highest priority compared to other modules, simply because the hardware is limited to its own resources and Sophos needs to think about: should the appliance get slower in throughput if somebody starts to configure something? That's the reason the appliance does not give you many resources to deal with the webadmin.

    Do not think about the Mem / CPU consumption. It will not increase if you add 100 VLANs. It will not increase if you add 500 VLANs plus more rules. The backend has already placed its bet on your configuration.

    About your VPN point: I am not able to understand what you mean. Do you talk about site-to-site VPN or remote access? Sophos promotes Sophos Connect (own VPN client for IPsec/SSLVPN). Should be one config file for everything, and it's free.

    Your NAT issue looks odd to me. I would recommend not using linked NAT rules. Instead, only NAT rules for your needs (DNAT for example) and everything else fetched by the default SNAT rule on the bottom to MASQ the traffic to WAN.

  • Hi Robert,

    1) This is not the fastest, but not that slow. Don't have an XG 125, but interface speed is not much correlated to the price of the device (which means that on an XG 550 it is also not the fastest GUI on earth and not much faster than an XG 135). I assume it is single threaded and depends on the speed of one processor.

    2) Yes, search options and references should be a must at "Enterprise" level. Organize by groups in source and destination zones. This helped me. Everything is very space consuming and you need to scroll a lot.

    3), 7) Check what processes are consuming CPU and memory (CLI + top). We had some testing packets with random destination addresses that hit the firewall at a rather low bandwidth. This was driving the IPS mad, and after disabling it on the affected rules everything ran much smoother (could be another issue in your case, e.g. you are attacked heavily and the IPS is getting mad on the WAN side).

    4) Not too unusual for any PC hardware. If you need HA or better availability, consider making an active-passive cluster. You only have to pay hardware maintenance + hardware of the second firewall. This also reduces the downtime at updates for most services to 0 (some services are not clustered, especially VPN stuff).

    5) This is under Network - Interfaces - Advanced Settings (could not test; everything on 1 GBit/s).

    8) Have never seen this.

    (Using XG 550, XG 210, XG 135W)

  • Hi LuCar, thank you for your thoughts. I will look into Central Management, which seems like a reasonable option. For the last point with the NATs stopping, our FW's vendor redid their data entry setup and suggests the problem should go away now.

    Best Regards,

    Robert