
Changing from UTM to XG

Hello to all!

Since a few days I am evaluating XG in order to replace my UTM

I have been running Sophos UTM for the last 5+ years, have been extremely pleased with it, but I started considering moving on.

So installed XG on a second machine I have...

I find XG's logic more... logical to be honest, but this does not mean that I can necessarily follow this logic, especially for someone like me who has been spoiled for so many years with the UTM's user friendliness.

Anyway, my use case is the below:

One WAN connection using PPPoE with a 3G failover. (I will soon be adding a second WAN connection via a WISP, but that is a matter for another day)

I have a few NAT rules to access some non-important services remotely. I use VPN to securely access my important stuff.

I have a couple of VLANs for guests and IoT devices.

I also have 3 dynamic dns hostnames that point to 3 different machines on my internal network.

I use Advanced threat protection, web filtering and application control in order to block ads and access to bad sites (aka young kids)

Also a few web filtering profiles to block internet access using some criteria (e.g. kids tablets during specific hours, IP cameras etc)

So I started my tests to see how I can transfer my configuration to XG. Not a dead easy task: XG's WAN port is now connected to the guest network, so I cannot simulate my PPPoE WAN and have this as DHCP. I assume PPPoE will have no issues, though; I will just need to change the interface type when I decide to go in production.

I also checked NAT options. After a quick look I realized that while on the UTM I was creating 2 rules (DNAT and Full NAT) in order to access from inside using the "external" address, now on XG it is only a checkbox to enable this option. Really nice (unless I was stupid with my UTM config and dual rules were not needed, that is)

VLANs also are straight forward on XG, as I see, and the usage of Zones makes things much more organized IMHO.

The log is another thing... Pardon me, but the one on the UTM was not good. Especially since there were essentially no filtering options, trying to find something using the available method was simply a pain. In XG things appear to be much easier in this regard. Of course I will clearly find out when I go live with XG, because in my test environment I have for starters only one machine behind XG, so not the same thing

I then went on to the DynDNS thing. I am accustomed to the UTM logic where I was adding the dynamic dns account, then on webserver protection creating real webservers, then the virtual ones and was assigning the dyndns host to the virtual webserver.

I did not see the same approach on the XG... how does this work in XG? Not entirely clear to me, granted I only played a few hours with it, so will have to explore more I guess. Searching about this, however, I realized that everything I could find was about the new feature where sophos can be used as a DDNS server. (BTW does this mean I can discard what I have now and use sophos for 3 or more hostnames that I need?)

An important question: Is something important still missing from XG compared to UTM features? (I remember in the past reading posts about some missing features that were deal breakers for some users. But I can't find those any more and additionally XG has evolved a lot since then and said features may be already added by now)

A thing that is missing and it bothers me is the lack of UPS management. Having said this, I know it is not extremely important in a firewall and UTM's implementation was pretty basic anyway. Nevertheless, the ability to gracefully shut down the machine was nice to have. Additionally, the notification of a power loss via email was a good piece of information. I liked that even when I was away I was still aware of power issues at my house. Do you think it will ever be added to XG? I hope so, even in the basic form UTM had it.

Another thing... The test machine I have now is using a Haswell Core i3-4130 CPU with 8GB of RAM (I know only 6 is used in Home edition). So it is powerful enough. My actual firewall has an Atom C2358 with 4 GB of RAM (it can be upgraded to more RAM if needed). Do you think it can handle XG with the same stuff running in the background as UTM does?

Is there anything else I should be aware of before I make the transition, or after my transition?

Thanks in advance for all your comments/answers!!



  • Hi,

    Very quickly, the i3 is more than adequate. With XG the faster the CPU the better, not the processing power.

    Ian

  • Hello! Thanks for your reply.

    The i3 is the temporary machine. The main firewall uses an Atom C2358. This is the CPU that will host the firewall after the transition, unfortunately, not the i3. Do you believe it will be adequate, or should I simply not try at all?

  • Hi,

    That will work, make sure you add extra memory. Also the NICs should not be i219 series (not supported) or Realtek.

    Ian
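
The reply above names two NIC families to avoid (Intel i219, Realtek), and the next post pastes `lspci` output to check against that advice. The script below is an added example, not from the thread or from Sophos: it reads `lspci`-style lines and flags Ethernet controllers matching those families. The sample lines are constructed for illustration (the I354 lines mirror the post below; the I219 and Realtek lines are made up), and the `check_nics`/`count_unsupported` function names are my own.

```shell
#!/bin/sh
# Added example: pre-migration NIC check based on the advice in this thread
# (Intel I219 and Realtek NICs called unsupported on XG). Not Sophos code.

# Constructed sample lspci output; feed real output with:  lspci | check_nics
SAMPLE_LSPCI='00:14.0 Ethernet controller: Intel Corporation Ethernet Connection I354 (rev 03)
00:14.1 Ethernet controller: Intel Corporation Ethernet Connection I354 (rev 03)
00:1f.6 Ethernet controller: Intel Corporation Ethernet Connection (7) I219-V
02:00.0 Ethernet controller: Realtek Semiconductor Co., Ltd. RTL8111/8168/8411 PCI Express Gigabit Ethernet Controller'

# check_nics: read lspci lines on stdin, print one line per Ethernet controller
# tagged OK or UNSUPPORTED; exit status 1 if anything was flagged.
check_nics() {
    bad=0
    while IFS= read -r line; do
        # Only look at Ethernet controllers, skip every other PCI device.
        case "$line" in
            *"Ethernet controller"*) ;;
            *) continue ;;
        esac
        # Match the families named in the thread: I219 series and Realtek chips.
        case "$line" in
            *I219*|*Realtek*|*RTL8*) printf 'UNSUPPORTED %s\n' "$line"; bad=1 ;;
            *)                       printf 'OK          %s\n' "$line" ;;
        esac
    done
    return $bad
}

# count_unsupported: number of flagged controllers in the stdin lspci output.
count_unsupported() {
    check_nics | awk '/^UNSUPPORTED/ { n++ } END { print n + 0 }'
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_LSPCI" | check_nics || echo "at least one NIC is not recommended for XG"
```

Run it as `lspci | sh nic_check.sh` on the box you intend to migrate; the four I354 ports from the post below all come back `OK`.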

  • I will see about replacing one of the 2GB sticks with a 4GB one so that I can use full 6GB of RAM that the home license allows.

    Regarding NICs, I think I am good:

    00:14.0 Ethernet controller: Intel Corporation Ethernet Connection I354 (rev 03)
    00:14.1 Ethernet controller: Intel Corporation Ethernet Connection I354 (rev 03)
    00:14.2 Ethernet controller: Intel Corporation Ethernet Connection I354 (rev 03)
    00:14.3 Ethernet controller: Intel Corporation Ethernet Connection I354 (rev 03)

    Thanks a lot for your advice! Do you perhaps have any insight regarding my DDNS questions above?

    I then went on to the DynDNS thing. I am accustomed to the UTM logic where I was adding the dynamic dns account, then on webserver protection creating real webservers, then the virtual ones and was assigning the dyndns host to the virtual webserver.

    I did not see the same approach on the XG... how does this work in XG?

    and

    Searching about this, however, I realized that everything I could find was about the new feature where sophos can be used as a DDNS server. (BTW does this mean I can discard what I have now and use sophos for 3 or more hostnames that I need?)

  • I use dyndns for my systems, I am not aware of a home user limitation of the Sophos DNS service.

    Ian

  • Thank you again for your insight, 

    Does anyone perhaps know how to use 3 different hostnames that I have using either no-ip or the sophos dyndns service?

    I created a new host, e.g. something.myfirewall.co and saved it

    I have also created a new webserver and gave it a name. I realized I need to also add a host for this to work. So I created a host in the Hosts and services section.

    Now I can use this host for my web server to be created. However I don't see where I can point this webserver (or my host) to something.myfirewall.co that I have in Dynamic DNS.

    Do I have to create a host and give it the same name as the host I created in Dynamic DNS, and it will understand and point it to that host? Or is there something else that I need to do?

    Unless my search skills suck (and they probably do suck..) I can't find any help for this procedure anywhere in the help docs.

    Any help from anyone appreciated!

  • You need to set up a WAF Rule. In the WAF Rule, you simply use Hosted Address (WAN Port), Port 443 and Domains is your myfirewall.co Client.

    There is no LetsEncrypt integration, so you need your own certificate. If you have a host behind XG, this could be done via a linux client on myfirewall.co for example. See: https://community.sophos.com/xg-firewall/f/discussions/108931/letsencrypt-how-to-in-xg

    Just an example of mine without hostname: 

  • Thanks for your help 

    However... I cannot find anywhere the options I see in your screenshot..

    Searching a bit about how to create a WAF rule, I found out that I need to create a new Business Application Rule.

    I found the following in online help:

    Adding a Business Application Rule
    Go to Protect > Firewall and select IPv4 using the filter switch.
    Now, click on +Add Firewall Rule and select Business Application Rule. 
    You can then select the Application Template from the list of available templates.

    However there are no such options in my case. It seems that the online help needs updating, because I managed to find a different option in Action (Protect with server protection). In my case Action is just below Rule name. In your screenshot I see nothing like this.

    I have version 18.0.4 MR-4, perhaps you are on an earlier version?

    Anyway, since this is where I need to set things up I will try to manage. I hope I will.

    Thanks again!

  • Hi,

    I am using SG and XG at work. I have also knowledge of Fortigate.

    I think in your scenario you can use SG and XG.

    In bigger environments like ours with a new project there is no other option than using XG as the EOL of SG is coming some time and everything new and the central management is developed in XG. In home use there might be no need to migrate to XG unless you need a feature that is not available on SG.

    We had some issues with XG in 17.5 (stability of IPSec Tunnels; clustering and licensing) and some weird behaviour on 18 MR-1 to MR-4 (especially with Teams communication and REDs). XG definitely needs more resources on comparable hardware. The change from 17.5 to 18 MR-4 was a big step with a lot of feature enhancements. I think everything before 17.5.x was a mess ...

    However there are still a lot of things missing that you know from firewalls like SG and Fortigate. SG and Fortigate have good logging, excellent search functions and you can see where an object is referenced. The documentation of Fortigate is excellent but XG documentation is getting better (slowly). The performance of Fortigate is much better as they have implemented some stuff in specialised hardware whereas XG only uses plain computer hardware. The support of XG was bad and is getting better (slowly).

    If you like playing around with these things, migrate. If not, stick to SG for another 1 - 1 1/2 years and migrate then. Things are moving slower and are less stable than we expected when we migrated the first firewall from Fortigate to XG in autumn 2019. Meanwhile we also migrated some other SG sites and implemented new sites.

    Best regards
    BeEf

  • Since V18, you find WAF here: