Define Objects/groups

Hello,

Where can I create e.g. IP groups or MAC groups as in the SG? The MAC groups appear to be missing.

Generally the principle of the objects like in the SG is missing.

Is that correct and why is that so ???

Greetings

  • FormerMember

    Hi,

    Thank you for reaching out to the Community! 

    Go to Hosts and services > MAC host to configure a single MAC host or a list of MAC host entries. Check out the following document for more info: 

    Thanks,

  • Hello,

    that's not what I mean.

    In the SG you could add objects, IP clients with their IP / MAC etc., so that this object can be used as an object in the entire firewall.

    This is largely missing in the XG. In my opinion, clients etc. have to be entered and maintained twice in many places.

    I find using the XG an absolute horror compared to the SG. In the SG one could find oneself very quickly and use it sensibly.

    Do you understand what I mean?

    Greetings

    Thanks

    It's based on the architecture of both systems. While one system works with a middleware, the other has a database-oriented system. Both come with advantages and disadvantages. One issue with a database-based system like XG is that it can get complicated to maintain a unified system (one object for everything and to store every piece of information). Another problem would be the system to find "where this object is used".

    Both points are currently being looked into. There are stories to be covered to get to such a point.

    On the other hand, such a system has high performance. The number of objects simply does not matter in the long run. Also, the database is more robust.

  • Hi,

    yes, I understand the problem. But it is simply not usable and not implemented in a meaningful way.

    If someone sells such products to a customer who has been used to the SG series for years, the work performance in money is accordingly, and you switch to a new product which theoretically requires 3x as much configuration time, how would you like to invoice the customer for these hours? An end customer who only wants security, but who does not maintain or set up these devices, cannot understand this and does not want to pay for something like that.

    That's the problem here that I'm seeing. The facility is very, very iment to the Sophos.

    I see that a lot of work still has to be put into the XG user-friendliness.

    The fact alone that the scaling of the individual fields was really unsuccessful.
    A great many fields, or rather almost all of them, are far too small.

    But well, maybe you would have to put these notes in another place in the hope that the XG will again be a top product like the SG.

    How can you forward such ideas or suggestions to Sophos?

    It depends on the use case. So what do you want to achieve? In the long run, the installations and other topics are done via Central. The integration of Central as a central management platform for partners is meant to achieve a simple one-click push to all firewalls.

    Many MSPs are working with scripts, simply because it's faster than clicking anything in a Webadmin, no matter which platform you are working on. They simply roll out a new firewall via one click on a script and are done. The same approach is the long-run goal of Central. Simply roll out a new customer, prepare the configuration in Central and push the configuration to the target firewall.

    Another point is whether certain installations are needed anymore. MAC and IP lists are good examples. XG Firewalls are mainly built to work user-based. You tell the firewall "IT administrators are allowed to use SSH". You do not create IP lists like in UTM, which are the IT administrator IP address range etc. The question is, do you need to install the certain installation principle anymore, or can you achieve the same goal with a new mechanism, which reduces the need for manual work?

    A customer who wants to have security can simply use a LAN to WAN rule with best practices installed. Use the services he needs and you are done. XG works with firewall rules as the primary pillar of protection. Do you need MAC or IP lists for this?

    How does one dispense with MACs or IPs, or does one only rely on rules ???

    Since when do you only work without IPs or MAC addresses ???

    So I didn't understand any of that now and it doesn't make any technical sense to me.

    Yes, that you work centrally, yes that is ok, but all in all you need a facility.

    Nevertheless, no matter in which business segment you work, a PC is always married to a user, an IP and a MAC.

    I don't understand now how all of that should work technically and safely ???

    You can use LAN to WAN and work user-based on XG. This will completely replace the need for any MAC or IP in your firewall rule set. I saw many customers completely adopting this principle and only using zones + user-based access.

    XG supports multiple authentication mechanisms to cover the use case of mapping a user (an actual person) to a computer. This replaces the need for MAC or IP.

    For example: I have Intercept X installed on all clients in my network. The Intercept X client sends the user information via sync user ID to the XG firewall. After my initial sign-in to the Windows client, XG knows my user and my groups. I can use this information in my network rules by simply telling the firewall: my domain administrator can use SSH to my servers. This is one rule, which does not need anything like MAC or IP. The server zone is a segmented area in my network (VLAN), which points to XG. My admin will log in to the client and can open PuTTY SSH to any server in my server segment.

    The server segment is rather stateless. You can use authentication there, but most customers still use IPs in server segments because they need the IPs. But the question is, how big is your server segment (anymore)? Then you have the DHCP server system. Most customers in bigger networks rely on a DHCP server, which supports pooling etc. So they use DHCP relay and forward the requests to the service, taking over DHCP and reporting etc.

    Segmentation is still a big open issue in server networks. There are customers still running terminal servers, Exchange and internal databases in one segment, which is a big security risk. By splitting up this segment into different segments, you can again work with zone-based networking.

    OK, it looks different. I think I got it.

    Nevertheless, there is the possibility, I will call it that, to be able to use both configuration variants in the Sophos.

    Otherwise, Sophos only has to choose one principle and not bring something unfinished, or rather poorly usable, onto the market. I perceive that as a very bad aftertaste and I think the buyer is very annoyed.

  • You can do both. But you have to use it the way it's implemented. There are some techniques to give it a better implementation. For example, use the API or import/export to get a mass import of objects, if you need them at certain places.
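
    The mass import via the API that this reply suggests, as an added example that is neither Sophos code nor anything posted in this thread: a Python script that validates a constructed host list (CSV as one might export from an SG) and assembles a single XML API request adding an IPHost and a MACHost per row. The XML element names and the APIVersion value are assumptions to be checked against the Sophos Firewall API reference for your firmware; the firewall URL, the credentials and the HTTPS POST are left to the caller.

```python
import csv
import ipaddress
import re
import xml.etree.ElementTree as ET

# Constructed sample export (not from the thread); the last row is deliberately malformed.
SAMPLE_CSV = """name,ip,mac
fileserver,10.10.1.20,00:11:22:33:44:55
printer-2f,10.10.1.40,AA-BB-CC-DD-EE-01
bad-entry,10.10.1.999,00:11:22:33:44
"""
def normalise_mac(raw):
    # Accept 00:11:..., 00-11-... or 0011.2233.4455 and return aa:bb:cc:dd:ee:ff.
    hexdigits = re.sub(r"[:\-.]", "", raw.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", hexdigits):
        raise ValueError(f"invalid MAC address: {raw!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))
def parse_hosts(csv_text):
    # Validate every row up front; return (accepted, rejected) so bad rows never reach the firewall.
    accepted, rejected = [], []
    for row in csv.DictReader(csv_text.splitlines()):
        try:
            addr = ipaddress.ip_address(row["ip"].strip())
            mac = normalise_mac(row["mac"])
        except ValueError as exc:
            rejected.append((row["name"], str(exc)))
            continue
        accepted.append({"name": row["name"].strip(), "ip": str(addr), "family": f"IPv{addr.version}", "mac": mac})
    return accepted, rejected

def build_request(hosts, username, password, api_version="1905.1"):
    # Builds one <Request> adding an IPHost and a MACHost per row. Element names and the APIVersion
    # value are assumptions: check them against the Sophos Firewall API reference for your firmware.
    # Pass credentials in from a vault or environment variable; never hard-code them in this script.
    req = ET.Element("Request", APIVersion=api_version)
    login = ET.SubElement(req, "Login")
    ET.SubElement(login, "UserName").text = username
    ET.SubElement(login, "Password").text = password
    batch = ET.SubElement(req, "Set", operation="add")
    for h in hosts:
        ip_host = ET.SubElement(batch, "IPHost")
        ET.SubElement(ip_host, "Name").text = h["name"]
        ET.SubElement(ip_host, "IPFamily").text = h["family"]
        ET.SubElement(ip_host, "HostType").text = "IP"
        ET.SubElement(ip_host, "IPAddress").text = h["ip"]
        mac_host = ET.SubElement(batch, "MACHost")
        ET.SubElement(mac_host, "Name").text = h["name"] + "-mac"
        ET.SubElement(mac_host, "Type").text = "MACAddress"
        ET.SubElement(mac_host, "MACAddress").text = h["mac"]
    return ET.tostring(req, encoding="unicode")
```

    The rejected list is what you review before posting anything, so a typo in the export cannot silently create a wrong host object on the firewall.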

  • Great,
    that's exactly the point. Just use it as it is implemented?
    Clearly no, not like that. Great, then the usability of the XG has become absolutely bad.

    You don't want to tell me now that creating objects and dragging and dropping objects is no longer state of the art ???

    The clients report centrally and are reported and managed directly using various mechanisms such as Intercept X. Yes, that's OK and state-of-the-art and is a good thing.

    But to make the usability worse because of this, or to rely on scripting or an API, that is a completely wrong way.

    There are enough IT admins who cannot necessarily create scripts or implement an API for themselves. How do you imagine that?
    A network administrator is not just a software developer, so you won't get any training from Sophos to pay for and use the admins.

    Sorry, so I disagree on that, just accepting things as they are.

    Sophos didn't like it.