
My thoughts after using the XG for some months.

As a long-time UTM user, trying once again to convince myself to give the XG a go, these are my experiences.

I absolutely love the UTM, the simplicity, well designed UI and how easy it is to use.

However, on the XG...

The WebUI still seems like something straight out of 1995, optimized for 1024*768 resolution.

Inconsistent naming of, for example, interfaces. In some places you can use the self-defined name, in some places not.

Not always being able to rename created objects.

Text being truncated, making it extremely hard to get an overview.

The zone based firewall and NAT linking is a f****g joke. Seems more and more like they just expect people to always do "ANY-ANY" rules.

Documentation is misleading and often just specifies "just add ANY", doesn't describe the actual use case, and is often extremely badly written. Some of it almost seems auto-translated, or written by Indian support?

When you write to support you quite fast get a response from their Indian support team which points to a generic KB or support page, even though you clearly stated that you already tried that solution, and then you don't hear anything back for days.

Video how-to guides, where 95% of the time is spent on useless sales pitches.

I often find myself not being able to delete objects because it claims it's still in use, without really being able to find out where.

It seems Sophos is actively trying to force customers from UTM to XG by keeping them in the dark, removing functionality, not updating functionality to new standards.

I'm quite sure XG can be a dream in an all-Windows / AD environment, using all of Sophos's products and end user protection.

Right now I'm stuck with 2 XG firewalls I recommended to a client, really wishing I had stuck with UTM.

Sophos has had so long to fine tune the product, but it seems they are more focused on adding features to support their software than on delivering a good product.

Am I really just not understanding the product?

And yes, I have actually had courses in both the UTM and XG, and am/was a certified XG and UTM architect.



This thread was automatically locked due to age.
  • This is the output of an AD:

    DEBUG Aug 06 15:12:50.476540 [POSTGRES_DB]: get_group_list_by_priority_ads: 2 - server group: 'CN=SEAdmin'
    DEBUG Aug 06 15:12:50.476543 [POSTGRES_DB]: get_group_list_by_priority_ads: 3 - server group: 'CN=ADSyncAdmins'
    DEBUG Aug 06 15:12:50.476546 [POSTGRES_DB]: get_group_list_by_priority_ads: 4 - server group: 'CN=SophosAdministrator'
    DEBUG Aug 06 15:12:50.476549 [POSTGRES_DB]: get_group_list_by_priority_ads: 5 - server group: 'CN=Organization Management'
    DEBUG Aug 06 15:12:50.476552 [POSTGRES_DB]: get_group_list_by_priority_ads: 6 - server group: 'CN=Group Policy Creator Owners'
    DEBUG Aug 06 15:12:50.476555 [POSTGRES_DB]: get_group_list_by_priority_ads: 7 - server group: 'CN=Domain Admins'
    DEBUG Aug 06 15:12:50.476559 [POSTGRES_DB]: get_group_list_by_priority_ads: 8 - server group: 'CN=Enterprise Admins'
    DEBUG Aug 06 15:12:50.476562 [POSTGRES_DB]: get_group_list_by_priority_ads: 9 - server group: 'CN=Schema Admins'
    DEBUG Aug 06 15:12:50.476565 [POSTGRES_DB]: get_group_list_by_priority_ads: 10 - server group: 'CN=Users'
    DEBUG Aug 06 15:12:50.476568 [POSTGRES_DB]: get_group_list_by_priority_ads: 11 - server group: 'CN=Administrators'
    DEBUG Aug 06 15:12:50.476571 [POSTGRES_DB]: get_group_list_by_priority_ads: 4 - configured group: 'SEAdmin'
    DEBUG Aug 06 15:12:50.476574 [POSTGRES_DB]: get_group_list_by_priority_ads: 1 - server group: 'CN=SE'
    DEBUG Aug 06 15:12:50.476578 [POSTGRES_DB]: get_group_list_by_priority_ads: 2 - server group: 'CN=SEAdmin'
    DEBUG Aug 06 15:12:50.476581 [POSTGRES_DB]: get_group_list_by_priority_ads: server group matches configured group: 'SEAdmin'
    DEBUG Aug 06 15:12:50.476584 [POSTGRES_DB]: get_group_list_by_priority_ads: 3 - server group: 'CN=ADSyncAdmins'
    DEBUG Aug 06 15:12:50.476587 [POSTGRES_DB]: get_group_list_by_priority_ads: 4 - server group: 'CN=SophosAdministrator'
    DEBUG Aug 06 15:12:50.476590 [POSTGRES_DB]: get_group_list_by_priority_ads: 5 - server group: 'CN=Organization Management'
    DEBUG Aug 06 15:12:50.476593 [POSTGRES_DB]: get_group_list_by_priority_ads: 6 - server group: 'CN=Group Policy Creator Owners'
    DEBUG Aug 06 15:12:50.476596 [POSTGRES_DB]: get_group_list_by_priority_ads: 7 - server group: 'CN=Domain Admins'
    DEBUG Aug 06 15:12:50.476600 [POSTGRES_DB]: get_group_list_by_priority_ads: 8 - server group: 'CN=Enterprise Admins'
    DEBUG Aug 06 15:12:50.476603 [POSTGRES_DB]: get_group_list_by_priority_ads: 9 - server group: 'CN=Schema Admins'
    DEBUG Aug 06 15:12:50.476606 [POSTGRES_DB]: get_group_list_by_priority_ads: 10 - server group: 'CN=Users'
    DEBUG Aug 06 15:12:50.476609 [POSTGRES_DB]: get_group_list_by_priority_ads: 11 - server group: 'CN=Administrators'
    DEBUG Aug 06 15:12:50.476612 [POSTGRES_DB]: get_group_list_by_priority_ads: 5 - configured group: 'Guest Group'
    DEBUG Aug 06 15:12:50.476615 [POSTGRES_DB]: get_group_list_by_priority_ads: 1 - server group: 'CN=SE'
    DEBUG Aug 06 15:12:50.476618 [POSTGRES_DB]: get_group_list_by_priority_ads: 2 - server group: 'CN=SEAdmin'
    DEBUG Aug 06 15:12:50.476622 [POSTGRES_DB]: get_group_list_by_priority_ads: 3 - server group: 'CN=ADSyncAdmins'
    DEBUG Aug 06 15:12:50.476625 [POSTGRES_DB]: get_group_list_by_priority_ads: 4 - server group: 'CN=SophosAdministrator'
    DEBUG Aug 06 15:12:50.476628 [POSTGRES_DB]: get_group_list_by_priority_ads: 5 - server group: 'CN=Organization Management'
    DEBUG Aug 06 15:12:50.476631 [POSTGRES_DB]: get_group_list_by_priority_ads: 6 - server group: 'CN=Group Policy Creator Owners'
    DEBUG Aug 06 15:12:50.476634 [POSTGRES_DB]: get_group_list_by_priority_ads: 7 - server group: 'CN=Domain Admins'
    DEBUG Aug 06 15:12:50.476637 [POSTGRES_DB]: get_group_list_by_priority_ads: 8 - server group: 'CN=Enterprise Admins'
    DEBUG Aug 06 15:12:50.476640 [POSTGRES_DB]: get_group_list_by_priority_ads: 9 - server group: 'CN=Schema Admins'
    DEBUG Aug 06 15:12:50.476646 [POSTGRES_DB]: get_group_list_by_priority_ads: 10 - server group: 'CN=Users'
    DEBUG Aug 06 15:12:50.476649 [POSTGRES_DB]: get_group_list_by_priority_ads: 11 - server group: 'CN=Administrators'
    DEBUG Aug 06 15:12:50.476652 [POSTGRES_DB]: get_group_list_by_priority_ads: 6 - configured group: 'VPN'
    DEBUG Aug 06 15:12:50.476656 [POSTGRES_DB]: get_group_list_by_priority_ads: 1 - server group: 'CN=SE'
    DEBUG Aug 06 15:12:50.476659 [POSTGRES_DB]: get_group_list_by_priority_ads: 2 - server group: 'CN=SEAdmin'
    DEBUG Aug 06 15:12:50.476662 [POSTGRES_DB]: get_group_list_by_priority_ads: 3 - server group: 'CN=ADSyncAdmins'
    DEBUG Aug 06 15:12:50.476665 [POSTGRES_DB]: get_group_list_by_priority_ads: 4 - server group: 'CN=SophosAdministrator'
    DEBUG Aug 06 15:12:50.476668 [POSTGRES_DB]: get_group_list_by_priority_ads: 5 - server group: 'CN=Organization Management'
    DEBUG Aug 06 15:12:50.476671 [POSTGRES_DB]: get_group_list_by_priority_ads: 6 - server group: 'CN=Group Policy Creator Owners'
    DEBUG Aug 06 15:12:50.476674 [POSTGRES_DB]: get_group_list_by_priority_ads: 7 - server group: 'CN=Domain Admins'
    DEBUG Aug 06 15:12:50.476677 [POSTGRES_DB]: get_group_list_by_priority_ads: 8 - server group: 'CN=Enterprise Admins'
    DEBUG Aug 06 15:12:50.476681 [POSTGRES_DB]: get_group_list_by_priority_ads: 9 - server group: 'CN=Schema Admins'
    DEBUG Aug 06 15:12:50.476684 [POSTGRES_DB]: get_group_list_by_priority_ads: 10 - server group: 'CN=Users'
    DEBUG Aug 06 15:12:50.476687 [POSTGRES_DB]: get_group_list_by_priority_ads: 11 - server group: 'CN=Administrators'
    DEBUG Aug 06 15:12:50.476690 [POSTGRES_DB]: get_group_list_by_priority_ads: user has 2 ad server groups

    You can see that I am getting all groups of my user. Then the XG tries to figure out which groups match this group. Both of those groups are imported / created on the firewall.

    I am not sure, how this is done on LDAP. 

  • It's done completely differently on LDAP, but also completely differently than stated in the KB.

    On LDAP it does a search on the attribute you specify as the "Group name attribute".

    That is what is returned by the LDAP server:

    INFO      Aug 06 15:03:27.979100 [LDAP_AUTH]: ldapauth_search_user: 172.16.16.1:389: ATTR INDEX: 3  ATTR-NAME: 'gidNumber'
    INFO      Aug 06 15:03:27.979105 [LDAP_AUTH]: ldapauth_search_user: 172.16.16.1:389: ATTR-VAL[0]: '1103'

    but it is never resolved, so it is only matched on the returned value:

    DEBUG     Aug 06 15:03:27.999818 [POSTGRES_DB]: remove_escape_sequence: gropname before removing escape sequence 1103
    DEBUG     Aug 06 15:03:27.999822 [POSTGRES_DB]: remove_escape_sequence: gropname after removing escape sequence 1103
    DEBUG     Aug 06 15:03:27.999826 [POSTGRES_DB]: get_ads_ldap_highest_priority_group: Extracted groupname:'1103'
    DEBUG     Aug 06 15:03:27.999830 [POSTGRES_DB]: get_ads_ldap_highest_priority_group: Groupname in list:'Open Group'
    DEBUG     Aug 06 15:03:27.999833 [POSTGRES_DB]: get_ads_ldap_highest_priority_group: In attribute:'1103'
    DEBUG     Aug 06 15:03:27.999837 [POSTGRES_DB]: get_ads_ldap_highest_priority_group: Groupname in list:'Guest Group'
    DEBUG     Aug 06 15:03:27.999841 [POSTGRES_DB]: get_ads_ldap_highest_priority_group: In attribute:'1103'
    DEBUG     Aug 06 15:03:27.999844 [POSTGRES_DB]: get_ads_ldap_highest_priority_group: Groupname in list:'LDAP'
    DEBUG     Aug 06 15:03:27.999848 [POSTGRES_DB]: get_ads_ldap_highest_priority_group: In attribute:'1103'
    DEBUG     Aug 06 15:03:27.999858 [POSTGRES_DB]: get_ads_ldap_highest_priority_group: Groupname in list:'1103'
    DEBUG     Aug 06 15:03:27.999862 [POSTGRES_DB]: get_ads_ldap_highest_priority_group: In attribute:'1103'
    DEBUG     Aug 06 15:03:27.999865 [POSTGRES_DB]: get_ads_ldap_highest_priority_group: Group Found:'1103'

    making it completely useless (here I have created a group with the name 1103 to test, and that matches)
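The two replies above describe two different matching paths: for AD the firewall walks the user's server groups and compares each CN against every configured group; for LDAP it takes the raw value of the "Group name attribute" (here gidNumber) and compares that string literally against the configured group names. The following script is an added example written for this thread, not Sophos code. It parses constructed excerpts in the shape of the debug lines quoted above and recomputes the matches independently, so an admin can check which configured groups a user would land in and spot the LDAP case where a numeric gid can only ever match a group that is literally named after it. The regular expressions are assumptions derived from the quoted lines, not a documented log format.

```python
"""Reconstruct Sophos XG group matching from its authentication debug log (added example)."""
import re

# Constructed excerpt of an AD authentication, trimmed to a few server groups.
AD_LOG = """\
DEBUG Aug 06 15:12:50.476571 [POSTGRES_DB]: get_group_list_by_priority_ads: 4 - configured group: 'SEAdmin'
DEBUG Aug 06 15:12:50.476574 [POSTGRES_DB]: get_group_list_by_priority_ads: 1 - server group: 'CN=SE'
DEBUG Aug 06 15:12:50.476578 [POSTGRES_DB]: get_group_list_by_priority_ads: 2 - server group: 'CN=SEAdmin'
DEBUG Aug 06 15:12:50.476581 [POSTGRES_DB]: get_group_list_by_priority_ads: server group matches configured group: 'SEAdmin'
DEBUG Aug 06 15:12:50.476587 [POSTGRES_DB]: get_group_list_by_priority_ads: 7 - server group: 'CN=Domain Admins'
DEBUG Aug 06 15:12:50.476612 [POSTGRES_DB]: get_group_list_by_priority_ads: 5 - configured group: 'Guest Group'
DEBUG Aug 06 15:12:50.476615 [POSTGRES_DB]: get_group_list_by_priority_ads: 1 - server group: 'CN=SE'
DEBUG Aug 06 15:12:50.476618 [POSTGRES_DB]: get_group_list_by_priority_ads: 2 - server group: 'CN=SEAdmin'
DEBUG Aug 06 15:12:50.476674 [POSTGRES_DB]: get_group_list_by_priority_ads: 7 - server group: 'CN=Domain Admins'
"""

# Constructed excerpt of an LDAP authentication, same shape as the thread's lines.
LDAP_LOG = """\
INFO      Aug 06 15:03:27.979100 [LDAP_AUTH]: ldapauth_search_user: 172.16.16.1:389: ATTR INDEX: 3  ATTR-NAME: 'gidNumber'
INFO      Aug 06 15:03:27.979105 [LDAP_AUTH]: ldapauth_search_user: 172.16.16.1:389: ATTR-VAL[0]: '1103'
DEBUG     Aug 06 15:03:27.999826 [POSTGRES_DB]: get_ads_ldap_highest_priority_group: Extracted groupname:'1103'
DEBUG     Aug 06 15:03:27.999830 [POSTGRES_DB]: get_ads_ldap_highest_priority_group: Groupname in list:'Open Group'
DEBUG     Aug 06 15:03:27.999837 [POSTGRES_DB]: get_ads_ldap_highest_priority_group: Groupname in list:'Guest Group'
DEBUG     Aug 06 15:03:27.999858 [POSTGRES_DB]: get_ads_ldap_highest_priority_group: Groupname in list:'1103'
DEBUG     Aug 06 15:03:27.999865 [POSTGRES_DB]: get_ads_ldap_highest_priority_group: Group Found:'1103'
"""

# Assumed patterns, derived from the quoted lines (not a documented format).
CONFIGURED = re.compile(r"get_group_list_by_priority_ads: \d+ - configured group: '([^']*)'")
SERVER = re.compile(r"get_group_list_by_priority_ads: \d+ - server group: '([^']*)'")
MATCHED = re.compile(r"server group matches configured group: '([^']*)'")
ATTR_NAME = re.compile(r"ATTR-NAME: '([^']*)'")
ATTR_VAL = re.compile(r"ATTR-VAL\[\d+\]: '([^']*)'")
IN_LIST = re.compile(r"Groupname in list:'([^']*)'")
FOUND = re.compile(r"Group Found:'([^']*)'")


def rdn_value(dn):
    """Strip a leading 'CN=' (any case) so 'CN=SEAdmin' compares as 'SEAdmin'."""
    return re.sub(r"^cn=", "", dn, flags=re.I)


def parse_ad_matching(log):
    """Return {configured_group: {"server": [cn...], "logged": bool, "expected": bool}}.

    "logged" is whether the firewall itself printed a match line for that configured
    group; "expected" is our own comparison of the configured name against the CN
    values of the server groups listed under it. A disagreement between the two means
    either a log shape this parser does not understand or a matching rule we missed.
    """
    result, current = {}, None
    for line in log.splitlines():
        if m := CONFIGURED.search(line):
            current = m.group(1)
            result[current] = {"server": [], "logged": False, "expected": False}
        elif current and (m := SERVER.search(line)):
            cn = rdn_value(m.group(1))
            result[current]["server"].append(cn)
            if cn == current:
                result[current]["expected"] = True
        elif current and (m := MATCHED.search(line)) and m.group(1) == current:
            result[current]["logged"] = True
    return result


def parse_ldap_matching(log):
    """Return attribute name/value, configured group list, the firewall's 'Group Found'
    and our own literal recomputation of which configured names equal the raw value."""
    info = {"attribute": None, "value": None, "configured": [], "found": None}
    for line in log.splitlines():
        if m := ATTR_NAME.search(line):
            info["attribute"] = m.group(1)
        elif m := ATTR_VAL.search(line):
            info["value"] = m.group(1)
        elif m := IN_LIST.search(line):
            info["configured"].append(m.group(1))
        elif m := FOUND.search(line):
            info["found"] = m.group(1)
    # The XG never resolves the attribute value to a group DN; it is compared as-is.
    info["literal_match"] = [g for g in info["configured"] if g == info["value"]]
    return info


def explain_ldap(attr, value):
    """One-line verdict on what the configured 'Group name attribute' can ever match."""
    if value is not None and value.isdigit():
        return f"{attr}={value} is a numeric id; it only matches a firewall group literally named '{value}'"
    return f"{attr}={value} is compared literally against the configured group names"


if __name__ == "__main__":
    for group, r in parse_ad_matching(AD_LOG).items():
        print(f"AD  {group!r}: logged={r['logged']} expected={r['expected']} server={r['server']}")
    ldap = parse_ldap_matching(LDAP_LOG)
    print(f"LDAP found={ldap['found']!r} literal={ldap['literal_match']}")
    print(explain_ldap(ldap["attribute"], ldap["value"]))
```

Run it against a full `Aug 06 ...` capture pasted into the two string constants; a configured group whose `logged` and `expected` flags disagree is the one to look at more closely, and on the LDAP side anything other than a group literally named after the attribute value will never be found.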

  • You should create a new thread and look into this with somebody having more knowledge of LDAP than me.