XG / XGS ongoing issues list

Hi there,

I've been hesitant with moving from SG to XGS. I did dip my toe into the XG pool by setting up one location with an XG Firewall, however the experience was poor. So I'm currently planning a hardware refresh with SG for the next 3 years as I still think XGS is half-baked. I'm aware that XG is old, and XGS is a newer version and might be better than XG, however...

Issue #1 - I have had many issues with our XG router not renewing its WAN IP when the ISP changes it. I hear this is still an issue in XGS.

Issue #2 - There is no release/renew for any interfaces. I hear this is still an issue in XGS. And yes, a workaround is to assign a static IP, and then remove it... but if SOPHOS can't correct something simple like this for years... I can only imagine what other issues that I don't know about are also still un-fixed. 

Issue #3 - I use one of our SG devices as an internal relay for our Copiers. I have a consultant that deals with SOPHOS across many client businesses, and they've told me that they gave up on using the mail relay on XGS as it has been unreliable. They moved their clients to a paid mail-relay-service because of how poorly it works. 

These are some of the issues I recall off the top of my head. I'd be interested in feedback on these issues.

Also if anyone knows of other problems like these, that I may not be aware of, please add them to this list.

Thanks 



  • OK - Let me rephrase the point about #3. 

    In general SMTP Relay works fine. 

    SMTP Auth is something which is not RFC standard. This means you cannot do an authentication against SFOS using SMTP Auth. This is oftentimes used from WAN devices to use the firewall/MTA to relay back to the internet. This is not working.

    If you use the Host based Relay option, there is no problem (and in general it is the same - IP based or Auth based relay will do the same). SMTP auth would be "more flexible" though.

    So the part about "Relay to O365" should not be a problem, if it's an internal network device. If you have an external device (like a service), there could be a potential limitation.

    And to rephrase my point earlier: Personally I see a potential problem in using an MTA Relay firewall for this option. Simply because the firewall (UTM and SFOS) does not offer the proper tools to track this. So you are starting to have multiple points of email history (for example Exchange and the firewall) which have different histories. The logging on your mail product like Exchange is incomplete etc.


  • WAN Link manager is for load balancing. So the WAN Link manager is used for "Default Gateway behavior". If the firewall needs a Default GW, WAN link manager will give you feedback on which Link to use.

    Essentially you are discussing a missing feature, which will pick up a renewal process of the IP based on the WAN Link Manager. And that is tracked to be discussed. 

    It is based on the technology. PPPoE Interfaces will do this (based on the used technology). But it seems like there are other ISPs only giving you an IP based on ethernet protocol (which is unusual for my field - ISPs are not doing this oftentimes here - I cannot speak for other regions).


  • I found a new issue... another issue that should not be an issue. 

    So I wanted to test out a static routing change on an XG Firewall. I needed to disable a route... then build and apply a new one, before confirming that it was working. I didn't want to delete the route in case it had some negative ramifications, so that I could quickly revert back if needed. And wouldn't you know... you can't disable a static route in XG. It's not possible. Your only option is to document the settings and delete it. I mean seriously... why are basic functions just missing or broken on XG? We have an active license and maintenance...

    And of course... I take a look at my SOPHOS SG Router... and HEYYYY toggle buttons for static routes. I can disable and enable whenever I need to.

    Am I missing something? Or is SOPHOS just doing a bad job here? Can someone confirm this is still missing on XGS?

  • You can / should move to SD-WAN routes anyway. Those are far superior and you can disable them as well. In most scenarios, they are working more effectively. Depending on the scenario you are using. For example, you need a gateway for SD-WAN Routes. In Static routes, you need to do this every time. In SD-WAN you are using the already created GWs. 

    In your example: Create a GW (your Gateway CDK router), then create those 3 routes as SD-WAN Routes. 


  • So to confirm specifically on this one... the ability to disable static routes is available on XGS?

  • the ability to disable static routes is available on XGS?

    Isn't possible, you can only add or delete.


    If a post solves your question use the 'Verify Answer' button.

    XG 115w Rev.3 8GB RAM v19.5 MR1 @ Home.

  • So when LuCar Toni confusingly implied that "you can", he meant... "you can't". And here is a workaround... Perfect. Clear as mud.

    Thank you Prism for clarifying.

    I don't understand why SOPHOS won't do improvements to avoid these negative issues so migrating to XG/XGS is a "no-brainer" rather than an exercise in the issues and "what I'll lose" by doing it. I know there are benefits... but if there weren't issues, then it would be a slam dunk. And ALL of these complaints are within SOPHOS' ability to fix. And they don't???

    It just doesn't make sense, and it concerns me greatly about their dedication and speed on fixing issues in general, if these issues are not being addressed. And each time I use XG/XGS, I stumble across more.

    Sigh... it's Monday.

  • He's telling you to use the new SD-WAN function instead of static routes, with SD-WAN routing you can disable/enable them as you wish.

    But for static routes it isn't possible. (you can't disable/enable them.)

    I don't understand why SOPHOS won't do improvements

    No one knows, if you do please let us know here in the community.



  • You can turn SD-WAN routes ON and OFF, have a look yourself here:

    Mit freundlichem Gruß, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

  • It is indeed available for SD-WAN, but the question was specifically about why it isn't available with the static routing function.

    Edit: Removed some content since it shouldn't be discussed in here.

