I've now got XG running pretty well as my live firewall/router, replacing UTM 9.4. I can't say that the configuration experience was a pleasant one - in fact it was a right pain in the a*se and took almost two days of work for a really quite simple network. However, now it's up and running, I'm warming to the way XG does some things and I can see a whole load of areas where it needs to improve (sadly, those are mostly just to get up to where UTM is).
My observations - and pleas to Sophos to improve things in the UI especially - follow... I very much hope we'll see some of these things sorted out in the next update!
Initial setup
- Initial setup with a PPPoE WAN connection, as many have remarked, is a ridiculous process involving a second firewall to connect out. It has to be made possible to configure PPPoE before activation of the licence online is required.
- Licence activation failed first time for me and wiped the WAN settings in the process. The page also hung and was only fixed by a reboot. Not helpful.
- After initial setup and reboot, the LAN doesn't start a DHCP server - so I couldn't connect until I realised the issue and configured the PC with a static IP in the 172.16 range. Need to start at least a basic DHCP server for the LAN port.
Overall, way too much unnecessary hassle involved here; too little thought has gone into this setup process.
Networking
- Doesn't seem to be a way to give the ports/networks sensible names and then refer to those names later on. I called port 4 "VOIP LAN", but then had to remember for zones, rules, etc. that it's port 4. Please, use the object names given by the user throughout the UI.
- A host for a static DHCP entry can't have multiple MAC addresses. I have several devices with both wifi and wired interfaces and I want the same IP for the device however it connects. UTM can do this; please fix XG!
- DHCP static entries page turns all the hostnames into UPPERCASE. Why?! This is not correct - my hostnames aren't uppercase.
- "Host" entries are not for DNS or for DHCP as they are in UTM. They're just to use in firewall rules/NAT. DNS entries are set up in DNS, static DHCP entries under DHCP. So I have to enter host details in three places for most of my servers. This is a real drag and feels like we've regressed pretty close to editing the underlying Unix config files! Please, Sophos, copy UTM's host model over, it was much cleaner.
- DHCP static entries are not registered with DNS automatically. Why not?!
- Setting up DNS entries, the UI feels rather clunky when there are lots to be done. The DHCP page is smoother.
- Not possible to edit the hostname in a DNS entry after it has been saved. Typo = delete and create again! Basic UI usability stuff, disappointing.
- Hosts picking up dynamic IPs from DHCP don't seem to get registered with DNS. This worked on UTM, so I think it's another XG step backwards. Please integrate both static and dynamic DHCP leases with DNS!
- Can't set DHCP options from the UI, have to resort to Google to find the CLI commands and then ssh into the appliance. Another basic step backwards from UTM. Can we have these in the UI in the next update, please? By the way, it should ideally be possible to serve DHCP option values to specific host MAC addresses, not just to every device using a DHCP server... my Cisco phone and my Plantronics phone need different paths for their TFTP files.
Firewall & web filtering
- I like the way NAT and firewall are handled in one rule, makes sense.
- Took me a little reading and some thinking to realise how the firewall rules and the web filtering interact, but now I've got it, it's actually a pretty good approach.
- It isn't immediately apparent whether a rule should "allow all" or just have no filter policy if no filtering is desired. The answer appears to be that it has to be "allow all" or we get no traffic at all...! This wasn't helped by the latest documentation being for v15 not v16, which has quite significant UI changes from v15.
- Also watch out for "match known users", which seems to be set by default on some firewall rules. Initially, my PC couldn't ping anything on the WAN. Log showed a refusal by the default "allow all" firewall rule, rule 1... bit counter-intuitive, a rule called "allow all" blocking something! ;-) Turn off "match known users", it's a pain in the butt. One day I'll work out how to use it but until then it just seems to cause problems.
- The logging and the URL category checker aren't enough to work out why something was blocked. Better would be a tool that can report which rules a URL would go through and the result of each rule processing the URL. Then it would be simple to tell "ok, it was blocked for the file type by rule 17" or "blocked by rule 6 because the user is unidentified".
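The rule-trace tool wished for in the last bullet (and the "allow all" rule silently refusing an unidentified user from the "match known users" bullet) sketched as an added example. This is not Sophos XG's rule engine or any Sophos code: the rule model, the zone names, the rule numbers and the simplified first-match semantics are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse


# Constructed, simplified rule model (hypothetical; not XG's rule format).
# Rules are evaluated in order; the first rule whose zones match decides.
@dataclass
class Rule:
    number: int
    name: str
    src_zone: str
    dst_zone: str
    match_known_users: bool = False              # require an identified user
    blocked_categories: frozenset = frozenset()  # web filter: URL categories
    blocked_file_types: frozenset = frozenset()  # web filter: file extensions
    action: str = "accept"                       # "accept" or "drop"


@dataclass
class Request:
    src_zone: str
    dst_zone: str
    url: str
    user: Optional[str] = None      # None means the user is unidentified
    category: str = "uncategorized"  # category the URL classifier returned


def file_extension(url: str) -> str:
    """Extension of the last path segment, lower-cased, or '' if none."""
    last = urlparse(url).path.rsplit("/", 1)[-1]
    return last.rsplit(".", 1)[1].lower() if "." in last else ""


def trace(rules, req):
    """Walk the rule set and return (verdict, reason, per-rule trace lines)."""
    lines = []
    for r in rules:
        tag = f"rule {r.number} '{r.name}'"
        if (r.src_zone, r.dst_zone) != (req.src_zone, req.dst_zone):
            lines.append(f"{tag}: skipped (zone mismatch)")
            continue
        if r.action == "drop":
            reason = f"dropped by {tag}"
            lines.append(f"{tag}: matched, {reason}")
            return "blocked", reason, lines
        if r.match_known_users and req.user is None:
            reason = f"blocked by rule {r.number} because the user is unidentified"
            lines.append(f"{tag}: matched, {reason}")
            return "blocked", reason, lines
        if req.category in r.blocked_categories:
            reason = f"blocked for category '{req.category}' by rule {r.number}"
            lines.append(f"{tag}: matched, {reason}")
            return "blocked", reason, lines
        ext = file_extension(req.url)
        if ext in r.blocked_file_types:
            reason = f"blocked for file type '.{ext}' by rule {r.number}"
            lines.append(f"{tag}: matched, {reason}")
            return "blocked", reason, lines
        reason = f"allowed by {tag}"
        lines.append(f"{tag}: matched, {reason}")
        return "allowed", reason, lines
    reason = "no rule matched (implicit drop)"
    lines.append(reason)
    return "blocked", reason, lines


# Constructed rule set mirroring the situations described in the post.
RULES = [
    Rule(1, "allow all", "LAN", "WAN", match_known_users=True),
    Rule(6, "guest web", "GUEST", "WAN", blocked_categories=frozenset({"gambling"})),
    Rule(17, "voip lan out", "VOIP", "WAN", blocked_file_types=frozenset({"exe", "msi"})),
]


def explain(req: Request) -> str:
    """One-line answer to 'why was this blocked/allowed?' for the sample rules."""
    verdict, reason, _ = trace(RULES, req)
    return f"{verdict}: {reason}"


if __name__ == "__main__":
    for req in (
        Request("LAN", "WAN", "http://example.test/", user=None),
        Request("LAN", "WAN", "http://example.test/", user="alice"),
        Request("VOIP", "WAN", "http://example.test/files/setup.exe"),
        Request("GUEST", "WAN", "http://example.test/", category="gambling"),
        Request("DMZ", "WAN", "http://example.test/"),
    ):
        print(explain(req))
        for line in trace(RULES, req)[2]:
            print("   ", line)
```

The per-rule trace lines are the point: a request from the LAN with no identified user is reported as blocked by rule 1 rather than just "refused", which is exactly the clue the log alone did not give.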
Logging & alerting
- Firewall & web filter: would be good to be able to log only warnings/blocked traffic, rather than having all or nothing. I don't want to log successful hits, there are a lot of those! I do want to log what was refused so that I can see whether any of my rules need to be tweaked.
- VPN: IPSec logs "VPN down" and immediately "VPN up" when the IPSec SA expires. That is a routine event and I don't want an alert for it; VPN down for some other reason and not coming back up, I do want an alert for. More granularity in the alerting & logging needed, please. Aside, why isn't the SA renewed just before it expires rather than waiting for it to expire?
What I haven't tried yet... but will soon
- Authentication for non-Windows clients (believe Linux will work, need to see how Android plays though)
- SSL VPN
- QoS / traffic shaping (video & VOIP priority for the WAN connection, in particular)