UTM to XG views?

I know this has probably been done to death on this forum, but this morning I decided to have another look at XG (v16).

The jury is still out for me. I know that with all new OSes you can struggle to find your way around until you become used to them.

At this time, I'm not quite warming to XG but maybe that is me. I prefer the UTM obviously because I'm used to it.

So, from the experienced users who have switched over from UTM or maybe switched back to UTM, what are your thoughts?

  • Hello Louis,

    Hope you are well. I suggest staying on UTM for now, as there are no migration tools from UTM to XG at the moment. When the migration tools become available, you can start thinking about the migration.

    Hope that helps.

    Regards,

    Varun

  • There is absolutely no way I can change anyway. In production, I have 2x SG310 clusters which are fairly complex (I wish I'd got 430s now).

    This is purely as a test system as I want to get ahead of it if we do change. I'm going to give it a go this week. Mulling around it, there's things I do like but there's also things I don't like due to being biased towards the UTM interface I'm used to.

    Maybe next week or thereafter I'll be warming to it. I'm going to give it an honest go, as it's not fair to the developers to just cross your arms and say no...

  • I second that, Louis. The only point I was trying to make here is that since the configuration migration tools are not yet available, it would make no sense to migrate.

    Please give it a go on your test system and share the results. I also suggest you test the Heartbeat feature.

  • Louis,

    Before moving to XG, make sure to test it first.

    There are some features that XG is still missing and some bugs that still exist.

    The migration tool can be useful to avoid starting from scratch, but I would suggest you test (always test a new system).

    I moved some UTM installations to XG and the response is good for easy configurations.

    I tested IPsec, RED, access points, STAS and web filtering with 100 users and it is going well (apart from logging, which is still difficult and not complete yet on XG).

  • Hi Louis,

    Well, I have been a UTM user for 9 years (at work and home) and I have played with SFOS for around 1.5 years since it was in beta. There are actually some really cool things in the SFOS product and in general I do like it now with version 16. It has matured a lot since version 15, but there's still room for a lot of improvements.

    • In general it seems like SFOS is faster at processing packets.
    • I have had some strange issues with traffic being dropped by the default drop rule in the firewall even though I had created rules to allow the traffic (I have also tried with an allow any/any rule and it still showed up as dropped). The configuration was restored from a backup, so there could be a bug in the restore process (I haven't seen it on my other SFOS installation).
    • Another strange issue of mine is creating a network object.

    Here's my wishlist:

    1. Unified objects like in the UTM (this is a really strong feature on the UTM).
    2. NAT should have its own tab under Firewall. It's confusing to call it a non-HTTP business rule; why not call it what it is?
    3. Make country blocking easy to use with its own tab like in the UTM.
    4. The UTM interface would be a real killer for me, but that probably ain't going to happen :-)
    5. There's probably more.

    I have turned to pfSense at home (sorry Sophos).

  • XG is pretty good if you test it as a completely new product unrelated to UTM9. The way things are done in XG is completely different from UTM9, and once you get past the GUI that some of us find difficult, it's actually pretty good. The main problem is the firewall page: it's so configurable, with so many switches that are further tuned in so many different places, that I think most people don't realize how powerful the firewall/NAT/web filtering/IPS/QoS is. I personally wouldn't choose any other freely available distro, including IPFire, pfSense, OPNsense or Untangle, over XG.

    Here is my review after using XG compared to UTM9 after a few weeks of usage.


    PROS:

    1. Web filtering is faster, easier, and more powerful in XG.

    2. QoS is far superior in XG. Although I wish they added CoDel support. Maybe v17.

    3. Built-in live reporting is pretty good.

    4. IPS is far more configurable compared to UTM9.

    5. Packet capture is a unique feature that they carried over from Cyberoam, which comes in handy sometimes.

    6. Firewall rules/NAT are much easier to write, and then you can apply these rules to users, apply web filtering or application filtering to the same rule, apply QoS by firewall policy, QoS by web filter rule, application rule or username, ALL IN ONE FIREWALL RULE. This is so powerful and highly configurable that I can't praise Sophos enough for their forward thinking. Once you understand all the relationships in the firewall section, you will wonder how you worked without this previously.

    There are other areas, but these are the ones I have mainly tested.

    CONS:

    1. Logging sucks. If you are having problems, good luck finding the cause. This makes it very easy to make the very powerful web filtering/firewall section so complicated that you will have trouble fixing your own firewall rules.

    2. MTA is a new addition but nothing like UTM9 and I wouldn't use XG for securing an email server.

    3. The dashboard looks good at first glance, but other than showing info about new applications it is pretty static and useless.

    4. I haven't tried WAF, I assume it is comparable to UTM9 but due to bad MTA in v16, I use UTM9 for protecting all my servers.

    5. DNS/DHCP are nowhere near as granular as in UTM9.

    6. Other basic daemons like NTP are missing, DDNS clients are not as complete as on UTM, and other little things make XG feel incomplete/weak.

    There are other items, but to me logging is what seriously hurts XG. There was a good thread during the beta: https://community.sophos.com/products/xg-firewall/v16beta/f/sfos-v16-beta-feedback/78908/v16-what-is-still-missing

    So, to sum it up, would I move from UTM9 to XG? For small deployments where you only need web filtering, QoS and basic authentication, XG is more than ready and capable. For larger deployments where they have in-house servers etc., I would stick with UTM9.

  • Hi Louis,

    I won't compare these two products with each other. Sophos UTM is a great product coming out of the Astaro reign, and Sophos XG is a show stopper evolving from Cyberoam. Both products are unique and have their own credibility in the market.

    My suggestion is that you try the home version of XG or take a POC from a Sophos partner/reseller before migration. Test XG to see if it justifies your requirements, and you will have the answer yourself.

    Thanks

  • Bill, I feel like I would miss the possibility of using grep to find things that require complex searches. I wouldn't have the ability to make a quick change on a client's UTM instead of having to log in to the GUI and navigate. Etc. etc. etc.

    Old programmer that I am, will I have tools to find the same things in an environment where I can't make a query like:

    cc get_objects_using_object REF_AaaUseBalfson

    Are there any such shortcuts available to someone that supports an XG client?

    Cheers - Bob

  • Bob,

    Fortunately, on XG (for now) we still have most of the basic Linux commands (cat, awk, sed, grep, tail, less, more).

    Also, what I like about XG (compared to UTM9) is that there is a true command line (now you can change the network IP address, restart services, change BGP, HTTP proxy and other settings from the CLI easily) and an API. You can create, edit and delete objects using the API.

    At the moment the list of XG commands is not so long or complete (you cannot create objects from the XG CLI), but I hope that they will add more and more commands in the next releases.

    Here is the feature request to have more XG CLI commands:

    http://ideas.sophos.com/forums/330219-sophos-xg-firewall/suggestions/10873362-cli-more-basic-commands-to-manage-xg

    Every old-school engineer loves the CLI. Whoever came from Cisco's world or C programming cannot give up the command line!

  • Hi Bob, great to finally see you on the XG side! Luk has pretty much answered your question, but I would like to add a couple of things.

    XG offers shell access, although I don't like some things, like the "top" command, which doesn't allow all the functions it has in UTM. XG also has a dedicated console, which is like the cc equivalent in XG. The cc system was added somewhere in v8 if I remember correctly. For me, the best thing about cc is that all the changes made using cc are backed up during a normal backup. I am not sure if changes made via the console are registered during a backup. Also, confd is very smart in UTM9: if you are using a certain item and want to delete it, UTM9 tells you exactly where that item is being used. Unfortunately XG is not so smart and still gives generic warnings when making changes / deleting items etc.

    Another thing that has taken quite a bit of getting used to is the ACL system in XG.

    In UTM9, each daemon is configured independently: you turn on DNS and the allowed networks are right there. In XG, you set up DNS and then go looking for ACLs to grant access to your zones. There are numerous threads here where people don't know why, when they turn on MTA, the server denies mail... because the ACL hasn't been set to allow SMTP traffic. On the plus side, XG shows you the DNAT rule that is created by the MTA and you can move it up or down, unlike UTM9, where automatic DNATs kept many admins working long hours before the official Rulz thread was published: https://community.sophos.com/products/unified-threat-management/f/general-discussion/22065/rulz

    It gets worse: once I got used to the GUI, I tried testing VPN. PPTP was easily available on my iPhone, so I gave it a try. I was going to look at my ACLs first, but the VPN ACLs weren't there. I had to configure PPTP VPN first because, since the interface didn't exist for VPN, neither did the ACL. But my iPhone kept on refusing to connect and the logging wasn't helping... a little tail -f of the PPTP log showed the client connected for a second and disconnected. I googled "cyberoam pptp vpn" and aha... You can change your PPTP encryption to NONE on your phone, or enter the following command via the console on your XG and the VPN works:

    set vpn pptp authentication MS-CHAPv2 encryption STRONG

    PPTP is bad enough, but MS-CHAPv2 is not enabled by default? I was going to test SSL VPN but didn't see an easy way to change the SSL port. It may be hidden somewhere, but it wasn't as easily available as in UTM. I also didn't find a way to download a profile for my OpenVPN client on my iPhone. Granted, it's not easy to find where the client downloads are on UTM either if you are not using the user portal.

    Sorry for going on a rant. XG has so much potential, but after they tried to cram the whole Cyberoam system into the minimalistic GUI of v15, they have recovered some with v16. However, certain things that seem so easy to find even for a novice admin in UTM9 are hidden in XG.

    Who hides NAT under System > Profiles, or Traffic Shaping under System Services? Sophos XG!

    Regards
    Bill

    P.S. Waiting on your initial review of v16...