This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

UTM to XG views?

I know this has probably been done to death on this forum but this morning, I decided to have another look at XG (v16)

The jury is still out for me. I know with all new OS's, that you can struggle to find your way around until you become used to them.

At this time, I'm not quite warming to XG but maybe that is me. I prefer the UTM obviously because I'm used to it.

So, from the experienced users who have switched over from UTM or maybe switched back to UTM, what are your thoughts?

This thread was automatically locked due to age.

Parents

0 Billybob over 8 years ago

XG is pretty good if you test it as a completely new product unrelated to UTM9. The way things are done in XG are completely different than UTM9 and once you get past the GUI that some of us find difficult, its actually pretty good. The main problem is the firewall page, its so configurable with so many switches that are further tuned in so many different places that I think most people don't realize how powerful the firewall/NAT/Webfiltering/IPS/QOS is. I personally wouldn't choose any other freely available distro including IPFire, Pfsense, OPNSense, or Untangle over XG.

Here is my review after using XG compared to UTM9 after a few weeks of usage.

PROS:

1. Web filtering is faster, easier, and more powerful in XG.

2. QoS is far superior in XG. Although I wish they added CoDel support. Maybe v17.

3. Built in live reporting is pretty good.

4. IPS is far more configurable compared to UTM9.

5. Packet capture is a unique feature that they carried over from cyberoam which comes in handy sometimes.

6. Firewall Rules/ NAT are much easy to write and then you can apply these rules to users, apply webfiltering or application filtering to the same rule, apply QoS by firewall policy, QoS by webfilter rule, application rule or username ALL IN ONE FIREWALL RULE. This is so powerful and highly configurable that I can't praise sophos enough for their forward thinking. Once you understand all the relationships in the firewall section, you will wonder how you worked without this previously.

There are other areas but these are the ones I have tested mainly

CONS

1. Logging sucks. If you are having problems, good luck finding the cause. This makes it very easy to make the very powerful webfiltering/firewall section so complicated that you will have trouble fixing your own firewall rules.

2. MTA is a new addition but nothing like UTM9 and I wouldn't use XG for securing an email server.

3. Dashboard looks good at first glance but other than showing info about new applications is pretty static and useless.

4. I haven't tried WAF, I assume it is comparable to UTM9 but due to bad MTA in v16, I use UTM9 for protecting all my servers.

5. DNS/DHCP are nowhere as granular as UTM9

6. Other basic daemons like NTP is missing, DDNS clients not as complete as UTM and other little things that make XG feel incomplete/weak.

There are other items but to me logging is what seriously hurts XG. had a good thread during the beta https://community.sophos.com/products/xg-firewall/v16beta/f/sfos-v16-beta-feedback/78908/v16-what-is-still-missing

So, to sum it up, would I move from UTM9 to XG? For small deployments where you only need webfiltering, qos, and basic authentication XG is more than ready and capable. For larger deployments where they have in house servers etc, I would stick with UTM9.
Cancel
Vote Up 0 Vote Down

Cancel
0 BAlfson over 8 years ago in reply to Billybob

Bill, I feel like I would miss the possibility of using grep to find things that require complex searches. I wouldn't have the ability to make a quick change on a client's UTM instead of having to login to the Gui and navigate. Etc. etc. etc.

Old programmer that I am, will I have tools to find the same things in an environment where I can't make a query like:

cc get_objects_using_object REF_AaaUseBalfson

Are there any such shortcuts available to someone that supports an XG client?

Cheers - Bob
Cancel
Vote Up 0 Vote Down

Cancel
0 lferrara over 8 years ago in reply to BAlfson

Bob,

fortunately on XG (for now) we still have most of the basic Linux Commands (cat, awk, sed, grep, tail, less, more).

Also what I like from XG (compared to UTM9) is that there is a true command line (now you can change network ip address, restart services, change bgp, http proxy and other settings from CLI easily) and API. You can create, edit, delete objects using API.

At the moment the list of XG command is not so long and complete (you cannot create objects from XG CLI) but I hope that they will add more and more commands into next releases.

Here the feature request to have more XG CLI Commands:

http://ideas.sophos.com/forums/330219-sophos-xg-firewall/suggestions/10873362-cli-more-basic-commands-to-manage-xg

Every old school Engineer loves CLI. Who came from Cisco's World or C programming, cannot give up to command line!

[8-|]
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 lferrara over 8 years ago in reply to BAlfson

Bob,

fortunately on XG (for now) we still have most of the basic Linux Commands (cat, awk, sed, grep, tail, less, more).

Also what I like from XG (compared to UTM9) is that there is a true command line (now you can change network ip address, restart services, change bgp, http proxy and other settings from CLI easily) and API. You can create, edit, delete objects using API.

At the moment the list of XG command is not so long and complete (you cannot create objects from XG CLI) but I hope that they will add more and more commands into next releases.

Here the feature request to have more XG CLI Commands:

http://ideas.sophos.com/forums/330219-sophos-xg-firewall/suggestions/10873362-cli-more-basic-commands-to-manage-xg

Every old school Engineer loves CLI. Who came from Cisco's World or C programming, cannot give up to command line!

[8-|]
Cancel
Vote Up 0 Vote Down

Cancel

Children

No Data