UTM to XG views?

I know this has probably been done to death on this forum, but this morning I decided to have another look at XG (v16).

The jury is still out for me. I know that with all new OSes you can struggle to find your way around until you become used to them.

At this time, I'm not quite warming to XG but maybe that is me. I prefer the UTM obviously because I'm used to it.

So, from the experienced users who have switched over from UTM or maybe switched back to UTM, what are your thoughts?



  • XG is pretty good if you test it as a completely new product unrelated to UTM9. The way things are done in XG is completely different from UTM9, and once you get past the GUI that some of us find difficult, it's actually pretty good. The main problem is the firewall page; it's so configurable, with so many switches that are further tuned in so many different places, that I think most people don't realize how powerful the firewall/NAT/web filtering/IPS/QoS is. I personally wouldn't choose any other freely available distro, including IPFire, pfSense, OPNsense, or Untangle, over XG.

    Here is my review of XG compared to UTM9 after a few weeks of usage.


    PROS:

    1. Web filtering is faster, easier, and more powerful in XG. 

    2. QoS is far superior in XG. Although I wish they added CoDel support. Maybe v17.

    3. Built in live reporting is pretty good. 

    4. IPS is far more configurable compared to UTM9.

    5. Packet capture is a unique feature that they carried over from cyberoam which comes in handy sometimes.

    6. Firewall rules/NAT are much easier to write, and then you can apply these rules to users, apply web filtering or application filtering to the same rule, apply QoS by firewall policy, QoS by web filter rule, application rule or username, ALL IN ONE FIREWALL RULE. This is so powerful and highly configurable that I can't praise Sophos enough for their forward thinking. Once you understand all the relationships in the firewall section, you will wonder how you worked without this previously.

    There are other areas, but these are the ones I have mainly tested.

    CONS

    1. Logging sucks. If you are having problems, good luck finding the cause. This makes it very easy to make the very powerful webfiltering/firewall section so complicated that you will have trouble fixing your own firewall rules.

    2. MTA is a new addition but nothing like UTM9 and I wouldn't use XG for securing an email server.

    3. The dashboard looks good at first glance, but other than showing info about new applications it is pretty static and useless.

    4. I haven't tried WAF, I assume it is comparable to UTM9 but due to bad MTA in v16, I use UTM9 for protecting all my servers.

    5. DNS/DHCP are nowhere near as granular as in UTM9.

    6. Other basic daemons like NTP are missing, DDNS clients are not as complete as in UTM, and there are other little things that make XG feel incomplete/weak.

    There are other items, but to me logging is what seriously hurts XG. There was a good thread during the beta: https://community.sophos.com/products/xg-firewall/v16beta/f/sfos-v16-beta-feedback/78908/v16-what-is-still-missing

    So, to sum it up, would I move from UTM9 to XG? For small deployments where you only need webfiltering, qos, and basic authentication XG is more than ready and capable. For larger deployments where they have in house servers etc, I would stick with UTM9. 

  • Bill, I feel like I would miss the possibility of using grep to find things that require complex searches. I wouldn't have the ability to make a quick change on a client's UTM instead of having to log in to the GUI and navigate. Etc. etc. etc.

    Old programmer that I am, will I have tools to find the same things in an environment where I can't make a query like:

    cc get_objects_using_object REF_AaaUseBalfson

    Are there any such shortcuts available to someone that supports an XG client?

    Cheers - Bob

  • Bob,

    Fortunately, on XG (for now) we still have most of the basic Linux commands (cat, awk, sed, grep, tail, less, more).

    Also, what I like about XG (compared to UTM9) is that there is a true command line (you can now change network IP addresses, restart services, change BGP, HTTP proxy and other settings from the CLI easily) and an API. You can create, edit and delete objects using the API.

    At the moment the list of XG commands is not very long or complete (you cannot create objects from the XG CLI), but I hope that they will add more and more commands in the next releases.

    Here is the feature request to have more XG CLI commands:

    http://ideas.sophos.com/forums/330219-sophos-xg-firewall/suggestions/10873362-cli-more-basic-commands-to-manage-xg

    Every old-school engineer loves the CLI. Whoever came from Cisco's world or C programming cannot give up the command line!

  • Hi Bob, great to finally see you on the XG side. Luk has pretty much answered your question, but I would like to add a couple of things.

    XG offers shell access, although I don't like some things, like the "top" command, which doesn't offer all the functions it does in UTM. XG also has a dedicated console, which is the cc equivalent in XG. The cc system was added somewhere in v8 if I remember correctly. For me, the best thing about cc is that all the changes made using cc are backed up during a normal backup. I am not sure if changes made via the console are registered during a backup. Also, the conf daemon is very smart in UTM9: if you are using a certain item and want to delete it, UTM9 tells you exactly where that item is being used. Unfortunately XG is not so smart, and it still gives generic warnings when making changes, deleting items, etc.

    Another thing that has taken quite a bit of getting used to is the ACL system in XG.

    In UTM9, each daemon is configured independently: you turn on DNS and the allowed networks are right there. In XG, you set up DNS and then go looking for ACLs to grant access to your zones. There are numerous threads here where people don't know why, when they turn on the MTA, the server denies mail... because the ACL hasn't been set to allow SMTP traffic. On the plus side, XG shows you the DNAT rule that is created by the MTA and you can move it up or down, unlike UTM9, where automatic DNATs kept many admins working long hours before the official Rulz thread was published: https://community.sophos.com/products/unified-threat-management/f/general-discussion/22065/rulz

    It gets worse. Once I got used to the GUI, I tried testing VPN. PPTP was easily available on my iPhone, so I gave it a try. I was going to look at my ACLs first, but the VPN ACLs weren't there. I had to configure the PPTP VPN first because, since the interface didn't exist for VPN, neither did the ACL. But my iPhone kept on refusing to connect and the logging wasn't helping... a little tail -f of the pptp log showed the client connected for a second and disconnected. Googled "cyberoam pptp vpn" and aha... You can change your PPTP encryption to NONE on your phone, or enter the following command via the console on your XG, and the VPN works:

    set vpn pptp authentication MS-CHAPv2 encryption STRONG

    PPTP is bad enough, but MS-CHAPv2 is not enabled by default? I was going to test SSL VPN but didn't see an easy way to change the SSL port. It may be hidden somewhere, but it wasn't easily available like in UTM. I also didn't find a way to download an apk for my OpenVPN client on my iPhone. Granted, it's not easy to find where the client downloads are on UTM either if you are not using the user portal.

    Sorry for going on a rant. XG has so much potential, but after they tried to cram the whole Cyberoam system into the minimalistic GUI of v15, they have recovered some with v16. However, certain things that seem so easy to find even for a novice admin in UTM9 are hidden in XG.

    Who hides NAT under System > Profiles or Traffic Shaping under System Services... Sophos XG.

    Regards
    Bill

    P.S. Waiting on your initial review of v16... 
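The "connects for a second and disconnects" symptom Bill describes above is the classic PPTP negotiation mismatch: the client insists on MPPE encryption, the server has not enabled MS-CHAPv2 (the only PPTP authentication method that yields MPPE key material), so the tunnel authenticates and is then torn down. The following is an added example, not code from the forum post or from Sophos, that triages pppd-style log lines for exactly this case. It assumes pppd's standard log strings for CHAP authentication and MPPE (CCP) negotiation and a plain syslog prefix; the sample log is constructed for the example, not captured from a real XG box. Note that even the "fixed" configuration (MS-CHAPv2 + MPPE) is only the least-bad PPTP option: MS-CHAPv2's challenge/response reduces to DES keys that are practical to brute-force, which is why PPTP as a whole is considered broken.

```python
"""Triage pppd/pptpd-style log lines for the PPTP "connects then drops" symptom.

Added example, not from the forum post or from Sophos. It assumes pppd's
standard log strings for CHAP authentication and MPPE (CCP) negotiation and
the usual syslog "host prog[pid]:" prefix; SAMPLE_LOG below is constructed.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# syslog prefix, e.g. "Mar  3 10:01:13 xg pppd[4121]: <message>"
LINE_RE = re.compile(
    r"^\w{3}\s+\d+\s+[\d:]+\s+\S+\s+(?P<prog>\w+)\[(?P<pid>\d+)\]:\s+(?P<msg>.*)$"
)
AUTH_RE = re.compile(r"^(MS-CHAP-V2|CHAP|PAP) authentication (succeeded|failed)")
MPPE_OK_RE = re.compile(r"^MPPE \d+-bit (stateless |stateful )?compression enabled")


@dataclass
class Session:
    pid: str
    auth: Optional[str] = None   # authentication method that succeeded, if any
    mppe: Optional[str] = None   # "negotiated", "refused" or "failed"
    terminated: bool = False
    messages: List[str] = field(default_factory=list)

    def verdict(self) -> str:
        """Classify why the tunnel did or did not come up."""
        if self.auth == "MS-CHAP-V2" and self.mppe == "negotiated":
            return "ok"
        if self.auth is None:
            return "auth-failed"
        if self.auth != "MS-CHAP-V2":
            # MPPE keys are derived from the MS-CHAPv2 exchange; PAP/CHAP
            # cannot produce them, so a client that requires encryption
            # drops the call right after authentication succeeds.
            return "weak-auth"
        if self.mppe in ("refused", "failed"):
            # MS-CHAPv2 was fine but the two ends never agreed on MPPE.
            return "no-encryption"
        return "incomplete"


def parse_sessions(log_text: str) -> Dict[str, Session]:
    """Group pppd lines by process id and record auth/MPPE outcome per call."""
    sessions: Dict[str, Session] = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("prog") != "pppd":
            continue  # pptpd control-channel chatter is not needed here
        s = sessions.setdefault(m.group("pid"), Session(m.group("pid")))
        msg = m.group("msg")
        s.messages.append(msg)
        a = AUTH_RE.match(msg)
        if a:
            if a.group(2) == "succeeded":
                s.auth = a.group(1)
        elif MPPE_OK_RE.match(msg):
            s.mppe = "negotiated"
        elif msg.startswith("MPPE required but peer refused"):
            s.mppe = "refused"
        elif msg.startswith("MPPE required but peer negotiation failed"):
            s.mppe = "failed"
        elif msg.startswith("Connection terminated"):
            s.terminated = True
    return sessions


def triage(log_text: str) -> Dict[str, str]:
    """Map each pppd process id to a one-word verdict."""
    return {pid: s.verdict() for pid, s in parse_sessions(log_text).items()}


# Constructed sample: three PPTP attempts. 4142 is the symptom from the post
# (server authenticates with plain CHAP, client requires MPPE and hangs up).
SAMPLE_LOG = """\
Mar  3 10:01:12 xg pptpd[4120]: CTRL: Client 203.0.113.7 control connection started
Mar  3 10:01:13 xg pppd[4121]: MS-CHAP-V2 authentication succeeded
Mar  3 10:01:13 xg pppd[4121]: MPPE required but peer refused
Mar  3 10:01:13 xg pppd[4121]: Connection terminated.
Mar  3 10:02:40 xg pppd[4130]: MS-CHAP-V2 authentication succeeded
Mar  3 10:02:40 xg pppd[4130]: MPPE 128-bit stateless compression enabled
Mar  3 10:03:05 xg pppd[4142]: CHAP authentication succeeded
Mar  3 10:03:05 xg pppd[4142]: Connection terminated.
"""

if __name__ == "__main__":
    for pid, verdict in triage(SAMPLE_LOG).items():
        print(f"pppd[{pid}]: {verdict}")
```

Run it against the output of the `tail -f` Bill mentions (or a saved copy of the pptp log) and a "weak-auth" verdict tells you immediately that the server side is not offering MS-CHAPv2, before you start fiddling with ACLs or the phone's settings.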
