
very poor reuse of objects, inconsistent in general, this SFOS is not production ready

I'm noticing a very very poor reuse of objects in SFOS compared to UTM, which makes the configuration and usability quite a chore..

let's take a simple workflow example:

in UTM you define objects: hosts/network/services(which can be TCP/udp or both) and then group them, then throughout the ENTIRE system you use ONLY those objects.

it's clean, it's simple, it's based on objects, prevents duplications.

on SFOS i check the web proxy settings for target services... and it's a list of ports, already started poorly.

 

another case:

i want to create a simple DNAT!, what do i encounter? i can't select any service by alias, i need to enter PORT or portlist by hand, what the nine hells?!?!, it TOTALLY IGNORES your list of services and has you putting ports by hand, that's mental!, so then you have 100 rules all with ports and you haven't got the foggiest idea WTH is that port for...

worse, it's only TCP OR UDP, WHAT?!?!, in UTM i can do a DNAT rule with MULTIPLE services at the SAME TIME on the same rule and they can be udp AND tcp combined, it does wonders to maintain a tidy ruleset to the same hosts. Here?, nope, duplicated rule already....

¿¡¿¡is this a 10$ Chinese home router or a very expensive security appliance!??!!?

 

so that's two for two where the defined services are NOT used...

 

let's check the services part... the list looks complete, but when you go to groups BZZZTS there's only ONE GROUP, what the HELL is this?!?! absolute fail, UTM has a long list of predefined service groups which are crucial(for example: web browsing group, email services group, vpn protocols, etc). Then again you can waste half a day setting groups only to find out later that you can shove them up your recycle bin because the system won't even use them everywhere else.

 

Another point: web server protection

Let's say i want to publish my Exchange OWA, neat there's a predefined template!, huh.. where do i define my internal server target??, i see path mapping... ELEVEN RULES that you have to configure in a NEW WINDOW ONE BY ONE to select the target server. Sophos, are you kidding me??!?!, why in the nine hells do i have to set a target for EACH PATH who even thought of that... in UTM9 i select the paths and i select a webserver and THAT'S IT, simple, FAST, USABLE. You know what they get with that?, i'll simply do a DNAT to port 443 because setting that convoluted and poorly built rule system is not worth it.

 

Let's see about interfaces: i can't rename them, i put a name but then throughout the system i see "PortA/PortX" what the... i don't care and i don't want to care which PORT it is, that's why i have an "interfaces" tab to map port to whatever thing i want and then use a human friendly name in the rest of the system... JUST LIKE IN UTM. AT LEAST it shows the IP of the port and the mouseover gives you the info, but that's poor, VERY poor, i care about ISP name for example, additional IP, etc., not which port it is in EVERY rule.

 

On the subject of FW rules: there's no way to group rules like in UTM where you then see each rule with a different colour and can group them accordingly, in there it's just a mess of rules.

 

another one: DNS server, ¿where's the access list?, in utm i can select which networks have access to the services of the utm in each service page, in SFOS the closest i can find is the checkbox matrix on administration->device access

and a ton more of stuff i still haven't even found

 

UTM8 is FAR more productive and usable than this SF 16.xx, i'll stick with UTM9 if i can(sadly that's not an option on cyberoam converted devices), the first thing they should've done with SFOS is 99% feature parity with UTM, not release this


