Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 240 replies
  • Subscribers 91 subscribers
  • Views 627503 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

XG v17: what's coming next

AlanT

Hi Everyone, 

You're all overdue for an update on current and next steps, so I wanted to take some time to share a brief update. Since v16 launched last year, we've seen a huge increase in deployments worldwide! It's great to see that the feedback and effort you've provided has really been helpful to shape a successful v16 launch! Thank you to everyone who has used XG, and shared your feedback. It's been immensely valuable, and a big factor in the success thus far.

We've also launched v16.05 (Also called 16.5 sometimes, by lazy people like me..) which closed off the last high-level feature gap between XG and UTM9. I've seen some questions on why this release didn't contain more, so I'll take a moment to go over why we released only what we did.

Earlier in 2016, we launched Sophos Sandstorm on both UTM9 and Sophos Web Appliance, to MUCH greater success than we had initially expected. This resulted in far greater demand to launch it on XG, and left us with a tough choice. We could delay v16 significantly, or leave Sandstorm until v17, as originally planned. We believed that delaying v16 by even a few more months, would have caused significant problems for our existing XG partners, and waiting until v17 to launch Sandstorm was just too far out. With that in mind, we looked at what it would cost to deliver Sandstorm sooner. Our web and email teams were already going to begin working on Sandstorm as soon as they finished with v16, so if we limited the features in a release to just Sandstorm, a 16.05 release was possible, without causing a meaningful delay to v17. If we included more features, quality testing would take too long. With this in mind, we decided to launch a highly focused 16.05 release, dedicated to delivering Sophos Sandstorm by end of December. This would get 16 out when it was needed, and also get Sandstorm out close enough to the 16 launch, that we could reduce the problems caused by 16 not having it. So far, the decision has proven to be justified, as the launch of 16.05 has significantly accelerated the already fast growing v16. This sort of smaller feature release, on a fast timetable, isn't something we normally want to do - but in this case, the circumstances called for it.  

While our web and email teams were working on v16.05, the rest of our teams began working on v17, and we're marching towards a beta start around April or May. I can't go into too much detail on all of it just yet, but here are some if the highlights of what you can expect:

  • Troubleshooting and Visibility
    • Improved log viewer v2 - Unified view of all log sources, better filtering and searching, improved readability and display of log contents, unified view of live and historical logs
    • Improved Log Retention - Persistent storage of logs, retained for 1-2 weeks, to improve troubleshooting issues that are days old
    • More insightful log contents - firewall logs will now log meaningful reasons for "invalid" packet drops, web logs will include more details for troubleshooting
    • Rich Policy Test - Enter criteria to check,such as source, destination, user, etc.. and find out what firewall rule will allow or block it, what policies will be applied, and for web traffic, a full analysis of what rule within the web policy will be matched, and what action will be shown to the user
  • Firewall Rule Management - sliimer layout, custom grouping, cool design
  • IPsec VPN engine Improvements - IKEv2, Suite-B protocols, Reliability Upgrades
  • NAT Business rule improvements - Object based, more familiar to UTM9 users, more powerful
  • Synchronized Security - changing game for application control
  • Email - UX Improvements, Spam improvements, Outbound relay
  • Web - streaming improvements, faster content filtering
  • Zero-touch firewall deployments (not strictly part of v17, but part of a parallel project)
  • Licensing and Registration- more usable, less mandatory

This forum has a heavy hand in what shapes our roadmap, but it isn't the only source. For example I and other PMs have frequent calls with customers and partners, and even competitor's customers and partners. Usability study participants, Sophos support, and ideas.sophos.com, also contribute valuable feedback. Quite often these sources are at odds with the community feedback. It rarely differs in whether a feature is desirable or not, but it often differs in importance, and we have to factor all of it into our planning. 

I mention this, because I know that after reading the above list, there will be immediate questions about "what about feature X?", or "Why not feature Y?". To that, I say:

  • If we're not doing it in v17, we're more than likely still planning it, but the order of priority might might be different than you prefer
  • Some of you will disagree with one feature being chosen over another, and perhaps even disagree very strongly. Just know that this doesn't mean we're ignoring your feedback. The majority of the features and focus of v17 are driven by requests coming from these forums. We're listening!
  • The above list isn't exhaustive, or detailed. What you're looking for might still be planned for v17, but I can't outline all the details just yet. Stay tuned for the start of beta.

Finally, I want to call out a group of features I know you're going to ask about. Renaming/disabling interfaces, and other objects. It's obviously important, and highly desired in the community. Some more enabling/disabling options may be added in v17, but not interfaces, and there won't be improvements in what you can rename just yet, either. I know it's a big annoyance for some of you not have those features, but we need to do it right. (Bring on your apple, copy/paste analogies.. :) ) I worked with the teams to see if we could come up with a plan that included at least interface enabling/disabling in v17, but it wasn't practical. There are hidden costs, that aren't obvious, and there are also other projects in the works, that will significantly reduce those costs. At the risk of being too much of a tease in this post, we have a plan to implements enable/disable, renaming, and many other ui usability niceties everywhere. It depends on completing a project that's been in the works for a while, that I can't discuss just yet. Rest assured, it's all coming, and you're going to like the results! Be patient, and stay tuned!

Best Regards,

Alan Toews

Sr. Product Manager, XG Firewall

 

 

 

One last tease.. 

    



This thread was automatically locked due to age.
Parents
  • 0

    Will there finally be an accurate live bandwidth view to see which users \ IP hosts are using data ?  ie Mikrotik's 'torch' 

  • 0 in reply to AndrewMillard

    AndrewMillard said:

    Will there finally be an accurate live bandwidth view to see which users \ IP hosts are using data ?  ie Mikrotik's 'torch' 

    This is what is so frustrating about XG and I can imagine the prioritization that  has to do on which features need attention right away.

    For example: My old Asus Rt68U that I bought almost 3 years ago as a play toy for the gigabit connection I was getting can:

    1. Use any port for open VPN while XG still cannot.

    2. Has live bandwidth showing which appliance is using how much bandwidth and the total bandwidth being used. I can then control each of those devices right there from the live screen and use sfq, codel, or fq_codel by providing my own limits on either the clients or my total bandwidth. While XG has great granular QoS control, who is using what kind of bandwidth or assigning bandwidth to the interfaces in multi wan configurations is missing.

    So while some of us are asking for the basics that even a 150 dollar router has been providing since 2014, other users are asking about more business related stuff like ikev2, improved vlans, enhanced MTA etc. Plus sophos wants to add their own stuff on top to improve their return on investment. That's how we ended up with XG v16.

    Don't get me wrong, an arm processor based router is not a substitute for a business class intel UTM, but its interesting to see the limits being pushed. Also, to be fair, the MR releases have been coming at a steady pace and the base system has been improving greatly. This gives me hope that sophos is finally getting serious about XG as a contender and not just another firewall with hype.

    While v17 won't satisfy everyone, I am hoping that all the quirks have been fixed by now and we will have a stable, fast, and dependable firewall that is easy to work with and easy to troubleshoot. How successful is sophos in delivering a quality release? We'll all find out soon enough...

    Regards 

  • 0 in reply to AlanT

    Thanks Alan. Personally I still do not like the XG at 100% (70% maybe) because there are some limitations that come from the base. I am sure you learned a lot from community, partners and customers about v15 and v16.

    If you will improve the base and move what you have done until now you will succeed.

    XG at the moment is still cyberoam like (you changed a lot but the os is the same). You have added Sophos features but I am sure you know how to improve and make the XG a better product. With the feature sets XG and UTM you have, XG seems a Ferrari that is running with small wheels and reduced engine.

    We should see the real power into v18+.

    Again, thanks for your time and reply.

    Now we are ready to criticize v17 and improve it.

  • 0 in reply to AlanT

    Hi AlanT,

    Thank you for taking the time to answer my post.

    I have  HE tunnel, so bno IPv6 on the external interface. If you use a IPv6 router on your link then you get IPv6 on the external interface, but not native using PPPoE.

    I will try the XG DNS static function again and see what I was doing wrong with the configuration, I suspect it has to do with using DHCP and clientless devices.

    Ian

    Update:- I found  my new Telstra adsl2+ connection does native IPv6 over DHCP. This is good, I have an IPv6 on the external interface, but there is nowhere that I can see that shows me the assigned /56 for internal use. The other issue I hope that is being addressed is having to create a dummy network both 4 and 6 just to get addresses assigned to the vlans.

    I can get the /56 address range I have been assigned from the UTM, but that is not a good way.

    More updates :- I am going to kill the UTM and build another XG so I can test the IPv6 without upsetting the wife and her facebook activities.

  • 0 in reply to AlanT

    AlanT said:
     
    Bill Roland

    I would just like to add that I hope DHCP-PD gets some priority because this is how most if not all major US cable operators are doling out IPv6 addresses to customer CPE. 

     

     

     

    Understood, though it shouldn't stop you from connecting to such an ISP today (DHCPv6 is supported on XG) but you would have to NAT your local clients, to come from the firewall's IP. 

    DHCP-PD is the top priority IPv6 feature on the XG backlog. 

     

    Is there a document or something that describes how to do this?  How do the clients behind the XG get the IPv6 addresses?

  • 0 in reply to Bill Roland

    I don't think there is a kb on it, but it would really just be exactly the same type of setup that you might do with IPv4, and using a private IP range internally. You can have XG's DHCP give out IPv6 addresses to your clients, and you would enable NAT on your ipv6 firewall rules, to masquerade all of your clients behind the single IPv6 IP that your firewall received. 

  • 0 in reply to AlanT

    hopefully also IPv6 incl. PD over PPPoE (since you have fixed it in UTM recently I hope this comes over)

  • 0 in reply to AlanT

    It would be nice to see a KB article especially when the CPE has an assigned static IPv4 range along with an Assigned IPv6 block. This is how Comcast Business in the U.S. is setup and you have to use their router (firewall disabled).

     

    -Ron

  • 0 in reply to AlanT

    Hi Alan,

    IPv6 tunnels only work when the WAN tunnel interface is numbered with a global address - unnumbered interfaces or numbered interfaces with a local address don't work.

  • 0 in reply to AlanT

    Hi Alan,

    Doesn't work when the ISP's IPv6 deployment assumes the client device performs a DHCP-PD request, hands over a /48 or /56 and expects the client device to carve out a /64 from this for the WAN interface.

    Basically, if you see the following Cisco configuration extract from the ISP:

    interface Dialer0
    ipv6 address ISP-PREFIX ::FF:0:0:0:1/128
    ipv6 enable
    ipv6 dhcp client pd ISP-PREFIX rapid-commit

    then you're currently out of luck getting this working with the XG unless you put the XG into bridge mode and have a DHCP-PD capable router establish the IPv6 connection.

    Good to hear that DHCP-PD is on top of the list - means I don't have to swap out XG Firewalls for pfSense once the subscriptions are up for renewal.

  • 0 in reply to ChrisKnight

    Hi AlanT,

    I have been experimenting with the XG DNS and found a weakness.

    The DNS assumes you have a fixed IP address for internal devices which for servers and printers is good, but for laptops, that doesn't work with DHCP assignments. Assigning names in clientless users  is also a failure with laptops/tablets etc because DHCP hands out different addresses after an XG restart.

    Clientless users a required to manage things like VOIP phones because you cannot use a VLAN id as part of the firewall rules.

    Hoping clientless users have the mail address requirement removed in V17b.

     

    Ian

  • 0 in reply to rfcat_vk

    Ian, No plans to touch clientless users in v17, but we'll address everything you list next year. 

Reply Children