
XG v17: what's coming next

Hi Everyone, 

You're all overdue for an update on current and next steps, so I wanted to take some time to share a brief update. Since v16 launched last year, we've seen a huge increase in deployments worldwide! It's great to see that the feedback and effort you've provided have really been helpful in shaping a successful v16 launch! Thank you to everyone who has used XG and shared your feedback. It's been immensely valuable, and a big factor in the success thus far.

We've also launched v16.05 (Also called 16.5 sometimes, by lazy people like me..) which closed off the last high-level feature gap between XG and UTM9. I've seen some questions on why this release didn't contain more, so I'll take a moment to go over why we released only what we did.

Earlier in 2016, we launched Sophos Sandstorm on both UTM9 and Sophos Web Appliance, to MUCH greater success than we had initially expected. This resulted in far greater demand to launch it on XG, and left us with a tough choice. We could delay v16 significantly, or leave Sandstorm until v17, as originally planned. We believed that delaying v16 by even a few more months would have caused significant problems for our existing XG partners, and waiting until v17 to launch Sandstorm was just too far out. With that in mind, we looked at what it would cost to deliver Sandstorm sooner. Our web and email teams were already going to begin working on Sandstorm as soon as they finished with v16, so if we limited the features in a release to just Sandstorm, a 16.05 release was possible without causing a meaningful delay to v17. If we included more features, quality testing would take too long. With this in mind, we decided to launch a highly focused 16.05 release, dedicated to delivering Sophos Sandstorm by the end of December. This would get 16 out when it was needed, and also get Sandstorm out close enough to the 16 launch that we could reduce the problems caused by 16 not having it. So far, the decision has proven to be justified, as the launch of 16.05 has significantly accelerated the already fast-growing v16. This sort of smaller feature release, on a fast timetable, isn't something we normally want to do - but in this case, the circumstances called for it.

While our web and email teams were working on v16.05, the rest of our teams began working on v17, and we're marching towards a beta start around April or May. I can't go into too much detail on all of it just yet, but here are some of the highlights of what you can expect:

  • Troubleshooting and Visibility
    • Improved log viewer v2 - Unified view of all log sources, better filtering and searching, improved readability and display of log contents, unified view of live and historical logs
    • Improved Log Retention - Persistent storage of logs, retained for 1-2 weeks, to improve troubleshooting issues that are days old
    • More insightful log contents - firewall logs will now log meaningful reasons for "invalid" packet drops, web logs will include more details for troubleshooting
    • Rich Policy Test - Enter criteria to check, such as source, destination, user, etc. and find out what firewall rule will allow or block it, what policies will be applied, and for web traffic, a full analysis of what rule within the web policy will be matched, and what action will be shown to the user
  • Firewall Rule Management - slimmer layout, custom grouping, cool design
  • IPsec VPN engine Improvements - IKEv2, Suite-B protocols, Reliability Upgrades
  • NAT Business rule improvements - Object based, more familiar to UTM9 users, more powerful
  • Synchronized Security - changing game for application control
  • Email - UX Improvements, Spam improvements, Outbound relay
  • Web - streaming improvements, faster content filtering
  • Zero-touch firewall deployments (not strictly part of v17, but part of a parallel project)
  • Licensing and Registration - more usable, less mandatory

This forum has a heavy hand in what shapes our roadmap, but it isn't the only source. For example, I and other PMs have frequent calls with customers and partners, and even competitors' customers and partners. Usability study participants, Sophos support, and ideas.sophos.com also contribute valuable feedback. Quite often these sources are at odds with the community feedback. It rarely differs in whether a feature is desirable or not, but it often differs in importance, and we have to factor all of it into our planning.

I mention this, because I know that after reading the above list, there will be immediate questions about "what about feature X?", or "Why not feature Y?". To that, I say:

  • If we're not doing it in v17, we're more than likely still planning it, but the order of priority might be different than you prefer
  • Some of you will disagree with one feature being chosen over another, and perhaps even disagree very strongly. Just know that this doesn't mean we're ignoring your feedback. The majority of the features and focus of v17 are driven by requests coming from these forums. We're listening!
  • The above list isn't exhaustive, or detailed. What you're looking for might still be planned for v17, but I can't outline all the details just yet. Stay tuned for the start of beta.

Finally, I want to call out a group of features I know you're going to ask about: renaming/disabling interfaces, and other objects. It's obviously important, and highly desired in the community. Some more enabling/disabling options may be added in v17, but not interfaces, and there won't be improvements in what you can rename just yet, either. I know it's a big annoyance for some of you not to have those features, but we need to do it right. (Bring on your Apple copy/paste analogies.. :) ) I worked with the teams to see if we could come up with a plan that included at least interface enabling/disabling in v17, but it wasn't practical. There are hidden costs that aren't obvious, and there are also other projects in the works that will significantly reduce those costs. At the risk of being too much of a tease in this post, we have a plan to implement enable/disable, renaming, and many other UI usability niceties everywhere. It depends on completing a project that's been in the works for a while, that I can't discuss just yet. Rest assured, it's all coming, and you're going to like the results! Be patient, and stay tuned!

Best Regards,

Alan Toews

Sr. Product Manager, XG Firewall

One last tease.. 

  • It has been more than a year since this post was published. 2017-1-25 in fact. Maybe some will dare to take time to re-read it. It gives the impression we are stuck frozen in time.

    PJR

  • You're right, it's been a while since this post, and feature-wise, only v17 has shipped since then. Looking back at the past year of development and releases, we started off with XG in a bit of a rough place from a quality standpoint. It was generating more support calls per customer than it should have, for several reasons. Some of it, was just because the platform is very different from UTM9, but a big portion was driven by issues in the software. We needed to make some improvements to how we write software, before we raced ahead much faster.  

    We've spent a great amount of effort making sure that the foundation is solid, even getting to a point where XG's measurable quality exceeds UTM9 and other Sophos products. We then moved on to v17 and further feature development, while also holding to higher quality standards. We took a hit on feature velocity while we did that, so yeah, we have taken longer to get to where we are now than we wanted to. As a result, we decided to add a few smaller feature releases to hold users over until v18 is ready. v17.1 will ship in the coming weeks, and v17.2 and .3 will follow later this year, each making asked-for improvements and adding important new features. 17.1, for instance, among many other things, will allow configuration of the SSL VPN port. You should see some increase in feature velocity this year.

  • Please PM me any cases you did report on this. What you describe in those threads is not possible, unless something is horribly wrong with the configuration on the system. The logs showed rule ID 3 with an action of Allow, but your screenshot showed rule ID 3 with an action of Drop, and a traffic counter that shows 0 bytes of traffic in one direction. This suggests that the rule is not permitting anything to pass, or both directions would be non-zero. If traffic is still being logged in association with that rule as allowed, then there is something wrong that other users aren't reporting. If you can share a related case number with me, I will dig into it with support and engineering, and see where the issue may be.

    As for measurable quality, you will always be able to point to some issue and say "but what about this?" When I say we are measurably at or better than UTM9, it means that XG causes fewer calls to support per install, fewer escalations per number of cases, and fewer bugs per number of installs. XG quality is measurably improved over previous versions, as well as UTM9.

  • Dear All,

    My understanding from forum quotes is that those coming from the Cyberoam world and those coming from the UTM world feel XG is not up to the mark, and so on: 'a mixed reaction'. My personal user experience is very good, except for some hiccups on the VPN side. Overall build quality has improved throughout the last year. Integration with the endpoint is a killer feature. I am able to safely manage more than 500 users as a one-person army. Looking forward to a good product roll-out this year from the Sophos stable.

    Best Regards,

    Vishvas

  • I sent my coordinates ...

  • Thanks for that, and replied in kind. For the broader audience, the issue in that case is not a security issue. Traffic automatically allowed by the firewall, such as connections from the firewall itself, would normally match firewall rule 0, but be allowed by automatic exceptions to allow the firewall to function. By adding an any/any/drop rule (which is generally a good idea for troubleshooting and general visibility), it can happen that those items get associated with the new rule, rather than rule zero, and are logged as such. The confusion happens because they are correctly logged as allowed, but associated with a user-created drop rule. Thanks for reporting that; we'll look into how to improve that.

  • Hi

    Like many others here, I have been a fan of Sophos since the UTM and early endpoint days. I bought into the XG promise of end-to-end security, simpler management, etc. and have been sorely disappointed. At first, it was adjusting to the new OS and little quirks. Beyond that, there are quirks that are fundamental limitations with these devices. Not reliably supporting Child SAs on a multi-subnet VPN under IKEv2 seems like very basic functionality, and most other vendors have this solidly supported. Not being able to use 3rd party MFA for VPN connections due to timeout limitations is nuts and this should be doable. I'm tired of sheepishly supporting these devices when I can't leave town without worrying about a tunnel falling apart. I had to re-architect my network to support creating a class B to class B VPN since the XG wouldn't reliably create the Child SAs for a tunnel. At this point, I've invested WAY too much time and duct tape trying to get this to work. I'll most likely be moving to a different product shortly. BTW the Security Heartbeat never worked reliably enough for me to turn it on; I'd have people getting locked out all day.

    I'm hopeful Sophos can get their act together and make these great devices but at the current pace we're talking maybe 2020 - I can't wait that long for peace of mind.

    -Matt

  • AlanT,

    thanks for your update. Regarding the calls, people are not even calling support for XG issues, as they are in the queue for more than 30 minutes. I personally received a PM saying, "can you help me to get support for XG? I called support and the queue is very, very long. More than 30 minutes." After the 30 minutes, people are just bounced from one person to another.

    UTM9 is more reliable because it has stronger pillars than XG has. You are trying to reinvent the wheel with XG and time goes by, resources, efforts and so on. I personally don't believe in XG anymore. So many issues. Logging has improved but there are still some issues in finding the reason. For example, with VPN, you need to check several logs to understand why the S2S does not come up. OTP does not work if the CAA is used. Marketing is very good at deceiving customers. Yes, XG is recognized by NSS Labs as one of the best products, but take experience from the field and not from benchmarks where always the same tests are performed. In the beginning, you guys performed phone calls to partners on how to improve the XG, roundtables, webinars to hear feedback, and this does not happen anymore.

    I am not participating in the community anymore and soon I will leave the community (I will write a proper thread very soon...) because you destroyed a dream, a project. You are spending time to release feature sets on a foundation that has so many cracks. CASB in 17.1? Just because the competition has released the feature you are doing the same. This castle will fall down soon. You are promising a new release v18 next year....quite late. 5 years after the Cyberoam joint adventure. 5 years are a lot. I know you cannot say otherwise but the reality is this. See Skype: if you use decrypt and scan, you need to add an exception list manually. App control, what is it doing? I wrote to support saying please write a proper KB and include the exception list in a future release or inside a pattern update.....In 2018, we still need manual exceptions for certain applications.

    Please do not ask what the motivations for the bad things are, because there are so many on the community. I believed in this project at the beginning as many others did, but I lost hope as many others did, and when people, customers, lose hope, they will not come back to Sophos again. The only products which are performing well at the moment are Intercept X and Sophos Endpoint cloud.

    XG is the worst!

  • No arguments there! I made the mistake two years ago of drinking the Kool-Aid, being new to Sophos and looking for a different firewall vendor just to broaden my offerings. I had a nine-site installation I was going to do with SonicWall, but the client already had the Sophos ES1100 and endpoint, so I figured it would be a good fit. That installation ranks as one of the very worst experiences in thirty years in IT. I can't count the unbilled hours getting the XG to do basic things, and the untold time, lost productivity to the customer, etc. while figuring out broken things like Win 10 updates totally jamming the Internet due to XG's security features, security features which seemed to do nothing, total lack of visibility, and on and on and on. I upgraded my in-house NFR unit to V17, and didn't see nearly the overhaul I was hoping for, plus with the news that it was breaking a lot of S2S VPNs I wasn't going to roll it out at that client. Luckily that client just got bought out and the new owner will likely replace everything with their standards and I can wash my hands of it. I recently sold my NFR unit and will never touch anything from Sophos again. The only reason I'm even responding to this was because I still had auto-notifications set for this thread from way back and have been skimming the recent spurt of posts out of some morbid curiosity.

  • I've been wondering how the updates have been since I tried to switch from SonicWall to XG over a year ago. Luckily I didn't waste time and removed them and sent them back in time for a refund. What a disaster XG seems to be!

  • It is truly disheartening to read a veteran like Luk (Iferrara) is hanging it up.

    I have shared my mind on the subject of XG several times, but I'll summarize it again.  As a customer, I am satisfied with what I am getting with XG for the money.  I have stated before that I am paying far less than I paid for Cisco Meraki MX firewalls and I get a lot more, and the Cisco Meraki MX firewalls had their own problems, so I accept the premise that no software is perfect and that sometimes, bugs happen.

    Having said that, v17 has been, from my perspective, a bit disappointing. I think we were all hoping that with the improvements in v16, we were really going to see some momentum with v17, and it hasn't really translated. I have personally had problems with v17 that I did not have in v16. First there was the lockup problem with 17GA (that bug bit me). After I rolled back to v16, when I went to upgrade to v17 again after the lockup bugs were dealt with, the upgrade blew up my XG so badly that I had to re-image it entirely. Luckily I had a good backup and restored, and so I was back in business. A week ago I had the awarrenhttp service crash out of nowhere (I had not made any changes to the XG in days) and I was unable to restart it (503 error when trying from the CLI); I had to reboot the appliance to get it back running. And while I don't use it anymore (thankfully), the IPsec woes are frankly indefensible. I appreciate that changing to a new engine brings challenges, but it is a total failure in the entire process that it a) made it through the beta in this broken manner and b) 6 maintenance releases later still doesn't work well or reliably. IPsec isn't exactly cutting-edge tech and it is definitely something that many use.

    Lastly, there is a perception out there, in the power user community at least, that XG does not have feature parity with UTM, and that was something that has been promised several times now. There is still no migration tool from UTM. There is also a perception that it is missing useful features that other products have. I am not here to judge what features it should or should not have, although some that are missing (anti-port scan, DHCPv6-PD for instance) seem to be even in cheap Chinese home routers, so it is a bit difficult to understand why they are missing in action in an enterprise-grade product. I would also add that I find the reporting capabilities extremely disappointing. The graphs are pretty, but drilling down into the data and getting actually useful, in-depth information is difficult to impossible.

    I am hopeful that things will improve and we will start seeing these things delivered, but I definitely understand the frustrations that some in the community are feeling.

  • Since about 16.5 I've preferred XG over UTM9, and I groan a little inside every time I need to do something on a UTM9 box. XG is just so much easier to manage once you shake off the old UTM9 way of thinking (this took me a while).

    The IPsec issues that were introduced around v17 were definitely annoying, but for XG<->XG tunnels I moved over to RED tunnels, which are far better as you get an actual interface. The small number of XG<->other tunnels that had to stay on IPsec definitely caused some pain though. But it's not like this never happened with UTM9 - a new UTM9 release caused the web proxy to crash several times a day under high load and it was a long time before we got it fixed. This was way worse than having a tunnel that occasionally fails to start.

    I was waiting anxiously for the promised UTM9 -> XG migration tool, but now I really don't think I'd use it. I can't see how it could take a config from UTM9 and put it into XG without the result being an unmaintainable mess - the two things are just too different. Give me something that can export the network and host definitions to a spreadsheet where I can review them, and then import them into XG. I'll rewrite the rules myself.

    My wishlist at the moment is:

    • Proper command-line ping instead of that half-baked busybox version
    • SSH direct to a shell, instead of into that silly menu
    • Command-line accessible (and grep-able) firewall logs. Actually this is probably something I can do myself with appropriate psql commands, but I haven't tried yet
    • NTP server to keep all my switches with the right time without having to allow them access to servers or to the internet

    But most of those should come when XG actually hits feature parity with UTM9

    James