
XG v17: what's coming next

Hi Everyone, 

You're all overdue for an update on current and next steps, so I wanted to take some time to share a brief update. Since v16 launched last year, we've seen a huge increase in deployments worldwide! It's great to see that the feedback and effort you've provided has really been helpful to shape a successful v16 launch! Thank you to everyone who has used XG, and shared your feedback. It's been immensely valuable, and a big factor in the success thus far.

We've also launched v16.05 (also called 16.5 sometimes, by lazy people like me...) which closed off the last high-level feature gap between XG and UTM9. I've seen some questions on why this release didn't contain more, so I'll take a moment to go over why we released only what we did.

Earlier in 2016, we launched Sophos Sandstorm on both UTM9 and Sophos Web Appliance, to MUCH greater success than we had initially expected. This resulted in far greater demand to launch it on XG, and left us with a tough choice. We could delay v16 significantly, or leave Sandstorm until v17, as originally planned. We believed that delaying v16 by even a few more months, would have caused significant problems for our existing XG partners, and waiting until v17 to launch Sandstorm was just too far out. With that in mind, we looked at what it would cost to deliver Sandstorm sooner. Our web and email teams were already going to begin working on Sandstorm as soon as they finished with v16, so if we limited the features in a release to just Sandstorm, a 16.05 release was possible, without causing a meaningful delay to v17. If we included more features, quality testing would take too long. With this in mind, we decided to launch a highly focused 16.05 release, dedicated to delivering Sophos Sandstorm by end of December. This would get 16 out when it was needed, and also get Sandstorm out close enough to the 16 launch, that we could reduce the problems caused by 16 not having it. So far, the decision has proven to be justified, as the launch of 16.05 has significantly accelerated the already fast growing v16. This sort of smaller feature release, on a fast timetable, isn't something we normally want to do - but in this case, the circumstances called for it.  

While our web and email teams were working on v16.05, the rest of our teams began working on v17, and we're marching towards a beta start around April or May. I can't go into too much detail on all of it just yet, but here are some of the highlights of what you can expect:

  • Troubleshooting and Visibility
    • Improved log viewer v2 - Unified view of all log sources, better filtering and searching, improved readability and display of log contents, unified view of live and historical logs
    • Improved Log Retention - Persistent storage of logs, retained for 1-2 weeks, to improve troubleshooting issues that are days old
    • More insightful log contents - firewall logs will now log meaningful reasons for "invalid" packet drops, web logs will include more details for troubleshooting
    • Rich Policy Test - Enter criteria to check, such as source, destination, user, etc., and find out what firewall rule will allow or block it, what policies will be applied, and for web traffic, a full analysis of what rule within the web policy will be matched, and what action will be shown to the user
  • Firewall Rule Management - slimmer layout, custom grouping, cool design
  • IPsec VPN engine Improvements - IKEv2, Suite-B protocols, Reliability Upgrades
  • NAT Business rule improvements - Object based, more familiar to UTM9 users, more powerful
  • Synchronized Security - game-changing for application control
  • Email - UX Improvements, Spam improvements, Outbound relay
  • Web - streaming improvements, faster content filtering
  • Zero-touch firewall deployments (not strictly part of v17, but part of a parallel project)
  • Licensing and Registration - more usable, less mandatory

This forum has a heavy hand in what shapes our roadmap, but it isn't the only source. For example, I and other PMs have frequent calls with customers and partners, and even competitors' customers and partners. Usability study participants, Sophos support, and ideas.sophos.com also contribute valuable feedback. Quite often these sources are at odds with the community feedback. It rarely differs in whether a feature is desirable or not, but it often differs in importance, and we have to factor all of it into our planning.

I mention this, because I know that after reading the above list, there will be immediate questions about "what about feature X?", or "Why not feature Y?". To that, I say:

  • If we're not doing it in v17, we're more than likely still planning it, but the order of priority might be different than you prefer
  • Some of you will disagree with one feature being chosen over another, and perhaps even disagree very strongly. Just know that this doesn't mean we're ignoring your feedback. The majority of the features and focus of v17 are driven by requests coming from these forums. We're listening!
  • The above list isn't exhaustive, or detailed. What you're looking for might still be planned for v17, but I can't outline all the details just yet. Stay tuned for the start of beta.

Finally, I want to call out a group of features I know you're going to ask about: renaming/disabling interfaces, and other objects. It's obviously important, and highly desired in the community. Some more enabling/disabling options may be added in v17, but not interfaces, and there won't be improvements in what you can rename just yet, either. I know it's a big annoyance for some of you not to have those features, but we need to do it right. (Bring on your Apple copy/paste analogies.. :) ) I worked with the teams to see if we could come up with a plan that included at least interface enabling/disabling in v17, but it wasn't practical. There are hidden costs that aren't obvious, and there are also other projects in the works that will significantly reduce those costs. At the risk of being too much of a tease in this post, we have a plan to implement enable/disable, renaming, and many other UI usability niceties everywhere. It depends on completing a project that's been in the works for a while, that I can't discuss just yet. Rest assured, it's all coming, and you're going to like the results! Be patient, and stay tuned!

Best Regards,

Alan Toews

Sr. Product Manager, XG Firewall

One last tease.. 

  • No arguments there!  I made the mistake two years ago of drinking the KoolAid, being new to Sophos and looking for a different firewall vendor just to broaden my offerings.  I had a nine site installation I was going to do Sonicwall, but the client already had the Sophos ES1100 and endpoint, so figured it would be a good fit.  That installation ranks as one of the very worst experiences in thirty years in IT.  I can't count the unbilled hours getting the XG to do basic things, and the untold time, lost productivity to the customer, etc. while figuring out broken things like Win 10 updates totally jamming the Internet due to XG's security features, security features which seemed to do nothing, total lack of visibility, and on and on and on.  I upgraded my in-house NFR unit to V17, and didn't see nearly the overhaul I was hoping for, plus with the news that it was breaking a lot of S2S VPN I wasn't going to roll it at that client.  Luckily that client just got bought out and the new owner will likely replace everything with their standards and I can wash my hands of it.  I recently sold my NFR unit and will never touch anything from Sophos again.  The only reason I'm even responding to this was because I still had auto-notifications set for this thread from way back and have been skimming the recent spurt of posts out of some morbid curiosity.

  • I've been wondering how the updates have been since I tried to switch from SonicWall to XG over a year ago.  Luckily I didn't waste time and removed them and sent them back in time for a refund.  What a disaster XG seems to be!

  • We have recently migrated from Fortigate to Sophos XG (cost factor) and the product is full of disappointment. This is nowhere near an enterprise standard. I cannot understand how Sophos could release v17 without testing IPSEC VPN.  Sophos XG is nowhere near any enterprise firewall with respect to stability.

  • Hah, I can't understand how V15 & 16 made it out the door.  I think at least V15 was not positioned as a fully baked product, but nearly two years after V16 released I'd have to call the whole thing very much in the developmental stage, and from the high level view, don't think it is ever going to be right. As lferrara stated, the foundations of the code seem to be greatly flawed, and it's hard to build a house on sand.

  • I understand VPN is provided by StrongSwan https://www.strongswan.org/ and wireless by OpenWRT https://openwrt.org/ ...  It may be the same idea with the remaining modules of XG.  So who's writing the code, really?

  • It is truly disheartening to read a veteran like Luk (lferrara) is hanging it up.

    I have shared my mind on the subject of XG several times, but I'll summarize it again.  As a customer, I am satisfied with what I am getting with XG for the money.  I have stated before that I am paying far less than I paid for Cisco Meraki MX firewalls and I get a lot more, and the Cisco Meraki MX firewalls had their own problems, so I accept the premise that no software is perfect and that sometimes, bugs happen.

    Having said that, v17 has been, from my perspective, a bit disappointing.  I think we were all hoping that with the improvements in v16, that we were really going to see some momentum with v17 and it hasn't really translated.  I have personally had problems with v17 that I did not have in v16.  First there was the lockup problem with 17GA (that bug bit me).  After I rolled back to v16, when I went to upgrade to v17 again after the lockup bugs were dealt with, the upgrade blew up my XG so bad that I had to re-image it entirely.  Luckily I had a good backup and restored and so I was back in business.  A week ago I had the awarrenhttp service crash out of nowhere (I had not made any changes to the XG in days) and I was unable to restart it (503 error when trying from the CLI), I had to reboot the appliance to get it back running.  And while I don't use it anymore (thankfully), the IPsec woes are frankly indefensible.  I appreciate changing to a new engine brings challenges but it is a total failure in the entire process that it a) made it through the beta in this broken manner and b) 6 maintenance releases later still doesn't work well or reliably.  IPsec isn't exactly cutting edge tech and it is definitely something that many use.  

    Lastly, there is a perception out there in the power user community at least that XG does not have feature parity with UTM and that that was something that has been promised several times now.  There is still no migration tool from UTM.  There is also a perception that it is missing useful features that other products have.  I am not here to judge what feature it should or should not have, although some that are missing (anti-port scan, DHCPv6-PD for instance) seem to be even in cheap Chinese home routers, so it is a bit difficult to understand why they are missing in action in an enterprise grade product.  I would also add that I find the reporting capabilities extremely disappointing.  The graphs are pretty but drilling down into the data and getting actually useful, in depth information is difficult to impossible.

    I am hopeful that things will improve and we will start seeing these things delivered, but I definitely understand the frustrations that some in the community are feeling.

  • I feel your pain.  Thanks for all your previous comments.

    XG 17 MR6 = crap vs. UTM IS gold!

    I can't get port 443 to open to a hosted service for a major client on XG

    Been down for 3 days.  Sophos to call back -- they have not.  Day 3!!!!!!!!!!!!!  FFS.  I don't want to go to work today.  5:30 AM client rang.  Very angry.

  • This has been about 1.5 years ago, but twice when I called support they called back at like 2-3am!  Really?  Are you freakin' kidding me?  Suffice to say I missed their calls. 

  • Since about 16.5 I've preferred XG over UTM9, and I groan a little inside every time I need to do something on a UTM9 box. XG is just so much easier to manage once you shake off the old UTM9 way of thinking (this took me a while).

    The IPSEC issues that were introduced around v17 were definitely annoying, but for XG<->XG tunnels I moved over to RED tunnels which are far better as you get an actual interface. The small number of XG<->other tunnels that had to stay on IPSEC definitely caused some pain though. But it's not like this never happened with UTM9 - a new UTM9 release caused the web proxy to crash several times a day under high load and it was a long time before we got it fixed. This was way worse than having a tunnel that occasionally fails to start.

    I was waiting anxiously for the promised UTM9 -> XG migration tool, but now I really don't think I'd use it. I can't see how it could take a config from UTM9 and put it into XG without the result being an unmaintainable mess - the two things are just too different. Give me something that can export the network and host definitions to a spreadsheet where I can review them, and then import them into XG. I'll rewrite the rules myself.

    My wishlist at the moment is:

    • Proper commandline ping instead of that half baked busybox version
    • SSH direct to a shell, instead of into that silly menu
    • commandline accessible (and grep-able) firewall logs. Actually this is probably something I can do myself with appropriate psql commands but I haven't tried yet
    • NTP server to keep all my switches with the right time without having to allow them access to servers or to the internet

    But most of those should come when XG actually hits feature parity with UTM9.

    James

  • I came from the Microsoft ForeFront TMG world and also helped manage a couple of older Astaro firewalls.   I trial ran a Meraki MX and a Sophos XG v15.  Quite honestly, after working out some little bugs, the Sophos XG product has been extremely stable for us.  The Meraki was a piece of crap... one of the worst firewalls I ever had to work on (simply didn't do what they said it would).

    Our HQ is still running 16.05.6 because I've been lazy (and we have a bunch of IPSec tunnels) but all our sub offices are running the latest v17.  If they would finally get the ability to disable "unsafe" ciphers into the UI then my wish list would be complete (https://community.sophos.com/products/xg-firewall/f/firewall-and-policies/84480/failing-pci-scans---how-do-i-disable-tls-1-0-and-block-des-3des).  But with that said, each update seems to be more stable and add more features than the last.

    I can't imagine going back to the UTM/Astaro interface after working with the XG for the last couple years.

    A lot of points people are raising are valid but luckily don't affect me and overall I'm happy with the XG product especially compared to the alternatives out there that are either 5x the cost or don't do what they say they do.