
Shutting XG down until v17 available

I am retiring shortly so will only have 1 data link. So until the XG is closer in functionality to the UTM I will be shutting it down.

Powering it on occasionally just to keep the anti-virus/software etc. updated. I will power it on if somebody wants something specific tested.

Also had to do some work in my UTM and realised how much easier it is to configure when compared to the XG.



  • I got the XGs before I realized all the layer 3 routing I have going on; it's like I need the firewall to be a gateway with 3 ports in a WAN bridge. I got excited earlier but realized I couldn't specify which WAN port to use on the IPsec site-to-site connection.

    Maybe I need to configure the XG in bridge mode and wait for v17 to do more for me, I don't know.

  • I am surprised you stuck with XG for this long. I really gave it another shot after v16 but random things like QoS would stop working after a few days. Fired up the UTM again during the Christmas holidays and it has been rock stable other than one bad Sophos update. I don't know why they are having such a hard time with XG. I guess when the base is unstable/poorly thought through, you can add all the features in the world and the product still sucks.

    Congrats on retirement I guess, hopefully you will have more time to beta test XG17 and maybe, just maybe, they will fix some of the bugs.

  • Hi All,

    I am using XG at home and on some small customers (XG 135) and it is working quite well. It depends on the features you need. Email protection is still poor and troubleshooting is challenging.

    Logging is still a nightmare, IPS sometimes goes to 100% and sometimes you have to disable microapp discovery.

    HTTPS scan and Web Engine are working much better on UTM9. It uses another engine and there is a big difference. For example, on UTM9, ads are always blocked. On XG, even with HTTPS Scan enabled, on YouTube, ads are still displayed. XG needs a lot of improvements, otherwise moving UTM9 users to XG will be difficult... rather, the risk is that UTM9 users move to another vendor!

    Some basic features are still missing but configuring policies in one place is much better. I really hope to see a big improvement in stability on v17 for IPS, WAF.

    Country blocking is not working by design from WAN to LAN. So I agree with you but I have seen a big change from v15 to v16 so I expect to see another big improvement on v17.

    Let's see and wait...

  • Hi Luk, I generally liked XG after using it for a while. It is really not that bad if you don't compare it to UTM9, but I just can't get past certain quirks of XG. As you have mentioned, a lot of people are having trouble with the IPS module in the current version. I generally disable IPS on my home firewalls as a personal choice. However, on XG, layer 7 categorization is tied to IPS. So if you disable IPS from services, your application control rules and application-based QoS rules stop working because IPS is disabled. Using a resource-heavy Snort IPS module instead of netfilter to even classify traffic for dashboard reports is just plain crazy.

    I generally found that web filtering, even with ATP enabled, in XG seems snappier compared to UTM9; however, the categories are a mess and don't always block stuff like ads that UTM9 blocks without a problem. Also, the exceptions are much more granular and flexible in UTM9, so in the end UTM9 still wins.

    I never really tried MTA after the beta because it didn't have a few things that I really needed in my environment. To be honest, I only use country blocking for help with incoming SMTP spam. Since MTA is not really up to par in XG, I didn't have the need to block incoming traffic, but the fact still remains that country blocking doesn't work.

    They have been promising better logging since v15. Let's see if v17 can have real logs that don't disappear after a reboot. Other little things that Michael Dunn has revealed that nobody really ever explained clearly, such as:

    • DNS traffic being intercepted by https module in XG 
    • Microapp detection allowing regular https connections without firewall rules

    just drive me crazy.

  • Web filtering on UTM rocks. It is using another engine and the difference is clear. Other vendors are using IPS to block applications, so Sophos is going in this direction with XG, why? UTM, even on application control, is working much better.

    On logging, Astaro wins with not even a chance for XG.

    MTA is not complete on XG.

    Let's see if XG v17 improves all the current instability, otherwise Sophos will have to go back on some features and think seriously about listening to us and about using some of the engines used by UTM9.

    On enterprise installations, UTM still wins, with no doubt!

  • Hi All,

    It's true that Sophos's drive is towards XG instead of UTM and Cyberoam. We do expect major changes in the next version as well.

  • Hi Billybob,

    I stuck with it because I was able to separate my wife's requirements and mine. I also had the luxury of two internet connections from different ISPs, one native IPv6 (not supported on XG) and one using IPv6 tunnels (also not fully supported on XG). I was able to experiment and fall back to the UTM if a setup failed.

    I could try out settings for different requests in the forum and not cause too much grief; also, I could learn a different way of configuring a firewall, which is not that relevant after I retire other than self-interest.

    And as you said, XG lost when comparing to the UTM, which I already have working and meeting my requirements.

  • Didn't quite last until v17b, just installed 16.0.5.2-mr2. The story has lots of fixes, none that I can see in a quick scan of the menus.

    Changed the home user memory to somewhere between 4 and 5.3 GB instead of 6. Was previously 8 GB.

    Fix list shows an AP upgrade, not downloaded as part of the upgrade onto my XG, still shows Jan 31 7.0.001 version.

    Let the XG run overnight, to see what other little surprises arrive.

  • They can probably see too many freeloaders using the home license instead of the appropriate commercial license. I guess Sophos is feeling v17 will be worth charging money for if they are enforcing RAM limits.

    Keeping my fingers crossed. Glad you are testing XG again.

  • I will let it run for another 24 hours because the memory report has strange values that don't make sense, and mail reporting is doing what I expect of it, but there is no mention of it in the fix list.