
problem accessing https sites without https decryption

Hello,

running XG 16.0.5.1 MR1 I set up a simple rule allowing internal network to internet (LAN to WAN rule) with the premade "block explicit pages" web filter set and NO https decryption or scanning.

so this should essentially ignore https traffic save for URL scanning (AFAIK), turns out it's NOT working, customer has a ton of issues with https pages:

they give http 500 error, Skype voice doesn't work, TeamViewer connections fail, etc.

I see nothing blocked in the web access log.


so what's going on? Why is it breaking my https connections? I don't want to disable all scanning as that's a no-go, but as it is I must do so to make this work. I'm not interested in https scanning as that breaks Skype when using AD auth.



  • just did it.. now it works... un-friggin-believable..


    not going to comment further as there's no need to keep beating a dead horse, XG is officially off my sales/recommendation list, never going to sell anything but UTM, the metric ton of bugs and serious issues it has is not worth the small amount of "benefits" it brings

  • XG is still young and has to improve a lot before being an enterprise next generation firewall. I hope and I think that it will be a great product in the next years.

    Regarding micro-app discovery Michael Dunn replied on another post and he explained the micro-app error and they will fix it on v17.

    V17 should bring a lot of improvements in terms of stability.

    So let's wait!

  • Luk,

    but that's the thing, Sophos is brutally promoting this everywhere (all my local Sophos contacts keep doing webcasts and videos, training, etc. etc., ALL FOR XG, and UTM is totally abandoned, there's not even the slightest mention of it anywhere) but this software is not even in beta state, it should not be sold in the current state, even less "killing" UTM in favor of this....

  • Mast,

    Sophos is pushing a lot on XG and UTM will be abandoned as soon as XG is ready, nothing wrong with that.

    As you said, XG is not ready for certain installations: too many bugs, no ETA for some bug fixes, performance, missing features, etc.

    I am still using UTM in big installations and XG in small ones.

    Sophos did not understand that if a new customer tries XG and it fails to satisfy him, Sophos loses customers (and this is happening already).

    In every company sales is promoting stuff while Engineers are more cautious.

    So they have a lot of pressure and some bugs are fixed but others come out.

    If you think that even disabling an interface is not possible....

    If XG fails even with version  v17, a lot of business will be lost and even Gartner will think about where to move Sophos in which quadrant.

    The only way we have is to believe in this project and to keep replying with feedback and opinions and to help Engineers here.

  • The complete abandonment of UTM9 is what irks me the most. Granted there are too many vendors now peddling next gen firewalls and UTMs these days, but Astaro had the best product when Sophos got a hold of it. Then someone decided to buy Cyberoam and the development is severely lacking.

    I have seen this before in other companies back before the dot com bubble. By going public, companies get a huge infusion of cash and everybody jumps on board to guide you in the "best" direction. I believe the Cyberoam acquisition and full speed ahead development of that platform is the result of that. Some VP somewhere thinks that Cyberoam was great, sold Sophos the idea that development would be cheap and, since they had already acquired Astaro, it seemed like a no brainer to abandon expensive development in Germany and take the best features from UTM9 and infuse them with Cyberoam.

    The problem is that either the API or the code writers are having a hell of a time infusing these products together. They are also trying too many things at one time (probably marketing pressure). A new GUI that Astaro users hate and Cyberoam users scratched their heads over was introduced in v15. After that didn't go well, they changed it again in v16 and now it seems there will be some huge changes in v17. They keep on adding awarren daemons; for example exim has worked fine ever since the beginning of Astaro. When they ported that to XG, awarrenSMTP showed up, which is nowhere near as complete as UTM9.

    I am not saying everything is bad with XG, all I am saying is that they are not even infusing open sourced daemons that have worked in enterprise environments for decades and have been used in UTM9 into XG. Maybe it's licensing, the GNU license keeps changing so I am not sure what the requirement is these days for large corporations using certain open sourced products, but XG only seems to be using Linux and then adding layers of internally developed daemons that have already been developed and stable for years as open source.

    In any case, I will stick with UTM9 as long as possible as I almost have an emotional attachment to it. I hope Sophos gets it right one of these days with XG because if v17 is a failure, somebody at Sophos will have to rethink the whole XG fiasco.

    Regards

    Bill

  • the issue is further compounded when you can't "escape" XG, for example, for stock and price reasons I ended up getting 3 Cyberoam CR15 appliances, these appliances can only be "upgraded" to XG... no path to UTM possible (they're roughly equivalent to an XG105ish)


    never going to do it again even if I need to wait 60 days for the "native" XG units which can be UPGRADED to UTM like I did in another customer with an XG135 that I converted to UTM from day 0, customer looked at me funny and said "why aren't we using the new SF instead of the UTM", I told him "there's still no feature parity", mind you this was in v15 days....

    now one of those Cyberoam units ended up in this same customer... a HUGE ton of issues since installed, which requires all manner of unsightly console hacking to work around (IF there's even one), when the IT guy also connected to manage it he simply said "this is pure garbage" and I went "told'ya"