How is it going so far?

Hi guys,

 

How's your Sophos XG firewall experience so far? I've been deploying and administering this technology since its beta release, and I've had a roller-coaster ride with this one up to now. I'm kinda enjoying the challenge; it's sometimes frustrating, but all in all it's been a rewarding one.

 

Hope you can share yours, 

 

Thanks,

 

Rap



  • Rap,

    the XG is crazy and making it work is really challenging (sometimes). Understanding what's wrong is a nightmare. I have been using it since beta too at home (never rolled back to UTM) and I have installed it at some small customers (XG 210 for example) and it is working quite well. Logging and reports are still not complete, and the MTA is not working and complete at the moment, but I can say that:

    • web filtering is easy to use and allows multiple profiles easily (waiting for Sophos URL filtering instead of WINGc)
    • IPS on the Sophos appliance is working well and it is per-rule based
    • WAF uses templates and it is easy for customers to use the WAF module
    • S2S VPN is easy to set up and all in 2 tabs (UTM requires more than 2 tabs)
    • Command line helps (even if the commands do not follow a standard; sometimes the switch "show" is at the end and sometimes at the beginning)

    It is improving a lot and it is more stable (as I read from Community users). MR3 integrates almost 100 bug fixes, so waiting for v17.

    Regards

  • Hi Luk,

     

    I agree with what you say, that "XG is crazy", yet I can't wait to see how it matures and improves in the next version release.

     

    Thanks for sharing,

     

    Regards, 

    Rap

  • I have written about XG many times and I will give you a short version.

    XG is great for home use or maybe really small shops where logging is not a big concern, but with the current logging capabilities, I would not recommend it for any complicated setups.

    I like granular QoS in XG but again, it is geared toward home user. You can do all kind of fancy things with QoS, throttling apps and regular web surfing alike. However, no QoS on interfaces makes it useless for example if you have multiple WAN interfaces with different bandwidths.

    The dashboard is nice to look at but I never really can tell exactly how much bandwidth is being used by glancing at it. All the other information about services/performance etc is pretty useless. I get alerts about new firmware for APs and REDs although I don't have any attached to XG... weird.

    Simple DNAT like Source internal Network  SERVICE NTP  Destination Internet .... DNAT to internal NTP server is not possible with XG gui. So the GUI is powerful but weak at the same time.

    Although VPN is pretty easy, you have to define internal network/LAN again in a separate place for configuring VPN although you have already defined LAN network. This seems like an extra step to me.

    Tab layout is still confusing to me because I don't use XG every day. When I turn the VM back on, I get confused when looking for certain things.

    Still no way to turn off interfaces and RENAME them even after v17. I don't understand how that is so hard if you say interface name ANYTHING on port 1 is always eth1 on the appliance. But AlanT says time and time again (Copernicus beta) that this is very time consuming.

    Luk has already explained the big items. I realize that I am mostly complaining about things that affect me personally, but XG seems so close to being perfect but so far from it in reality.

  • I just came to the XG from Meraki MX land.  Before that I was using Microsoft TMG/ISA since 2000.  I'll share my experiences so far and my thoughts in general.

     

    First of all, out of the box I used the wizard to configure the XG and at the end I ended up with a configuration that didn't work.  Well, let me back up, it mostly didn't work.  I could get internet access, but policies didn't work and static routing didn't work.  I decided to just do a factory wipe and configure manually from scratch.  When I did that, everything has been working well and no unexpected problems or anomalies.  I don't know if something I put in the wizard created a config that it didn't like or what, but I would advise a manual config out of the gate if possible.  Getting STAS SSO working was a major challenge out of the gate as well, it didn't work well at all but after a few days, it all magically started working (I am unsure as to why exactly although I have a few ideas).  Other than that, everything seems to work very well and I am mostly happy.  As Luk said above, they just released MR3 that had a ton of bug fixes and v17 will hopefully be a great release as well.  I also just got a RED 15 and adding it to the XG was a very simple affair and it "just works" which is why I got it, it will be replacing a pfSense box at a remote site connected back to the XG over IPsec. 

     

    In comparison to the Meraki this device is replacing, I think the XG is a 1000 times more powerful.  I get far better throughput; the malware scanning, IPS, application control, and content filtering is far superior.  It is far more configurable.  It is significantly cheaper as well.  I know a lot of people complain about the logging (and I get their point) but the logging on XG is already better than you're going to get from Meraki. 


    To me, the way this product operates, especially with the rules, is a lot like the Microsoft TMG product, so it feels very natural to me and makes logical sense.  It is a bit rough around the edges in some areas, but it's clear Sophos is improving it at a steady pace, and while I know the UTM people seem to loathe it, I think it's a good product and feel like it's a good choice for people. 

  • Hi Billy,

     

    Thanks for sharing the short version of your review, this one's a good read though.

     

    Regards,

  • Hi Bill,

     

    I could not agree more, XG has its own fair share of pros and cons, but we'll have to wait for the next version release and see how XG would improve.

     

    Keep in touch.

     

    Regards,

    I have used it at home since v15 and have tested it at work two times.

    In all, I like the interface (having no experience with SG may help here), but it hasn't been possible to use it at work yet.

    It lacks features; the biggest for me is VPN. Site-to-site VPN to Linux VMs behind NAT, and country-based routing through a VPN tunnel, are currently not possible.

    Besides that, client-based SSO is broken in recent releases and it still hasn't been fixed. STAS requires a GUI but all of our domain controllers are using Server Core now; it is also very unreliable when I test it.

    I hit some mysterious, very poor IPS speed problem (software appliance on decent hardware with not much CPU activity); hope it isn't an issue on the hardware appliance.