
Known (and unknown) sophos XG bugs

Hello


Since we are tired of waiting for Sophos to fix some critical issues (for us), we are moving to Palo Alto firewalls.

I thought maybe I should share confirmed and unconfirmed issues in case someone cares (since support is just closing tickets if you don't respond).


1. case id 6656005 - time zones are 6+ years old on Sophos XG, leading to incorrect time in our country (RU).

Case opened 25 Oct 2016, confirmed as a bug on 23 Nov. In 7 months Sophos couldn't update the damn "tzdata" package on their firewalls) ok...


2. case id 6697114 - latency degradation (VoIP degradation) with the IPS engine turned on

Confirmed somewhere in November, and I suppose still not 100% solved, because there was no response regarding this ticket and our IPS license expired, so we can't check.


3. case id 6788352 (most annoying) - DHCP relay not working after reboot.

Opened on 13 Dec 2016. I suppose it's still not confirmed, and at the moment it's closed by Sophos because we didn't respond. We tried to help them, but I suppose Sophos don't have a test lab and they always ask you to do their work (why dafuq I'm paying for support I don't know) and debug all kinds of stuff.

So how to reproduce: simple LAN/WAN config, Sophos acting as a router (no NAT). LAN for example 192.168.0.0/24, WAN 192.168.1.0/24. Clients in the LAN, DHCP server in the WAN.

Create a DHCP relay rule on the LAN interface pointing to the DHCP server on the WAN side (192.168.1.10, for example). Check that it's working, reboot the box and tada! It's not working anymore.

Recreating this DHCP relay rule solves the issue. So every time we reboot or update our box we need to recreate the DHCP relay rule :D
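As an added example (not part of the original post and not Sophos code), the following builds the DHCPDISCOVER a LAN client would send and validates the reply a working relay hands back: the OFFER must keep the XG's LAN address in giaddr (assumed here to be 192.168.0.1) and name the WAN-side server 192.168.1.10 in option 54, so a relay that silently died after a reboot is distinguishable from a direct, non-relayed answer. The OFFER it checks is constructed inline rather than captured.

```python
import socket
import struct

# Assumed addresses from the thread's topology: the XG LAN interface 192.168.0.1
# acts as the relay (giaddr); the DHCP server sits on the WAN side at 192.168.1.10.
RELAY_LAN_IP = "192.168.0.1"
DHCP_SERVER_IP = "192.168.1.10"
MAGIC = b"\x63\x82\x53\x63"
HDR = "!BBBBIHH4s4s4s4s16s64s128s"   # fixed BOOTP header, 236 bytes


def build_discover(xid: int, mac: bytes) -> bytes:
    """Minimal DHCPDISCOVER as a LAN client sends it: giaddr zero, broadcast flag set."""
    zero4 = b"\0" * 4
    hdr = struct.pack(HDR, 1, 1, 6, 0, xid, 0, 0x8000, zero4, zero4, zero4, zero4,
                      mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return hdr + MAGIC + bytes([53, 1, 1]) + b"\xff"   # option 53 = DHCPDISCOVER


def parse_reply(pkt: bytes) -> dict:
    """Parse a DHCP packet: fixed header plus TLV options (0 = pad, 255 = end)."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP packet")
    op, _, _, _, xid, _, _, _, yiaddr, _, giaddr = struct.unpack("!BBBBIHH4s4s4s4s", pkt[:28])
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != 0xFF:
        if pkt[i] == 0:
            i += 1
            continue
        code, ln = pkt[i], pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + ln]
        i += 2 + ln
    return {"op": op, "xid": xid, "yiaddr": socket.inet_ntoa(yiaddr),
            "giaddr": socket.inet_ntoa(giaddr), "msg_type": opts.get(53, b"\0")[0],
            "server_id": socket.inet_ntoa(opts[54]) if 54 in opts else None}


def relay_ok(reply: dict, xid: int) -> bool:
    """A relayed OFFER echoes our xid, keeps the relay's LAN address in giaddr (the server
    copies it from the request, RFC 2131) and names the WAN-side server in option 54."""
    return (reply["op"] == 2 and reply["msg_type"] == 2 and reply["xid"] == xid
            and reply["giaddr"] == RELAY_LAN_IP and reply["server_id"] == DHCP_SERVER_IP)


def constructed_offer(xid: int, mac: bytes, giaddr: str) -> bytes:
    """Constructed sample OFFER (not captured traffic) for checking offline."""
    zero4 = b"\0" * 4
    hdr = struct.pack(HDR, 2, 1, 6, 0, xid, 0, 0, zero4, socket.inet_aton("192.168.0.50"),
                      zero4, socket.inet_aton(giaddr), mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return hdr + MAGIC + bytes([53, 1, 2, 54, 4]) + socket.inet_aton(DHCP_SERVER_IP) + b"\xff"
```

On the wire, the DISCOVER goes out as a UDP broadcast from port 68 to 255.255.255.255:67 on the LAN side (root required), and the reply received on port 68 is fed to parse_reply.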

  • AleksandrIvanov,

    every system has bugs and there is no one that is immune; however, I agree with your choice because XG is still immature after 18 months and things are moving slowly.

    We hope to have v17 soon and that most of the bugs are fixed soon; otherwise the XG project will fail too.

    Palo Alto firewalls are more stable: application control and IPS are working very well.

    It always depends on what you are looking for.

    In my opinion UTM9 is still the best UTM to use today even with its limitations (IPS for example).

    Good luck!

  • Yeah, I understood too late that we should have bought the SG line instead of XG.

    The XG line at the moment has, in my opinion, perfect GUI navigation and other nice things like AP/RED (no other company has this plug'n'play).

    I just don't understand why it's taking 7+ months to update the "tzdata" package. It's a damn Linux inside and just 1 package needs to be upgraded. Ok, I'm repeating myself, sorry)

  • I was stunned, to say the least, to find out yesterday that DHCPv6-PD is not available in XG, and subsequently to see a list of missing/unsupported IPv6-related items in XG. This, from a supposedly "next generation firewall", is frankly baffling to me. I hope v17 addresses these shortcomings, but I don't see any mention of them in AlanT's v17 thread, so I am not holding my breath.

    I really like XG and think it's a great solution, and since I did not come from the UTM side I don't have that to compare it to, but I have to admit some of the bugs/missing features in the product are real head scratchers. Luckily no show stoppers for me, but confusing nonetheless.