Is it worth changing to an XG version?

We have the UTM9 version ... Is it worth changing to an XG version, and are there still a lot of problems and fixes going on?



  • I played with XG at home. I used a crude configuration, using XG Firewall inside VMware Workstation running on top of Windows, which could only monitor traffic coming from the host PC. So some of my results may be skewed by my weak test environment.

    XG Upsides:  

    XG seems to be a true firewall that understands Intranet, DMZ, and Internet as foundational concepts.

    XG has a "Sophos Learning" option which can be enabled.  In my perfect world, all of my "uncategorized" links should be forwarded to Sophos for categorization, at least daily.  So I wondered if the Learning option was the answer to my dreams, but I never found a detailed explanation of what data gets shared or how Sophos uses it.   By comparison, I have not seen any evidence or documentation to suggest that UTM provides feedback to Sophos or McAfee.   One would think that if UTM blocks a lot of hostile content from www.example.com, that the reputation of that site would be automatically downgraded.   If it happens, I don't know how, and I am sure that UTM Uncategorized sites do not get automatically processed.

    XG Downsides:  

    Web filtering combines the concepts of "Category" and "Reputation" into a single item.   I view this as a blunder.

    UTM Web Filtering uses category and reputation scores that are a combination of Sophos and McAfee (TrustedSource) research. XG uses only Sophos data. Posts in these forums complain that the XG database information is (or was at some point in the past) significantly inferior to the UTM database.

    I found the XG user interface very difficult to read.   Maybe my eyes are too old.  I also found the user interface generally harder to understand than expected, especially since it is intended to be easier to use than UTM.   I never really understood how to map my entire UTM configuration into the XG test environment, so that I could say "X is comparable, Y is a new capability, Z is a missing capability".

    Posts in the forum complain that XG logs are purged after 30 days.  My greater complaint was that the logged data seemed too limited to be useful.

    Overall, I concluded that XG was a long way from replacing UTM.    Fortunately, I froze my UTM environment at 9.408, so the roof has not caved in on me as it has for others who upgraded.

  • XG is still missing many features compared to wonderful UTM9.

    Web filtering is working much better on UTM9 because, as written, UTM9 is using both the Sophos and McAfee engines (we will miss it). In fact, some ads and other websites are not correctly blocked.

    Relying only on one engine is always a POF. We hope that in Sophos they will think about that and add McAfee even on XG. Maybe can have a look at this question and take note of it.

    For the rest, web filtering is still missing Regex on Policy&Filter (it is available only on the exception tab), but the way they designed the web filtering is fantastic in my opinion. You can decide if you want to use a single firewall rule, attach a Web Profile and customize that web profile for all users using groups/users, or create multiple firewall rules, using a web profile on each one.

    Network Protection, finally, has IPS per rule. On UTM9, IPS works globally, and there is no way to configure IPS per single firewall rule and no way to create and import custom IPS rules. What we complained about is that XG uses too much space for each single firewall rule. Imagine with 300/400 firewall rules. In v17, they are reducing the space taken by each firewall rule.

    XG is improving a lot, and with the latest MR it is more stable and bugs are reduced. We expect to have the rest of the features in v17 and v18.

    So my advice is to always try the XG as you normally do for any new product (or things in life) and understand/compare what you like and what you do not.

    WAF and Wireless features are almost the same on both XG and UTM9.

    Regards

  • What else is missing from the v16 of XG

    1/. country blocking - selective

    2/. NTP proxy

    3/. DNS proxy

    4/. mail proxy - MTA partial

    5/. logs that live longer than a restart

    6/. connection report that shows real connections and does not include devices removed from the network some time previously.

    7/. IPv6

    8/. DHCP linked to DNS

     

    What does work,

    mail scanning, as long as you use the configured ports in XG; if you use other ports for mail, well, that doesn't work. You cannot add additional ports to the mail scanning rule. XG does not abide by the mail RFC regarding port 465.

    Mail use reporting, just a joke.

     

    Somewhere in the UTM there is a report to Sophos of the url categories, but can't find it at the moment.

    Looking forward to the much promised v17.

  • lferrara said:

    Web filtering is working much better on UTM9 because, as written, UTM9 is using both the Sophos and McAfee engines (we will miss it). In fact, some ads and other websites are not correctly blocked.

    Relying only on one engine is always a POF. We hope that in Sophos they will think about that and add McAfee even on XG. Maybe can have a look at this question and take note of it.

    This is really a complaint about where the categorization data comes from and its quality, not about functionality. Sophos will not be using McAfee categorization data in XG, ever. Instead, Sophos will be trying to improve its own native categorization quality. It's interesting, but I rarely hear about issues with categorization data quality, except for some people who think it is terrible. Anything that the community can do to help Sophos improve data quality will in turn help the community of XG users. Please use the contact link here and "Submit a sample" of a Web Address for individual sites. https://secure2.sophos.com/en-us/support/contact-support.aspx

    Unfortunately "not as good as UTM9" is not a constructive, actionable, thing that we can use.  If anyone wants to work more deeply in this, let me know in PM.

    v17 brings in a new way of SFOS getting the categorization data, however the source is the same.

    lferrara said:

    For the rest, web filtering is still missing Regex on Policy&Filter (it is available only on the exception tab), but the way they designed the web filtering is fantastic in my opinion. You can decide if you want to use a single firewall rule, attach a Web Profile and customize that web profile for all users using groups/users, or create multiple firewall rules, using a web profile on each one.

    We're proud of the work we did in designing how the web filtering is configured.  It might be confusing at the beginning because there are multiple ways of doing things, but it is also flexibility for the needs of different admins.  As far as I recall, v17 will not bring any new RegEx support to existing fields.  However I know there is a desire to update some things in the future, and anything new will have RegEx where appropriate.

  • Michael,

    I am submitting wrong URLs all the time to the Sophos website. Regex are missing at the moment on include domains inside policies, and I really hope you will add them soon. Unfortunately, if the web filtering is not working as expected, people note that and they complain (the same happens if a spam email is not blocked). Nothing is perfect, but on UTM9 you have done a great job using both URL scanning engines.

    Regards
