We have the UTM9 version ... Is it worth changing to an XG version, and are there still a lot of problems and fixes going on?
I played with XG at home. I used a crude configuration, using XG Firewall inside VMWare Workstation running on top of Windows, which could only monitor traffic coming from the host PC. So some of my results may be skewed by my weak test environment.
XG Upsides:
XG seems to be a true firewall that understands Intranet, DMZ, and Internet as foundational concepts.
XG has a "Sophos Learning" option which can be enabled. In my perfect world, all of my "uncategorized" links should be forwarded to Sophos for categorization, at least daily. So I wondered if the Learning option was the answer to my dreams, but I never found a detailed explanation of what data gets shared or how Sophos uses it. By comparison, I have not seen any evidence or documentation to suggest that UTM provides feedback to Sophos or McAfee. One would think that if UTM blocks a lot of hostile content from www.example.com, that the reputation of that site would be automatically downgraded. If it happens, I don't know how, and I am sure that UTM Uncategorized sites do not get automatically processed.
XG Downsides:
Web filtering combines the concepts of "Category" and "Reputation" into a single item. I view this as a blunder.
UTM Web Filtering uses category and reputation scores that are a combination of Sophos and McAfee (TrustedSource) research. XG uses only Sophos data. Posts in these forums complain that the XG database information is (or was at some point in the past) significantly inferior to the UTM database.
I found the XG user interface very difficult to read. Maybe my eyes are too old. I also found the user interface generally harder to understand than expected, especially since it is intended to be easier to use than UTM. I never really understood how to map my entire UTM configuration into the XG test environment, so that I could say "X is comparable, Y is a new capability, Z is a missing capability".
Posts in the forum complain that XG logs are purged after 30 days. My greater complaint was that the logged data seemed too limited to be useful.
Overall, I concluded that XG was a long way from replacing UTM. Fortunately, I froze my UTM environment at 9.408, so the roof has not caved in on me as it has for others who upgraded.
XG is still missing many features compared to wonderful UTM9.
Web filtering is working much better on UTM9 because, as DouglasFoster wrote, UTM9 is using both Sophos and McAfee engines (we will miss it). In fact some ADS and other websites are not correctly blocked.
Relying only on one engine is always a POF. We hope that in Sophos they will think about that and add McAfee even on XG. Maybe Michael Dunn can have a look at this question and take note of it.
For the rest, web filtering is still missing Regex on Policy&Filter (it is available only on the exception tab) but the way they designed the web filtering is fantastic in my opinion. You can decide if you want to use a single firewall rule, attach a Web Profile and customize that web profile for all users using groups/users, or create multiple firewall rules using a web profile on each one.
Network Protection, finally, has IPS per rule. On UTM9 IPS is working globally and there is no way to configure IPS per single firewall rule and no way to create and import Custom IPS rules. What we complained about is that XG is using too much space for each single firewall rule. Imagine with 300/400 firewall rules. On v17, they are reducing the space taken by each firewall rule.
XG is improving a lot and, even with the latest MR, is more stable and bugs are reduced. We expect to have the rest of the features in v17 and v18.
So my advice is to always try the XG as you normally do for any new products (or things in life) and understand/compare what you like and what you do not.
WAF and Wireless features are almost the same on both XG and UTM9.
Regards
What else is missing from the v16 of XG
1/. country blocking - selective
2/. NTP proxy
3/. DNS proxy
4/. mail proxy - MTA partial
5/. logs that live longer than a restart
6/. connection report that shows real connections and does not include devices removed from the network some time previously.
7/. IPv6
8/. DHCP linked to DNS
What does work,
Mail scanning, as long as you use the configured ports in XG; if you use other ports for mail, well, that doesn't work. You cannot add additional ports to the mail scanning rule. XG does not abide by the mail RFC regarding port 465.
Mail use reporting, just a joke.
Somewhere in the UTM there is a report to Sophos of the url categories, but can't find it at the moment.
Looking forward to the much promised v17.
lferrara said: Web filtering is working much better on UTM9 because, as DouglasFoster wrote, UTM9 is using both Sophos and McAfee engines (we will miss it). In fact some ADS and other websites are not correctly blocked.
Relying only on one engine is always a POF. We hope that in Sophos they will think about that and add McAfee even on XG. Maybe Michael Dunn can have a look at this question and take note of it.
This is really a complaint about where the categorization data comes from and its quality, not about functionality. Sophos will not be using McAfee categorization data in XG, ever. Instead, Sophos will be trying to improve its own native categorization quality. It's interesting but I rarely hear about issues with categorization data quality, except for some people who think it is terrible. Anything that the community can do to help Sophos improve data quality will in turn help the community of XG users. Please use the contact link here and "Submit a sample" of a Web Address for individual sites. https://secure2.sophos.com/en-us/support/contact-support.aspx
Unfortunately "not as good as UTM9" is not a constructive, actionable, thing that we can use. If anyone wants to work more deeply in this, let me know in PM.
v17 brings in a new way of SFOS getting the categorization data, however the source is the same.
lferrara said: For the rest, web filtering is still missing Regex on Policy&Filter (it is available only on the exception tab) but the way they designed the web filtering is fantastic in my opinion. You can decide if you want to use a single firewall rule, attach a Web Profile and customize that web profile for all users using groups/users, or create multiple firewall rules using a web profile on each one.
We're proud of the work we did in designing how the web filtering is configured. It might be confusing at the beginning because there are multiple ways of doing things, but it is also flexibility for the needs of different admins. As far as I recall, v17 will not bring any new RegEx support to existing fields. However I know there is a desire to update some things in the future, and anything new will have RegEx where appropriate.
Michael,
I am submitting wrong urls all the time to Sophos Website. Regex are missing at the moment on include domains inside policies and I really hope you will add them soon. Unfortunately if the web filtering is not working as expected, people note that and they complain (the same happens if a spam email is not blocked). Nothing is perfect but on UTM9 you have done a great job using both URL Scanning engines.
Regards
Hello Michael,
I think you definitely do not have to feel injured if lferrara has expressed his opinion on the quality of XG vs. UTM9. I fully agree with him and I could add from my own experience many other very important reservations about the XG and the quality of the implemented security functions. Such as the STAS, and its reliability in day-to-day operation is totally sad. And I do not even mention the absolutely insufficient documentation for implementation and deployment of the STAS.
The reality is that the XG v16.05 is far from achieving the UTM v9 security level implementations. Yes, the XG x16 has some interesting security features (such as the Security Heartbeat) that UTM v9 does not have and never will have. But it's a pity that this one other great feature can not (unfortunately) compensate for a lot of other non-implemented security features.
Hand to heart, if everything in XG was really perfect, we would not have done what is good and what is worse in UTM v9 or XG.
alda
Michael, I would have to agree with Luk to some extent in that I have found the quality of the Sophos categorization to be, well, inconsistent. Case in point, one of our domains that we have had for many years that just points to our main website, was mis-categorized as "Sexually Explicit" for no apparent reason, but the domain it pointed to was correctly categorized as General Business. I have submitted numerous incorrect categorizations that were wildly off base. I understand this happens and it is what it is, and as I haven't used UTM9 I cannot compare, but it definitely seems to be worse than whatever Meraki uses.
Michael Dunn said:
lferrara said: Web filtering is working much better on UTM9 because, as DouglasFoster wrote, UTM9 is using both Sophos and McAfee engines (we will miss it). In fact some ADS and other websites are not correctly blocked.
Relying only on one engine is always a POF. We hope that in Sophos they will think about that and add McAfee even on XG. Maybe Michael Dunn can have a look at this question and take note of it.
This is really a complaint about where the categorization data comes from and its quality, not about functionality. Sophos will not be using McAfee categorization data in XG, ever. Instead, Sophos will be trying to improve its own native categorization quality. It's interesting but I rarely hear about issues with categorization data quality, except for some people who think it is terrible. Anything that the community can do to help Sophos improve data quality will in turn help the community of XG users. Please use the contact link here and "Submit a sample" of a Web Address for individual sites. https://secure2.sophos.com/en-us/support/contact-support.aspx
Unfortunately "not as good as UTM9" is not a constructive, actionable, thing that we can use. If anyone wants to work more deeply in this, let me know in PM.
v17 brings in a new way of SFOS getting the categorization data, however the source is the same.
Understand I am not trying to be argumentative here, but I have to disagree with your statement that '"not as good as UTM9" is not a constructive, actionable, thing that we can use.' Of course it is; you can do a comparative analysis to discover why people feel XG is deficient. And while I haven't used the UTM9, I already know the answer: you are using a smaller/single categorization sample for XG. Of course as XG's source grows and the quality improves, people will care less and less about this.