We have the UTM9 version ... Is it worth changing to an XG version, or is it still going through a lot of problems and fixes?
I used to worry about UTM being phased out in favor of XG. We are end users; just use the product that best fits your needs and let Sophos worry about their offerings. If XG matures to a reasonably good product, I am sure their sales will reflect that; otherwise there are a wide range of vendors offering similar products. If you are a home user, then being able to use XG or UTM free of charge is a no-brainer. I don't even want to hear the complaints from home users. If you think there is a better alternative, by all means move on. I just extended my 100 IP home license that I got in 2007 for beta testing for another 3 years. Sophos was glad to extend that for me, no questions asked, instead of telling me to move to the auto-generated 50 IP license.
These are little things, and I am one of Sophos' harshest critics, but to be honest, how many other organizations let you constantly bash them like this openly on their forums? Go read the pfSense forums and read the feedback from the devs/mods. They tell you to take a hike at every step. Generally paid vendors are courteous in emails, and I have had good experience with most vendors. But that support is paid for by the end user. This is an open forum where Sophos employees like Michael Dunn are taking time out of their busy schedule to answer questions. However, the bashing never stops. I am not trying to criticize or stop anyone from expressing their opinion. All I am saying is: please criticize all you want, but please be mindful of the fact that Sophos is allowing you to express your opinion on a forum owned by them without any censorship or consequences to your speech. It doesn't hurt to say thank you once in a while.
The capabilities of XG have been discussed extensively. While there are a lot of good things happening at Sophos, some things don't change. Here is the wishlist from the v16 beta... you can judge for yourself how many things have been improved since last year: https://community.sophos.com/products/xg-firewall/sophos-xg-beta-programs/v16beta/f/sfos-v16-beta-feedback/78908/v16-what-is-still-missing
As far as URL categorization, Michael Dunn already gave his views in this thread https://community.sophos.com/products/xg-firewall/f/firewall-and-policies/80869/youtube-and-ads---sometimes-they-are-not-blocked/326999#326999 and I will give XG a chance with sxl categorization. However DouglasFoster makes some excellent points about the categorization database and the areas that sophos needs definite improvement.
As far as is it worth changing to XG, here is a long thread with feedback from AlanT on the future and the reason things are the way they are https://community.sophos.com/products/unified-threat-management/f/general-discussion/90762/time-to-move-on/329963#329963
I am an XG evangelist; I came from Meraki and this product is light years ahead of their stuff. Having said that, it does have its own set of head-scratching deficiencies, and I think it's ok to talk about that and it's also ok to disagree with Sophos. Certainly I respect Michael and Alan and appreciate their willingness to "get their hands dirty" with us in the community. That speaks very well for Sophos and pays far more dividends than maybe even they realize. In any event, I've seen enough in the bug fix cadence to know that Sophos is serious about XG, and I think (hope?) that v17 is going to be the one that puts it over the top.
Reply to categorization issues:
UTM uses categorization data that is purchased from McAfee. UTM also uses Sophos Labs security data, which does categorization but only of malware and similar sites. Note that UTM "Reputation" is actually from McAfee and not Sophos Labs.
XG uses categorization data that is produced by Sophos (initially from Cyberoam). In 16.5 it does not use Sophos Labs security data. In 17 it will.
Though the Sophos Labs security data is important, it is not relevant to the categorization issues people are having. For the purposes of this discussion, both UTM and XG have one categorization engine.
I can tell you that we do have an ongoing comparison of the Sophos categorization data versus other data. The most common domains visited by our customers get the most effort spent in comparison. Differences where typically-blocked categories are involved (such as malware, adult, criminal) get more effort. Domains not currently categorized get more effort. Uncommonly used domains (for example a secondary domain name that redirects to your main site) may not get re-analyzed if 0.01% of our customer categorization requests use that domain name.
It's a fact of life that we cannot re-analyze every single site we have in our db by hand. In 2016 there were an estimated 350 million domain names registered. That is ignoring subdomains and paths, which can change the categorization. It is a bloody huge data set and we have to focus on the sites most visited by our customers, and that pose the most security risk if we get it wrong. I'm not trying to excuse us. But I'm saying that we already do a lot of work in trying to get the quality right.
As for why we get categorization wrong, it can be due to specific urls that are submitted, or due to poor guesses by automatic systems. For example, I know that a Tibet sports domain was classified as Gambling because it had sports content and contained "bet" in the domain name.
If a customer says "not as good as data from McAfee" and I go to the categorization team and they tell me that they are doing millions of data quality comparisons against McAfee a day, then it's hard to move forward in a way that will help that customer.
If a customer says "We are using the XG as an ad-blocker to prevent banner ads. When we go to news sites like nbc.com and cnn.com we are served ads that we think should have been blocked due to categorization. We have no problem with the quality of the security data; it's advertising that gives us the most problems," then that is something that is much easier to action.
I'm not injured by the complaints, I want the feedback. We just need to be careful that if we say "overall good, but I don't like XYZ" then everyone focuses on XYZ and forgets about the overall good. The number of times that I've left a movie and talked with friends afterwards about its flaws and problems, you would assume from listening that I didn't like the movie when in fact I did. My own area of expertise is in Web, and I want it to be the best. I'm a software tester - it is my job to complain about issues. Categorization, which is data, is not something that I can affect as much as other things, but it is an area where I have great interest. I cannot comment or help in non-Web areas.
Can anyone confirm that submitting an XG URL for recategorization is working - are changes being made? I don't know about allowing for batch sending of recat requests, but I'll forward the issue.
Reply to RegEx:
We don't really have it documented well. I'll see if I can get a KB written. The following is based on some testing that I've just done.
There are basically three ways to internally allow things that are incorrect policy
- Custom Category with Domain
- Custom Category with Keyword
- URL Group
None of them allow for RegEx, and each are slightly different on their matching.
- Custom Category with Domain
- Text is a verbatim string that must include domain name and optionally may include path
- Automatic wildcard on either side (allows more subdomains and more path)
- If text does not contain a slash (e.g. a path) then it will match anywhere in the domain name
- example.com
- mail.example.com matches
- myexample.com matches
- example.com/foobar matches
- example.com.co.uk matches
- sample.com/example.com does not match
- If text contains a slash (e.g. a path) then it will match the end of the domain name and the beginning of the path
- example.com/foobar
- example.com/foobar matches
- example.com/foobar/morestuff matches
- sample.com/example.com/foobar does not match
- example.com.co.uk/foobar does not match
- Custom Category with Keyword
- Text is a verbatim string that will match anywhere in domain name or path
- Automatic wildcard on either side
- example.com
- sample.com/example.com matches
- URL Group
- Text is a verbatim string that will match the right-side in domain name. Path not allowed.
- Automatic additional subdomains on left side, any path is allowed
- unlike custom categories it is FQDN-aware. It is rightmost only of domain name, and allows subdomains but not extra characters to the domain.
- example.com
- mail.example.com matches
- myexample.com does not match
- example.com/foobar matches
- example.com.co.uk does not match
- sample.com/example.com does not match
I do not think we have specific plans yet, but we are thinking of improving things. However we need to be careful that anything we do is either backwards compatible, or has a clear migration. This ties our hands a bit.
One thing which I do want to say. Years ago, Sophos purchased Astaro. The new UTM competed against some existing products (standalone web/email appliances) but Sophos did not kill the existing products. Instead large effort was put into making the Astaro UTM 8 into Sophos UTM 9, which is now a really really good product. Now Sophos has purchased Cyberoam, which again competes against some existing products. But Sophos is not killing the existing products. Instead we are putting large effort into making the Cyberoam product into Sophos XG. The dev effort we are doing right now with the former Cyberoam product is very similar to the dev effort we did with the former Astaro product. And I think that eventually it will turn into a product that is just as good.
One point, however, is that XG is *not* a replacement for UTM. There is no automatic migration path from UTM 9.5 to XG 17.0. To my knowledge there is a product roadmap for UTM stretching for years. XG is not a UTM killer. It is a competing product with similar but different abilities. Just like an iPad is not an iPhone killer - different products, different market.
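As an added illustration (this is not Sophos code and is not part of the post above), the following Python encodes the three matching behaviours Michael describes so an admin can check what an entry will really match before it goes into policy: substring-in-host for a Custom Category Domain entry without a path, host-suffix plus path-prefix for one with a path, substring-anywhere for a Keyword entry, and label-boundary FQDN matching for a URL Group. Two details are assumptions because the post does not test them: the path part of a Domain entry is treated as a plain prefix (so `/foobar` would also match `/foobarbaz`), and the host part of a Domain-with-path entry is a plain suffix (so `myexample.com/foobar` would match an entry of `example.com/foobar`). The security-relevant point it makes concrete is the one in the list above: a Domain entry without a path is a bare substring match, so an allow entry of `example.com` also allows `example.com.co.uk` and `myexample.com`; only the URL Group form is FQDN-aware.

```python
"""Toy re-implementation of XG's three allow/block entry matching behaviours.

Added example, not Sophos code: it encodes the rules described in the post
above so an entry can be sanity-checked before it is trusted in policy.
"""
from urllib.parse import urlsplit


def split_url(url: str) -> tuple[str, str]:
    """Return (host, path) for a URL or a bare 'host/path' string.

    The host is lower-cased; the path always starts with '/'.
    """
    if "://" not in url:
        url = "http://" + url          # urlsplit needs a scheme to find the host
    parts = urlsplit(url)
    return (parts.hostname or "").lower(), (parts.path or "/")


def custom_category_domain(entry: str, url: str) -> bool:
    """Custom Category, 'Domain' type.

    No slash in the entry: plain substring match anywhere in the HOST only
    ('example.com' also matches 'example.com.co.uk' and 'myexample.com',
    but not 'sample.com/example.com', whose host is sample.com).
    Slash in the entry: the host must END with the entry's host part and the
    path must BEGIN with the entry's path part. Assumption: both are plain
    suffix/prefix tests with no label or path-segment boundary.
    """
    host, path = split_url(url)
    entry = entry.lower()
    if "/" not in entry:
        return entry in host
    e_host, _, e_path = entry.partition("/")
    return host.endswith(e_host) and path.startswith("/" + e_path)


def custom_category_keyword(entry: str, url: str) -> bool:
    """Custom Category, 'Keyword' type: substring anywhere in host or path."""
    host, path = split_url(url)
    return entry.lower() in host + path


def url_group(entry: str, url: str) -> bool:
    """URL Group: FQDN-aware, rightmost labels of the host only.

    'example.com' matches 'example.com' and any subdomain of it, but NOT
    'myexample.com' or 'example.com.co.uk'. Any path is allowed on the URL;
    a path in the entry itself is rejected because the UI does not take one.
    """
    entry = entry.lower().strip("/")
    if "/" in entry:
        raise ValueError("URL Group entries take a domain only, no path")
    host, _ = split_url(url)
    return host == entry or host.endswith("." + entry)


def matches(entry: str, url: str) -> dict[str, bool]:
    """Which of the three entry types would match this URL for this entry."""
    result = {
        "custom_category_domain": custom_category_domain(entry, url),
        "custom_category_keyword": custom_category_keyword(entry, url),
    }
    try:
        result["url_group"] = url_group(entry, url)
    except ValueError:
        result["url_group"] = False   # an entry with a path cannot be a URL Group
    return result


if __name__ == "__main__":
    # Constructed sample: the cases listed in the post. The look-alike hosts
    # show why a bare Domain entry is a weak allow-list and URL Group is not.
    for url in ("mail.example.com", "myexample.com", "example.com/foobar",
                "example.com.co.uk", "sample.com/example.com"):
        print(f"{url:26} {matches('example.com', url)}")
```

Run it with an entry you intend to allow and the hosts you do not want to allow (typosquats, the entry's name under another registrable domain); any type that reports `True` for the unwanted host is the wrong type for an allow rule.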
Thanks for this Michael. This is very helpful for me as it's not documented very well (if at all). Just knowing wildcards are automatic and implied answers the frustrating issues I have experienced with trying to get these working correctly.
Documentation is something I hope Sophos puts more resources into as part of the support push. Just having proper documentation would alleviate a number of support calls alone.
Thanks,
John
Michael,
you are a machine on writing stuff.
I appreciate your point of view and your feedback. We are here because we have some passion for Sophos, as you do (but we do not get paid for that [:P]). Anyway, just a few points about your replies:
I really believe that XG will succeed in v17 and more in v18. Bridging is still useless on XG at the moment, but here we are! We will be here to complain when it is required and we will be here to say "Guys, you did a great job". In my opinion XG will be more Enterprise-ready than UTM9 if the missing features are added.
Here there are some missing features and complaints from other community users. Feel free to contact US when you need a feedback. I am always available for a phone call (last week I had a conversation with a Product Manager of another Sophos Product Line in order to give him some feedbacks).
Hello Michael,
I really do not know if you mean the last paragraph in your answer seriously.
If there will not be a migration tool to migrate the configuration from UTM9 to XG, why would satisfied UTM9 users switch to XG? It does not make sense; it is very illogical ....
And do you really think UTM9 and XG are not identical products and that XG is not a UTM9 killer? Do you believe it?
I really do not.
alda
Michael,
Michael Dunn said:
One thing which I do want to say. Years ago, Sophos purchased Astaro. The new UTM competed against some existing products (standalone web/email appliances) but Sophos did not kill the existing products. Instead large effort was put into making the Astaro UTM 8 into Sophos UTM 9, which is now a really really good product. Now Sophos has purchased Cyberoam, which again competes against some existing products. But Sophos is not killing the existing products. Instead we are putting large effort into making the Cyberoam product into Sophos XG. The dev effort we are doing right now with the former Cyberoam product is very similar to the dev effort we did with the former Astaro product. And I think that eventually it will turn into a product that is just as good.
One point, however, is that XG is *not* a replacement for UTM. There is no automatic migration path from UTM 9.5 to XG 17.0. To my knowledge there is a product roadmap for UTM stretching for years. XG is not a UTM killer. It is a competing product with similar but different abilities. Just like an iPad is not an iPhone killer - different products, different market.
I can only speak for me, but when I was shopping for a firewall to replace my Meraki and I investigated Sophos, I can tell you that as a customer who had no previous interaction with Sophos there is a very strong belief out there among the sales channels/resellers and even end users that XG is meant as an eventual replacement for UTM. If it's the case that XG is not being positioned as the ultimate replacement for UTM, then I would suggest that your sales channels have not gotten that memo.
Michael, first off, thank you for participating in the forum. I have had multiple frustrations with what has seemed to be silence from Sophos - we know that the community is talking to each other, but does Sophos follow what is being said? In the Ideas forum, which is not curated to my expectations, is anyone really noticing what goes in there, or is it all too overwhelming to use? Feedback tells us that we are being heard. Thanks, even if we get difficult.
For lferrara and others who are frustrated:
When I bought UTM, I knew instinctively that one product which attempts to do many things will be unlikely to be best at any of them. Traditionally, organizations bought multiple devices for multiple functions. But UTM did a lot for the price, and I was not likely to get funding for the alternatives, which were much more expensive. So I bought UTM, kept my tried-and-true spam filter, and kept my tried-and-true firewall. Overall, UTM has done better than expected. The web filtering has been very effective. The spam filtering function sits behind my original spam filter, and it catches stuff that the other one allows through. OTP has been a big help with PCI compliance. WAF has been helpful but harder to use than expected. I have had some buyer's remorse as I learned things about the UTM architecture which should be clearly documented but are not. And I have been heartbroken at the recent spate of UTM product release problems. But overall, it has been money well spent because our defenses have been effective.
So, I think the lesson from this long discussion is this:
Since we have to block the bad guys daily, we need to fight with the best tools that we can find within the funding that we can mobilize. We will not necessarily find one box that does it all. But we can still hope that the box that we already bought will do it all (at no extra cost!)
:)
Douglas,
we are here to improve the product. Most of us are coming from UTM9 and we can compare the products. The community is used to help other people (I am trying to do it every day) and to give Sophos feedback on what we find in the IT field. The goal of a UTM is to try to aggregate multiple features inside one product. This is not simple and of course you cannot expect to have an all-in-one product which performs better than one specific box. For example, for Email Filtering it makes more sense to have a dedicated appliance/product that integrates more features than UTM.
Personally, I am the kind of person that says "well done" when the job has been performed perfectly and criticizes when something is not built or performed well. My criticism is always constructive and not disruptive!
I know other people on the community that complain here share my point of view. It does not make sense for us to have a previous appliance that performed web filtering well using McAfee SXL, and now it does not. I do like XG for many things (it is more Enterprise than UTM9, even if many features are missing) but we really hope that at Sophos they will think about the bad filtering on XG at the moment. As I said, I am looking forward to testing v17 and then coming back to prepare a new "what is still missing on v17" on the community so everyone can add their point of view, feedback, etc.
For Sophos, having critics is something powerful and positive at the same time. Feedbacks are the input for features requests, House of Quality Model. https://en.wikipedia.org/wiki/Quality_function_deployment
OTP is still useless because it still has some limitations: for example, you cannot activate OTP for Admin account, otherwise SFM stops working; enabling OTP for SSL VPN breaks SAA; OTP cannot be used for WAF;
WAF needs some other improvements before being the real ISA Server /TMG replacement. I came from ISA 2004. Email filtering = useless at the moment compared to UTM.
So it always depends on how you use your XG/UTM and where you use it. On a small installation it can compete with others and win, because XG/UTM is rich in features, but on a big installation the way to win is still long.
(Having only one box in order to ensure security it is not the best way to protect users and organization. This is against the "defense in depth" model. On customers where I can, they have 2 UTM/Firewall, different brand; different IPS, etc...Sorry but I am a Security Architect and even if XG will be perfect, multiple defense tools need to be implemented. Security can be overcome at any time.
Of course ensuring security is something not only based on IT stuff. People and Processes are also involved. ) This sentence is something not related to XG/UTM in general...
Anyway let's post and see what Sophos has in plan for v17 and v18.
Hi all,
I am not in product management, sales, or marketing. I don't know anything about the messaging that is going out to partners and customers. I know that internally, currently, the majority of the product development effort is in XG. But I also know that there is development work for UTM and that, as far as I know, there are no current plans to kill UTM. Sure, Sophos would prefer new customers to use XG. I think that early on (v15 and maybe v16) there was a hope that XG would replace the UTM, but I think for at least the last year there has been an understanding that this isn't going to happen for years. I hope my son will someday replace me - that doesn't mean my son is out to "kill" me.... I hope. :) But it is something that is going to happen in the future.
--
Please note that there will be almost no difference in web categorization between v16.5 and v17. I do not want people getting the wrong expectation. The "security data" categorization will improve, but not ads or uncategorized sites. We are also improving how the box talks to the cloud servers, but that won't affect the data quality, and should be invisible to the user and admin.
--
The message that gets passed around is important. Lots of the categorization people care about blocking things like security threats and porn, and they don't care as much about shopping and entertainment categories. So when they hear a generic "we need to improve categorization" they may interpret it as doing MORE security and porn, and therefore less of things like Ads. That is why I want to make sure that people are specific about what categorization problems they are having. If the problem is blocking Ads, the message that the Product Owners need to hear is "We want Ad Blocking to be a selling feature, and the categorization of Ads is a high priority". If the problem is uncategorized sites, be specific that this is the issue. Then use those more specific wordings when you talk to your Sophos contacts (not just this thread).