Is it worth changing to an XG version?

We have the UTM9 version ... Is it worth changing to an XG version and is still going on a lot of problems and fixes?

  • I used to worry about UTM being phased out in favor of XG. We are end users, just use the product that best fits your needs and let Sophos worry about their offerings. If XG matures to a reasonably good product, I am sure their sales will reflect that; otherwise there are a wide range of vendors offering similar products. If you are a home user, then being able to use XG or UTM free of charge is a no brainer. I don't even want to hear the complaints from home users. If you think there is a better alternative, by all means move on. I just extended my 100 IP home license that I got in 2007 for beta testing for another 3 years. Sophos was glad to extend that for me no questions asked instead of telling me to move to the auto generated 50 IP license.

    These are little things and I am one of Sophos' harshest critics but to be honest, how many other organizations let you constantly bash them like this openly on their forums. Go read pfSense forums and read the feedback from the devs/mods. They tell you to take a hike at every step. Generally paid vendors are courteous in emails and I have had good experience with most vendors. But that support is paid for by the end user. This is an open forum where Sophos employees like  are taking the time out of their busy schedule to answer questions. However the bashing never stops. I am not trying to criticize or stop anyone from expressing their opinion. All I am saying is that please criticize all you want but please be mindful of the fact that Sophos is allowing you to express your opinion on a forum owned by them without any censorship or consequences to your speech. It doesn't hurt to say thank you once in a while.

    The capabilities of XG have been discussed extensively. While there are a lot of good things happening at Sophos, some things don't change. Here is the wishlist from the v16 beta... you guys can judge for yourself how many things have been improved since last year: https://community.sophos.com/products/xg-firewall/sophos-xg-beta-programs/v16beta/f/sfos-v16-beta-feedback/78908/v16-what-is-still-missing

    As far as URL categorization,  already gave his views in this thread https://community.sophos.com/products/xg-firewall/f/firewall-and-policies/80869/youtube-and-ads---sometimes-they-are-not-blocked/326999#326999 and I will give XG a chance with SXL categorization. However  makes some excellent points about the categorization database and the areas where Sophos needs definite improvement.

    As far as is it worth changing to XG, here is a long thread with feedback from  on the future and the reason things are the way they are https://community.sophos.com/products/unified-threat-management/f/general-discussion/90762/time-to-move-on/329963#329963 

  • I am an XG evangelist; I came from Meraki and this product is light years ahead of their stuff.  Having said that, it does have its own set of head scratching deficiencies and I think it's OK to talk about that and it's also OK to disagree with Sophos.  Certainly I respect Michael and Alan and appreciate their willingness to "get their hands dirty" with us in the community.  That speaks very well for Sophos and pays far more dividends than maybe even they realize.  In any event I've seen enough in the bug fix cadence to know that Sophos is serious about XG and I think (hope?) that v17 is going to be the one that puts it over the top.

  • Reply to categorization issues:

    UTM uses categorization data that is purchased from McAfee.  UTM also uses Sophos Labs security data, which does categorization but only of malware and similar sites.  Note that UTM "Reputation" is actually from McAfee and not Sophos Labs.
    XG uses categorization data that is produced by Sophos (initially from Cyberoam).  In 16.5 it does not use Sophos Labs security data.  In 17 it will.
    Though the Sophos Labs security data is important, it is not relevant to the categorization issues people are having.  For the purposes of this discussion, both UTM and XG have one categorization engine.

    I can tell you that we do have an ongoing comparison of the Sophos categorization data versus other data.  The most common domains visited by our customers get the most effort spent in comparison.  Differences where typically-blocked categories are involved (such as malware, adult, criminal) get more effort.  Domains not currently categorized get more effort.  Uncommonly used domains (for example a secondary domain name that redirects to your main site) may not get re-analyzed if 0.01% of our customer categorization requests use that domain name.

    It's a fact of life that we cannot re-analyze every single site we have in our db by hand.  In 2016 there were an estimated 350 million domain names registered.  That is ignoring subdomains and path - which can change the categorization.  It is a bloody huge data set and we have to focus on the sites most visited by our customers, and which pose the most security risk if we get it wrong.  I'm not trying to excuse us.  But I'm saying that we already do a lot of work in trying to get the quality right.

    As for why we get categorization wrong, it can be due to specific URLs that are submitted, or due to poor guesses by automatic systems.  For example, I know that a Tibet sports domain was classified as Gambling because it had sports content and contained "bet" in the domain name.

    If a customer says "not as good as data from McAfee" and I go to the categorization team and they tell me that they are doing millions of data quality comparisons against McAfee a day, then it's hard to move forward in a way that will help that customer.

    If a customer says "We are using the XG as an ad-blocker to prevent banner ads.  When we go to news sites like nbc.com and cnn.com we are served ads that we think should have been blocked due to categorization.  We have no problem with the quality of the security data, it's advertising that gives us the most problems" then that is something that is much easier to action.

    I'm not injured by the complaints, I want the feedback.  We just need to be careful that if we say "overall good, but I don't like XYZ" then everyone focuses on XYZ and forgets about the overall good.  The number of times that I've left a movie and talked with friends afterwards about its flaws and problems, you would assume from listening that I didn't like the movie when in fact I did.  My own area of expertise is in Web, and I want it to be the best.  I'm a software tester - it is my job to complain about issues.  Categorization, which is data, is not something that I can affect as much as other things, but it is an area where I have great interest.  I cannot comment or help in non-Web areas.

    Can anyone confirm that submitting an XG URL for recategorization is working - are changes being made?  I don't know about allowing for batch sending of recat requests, but I'll forward the issue.

  • Reply to RegEx:
    We don't really have it documented well.  I'll see if I can get a KB written.  The following is based on some testing that I've just done.

    There are basically three ways to internally allow things that are incorrect policy
    - Custom Category with Domain
    - Custom Category with Keyword
    - URL Group

    None of them allow for RegEx, and each is slightly different in its matching.

    - Custom Category with Domain
       - Text is a verbatim string that must include domain name and optionally may include path
       - Automatic wildcard on either side (allows more subdomains and more path)
       - If text does not contain a slash (e.g. path) then it will match anywhere in the domain name
       - example.com
          - mail.example.com matches
          - myexample.com matches
          - example.com/foobar matches
          - example.com.co.uk matches
          - sample.com/example.com does not match
       - If text contains a slash (e.g. path) then it will match the end of the domain name and the beginning of the path
       - example.com/foobar
          - example.com/foobar matches
          - example.com/foobar/morestuff matches
          - sample.com/example.com/foobar does not match
          - example.com.co.uk/foobar does not match

    - Custom Category with Keyword
       - Text is a verbatim string that will match anywhere in domain name or path
       - Automatic wildcard on either side
       - example.com
          - sample.com/example.com matches

    - URL Group
       - Text is a verbatim string that will match the right side of the domain name.  Path not allowed.
       - Automatic additional subdomains on left side, any path is allowed
       - Unlike custom categories it is FQDN-aware.  It matches the rightmost part of the domain name only, and allows subdomains but not extra characters in the domain.
       - example.com
          - mail.example.com matches
          - myexample.com does not match
          - example.com/foobar matches
          - example.com.co.uk does not match
          - sample.com/example.com does not match

    I do not think we have specific plans yet, but we are thinking of improving things.  However we need to be careful that anything we do is either backwards compatible, or has a clear migration.  This ties our hands a bit.
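    The three matching modes described in the reply above, modelled in Python so the listed cases can be checked side by side. This is an added example, not Sophos code: the rules are inferred from the cases Michael lists, and treating a slash-containing Custom Category entry as "host suffix plus path prefix" is an assumption.

```python
# Added example (not Sophos code): models the three XG allow-list matching modes
# described above; host-suffix + path-prefix for slash entries is an assumption.
from urllib.parse import urlsplit

def split_url(url: str):
    """Return (host, path) for a URL or a bare 'host/path' string as in the post."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    return (parts.hostname or "").lower(), parts.path or "/"

def custom_category_domain(entry: str, url: str) -> bool:
    """Custom Category with Domain: substring of the host if the entry has no slash;
    otherwise the host must end with the entry host and the path start with its path."""
    host, path = split_url(url)
    if "/" not in entry:
        return entry in host
    e_host, e_path = entry.split("/", 1)
    return host.endswith(e_host) and path.startswith("/" + e_path)

def custom_category_keyword(entry: str, url: str) -> bool:
    """Custom Category with Keyword: substring anywhere in host or path."""
    host, path = split_url(url)
    return entry in host + path

def url_group(entry: str, url: str) -> bool:
    """URL Group: FQDN-aware rightmost match; subdomains allowed, path ignored."""
    host, _ = split_url(url)
    return host == entry or host.endswith("." + entry)

# The post's own examples as (matcher, entry, url, expected) rows.
CASES = [
    (custom_category_domain, "example.com", "mail.example.com", True),
    (custom_category_domain, "example.com", "myexample.com", True),
    (custom_category_domain, "example.com", "example.com.co.uk", True),
    (custom_category_domain, "example.com", "sample.com/example.com", False),
    (custom_category_domain, "example.com/foobar", "example.com/foobar/morestuff", True),
    (custom_category_domain, "example.com/foobar", "example.com.co.uk/foobar", False),
    (custom_category_keyword, "example.com", "sample.com/example.com", True),
    (url_group, "example.com", "mail.example.com", True),
    (url_group, "example.com", "myexample.com", False),
    (url_group, "example.com", "example.com.co.uk", False),
]

def failing_cases():
    """Return the rows where the model disagrees with the result stated in the post."""
    return [(f.__name__, e, u) for f, e, u, want in CASES if f(e, u) != want]
```

    Running the cases shows why the distinction matters for an allow-list: a Custom Category domain entry of example.com also exempts myexample.com and example.com.co.uk, whereas a URL Group entry only exempts example.com and its subdomains.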

  • One thing which I do want to say.  Years ago, Sophos purchased Astaro.  The new UTM competed against some existing products (standalone web/email appliances) but Sophos did not kill the existing products.  Instead large effort was put into making the Astaro UTM 8 into Sophos UTM 9, which is now a really really good product.  Now Sophos has purchased Cyberoam, which again competes against some existing products.  But Sophos is not killing the existing products.  Instead we are putting large effort into making the Cyberoam product into Sophos XG.  The dev effort we are doing right now with the former Cyberoam product is very similar to the dev effort we did with the former Astaro product.  And I think that eventually it will turn into a product that is just as good.

    One point, however, is that XG is *not* a replacement for UTM.  There is no automatic migration path from UTM 9.5 to XG 17.0.  To my knowledge there is a product roadmap for UTM stretching for years.  XG is not a UTM killer.  It is a competing product with similar but different abilities.  Just like an iPad is not an iPhone killer - different products, different market.

  • Thanks for this Michael.  This is very helpful for me as it's not documented very well (if at all).  Just knowing wildcards are automatic and implied answers the frustrating issues I have experienced with trying to get these working correctly.

    Documentation is something I hope Sophos puts more resources into as part of the support push.  Just having proper documentation would alleviate a number of support calls alone.

    Thanks,

    John
