We have the UTM9 version ... Is it worth changing to an XG version and is still going on a lot of problems and fixes?
This thread was automatically locked due to age.
Guest User!
You are not Sophos Staff.
We have the UTM9 version ... Is it worth changing to an XG version and is still going on a lot of problems and fixes?
Michael,
you are a machine on writing stuff.
I appreciate your point of view and your feedbacks. Here we are because we have some passions in Sophos as you do (but we do not get paid for that [:P]). Anyway just few points about your replies:
I really believe that XG will succeed in v17 and more in v18. Bridging is still a useless on XG at the moment but here we are! We will be here to complain when it is required and we will be here to say "Guys, you did a great job". In my opinion XG will be more Enterprise ready than UTM9 if the missing features will be added.
Here there are some missing features and complaints from other community users. Feel free to contact US when you need a feedback. I am always available for a phone call (last week I had a conversation with a Product Manager of another Sophos Product Line in order to give him some feedbacks).
Thanks for the detailed explanation Michael, we appreciate it and we're looking forward to improvements.
Hello Michael,
I really do not know if you mean the last paragraph in your answer seriously?
If there will not been a migration tool to migrate the configuration from UTM9 to XG why would the satisfied UTM9 users switch to XG? It does not make sense, it is very illogical ....
And do you really think UTM9 and XG are not identical products and XG is not UTM9 killer, do you believe it?
I really not.
alda
Michael,Michael Dunn said:One thing which I do want to say. Years ago, Sophos purchased Asatro. The new UTM competed against some existing products (standalone web/email appliances) but Sophos did not kill the existing products. Instead large effort was put into making the Astaro UTM 8 into Sophos UTM 9, which is now a really really good product. Now Sophos purchased Cyberoam, which again completes against some existing products. But Sophos is not killing the existing products. Instead we are putting large effort into the making the Cyberoam product into Sophos XG. The dev effort we are doing right now with the former Cyberoam product is very similar to the dev effort we did with the former Asatro product. And I think that eventually it will turn into a product that is just as good.
One point, however, is that XG is *not* a replacement for UTM. There is no automatic migration path from UTM 9.5 to XG 17.0. To my knowledge there is a product roadmap for UTM stretching for years. XG is not a UTM killer. It is a competing product with similar but different abilities. Just like an iPad is not a iPhone killer - different products, different market.
I can only speak for me, but when I was shopping for a firewall to replace my Meraki and I investigated Sophos, I can tell you that as a customer who had no previous interaction with Sophos that there is a very strong belief out there among the sales channels/resellers and even end users that XG is meant as an eventual replacement for UTM. If its the case that XG is not being positioned as the ultimate replacement for UTM, then I would suggest that your sales channels have not gotten that memo.
I have recently been worki g through yhe web filtering database issues you surveyed. Previously, my UTM was configured to warn on uncategorized. I would find tbe click-and-proceed items and get tbem categorized. It was perhaps 10 items per day.
Eventually, we decided that warn was indefensible as a security policy, so now we block and we are seeing about 500 uncatrgorized urls per day. The difference is the embedded URLs that did not have a click to proceed previously.
So clearlh the problem is huge.
So Michael ,
We will check how good will be the Web Filtering on v17 Engine and let you know.
If the results are the same or almost the same, you have to consider to use Mcafee even on XG. Loosing customers and credibility is the worste thing you need at the moment. On this you did already a great job with XG v15 and email filtering on v16. Relying on a single engine is not a good choice. I have complaints even for SEA, where Sophos is losing ground compared to other email appliances that use multiple AS engine. Losing ground means losing customers!
So if this will be the case take note to include Mcafee in v17.5. Let me give you a real example:
On utm 9 with 4000 users using web filtering I created 15 exceptions at all. On the same customers Fortigate (we had a benchmark with them) the web filtering was poor like XG. Many ads were not blocked and video inside allowed categories were playing. Utm 9 won for this reason.
On my XG I already have more than 40 exceptions because ads are not blocked as expected like dangerous websites, spyware, etc. I have submitted all of them to Sophos websites but web is changing everyday and I cannot spent hours on submitting urls that should be blocked at the beginning. Mcafee is using a magic formula, we do not know but they simply work. At the moment I am not happy at all with web filtering catch level and I am not alone....
Michael, first off, thank you for participating in the forum. I have had multiple frustrations with what has seemed to be silence from Sophos - we know that the community is talking to each other, but does Sophos follow what is being said? In the Ideas forum, which is not curated to my expectations, is anyone really noticing what goes in there, or is it all too overwhelming to use? Feedback tells us that we are being heard. Thanks, even if we get difficult.
For lferrara and others who are frustrated:
When I bought UTM, I knew instinctively that one product which attempts to do many things will be unlikely to be best at any of them. Traditionally, organizations bought multiple devices for multiple functions. But UTM did a lot for the price, and I was not likely to get funding for the alternatives which were much more expensive. So I bought UTM, kept my tired-and-true spam filter, and kept my tried-and-true firewall. Overall, UTM has done better than expected. The web filtering has been very effective. The spam filtering function is behind my original spam filter, and it catches stuff that other one allows through. OTP has been a big help with PCI compliance. WAF has helpful but harder to use than expected. I have had some buyer's remorse as I learned things about the UTM architecture which should be clearly documented but are not. And I have been heartbroken at the recent spate of UTM product release problems. But overall, it has been money well spent because our defenses have been effective.
So, I think the lesson from this long discussion is this:
Since we have to block the bad guys daily, we need to fight with the best tools that we can find within the funding that we can mobilize. We will not necessarily find one box that does it all. But we can still hope that the box that we already bought will do it all (at no extra cost!)
:)
Douglas,
we are here to improve the product. Most of us are coming frm UTM9 and we can compare the products. Community is used to help other people (I am trying to do it everyday) and to give to Sophos feedbacks on what we found on the IT field. The goal of an UTM is to try to link aggregate multiple features inside one product. This is not simple and of course you cannot expect to have a all-in-one product which performs better than a one specific box. For example, Email Filtering makes more sense to have a dedicated appliance/product that integrates more features than UTM.
Personally, I am a kind of person that says "well done" whent the job has been performed perfectly and to criticize when something is not build or performed well. My critics are always costructive and not disruptive!
I know other people on community that complain here like my point of view. It does not make sense for us to have a previous appliance that performed well "web filtering using Mcafee SXL" and not it does not. I do like XG for many things (it is more Enterprise than UTM9, even if many features are missing) but we really hope that in Sophos they will think about the bad filtering is on XG at the moment. As I said I am looking forward to testing v17 and then come back and prepare a new "what is still missing on v17" on community so everyone can add their point of view, feedbacks, etc.
For Sophos, having critics is something powerful and positive at the same time. Feedbacks are the input for features requests, House of Quality Model. https://en.wikipedia.org/wiki/Quality_function_deployment
OTP is still useless because it still has some limitations: for example, you cannot activate OTP for Admin account, otherwise SFM stops working; enabling OTP for SSL VPN breaks SAA; OTP cannot be used for WAF;
WAF needs some other improvements before being the real ISA Server /TMG replacement. I came from ISA 2004. Email filtering = useless at the moment compared to UTM.
So it always depends on how you use your XG/UTM and where you use it. On small installation, it can compete with others and win because XG/UTM is reach in features but on big installation, the way to win is still long.
(Having only one box in order to ensure security it is not the best way to protect users and organization. This is against the "defense in depth" model. On customers where I can, they have 2 UTM/Firewall, different brand; different IPS, etc...Sorry but I am a Security Architect and even if XG will be perfect, multiple defense tools need to be implemented. Security can be overcome at any time.
Of course ensuring security is something not only based on IT stuff. People and Processes are also involved. ) This sentence is something not related to XG/UTM in general...
Anyway let's post and see what Sophos has in plan for v17 and v18.
Hi all,
I am not in product management, sales, or marketing. I don't know anything about the messaging that is going out to partners and customers. I know that internally, currently, the majority of the product development effort is in XG. But I also know that there is development work for UTM and that as far as I know there are no current plans to kill to UTM. Sure, Sophos would prefer new customers to use XG. I think that early on (v15 and maybe v16) there was a hope that XG would replace the UTM but I think for at least the last year there has been an understanding that this isn't going to happen for years. I hope my son will someday replace me - that doesn't mean my son is out to "kill" me.... I hope. :) But it is something that is going to happen in the future.
--
Please note that there will be almost no difference in web categorization between v16.5 and v17. I do not want to have people getting the wrong expectation. The "security data" categorization will improve but not ads or uncategorized sites. We are also improving how the box talks to the cloud servers but that wont affect the data quality, and should be invisible to the user and admin.
--
The message that gets passed around is important. Lots of the categorization people care about blocking things security and porn, and they don't care as much about shopping and entertainment categories. So when they here a generic "we need to improve categorization" they may interpret it as doing MORE security and porn, and therefore less things like Ads. That is why I want to make sure that people are specific about what categorization problems they are having. If the problem is blocking Ads, the message that the Product Owners need to hear "We want Ad Blocking to be a selling feature, and the categorization of Ads is a high priority". If the problem is uncategorized site, be specific that this is the issue. Then use those more specific wordings when you talk to your Sophos contacts (not just this thread).
