
Future of v17 and v18

Hey AlanT,

Hope you can update us on the future of v17 and future of v18? 

Since v17 is released, I'm sure a lot of new improvements are in the pipeline.



  • Hey  

    Make sure to keep an eye out on our Release Notes & News and Sub-groups for new updates and upcoming betas for future releases.

    I'll also tag  and  in case they wanted to chime in with any further information.


    Regards,

    FloSupport | Sophos Community Engineer

  • If you read the error message the backup issue appears to be something very specific to your configuration.

    Do you have auto update and install enabled on your pattern configuration?

    Ian

  • Big_Buck said:

    2017 and 2018 were dedicated to bug fixes and stability almost exclusively.  Seems to me the real improvement this year was the MTA.

     

    Apart from the bits they've now broken. DKIM message body hashes for example - workaround is to bypass outbound scanning of internal mail servers that perform DKIM signing.

  • I did not know DKIM was busted on Sophos.

    But that said, for $900 a year, I have the much, much more powerful and flawless Symantec Brightmail MTA appliance.  With every function you can imagine.

    If you toast a single day debugging Sophos Mail Gateway, or Sophos MTA, you already blew up that amount of money.  It is pointless to persist with mail on any Sophos products.  Unless you have more than 500 Users I would say.

    Paul Jr

  • Well the MTA in XG 17.5 doesn't do DKIM, but it's modifying messages beyond just whitespace changes such that the message body hashes are broken.

    This is probably why others are also seeing MIME message headers in their mail clients - the MTA is modifying the messages sufficiently that the mail client is no longer capable of displaying them as intended.

    Will be looking at options this year for better mail filtering and IPv6 support - the current and expected feature set just isn't there.
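
Added example, not part of the original posts: the DKIM `bh=` tag is a hash over the canonicalized body (RFC 6376 section 3.4), so a gateway that changes only whitespace still passes under `relaxed` body canonicalization, while any other body change fails under both algorithms. The sample bodies, `example.com`, the selector and the helper names are constructed for illustration; the sketch assumes `a=rsa-sha256`, CRLF line endings and no `l=` tag.

```python
import base64
import hashlib
import re

def canon_simple(body: bytes) -> bytes:
    """RFC 6376 3.4.3: ignore trailing empty lines, end with one CRLF."""
    while body.endswith(b"\r\n"):
        body = body[:-2]
    return body + b"\r\n"

def canon_relaxed(body: bytes) -> bytes:
    """RFC 6376 3.4.4: also collapse WSP runs and strip WSP at line ends."""
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ")
             for ln in body.split(b"\r\n")]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"".join(ln + b"\r\n" for ln in lines)

def compute_bh(body: bytes, body_canon: str) -> str:
    canon = canon_relaxed if body_canon == "relaxed" else canon_simple
    return base64.b64encode(hashlib.sha256(canon(body)).digest()).decode()

def parse_tags(sig: str) -> dict:
    """Split a DKIM-Signature value into tag=value pairs (folding removed)."""
    pairs = (part.split("=", 1) for part in sig.split(";") if "=" in part)
    return {k.strip(): re.sub(r"\s+", "", v) for k, v in pairs}

def body_hash_ok(sig: str, received_body: bytes) -> bool:
    """Recompute bh over the body as received and compare with the signed bh."""
    tags = parse_tags(sig)
    # c= is header/body; a missing body part (or missing tag) means "simple".
    body_canon = tags.get("c", "simple/simple").partition("/")[2] or "simple"
    return compute_bh(received_body, body_canon) == tags["bh"]

def make_sig(body: bytes, c: str) -> str:
    """Constructed header value for the demo; b= is a placeholder, not a signature."""
    bh = compute_bh(body, c.partition("/")[2] or "simple")
    return f"v=1; a=rsa-sha256; c={c}; d=example.com; s=sel1; bh={bh}; b=PLACEHOLDER"

# Constructed sample bodies: as signed, whitespace-only changes, one appended line.
SIGNED = b"Hello team,\r\n\r\nQuarterly report attached.\r\n"
WHITESPACE_ONLY = b"Hello team,  \r\n\r\nQuarterly \t report attached.\r\n\r\n\r\n"
REWRITTEN = SIGNED + b"Scanned by gateway\r\n"

if __name__ == "__main__":
    for c in ("relaxed/relaxed", "relaxed/simple"):
        sig = make_sig(SIGNED, c)
        for name, body in (("whitespace-only", WHITESPACE_ONLY), ("rewritten", REWRITTEN)):
            print(f"c={c:16} {name:16} bh ok: {body_hash_ok(sig, body)}")
```

Comparing the `bh` recomputed at the receiving side against the signed value separates a body-hash failure, which points at a relay modifying the message, from a failure of the `b=` signature itself.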

  • What I wished for was a single yearly renewal.  But whatever I wish, there is no such thing as a UTM.  Because there is no such thing as unified threat management.  Sooner or later, a component of the suite fails to deliver the minimum.  That is true with Sophos, SonicWall, or whatever else.

    So, since I am stuck with two renewals, I will also move to Symantec EndPoint Protection.  Flawless set it and forget it solution.  One reason I moved away from it was the disappearance of their Enterprise suite.  But I hear it is back.  Sophos SEC requires the same maintenance as anything else from Sophos. Chronophagus.

    Not set for the firewall yet, but very basic features I require are not even on the radar.  I cannot live without a full DHCP or NTP anymore.  I hate to maintain a VM per subnet (DMZ, Production, etc.) just for those roles.  And I cannot live without a workable log.

    As for IPv6, I won't even try to implement this on XG since it REALLY means maintaining TWO firewalls.  As you know, rules, objects, and everything in IPv4 are totally separated from IPv6.

    I do not save time with Sophos.  Everything takes much longer and is much harder than with the Symantec/Checkpoint combination I had before.

  • By the way, the published set of new features for the next XG 17.5.x, probably in April 2019 since it is scheduled for March 2019, is "better centralized Backups" ...

    Other than that, I see nothing of any interest this year mentioned anywhere.

    Paul Jr

  • Have you tried the SG product line (aka UTM)? It's much better than XG (IMHO).  I recently switched a customer from SG to XG and let me tell you, it's been a painful transition.  (The reason for the switch was the integration between Intercept X and the XG firewall.)

    You're right about DHCP and NTP, and don't forget about trying to make sense of the log files, either from the GUI or the command line...  My biggest complaint about XG is the logging.
    That and the damn CSS (or whatever) that limits the width of the "viewing portal" on the web pages...
    One last thing, SG supports getting certificates from Let's Encrypt automatically.  That means no more forgetting to renew and upload/install/waste 10s of minutes on a certificate.  I'm not sure what is worse, trying to remember what to do with certificate(s) and private key(s) after 1 or more years, or having to do it every 90 days or less...
    Almost forgot about the ability to search the interface that SG has...  
    I will get off my soapbox now.

     

    But, Symantec, seriously?  I honestly think you're better off with Windows Defender.  I mean, let's face it, who has a more vested interest in protecting Windows than Microsoft?
    To be honest, Sophos AV is the only 3rd party AV product I feel comfortable recommending anymore.  I only sell Sophos products because I understand what it is that they are trying to do and I believe that they are doing it well, (OK, XG has a long way to go...) and they are doing things that no one else is doing (at least I'm not aware of any other company doing it...)

    Maybe you're unaware of Symantec's follies somewhat recently?

    https://www.zdnet.com/article/symantec-antivirus-product-bugs-as-bad-as-they-get/
    From above link: "...they were using code derived from open source libraries like libmspack and unrarsrc, but hadn't updated them in at least seven years."
    Meaning that the exploit was available for at least 7 years before 2016.  True it was a while ago, but seriously?  How about them as a Certificate Authority?

  • They used Symantec enterprise endpoint security in a prior job I was at and it was the worst software I've ever encountered.  

  • SG has become technically outdated.  No IKEv2 is more than enough to turn around.  BTW, IKEv3 is knocking at the door ...  Took me 18 months to migrate to XG.  I read your pain.

    Let's talk about Symantec.  I know about what ZDNET posted in 2016.  But I do not base my judgement only on "isolated" bad news.  I'm concerned mostly with consistency over the years.  Symantec had a very serious performance problem around 10 years ago.  But that is resolved.

    1. Symantec's console is light-years ahead of Sophos.
    2. Much easier to implement.  Hours versus weeks.
    3. On all AntiVirus web sites, they are top rated consistently year after year.  Sophos varies a lot.  Mid 2017, they were rated below Microsoft Defender.  Ouch.

    One of many sites I consult, showing some results.  https://www.av-test.org/en/, https://www.av-comparatives.org/, etc.  Some players are almost always at 100% catch rate: F-Secure, Bitdefender, Symantec, and Trend Micro.  Kaspersky had some glitches last year, but is on top almost always.  What I do is compile statistics for two or three years.  When I can.  On many web sites.  I focus first on protection.  Then on performance.  Since four products are always there, I select one of them.  When I bought Sophos, it was there. Early 2017.  But then it fell drastically at the end of 2017. Based on my selection arguments, consistency over the years, I would not select Sophos or Kaspersky today.

    One can think what he wants of Symantec, when many experts - which I consider I'm not - report it is in the top 4 every single year ...

    That said, according to my own arguments, I should select Bitdefender.  But since I have been using Symantec for so long, I found the little extra from Bitdefender is not worth the extra hassle.

    Paul Jr

  • I am in the same situation with regards to Sophos and what to choose. I have an XG Firewall (Love / Hate relationship) and use Webroot AV.

    The Webroot expires soon and I was considering a change to Sophos but I cannot justify the additional spend and not many people speak well of it. So do I want all my eggs in that basket or branch out and look at others such as Crowdstrike, ESET or remain with Webroot.

    The clock is ticking.... hmmmmm

  • For your info, ESET is NEVER on top.  Consistently or not.

    Paul Jr

  • I will most likely just renew Webroot for 12 months until I can work out who to dump a stack of cash with.

     

    Although I notice they no longer appear in any comparisons

  • By reading through this thread, we should be close to getting v18 by around February 2031

  • V18 will go EAP in July, v18 is expected to ship late this year best case and early Q1 next year in the worst case.

    Emile

  • Common sense dictates you take XG for what it does right now, and do not expect anything new in a predictable future.  Meaning, if XG cannot do what you need right now, use something else 3 or 4 years, and check XG again only then.  Ironing bugs in v18 will take 3 years. Much like v16/v17 - one and the same - which is clearly not ironed yet.  

    I'm more convinced than ever Sophos should scrap XG altogether and pimp up everyone's favorite: UTM.

    Paul Jr

  • Hi Paul Jr,

    v18 is supposed to be a complete rewrite of XG.

    History. I have said this before in other threads from memory. When Astaro was running the show they employed a forum member to review available takeover firewalls. When Sophos took over they decided to buy what is now XG against much advice from forum members and the person they employed to review the offerings.

    The reason why Sophos wanted a newer product was because the UTM was becoming too bloated and adding features was becoming very time consuming. If you compare the number of default services etc. in UTM compared to the XG you begin to understand why the UTM was bloated but a much better product.

    Now hopefully V18 will fulfil the promises about a better and more flexible product that was supposed to be in the earlier versions of XG.

    Looking forward to trying V18.

    Ian

  • Hello

    Complete re-write?  I'm perplexed because to my understanding, most of XG/SFOS core/features is Open Source.  For example, the mail gateway is EXIM. https://www.exim.org/  I doubt they would re-write this. 

    I would describe XG (i.e. SFOS) as a GUI that implements some of the features of the Open Source code used behind the scenes, via CLI/scripts.

    I suspect that Open Source code already has many features we are cruelly missing.  It will become available only in v18.

    My 2 cents.

    Paul Jr

  • Hello Paul,

    V18 is a full redesign and kernel do over from the ground up that was started shortly after the release of v15.

    This was done so that the systems can be designed to support the ASIC based hardware and fully diverge from Cyberoam and truly be the Sophos Firewall OS. Everything between v15 and v18 was just feature/function tests for v18 and what is released later this year is the culmination of the experience of Astaro and the ambition of Sophos in the NSG market.

    You misunderstand the depth of rewrite, they aren't going to redesign exim or snort, that would be stupid. They are redesigning how the entire system is put together.

    Emile

  • Hey that sounds promising. [Y]

     

    But two questions about that:

    1. Do you know when the EPA program will be started? (Mid or end of July?)

    2. Can a home user participate?

     

    Thank you.

  • This ASIC still has to be some form of RISC CPU.  Or "reduced" RISC in this case ... They certainly did not re-invent the wheel.

    There are tons of development tools to migrate code written specifically for one CPU to another CPU.  They could run "as-is" on another CPU if they wish. Kind-of.  Or would it make any economic or strategic sense?

    As for the Kernel, from what I know, 99% of Kernels have disappeared from this planet.  Kernel eco-systems have been shrinking dramatically since the 90s.  Everything started to gravitate around two or three options.  No-one has the money, balls, or guts to rewrite a "Kernel" from scratch.  It's either Linux or Windows alike now.  Those Kernels that are really apart these days are "Real Time" kernels (we find in programmable controllers (PLC) or Numerical Controls (CNC) for example)

    I assume Sophos plays "Lego Bloc" with what's existing and while adding or removing Kernel features, they try to fit this to the actual high level code.  Like EXIM.

    I suspect the complication in doing so is not because of a few very complicated things.  It's more because there are billions of simple things to go after.

    When we see very simple things repeatedly broken, like DHCP, Reporting, and so on, and very simple features still absent like NTP management, we can only scratch our heads and wonder what kind of fight they have in the sub-basement called "Kernel".  

    SFOS v15 was end of 2015 ... That’s a lot of time to re-write a “linux-based” Kernel … The real danger here, that we can already observe at the competition, is SFOS might reach obsolescence before it’s even born  !!!

    Paul Jr