
Pros/Cons of XG Firewall? - looking for some real world experience

I am considering the XG Firewall (210 model) and would plan to implement it with high availability. I personally come from a Cisco background and have experience with the ASA line, but I wanted to see how these models compare and what others' experiences are.

Please let me know any pros/cons you have encountered and if there are any gotcha moments to be aware of.

Thanks much.

KM



  • Hi,

    I like the UTM FW because it is very simple to configure and has many features. Updates should be handled with care ... Around 2 years without problems. Wait 2 weeks and pay attention to the forum before installing updates and it will work.

    In my opinion the XG isn't fully developed now. Sometimes I have to format the report disk because of updates, the UTM event viewer is much better, and the IPS updates for WAF and view others show "failed" because there are no updates for the last weeks. NAT rules for E-Mail servers are also more work than on a UTM.

  • If you are replacing an ASA then I would say the best benefits are:

    • Web control and filtering
    • Much higher frequency of updates
    • NAT easier (despite what a lot of comments on here say)
    • WAF easier to and only lets in what you want
    • RED and in v16 IPSEC VPNs
    • Overall performance for your £, € or $

    The biggest downsides are:

    • Stability not up to Cisco bomb proof levels but 17.0.1 is good for us
    • Email MTA isn't properly developed (but you wouldn't use an ASA for that either)
    • Client VPN, ASA integration with RSA tokens etc. much better.
  • KM,

    I have used Sophos SG UTM since the end of version 1 and the release of version 2. Over a year ago, I switched to XG Firewall and never looked back. The SG Firewall is simple, straightforward, and capable of handling everything I have ever thrown at it - from large enterprises and small businesses to large estates and small homes. As CMR stated, updates come often, and they are quick and painless to deploy. My favorite features are the integrated secure wireless and RED add-ons.

    I have only one con: The Firewall is defaulted to Deny All while each Firewall Rule you create is based on Allow All - Drop and Reject seem to be cleanup rules. For every User/Network Firewall Rule, you must select Allow All and then re-identify what you want to restrict/block through policies. This is fine as long as you understand this is how the rules work in the XG Firewall. I say this coming from using multiple SG UTM rules set in Deny ALL, in which I turn on only what you want to allow and where I want it to go.

  • We started out with the XG105 model, and even though the number should have made it work, the device was simply too slow and came nowhere near the official specs.

    Also the throughput speeds we obtained were well below what you would expect.

    At that point in time we also had lots and lots of problems with IPS, some websites behind the firewall (we are hosting them) stopped working properly and lots of false positives as well.

    Sophos kept on saying the device was simply too slow for us. So based on this we bought an XG310, which for us was heavily overdimensioned.

    Unfortunately also this device still gives us many headaches. Again IPS is screwing things up for us. Our customers are complaining that every x 100 requests, they suddenly get a very slow reaction of the servers. We investigated this using tcpdumps on the firewall itself, and we indeed see that sometimes clients experience 6 seconds of delays.

    We tried excluding that server IP from IPS scanning, but even then the delays were happening.

    So the only choice left for us was to completely stop the IPS service; only when we did that was the box not generating delays anymore.

    But you will also understand that defeats pretty much the purpose of having the box.

    Currently this case is still under investigation by Sophos, so I'm hoping for the best ...

    Pros:

    Easy interface

    Straightforward to configure in most cases

    Good visibility on what is going on in your network

     

    Cons:

    The product is not mature nor stable; it's ok for an office, but to be honest, it can't compete in ISP / corporate markets

    It's hard to reach the support; 30+ mins of holding the line before getting to a support tech are very common

     

    Hope this helps you in making whatever choice you want to make