Pros/Cons of XG Firewall? - looking for some real world experience

Question

I am considering the XG Firewall (210 model) and would plan to implement it with high availability. I personally come from a Cisco background and have experience with the ASA line, but I wanted to see how these models compare and what others experiences are. 
 Please let me know any pros/cons you have encountered and if there are any gotcha moments to be aware of. 
 Thanks much. 
 KM

Rene P · Accepted Answer

Hi, 
 I like the UTM FW because it is very simple to configure and has many features. Updates should be handles with care ... Arround 2 years without problems. Wait 2 weeks and pay attention to the forum before installing updates and it will work. 
 In my opinion the XG isn&acute;t fully developed now. Sometimes I have to format the report disk because of Updates, the UTM event viewer is much better, and the IPS updates for WAF and view others show "failed" because there are no updates for the last weeks. NAT rules for E-Mail servers are also more work than on a UTM.

CMR · Answer

If you are replacing an ASA then I would say the best benefits are: 
 
 Web control and filtering 
 Much higher frequency of updates 
 NAT easier (despite what a lot of comments on here say) 
 WAF easier to and only lets in what you want 
 RED and in v16 IPSEC VPNs 
 Overall performance for your &pound;, &euro; or $ 
 
 The biggest downsides are: 
 
 Stability not up to Cisco bomb proof levels but 17.0.1 is good for us 
 Emaiil MTA isn't properly developed (but you wouldn't use an ASA for that either) 
 Client VPN, ASA integration with RSA tokens etc. much better.

David Birdsall · Answer

KM, 
 I have used Sophos SG UTM since version the end of version 1 and the release of version 2. Over a year ago, I switched to XG Firewall and never looked back. The SG Firewall is simple, straight forward, and capable of handling everything I have ever thrown at it - from large enterprises and small businesses to large estates and small homes. As CMR stated, updates come often, and they are quick and painless to deploy. My favorite features are the integrated secure wireless and RED add-ons. 
 I have only one con: The Firewall is defaulted to Deny All while each Firewall Rule you create is based on Allow All - Drop and Reject seem to be cleanup rules. For every User/Network Firewall Rule, You must select Allow All and then re-identify what you want to restrict/block through policies. This is fine as long as you understand this is how the rules work in the XG Firewall. I say this coming from using multiple SG UTM rules set in Deny ALL, in which, I turn on only what you want to allow and where I want it to go.