Restricted Advance Shell - examples of challenges

Hi Community contributors,

Starting with Sophos Firewall v19, with the addition of many comprehensive logging enhancements in the GUI, and in line with industry best practices, access to the Advanced Shell is restricted to licensed commercial versions of the product.

Partners and certified architect engineers have an option with a Not-for-Resale license to set up labs or customer PoCs with an unrestricted Advanced Shell. Also, Sophos Support is able to access the Advanced Shell via the support access channel. Hence, in case of critical issues, support can still access it.

Sophos Firewall has been incrementally improved since v18 with comprehensive logging enhancements in the GUI (better search, filtering, configurations, SD-WAN logs, VPN logs, gateway logs, etc.). However, we acknowledge that the Advanced Shell restriction might have created challenges in certain database-related configurations, especially for home users.

Please help us understand the specific examples of challenges you face due to this restriction: configurations where the GUI and console tools are reaching their limits. We will suggest possible workarounds for the specific scenario. We will also plan and gradually improve the product for those scenarios.

Sincerely,

Sophos Firewall Product Team

  • No, it does not! "Dropped by policy" basically means that any security feature that is enabled inside the SMTP policy might have caused the mail to be rejected. It might as well be Data Protection or malware protection. I have tested this. This error that is being returned doesn't say anything about the actual reason, rendering it almost useless. Please do your research; you should know that.

  • Odd. The MTA in fact does this. Not the transparent SMTP scanning.


  • Agree with Billybob on `iftop`. I hadn't thought of using Live Connections, so I've been trying them. Three issues: 1) Five seconds is a long time, 2) not as easy to stop refreshing when you want to look at something that just popped up that's odd, and 3) it's not clear what the Kbps time period is and not clear that it means Kbps and not KBps. The `iftop` command is snappy, you can freeze it immediately, and it gives you rates over multiple time periods so you can watch for more of an instantaneous and more of a continuous average at the same time.

    Fast refresh in a GUI is probably a mistake, since it's pulling horsepower from the actual firewall job. So maybe allowing access via the CLI would be a good compromise?

    As an example, I'm looking for a machine that's streaming a multi-Mbps video stream. Using Live Connections sorted by download and viewing by IP, the machine bounces in and out of the top. Evidently there's some interaction of sorts between the 5-second refresh, what period of time Sophos is actually calculating over, and perhaps bursty streaming (as streaming programs overfill buffers and throttle themselves, I guess); it's frustrating to see the streamer in the top. Multiple refreshes can show apparently no download.
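    To illustrate the sampling effect this post describes, here is an added example (not code from the thread or from Sophos) using constructed per-second byte counts for three hosts: a bursty streamer shows up as top talker only in some 5-second snapshots, while the longer averaging windows an `iftop`-style view offers rank it first consistently. The host labels and traffic shapes are assumptions for the demonstration.

```python
"""Bursty streamer vs. a steady transfer under different averaging windows."""

# Constructed per-second download byte counts over 40 s (not captured data).
# streamer: 3 MB bursts for 2 s out of every 10 s, idle while its buffer drains.
# backup:   steady 400 KB/s.
# browse:   light, intermittent traffic.
SAMPLES = {
    "10.0.0.21 (streamer)": [3_000_000 if t % 10 < 2 else 0 for t in range(40)],
    "10.0.0.22 (backup)": [400_000] * 40,
    "10.0.0.23 (browse)": [50_000 if t % 3 else 0 for t in range(40)],
}


def rate_kbps(byte_counts, window, end):
    """Average rate in Kbit/s over the `window` seconds ending at second `end`."""
    start = max(0, end - window)
    total_bytes = sum(byte_counts[start:end])
    return total_bytes * 8 / 1000 / (end - start)


def top_talker(samples, window, end):
    """Host with the highest average rate over one window (a 'sorted by download' view)."""
    return max(samples, key=lambda host: rate_kbps(samples[host], window, end))


def ranking_over_time(samples, window, step):
    """Top talker at each refresh tick, simulating a GUI that refreshes every `step` s
    and averages over `window` s. A short window makes a bursty host flap in and out."""
    return [top_talker(samples, window, end) for end in range(step, 41, step)]


def multi_window(samples, host, end, windows=(2, 10, 40)):
    """Rates over several windows at once, the way iftop shows 2 s / 10 s / 40 s columns,
    so an instantaneous burst and the continuous average can be read together."""
    return {w: rate_kbps(samples[host], w, end) for w in windows}


if __name__ == "__main__":
    print("5 s snapshots:", ranking_over_time(SAMPLES, 5, 5))
    print("40 s average top talker:", top_talker(SAMPLES, 40, 40))
    for host in SAMPLES:
        print(host, multi_window(SAMPLES, host, 40))
```

    With these inputs the 5-second snapshots alternate between the streamer and the backup host, while over 40 seconds the streamer averages 4800 Kbps against the backup's 3200 Kbps.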

  • Snort rules are not released on an hourly basis. Snort community rules are free for home users, are released every day, and are not 30 days behind. Regardless, I am not arguing against the benefits of having a full-featured firewall doing everything for you, and that's what made Sophos/Astaro so great for most of us home users. And as much as I have appreciated their full-featured firewall free for home use, I am tired of their constant disregard and sometimes hostile stance against certain community members.

    Suricata has a definite benefit over the old Snort version that is used in XG and SG. The only reason they stuck with Snort is OpenAppID, which is a logical choice for a layer 7/next-gen firewall. As far as the Netgate/pfSense employees' behavior and their failures on certain releases, it's well documented on Reddit etc., and I am by no means advocating what any users should use here. In fact, till a few years ago it was a no-brainer to run Sophos software for free at home, and if it still fulfills your needs, by all means use what you like.

  • I understand that Snort rules aren't released on an hourly basis. However, Sophos checks for pattern updates on an hourly basis, which means I could get them as soon as an hour after release. If you get your Snort rules for free, they are in fact delayed 30 days. That's one of the things they offer you for your shopping dollar: "get updates 30 days sooner".

    I'm not sure if they offered the personal ($30/year) plan when I researched it before buying Sophos. All I remembered was the $400/year Business plan. (Though when I just looked at their website, they do still seem to differentiate the extent of rules they make available to personal versus business.)

    Yes, Sophos uses old Snort, just running multiple copies because it isn't multithreaded. Which was Suricata's claim to fame. Which has apparently been negated with the latest Snort. Not saying Sophos' use case is better, just saying that Suricata has seemingly lost its main claim to fame (being multi-threaded) as an advantage. Seems to me that if you're not locked into a commercial vendor, why use Suricata?

  • Whilst I understand what you are trying to do here, I think your time (and our sanity) would be better spent by taking on board the frustration and anger of the posts here regarding the overall state and speed of XG development, and focusing on engaging with your customers properly.

    It's all very well asking us what we need when you take away console access (a decision you still haven't explained) but quite frankly, Sophos have a lousy record of implementing what customers want/need, so why should this be any different?

    Let's have a quick look at the requested features - https://ideas.sophos.com/forums/330219-xg-firewall/filters/top. Sophos's dumping ground for customer needs.

    Most requested feature - 1227 votes: Let's Encrypt Integration
    First requested in 2016, still not implemented

    Second most requested feature - 1002 votes: Scheduled Installation of the AV Updates and Firmware Installation
    First requested in 2016, still not implemented
    If you have a 100 series XG, an update can cause the router to drop all connections for up to two minutes, everything blocked. Second line support agree this is completely unacceptable and their manager escalated this to product development asking them to make it a priority. This was about 18 months ago. I can't believe that implementing this as a scheduled task is difficult, it causes major issues but we are still waiting for it to be implemented.

    677 votes: Can we have live Bandwidth speeds for Interfaces?
    First requested in 2015. Comment by Sophos: "This feature is under consideration for a future release in 2018"
    Still not implemented

    660 votes: Enable/Disable Interface
    First requested in 2015. Comment by Sophos: "This is a high priority feature, and will likely be targeted as soon as possible after v17 ships"
    Still not implemented

    Need I go on? IS ANYBODY AT SOPHOS LISTENING TO THEIR CUSTOMERS?!

    I also have to wonder about the XGS hardware development and how much that is sapping development time for things we really need. The nerd in me says "this is cool": a dedicated Xstream Flow Processor for intelligent application acceleration. The businessman in me says "what is this going to give me that I can't get now?". As I understand it, this is about improving performance. But I can get better performance by buying a bigger firewall. Yes, that is at a cost, but at least I have an option. What I don't have an option about is the features that I need and don't have now. I would rather you spent your development time on features I need, not rewriting code for your "hot" new processor to do what the XG already does, just faster.

    Lastly, I would just like to say that I think some people's frustration has been unfairly directed at . He's here to deal with technical issues, he is not, as far as I know, responsible for product development. I am personally very grateful for the assistance he provides here which I have often found very useful.

  • That's actually the problem of XG(S).
    Sadly, Sophos seems to ignore customer and partner requests, focusing on marketing and new features instead of improving essential basics. ...but that will probably not change before UTM is EOL and more customers leave...

    It's great to have a visionary product, but an essential feature set and usability should not be up for discussion.

    What about taking ideas.sophos.com offline as it's actually useless?

  • Scheduled firmware installation has already been available via Sophos Central since 2020 (see https://community.sophos.com/sophos-xg-firewall/b/blog/posts/new-enhancements-to-central-xg-firmware-updating).

    But in fact that shows how well ideas.sophos.com is maintained... as the status of this request has not been updated by now...

  • Only scheduled firmware installations are available.

    The main issue is the pattern updates: if the AV pattern gets updated on a low-end appliance, some traffic will either be dropped or blocked until the pattern is fully updated. By not being able to set a time schedule for when those pattern updates should happen, any time the AV pattern gets updated you will have downtime, depending on the appliance.

    For me this was unnoticeable on my home appliance, which had a Ryzen 3300X, but now I'm using an XG115w Rev.3 and it's really noticeable when the AV or IPS pattern gets updated.


    XG 115w Rev.3 8GB RAM v19.5 MR1 @ Home.

  • As I said, this was taken up with Product Development by a senior Technical Support Manager and still it hasn't been sorted. Sophos Product Development don't even seem to listen to their own staff, what hope have we got?!