And Sophos kills off the SUM

Since the Thoma Bravo purchase Sophos has been a slow train wreck.  The latest is them killing off the SUM with no real way to centrally manage XG firewalls (which are slower than UTM).  What are you guys' thoughts?  Are you finding a new vendor?  Who are you choosing?



  • Simple.  Click on connect.  Wait.  Click on next menu.  Wait.  Click on apply. Wait.  Every click we wait costs us money.  I know for a fact there are very large partners that manage a very large number of UTM through a SUM.  Why have they not moved?  Because the XG is so much faster?  NO!! You can't efficiently manage the XG product line.  Prove me wrong and I might change my opinion.  

  • Did you contact your local SE folks to get an XGS demonstration? 

    __________________________________________________________________________________________________________________

  • Do you have a way to manage XG centrally that I don't know about? 

  • Yes - Via Central. 

    You can publish most of the needed configuration via Central. Most partners start with one appliance and convert the configuration via XML into an export. Then they push this XML to one firewall. This firewall will be used to import the template to Central, and it will be applied to multiple firewalls. 

    Most partners (especially in the MSP field) use migration scripts (Python) to convert any product config to XML format. I even wrote a small guide to convert this via Notepad++: https://community.sophos.com/sophos-xg-firewall/f/recommended-reads/122450/creating-xml-objects-with-notepad-for-mass-import

    Then import this to one firewall - Import it to Central - Done. 

    Most likely you do not need to do the busy work anymore, if you are able to use scripting / notepad++. Having the CSV is enough to create everything. 

    __________________________________________________________________________________________________________________

  • Where is the list of all our firewalls?

    How do we press one button and push a firmware update?

    Why does it take literally seconds between mouse clicks on the XG menu?

    Why does it take multiple times to attach to a XG firewall via Central?

    UTM SUM = Update all firewalls quickly

    UTM SUM = Quick logins to firewalls

    UTM = No pause between mouse clicks on menu

    UTM SUM = Lists all firewalls.  No need to track them via another method (excel spreadsheet)

    Now I ask you.  Do you just work for Sophos and have done all their training, or do you also run or have run a business where you pay for your techs to make those mouse clicks?

    I was promised a year ago that they would build an effective API to our PSA.  Not delivered

    I was promised over a year ago you could easily manage XG via central.  Not delivered.

    And today the ONLY effective central management for the UTM is being pulled.  

    Besides none of my questions were directed at you.  You are an employee.  But just maybe someone will actually listen at Sophos and get this *** done.  Or does Thoma Bravo have so much control that they are willing to burn off all of the Sophos fans (used to be me) and find new ones.  Time will tell.  But my time is very short. 

  • Just to answer some of your points: 

    How do we press one button and push a firmware update?

    You can upgrade all firewalls within a group. Schedule or "now". 

    Why does it take literally seconds between mouse clicks on the XG menu?

    This should not be the case on potent hardware. For example the XGS Hardware is faster compared to a SG105. The difference between UTM and SFOS is basically the way those products interact with the configuration. UTM uses a middleware, SFOS uses a database approach. Which means, the database will be queried on each and every "click" as you say. This relies heavily on hardware, and if you give the OS potent hardware like XGS, it is most likely quicker compared to UTM. 

    Why does it take multiple times to attach to a XG firewall via Central?

    This should not be the case? So basically if you integrate a firewall within Central, it will create a token based connection and should stay there. I am not aware of any cases which lose the connection. But for the next release, there is an easier way to integrate Central with a SFOS appliance via API credentials. 

    UTM SUM = Update all firewalls quickly

    As you can see above, this is possible. 

    UTM SUM = Quick logins to firewalls

    You can use Central to SSO to all appliances without the need of setting up any site to site tunnels or even exposing the webadmin. 

    UTM = No pause between mouse clicks on menu

    See above. 

    UTM SUM = Lists all firewalls.  No need to track them via another method (excel spreadsheet)

    You can track the customer firewalls and also the partner managed firewalls via Partner dashboard. No need to host your own solution for this purpose as Central is free. 

    Now I ask you.  Do you just work for Sophos and have done all their training, or do you also run or have run a business where you pay for your techs to make those mouse clicks?

    I basically advise partners and customers to migrate to SFOS in plenty of integrations. Therefore I know the blockers and limitations which can come up. And for a customer with 200 firewalls, for example, you should consider revamping the entire network stack anyway. Most likely those customers have run their entire config for 10 years + and their configuration is "old school", which means security reports are rarely run, nobody knows what is going on in their network etc. Even network segmentation is not everywhere implemented in 2021. So it would be a good step to rethink their network: Like VLAN segmentation, like Firewall rules, like proxy implementation. Are you doing HTTPS decryption? If not, why not? Do you know the risk of running such networks in 2021? See: https://www.sophos.com/en-us/medialibrary/pdfs/technical-papers/sophos-2021-threat-report.pdf

    I was promised a year ago that they would build an effective API to our PSA.  Not delivered

    Did you look at the PSA Integrations, which are today available? https://www.sophos.com/en-us/partners/managed-service-providers/integrations.aspx

    I was promised over a year ago you could easily manage XG via central.  Not delivered.

    There were some significant changes in the last months to Central. Maybe you should take a look at it. 

    __________________________________________________________________________________________________________________

  • Ok fair point.  Let me clarify my question.  How can I press one button and update ALL of my firewalls?  Do you know how long it takes a tech to log into the Partner Portal then move to Central then find the customer then access their portal then click on firewall then find the firewall, then update the firmware?  Time it and get back to me.

    In sum I can update hundreds of firewalls in under 5 clicks.  There is NO comparison.

    "This should not be the case on potent hardware. For example the XGS Hardware is faster compared to a SG105. The difference between UTM and SFOS is basically the way those products interact with the configuration. UTM uses a middleware, SFOS uses a database approach. Which means, the database will be queried on each and every "click" as you say. This relies heavily on hardware, and if you give the OS potent hardware like XGS, it is most likely quicker compared to UTM. "

    • Dude I don't know what to tell you.  If you don't see the speed issues, then where have you been?  This has been an issue since day one.  I have seen it literally from XG 105 to XG 330 to XGS 116.  It is there and it continues.  
    • The UTM interface runs circles around the shitty XG interface.  Period.

    "This should not be the case? So basically if you integrate a firewall within Central, it will create a token based connection and should stay there. I am not aware of any cases which lose the connection. But for the next release, there is an easier way to integrate Central with a SFOS appliance via API credentials. "

    • I don't know what to tell you. Happens all the time. Click connect wait for it to time out.  Click again.  Wait again.  Finally connects.  Multiple firewalls, multiple hardware, multiple clients.  

    "UTM SUM = Update all firewalls quickly

    As you can see above, this is possible. "

    • Show me where I can do all the firewalls. at one time. 

    "I basically advise partners and customers to migrate to SFOS in plenty of integrations. Therefore I know the blockers and limitations which can come up. And for a customer with 200 firewalls, for example, you should consider revamping the entire network stack anyway. Most likely those customers have run their entire config for 10 years + and their configuration is "old school", which means security reports are rarely run, nobody knows what is going on in their network etc. Even network segmentation is not everywhere implemented in 2021. So it would be a good step to rethink their network: Like VLAN segmentation, like Firewall rules, like proxy implementation. Are you doing HTTPS decryption? If not, why not? Do you know the risk of running such networks in 2021? See: https://www.sophos.com/en-us/medialibrary/pdfs/technical-papers/sophos-2021-threat-report.pdf"

    • I agree with this completely.
    • Sophos does not have an effective way for MSPs to manage a large number of firewalls currently
    • Central is not a solution how it currently stands
    • Before we can make this change we need the client to invest in new hardware
    • Before we can make this change we need the tools in place to manage the whole stack.  This has been promised and not delivered.

    "Did you look at the PSA Integrations, which are today available? https://www.sophos.com/en-us/partners/managed-service-providers/integrations.aspx"

    • Yes. They suck. And Sophos knows they suck. 
    • Did you ask when did Sophos promise they would give us a better PSA API? 
      • Answer first to second quarter 2021
      • Where do we stand today?
        • It's on hold
    • Now your next question.  Why would our partners stay if we can't meet our promises?
      • Now that is a great question.  Why would we?

    "

    I was promised over a year ago you could easily manage XG via central.  Not delivered.

    There were some significant changes in the last months to Central. Maybe you should take a look at it. "

    • Do these changes allow us to manage a large number of firewalls?
    • Do these changes allow us to control the noise tickets we get?
    • Do these changes make it easier for us to identify threats for the clients that we manage?
    • Do these changes allow us control over what clients to get notifications from?

    Of course, there have been changes.  What I believed until recently was that Sophos was MSP friendly.  They are not.  And it looks to me that they are not making enough of an effort to become more MSP friendly. 

    LuCar Toni I am sorry you stepped into this.  I have been a partner for 10+ years.  To ask me "have I this" and "that I that" honestly is not knowing your audience.  I have talked about this until I am blue in the face.  NO ONE that makes decisions is listening. 

    So, I am here SCREAMING to see if anyone is listening because for me to move away from Sophos now will cost me tens of thousands of dollars.  And it would be interesting to see if I am the only one that complains or are there others that feel the same way.  

  • Ok fair point.  Let me clarify my question.  How can I press one button and update ALL of my firewalls?  Do you know how long it takes a tech to log into the Partner Portal then move to Central then find the customer then access their portal then click on firewall then find the firewall, then update the firmware?  Time it and get back to me.

    In sum I can update hundreds of firewalls in under 5 clicks.  There is NO comparison.

    Let me try again: You can use the API next quarter to do this with one click. Currently it is correct, SUM was built with a customer in mind, like Central. But SUM was also used by partners to manage their customers. Which is actually quite "problematic". Simply because you start to harvest data in one appliance for multiple customers. I know, there were some partners actually concerned with this in Europe. Nevertheless, the approach in Central is different, because Sophos now uses the context of tenants (per customer) to completely separate the instances. Now Sophos will bring together data in a partner setup. The next step is to open up the API for firewall management. This means you could simply integrate a "one button" script, which upgrades 1000 firewalls of all customers with one click. That is the plan to integrate this in the next release cycles. 

    "This should not be the case on potent hardware. For example the XGS Hardware is faster compared to a SG105. The difference between UTM and SFOS is basically the way those products interact with the configuration. UTM uses a middleware, SFOS uses a database approach. Which means, the database will be queried on each and every "click" as you say. This relies heavily on hardware, and if you give the OS potent hardware like XGS, it is most likely quicker compared to UTM. "

    • Dude I don't know what to tell you.  If you don't see the speed issues, then where have you been?  This has been an issue since day one.  I have seen it literally from XG 105 to XG 330 to XGS 116.  It is there and it continues.  
    • The UTM interface runs circles around the shitty XG interface.  Period.

    So on my XGS136, I do not have any issue whatsoever with the integration of doing anything. Same for my SG450 and my Azure Appliance. My XG106 is quite unstable under load, that is true. 

     

    "This should not be the case? So basically if you integrate a firewall within Central, it will create a token based connection and should stay there. I am not aware of any cases which lose the connection. But for the next release, there is an easier way to integrate Central with a SFOS appliance via API credentials. "

    • I don't know what to tell you. Happens all the time. Click connect wait for it to time out.  Click again.  Wait again.  Finally connects.  Multiple firewalls, multiple hardware, multiple clients.  

    Oddly, maybe this is fixed with the next release for you. Because I never got approached by anybody (in this community or by any of my peers) about this issue. With the integration of API credentials, this would be easier. 

    "UTM SUM = Update all firewalls quickly

    As you can see above, this is possible. "

    • Show me where I can do all the firewalls. at one time. 

    See above. This is correct for the customer itself. If the customer uses 100 firewalls, he can do a single click upgrade. Login to Central, click on Firewall, click on the group, upgrade all - Now. 

    "I basically advise partners and customers to migrate to SFOS in plenty of integrations. Therefore I know the blockers and limitations which can come up. And for a customer with 200 firewalls, for example, you should consider revamping the entire network stack anyway. Most likely those customers have run their entire config for 10 years + and their configuration is "old school", which means security reports are rarely run, nobody knows what is going on in their network etc. Even network segmentation is not everywhere implemented in 2021. So it would be a good step to rethink their network: Like VLAN segmentation, like Firewall rules, like proxy implementation. Are you doing HTTPS decryption? If not, why not? Do you know the risk of running such networks in 2021? See: https://www.sophos.com/en-us/medialibrary/pdfs/technical-papers/sophos-2021-threat-report.pdf"

    • I agree with this completely.
    • Sophos does not have an effective way for MSPs to manage a large number of firewalls currently
    • Central is not a solution how it currently stands
    • Before we can make this change we need the client to invest in new hardware
    • Before we can make this change we need the tools in place to manage the whole stack.  This has been promised and not delivered.

    It highly depends on the integrations you are running and the amount of changes you want to do. With the Partner Portal integration (template support), you can manage multiple firewalls in multiple tenants at the same time. It will simply push the config of your firewall to all customers you select. The question is, how much work do you do locally. If it's "object pushing", that is easily possible nowadays. If you want to change this on a complex level, the question is, what is your plan as a partner. 

    Most MSPs I know work with templates in XML format. They simply prepare everything as an XML import and deploy XML file 1 for customer "type" 1 and XML file 2 for customer type 2. Then they differentiate on a much broader scale between their customers. Because I see plenty of MSPs confusing MSP with reseller jobs. MSP basically should mean, as an MSP you are responsible for the configuration. When an MSP tells me he wants to give access and full write permission to Central to his customer, this will likely lead to confusion and problems. 

    "Did you look at the PSA Integrations, which are today available? https://www.sophos.com/en-us/partners/managed-service-providers/integrations.aspx"

    • Yes. They suck. And Sophos knows they suck. 
    • Did you ask when did Sophos promise they would give us a better PSA API? 
      • Answer first to second quarter 2021
      • Where do we stand today?
        • It's on hold
    • Now your next question.  Why would our partners stay if we can't meet our promises?
      • Now that is a great question.  Why would we?

    I was promised over a year ago you could easily manage XG via central.  Not delivered.

    There were some significant changes in the last months to Central. Maybe you should take a look at it. "

    • Do these changes allow us to manage a large number of firewalls?

    Yes. 

    • Do these changes allow us to control the noise tickets we get?

    I am not able to answer this question. 

    • Do these changes make it easier for us to identify threats for the clients that we manage?

    Yes, as you can integrate the API into your MSP life. 

    • Do these changes allow us control over what clients to get notifications from?

    Yes, see APIs. 

    Of course, there have been changes.  What I believed until recently was that Sophos was MSP friendly.  They are not.  And it looks to me that they are not making enough of an effort to become more MSP friendly. 

    There are currently more efforts towards MSPs to get them better integrated. I can only highly recommend to get in touch with the Sophos MSP team, if you want to discuss this further. 

    LuCar Toni I am sorry you stepped into this.  I have been a partner for 10+ years.  To ask me "have I this" and "that I that" honestly is not knowing your audience.  I have talked about this until I am blue in the face.  NO ONE that makes decisions is listening. 

    I am just here to keep you up to speed on what is going on with the solution Sophos is offering, because Central is getting new features every 4-6 weeks. And looking at the channel, often there are things not seen. Therefore this is just an open exchange of information. 

    So, I am here SCREAMING to see if anyone is listening because for me to move away from Sophos now will cost me tens of thousands of dollars.  And it would be interesting to see if I am the only one that complains or are there others that feel the same way.  

    __________________________________________________________________________________________________________________