This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Looking to upgrade our UTM hardware - what are our options?

We're running a small SG115 unit at the office. It used to be quite sufficient for all our needs, however since a lot of things shifted to online work and the company has expanded we've had more and more trouble with performance.

The main culprit - Webserver Protection. This seems to be quite demanding when even a single client opens a lot of connections (example: a colleague working from home was restoring Nuget packages using our local DevOps Server feed as the source and this killed the SGs performance to such a degree that general internet connectivity was negatively affected).

I'm trying to find a way if I can't proxy our DevOps in some other way, but I'm also looking if upgrading the hardware is even a possibility. From what I can tell Sophos has a new line-up of network devices - the XGS series... which probably come preinstalled with the XG Firewall.

Now, to be honest, I'm not a fan of the XG Firewall. The entire control scheme seems a wee bit backwards AND it's still missing Let's Encrypt support, which I think kills it for us at this time. So... can the XSG series devices have UTM installed on them? Will Sophos be willing to convert / sell our current UTM license so that it works with a new XGS device should it be compatible?

This thread was automatically locked due to age.

Top Replies

jprusch over 2 years ago in reply to Jay Jay +1

Jay Jay I fully agree. For a paid license you get migration support from your Sophos partner and a specialised team at Sophos. This is to minimize efforts and risk. BUT: there is no such thing as "feature…

Parents

0 jprusch over 2 years ago

Can you post the dashboard of the performance graphs when you have a heavy usage of that box?
Cancel
Vote Up 0 Vote Down

Cancel
0 Mateusz Bender over 2 years ago in reply to jprusch

You mean this one? I've marked two instances where the UTM flat out failed to process DNS queries as it got overloaded.

In both instances the "culprit" was tracked to httpd processes hogging the CPU, and further investigation (using a web application firewall status page) showed there being numerous connections to our DevOps, all from a single IP, which I've then tracked to a colleague working from home. He had a VPN active, but since the VPN did not use our office as the default gateway he would be using the public IP of our DevOps (rather than the internal IP).

The issue was remediated after I asked my colleague to use a "default gateway" VPN and after I had restarted the webserver proxy service. Still, this is more of a workaround than a proper solution and that makes me nervous...
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 Mateusz Bender over 2 years ago in reply to jprusch

You mean this one? I've marked two instances where the UTM flat out failed to process DNS queries as it got overloaded.

In both instances the "culprit" was tracked to httpd processes hogging the CPU, and further investigation (using a web application firewall status page) showed there being numerous connections to our DevOps, all from a single IP, which I've then tracked to a colleague working from home. He had a VPN active, but since the VPN did not use our office as the default gateway he would be using the public IP of our DevOps (rather than the internal IP).

The issue was remediated after I asked my colleague to use a "default gateway" VPN and after I had restarted the webserver proxy service. Still, this is more of a workaround than a proper solution and that makes me nervous...
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 jprusch over 2 years ago in reply to Mateusz Bender

Your options are:
Cancel
Vote Up 0 Vote Down

Cancel
0 jprusch over 2 years ago in reply to jprusch

I would recommend either SG135 or SG210. Software cost is the main point here.
Cancel
Vote Up 0 Vote Down

Cancel
0 Mateusz Bender over 2 years ago in reply to jprusch

See my reply to LuCar Toni ... I'm not sure what's going on behind the scenes, but the reseller we're currently in contact with essentially told us any new SG units are impossible to get. If this is some ploy to get us to move to newer hardware and SFOS then it's rather dirty...

I wouldn't even mind moving to SFOS (and it's somewhat backwards configuration design when compared to UTM), but it lacks LE support and we need that.
Cancel
Vote Up 0 Vote Down

Cancel
0 jprusch over 2 years ago in reply to Mateusz Bender

We have dozens of both models available.
Cancel
Vote Up 0 Vote Down

Cancel
0 BAlfson over 2 years ago in reply to Mateusz Bender

Cześć Mateusz,

The reseller contact you're using is misinformed and should ask his management what the complete story is. Reading between the lines of the notice sent to Partners, Sophos will stop SG manufacturing in June and sell only remaining stock after June 30, 2023.

You might find it more cost-effective to change to the software version.

Cheers - Bob
Cancel
Vote Up 0 Vote Down

Cancel
0 Jay Jay over 2 years ago in reply to BAlfson

Question is, does it make sense to invest in a product going EOL in a few years.....?
Cancel
Vote Up 0 Vote Down

Cancel
0 jprusch over 2 years ago in reply to Jay Jay

You can "convert" an SG model to an XG, there is an official procedure for that.

Given you have bought enough "horsepower" for your company, you want lose your invest.
Cancel
Vote Up 0 Vote Down

Cancel
0 Mateusz Bender over 2 years ago in reply to Jay Jay

Probably not. On the flip side the annual costs for SFOS (as our reseller presented it) were astronomical compared to UTM. A jump from 500EUR to 3500EUR is rather insane!

And then SFOS still doesn't have LE support. Perhaps it's time to look for a new vendor entirely...
Cancel
Vote Up 0 Vote Down

Cancel
0 jprusch over 2 years ago in reply to Mateusz Bender

You should definitely ask another Sophos partner. Probably PM me?
Cancel
Vote Up 0 Vote Down

Cancel
0 Jay Jay over 2 years ago in reply to jprusch

jprusch I need to clarify my statement above. Using the term "product", I mean both the hardware and the software. While upgrading to a more powerful version of SG should amount to restoring a previous config file, upgrading to a whole new OS is more involved.

At one point there was a conversion utility, but not sure if that's still available. Also, due to lack of feature parity it's probably best to do the config manually anyway.

My point, if one is going to be changing software to anything else, they need to fully evaluate if the upgrade path makes sense. How well does the new software meet their needs.

Even as a home user, I dread redoing it as my config is not all that simple, with multiple vlans, granular firewall rules, several servers behind the firewall and so on. I only want to redo this once for the foreseeable future.
Cancel
Vote Up 0 Vote Down

Cancel