Alternative to Sophos UTM


Rand__

Well-Known Member
Mar 6, 2014
6,626
1,767
113
I have been using Sophos UTM for years now and was pretty happy with it.
In recent times it started to show that it's not the prime product any more;
I now have trouble with my RED (UTM2UTM/site2site) tunnel, which has been down for weeks after an update;
Also my trusty fw/http ruleset is not cutting it any more with more and more pages using https and Sophos's inability to handle this properly (without having to invest even more time in configuring https scanning on a per-webpage level).

So at this point I wonder whether it might make sense to change products to another UTM tool or maybe a bunch of tools... but o/c I have not kept up with developments.

Basically I am looking for the following functionality
  • Firewall
  • (Transparent) Web Proxy (ideally with AD integration for authentication mapping). I need time- and user-based whitelists. Predefined categories are a bonus, no need. Integration with web lists is another bonus. A smart way to allow singular YouTube videos would be great.
    What would be really great would be proper http(s) request tracking - as it is now I need to manually debug and allow subrequests to other domains myself instead of that being tracked by the proxy (think static and dynamic content providers all needing separate whitelists). O/c I do need blacklisting inside the automaton to block tracking/ads ;)
  • Site2Site VPN capabilities via DynDNS names (both sides NATed)
  • Syslog, SNMP, Netflow would be nice to have

If there is no better tool for this than Sophos then that's fine too; will migrate RED to a Site2Site VPN then and
will need to come up with a solution for the https sites...
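The "subrequest tracking" wish above (whitelist a page, then discover which CDN and font hosts it pulls in) can be approximated offline from any proxy log that records the Referer. The script below is an added example, not code from the thread or from any Sophos product; the log format, hostnames, whitelist and blocklist are constructed for the example, and a real UTM or Squid log would need its own parse_line().

```python
"""Derive whitelist candidates from proxy logs by grouping requests by Referer.

Idea: for every request whose Referer host is already whitelisted, the
requested host is a sub-resource that page needs.  Count those pairs and
suggest them, skipping hosts that are already allowed or known trackers.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample log, one request per line:
#   "<unix-ts> <user> <http-status> <url> <referer-or-dash>"
SAMPLE_LOG = """\
1712000000 alice 200 https://www.example.org/ -
1712000001 alice 200 https://static.example-cdn.net/app.js https://www.example.org/
1712000001 alice 200 https://fonts.gstatic.com/s/x.woff2 https://www.example.org/
1712000002 alice 403 https://tracker.adnet.test/pixel.gif https://www.example.org/
1712000003 bob 200 https://www.example.org/page2 https://www.example.org/
1712000004 bob 200 https://static.example-cdn.net/app.css https://www.example.org/page2
1712000005 bob 403 https://vid.example.net/watch?v=1 -
"""

WHITELIST = {"www.example.org"}        # hosts the user already allows (constructed)
BLOCKLIST = {"tracker.adnet.test"}     # ad/tracking hosts that must never be suggested

LINE_RE = re.compile(r"^(\d+) (\S+) (\d{3}) (\S+) (\S+)$")


def parse_line(line):
    """Parse one constructed log line into a dict, or None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, user, status, url, referer = m.groups()
    return {
        "ts": int(ts),
        "user": user,
        "status": int(status),
        "url": url,
        "referer": None if referer == "-" else referer,
    }


def host_of(url):
    """Hostname part of a URL ('https://a.b/c' -> 'a.b')."""
    return urlsplit(url).hostname


def candidate_subrequests(log_text, whitelist, blocklist):
    """Return {whitelisted_parent_host: {child_host: hit_count}}.

    Only requests referred from an already-whitelisted page are considered,
    so a user browsing to a blocked site does not generate suggestions.
    """
    cands = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["referer"] is None:
            continue                              # top-level navigation, no parent
        parent = host_of(rec["referer"])
        child = host_of(rec["url"])
        if parent not in whitelist:
            continue                              # parent page itself is not allowed
        if child in whitelist or child in blocklist:
            continue                              # nothing to add / never add trackers
        cands[parent][child] += 1
    return {p: dict(c) for p, c in cands.items()}


def suggest_entries(cands, min_hits=1):
    """Flatten to a sorted list of (parent, child, hits) with at least min_hits."""
    out = [(p, c, n) for p, kids in cands.items() for c, n in kids.items() if n >= min_hits]
    return sorted(out, key=lambda t: (t[0], -t[2], t[1]))


if __name__ == "__main__":
    for parent, child, hits in suggest_entries(candidate_subrequests(SAMPLE_LOG, WHITELIST, BLOCKLIST)):
        print(f"{parent} pulls {child} ({hits} hits) -> consider whitelisting")
```

One caveat that ties into the HTTPS discussion further down: without TLS inspection a proxy only sees the CONNECT host (or the SNI), never the URL path or the Referer header, so for https pages this log field is empty unless decryption is enabled. Browsers also strip or trim Referer under strict Referrer-Policy settings, so treat the output as a candidate list to review, not as a rule to apply blindly.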
 

Rand__

Well-Known Member
Mar 6, 2014
No, I have not checked out anything else yet - will have a look - thanks :)
 

RTM

Well-Known Member
Jan 26, 2014
956
359
63
In addition to what Jannis has already mentioned, these products may also do the trick:
  • pfSense
  • VyOS
  • Sophos XG
  • OpenWrt (on x86)
  • Untangle
  • IPFire
Of course I am not sure if all of them will do what you want.
 

Rand__

Well-Known Member
Mar 6, 2014
Why both?
Two layers, or a functionality deficiency in either?

Edit: Or maybe pricing (after looking at Untangle's webpage ;))
 

Evan

Well-Known Member
Jan 6, 2016
3,346
598
113
It's a bit sad that Sophos seems to have failed you with broken functions, but maybe better luck with Sophos XG?

I am not much help as I just decided to go with Meraki except for lab use. Costs $$ but does exactly what I needed without essentially any attention from me. (Needed some filtering for kids.)
I know I could have managed with other options like pfSense, but in the end you still spend a few $$ subscribing to services and a lot more management effort on my part.
 

Sogndal94

Senior IT Operations Engineer
Nov 7, 2016
114
72
28
Norway
Why both?
2 layer or functionality deficiency on either?

Edit: Or maybe pricing (after looking at Untangle'd webpage;))
I use Untangle for my home network and pfSense for lab.
Price is one of them. Config on Untangle is easy, that's why I use it ;)
 

Rand__

Well-Known Member
Mar 6, 2014
It's a bit sad that Sophos seems to have failed you with broken functions but maybe better luck with Sophos XG ?
Tried XG a while back and my experience was in line with what I still read online - not there yet.

I mean I get it's difficult - UTM has 20+ years of development I guess (including Astaro) but probably doesn't cut it any more for new requirements; XG has potential but needs time (and they have used up quite a bit already).

I can't really complain, it's free for home, just annoying.

I might go $$ if I really found a great solution and it's reasonable. Don't see myself dropping 300 quid/year just for that...
 

marcoi

Well-Known Member
Apr 6, 2013
1,532
288
83
Gotha Florida
I built out a new box to provide all my networking needs and ended up using both pfSense and Sophos UTM.
https://forums.servethehome.com/index.php?threads/the-powerrouter-one-beast-to-rule-them-all.25715/

I am using pfSense as an ATT router replacement and main access for WAN to LAN. It also provides a VLAN network for IoT devices that is separate from my home network. I am running pfBlockerNG on pfSense only for the WAN-to-LAN side with easy lists to block ads, tracking, etc. The pfSense LAN interface then feeds down into multiple pfSense boxes to account for the static IPs I have and configuration for various online services, game servers, webpages, etc. I've had Sophos UTM for a long time and have it set up for my primary network. I run most of my rules for blocking apps/content in Sophos UTM. I found it easier to set up than pfSense for these rules. Between the pfSense main VM and the Sophos VM I have a good amount of control. When a feature isn't in one, I look at the other one for it. For example, I use Sophos UTM for SSL VPN access to my home network.

Also as a side note, I have a Sophos XG VM that I start up every few months and let upgrade. I'm still waiting on a good Sophos UTM-to-XG migration tool so I don't need to manually redo my config.

Anyway, you're doing a bit more stuff with your setup than I am, but I figured I'd share my experience in case it helped.
 

Evan

Well-Known Member
Jan 6, 2016
XG has been out for years now; it would seem they never plan a migration tool from UTM.

Nothing at all wrong with using multiple products, exactly what a lot of people do either for functionality or for layering of security, where the layers hopefully have different vulnerabilities.
 

azev

Well-Known Member
Jan 18, 2013
768
251
63
I've just recently migrated from UTM to XG (both free version) and I like the XG a lot. It does take a bit to figure out how to navigate the features but once you figure it out it's a pretty robust software.
 

Rand__

Well-Known Member
Mar 6, 2014
What kind of services are you able to run on XG? I am pretty sure it will do most basic things just fine, but I was always under the impression it's not as variable (or full featured) as UTM.
But I have not used it beyond setting one up as a simple GW for a couple of VLANs.
 

azev

Well-Known Member
Jan 18, 2013
There are two reasons why I used XG, or UTM previously: the web filtering function and email (spam and virus).
I created a separate network at the house for both of my kids' wireless devices to filter bad content on the internet and it works great.
XG also has a feature that forces YouTube to turn on restricted mode via network config that can't be disabled manually. (Both my kids had figured out how to disable restricted mode manually before.)
The XG also functions as a mail smart host for the house, providing spam filtering and virus scanning for all ingress and egress email from my home mail server.
 

zer0sum

Well-Known Member
Mar 8, 2013
849
473
63
I would also like to recommend OPNsense as it is a very robust and flexible open source firewall that will run on almost anything.
The configuration via the GUI is easy, and it has a wide range of capabilities with all of the plugins available.

For your VPNs I would look closely at WireGuard, which is built in, trivial to configure and blazing fast.
It makes OpenVPN and IPsec look ancient in comparison :)
Or you could use ZeroTier if you want more of a meshed setup, and hopefully they'll also add Nebula VPN support soon.

It has full syslog-ng, SNMP and Netflow built in.

You might also want to look into the added functionality Sensei offers as well - https://www.sunnyvalley.io/sensei
There's a free version, with more features opened up if you start paying.
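For the site-to-site requirement from the opening post (DynDNS names on both ends, both sides NATed), a WireGuard tunnel in wg-quick syntax looks like the following. This is an added example, not configuration from the thread, from OPNsense or from any vendor; the DynDNS names, LAN ranges, interface name eth1 and the key placeholders are all assumptions, and each site's NAT router must forward UDP 51820 to the firewall.

```ini
# Site A: /etc/wireguard/wg0.conf   (LAN 192.168.1.0/24, public name site-a.dyndns.example.net)
[Interface]
Address    = 10.99.0.1/30
ListenPort = 51820
PrivateKey = <site-a-private-key>          ; generate with: wg genkey
# Route between the tunnel and the LAN interface (eth1 is an assumed name)
PostUp   = sysctl -w net.ipv4.ip_forward=1
PostUp   = iptables -A FORWARD -i wg0 -o eth1 -j ACCEPT; iptables -A FORWARD -i eth1 -o wg0 -j ACCEPT
PostDown = iptables -D FORWARD -i wg0 -o eth1 -j ACCEPT; iptables -D FORWARD -i eth1 -o wg0 -j ACCEPT

[Peer]
PublicKey    = <site-b-public-key>
PresharedKey = <shared-psk>                ; wg genpsk on one side, copy to both
Endpoint     = site-b.dyndns.example.net:51820
AllowedIPs   = 10.99.0.2/32, 192.168.2.0/24   ; peer's tunnel address + its LAN
PersistentKeepalive = 25                     ; keeps the NAT mapping open on both NATs

# Site B: /etc/wireguard/wg0.conf   (LAN 192.168.2.0/24, public name site-a's mirror image)
[Interface]
Address    = 10.99.0.2/30
ListenPort = 51820
PrivateKey = <site-b-private-key>
PostUp   = sysctl -w net.ipv4.ip_forward=1
PostUp   = iptables -A FORWARD -i wg0 -o eth1 -j ACCEPT; iptables -A FORWARD -i eth1 -o wg0 -j ACCEPT
PostDown = iptables -D FORWARD -i wg0 -o eth1 -j ACCEPT; iptables -D FORWARD -i eth1 -o wg0 -j ACCEPT

[Peer]
PublicKey    = <site-a-public-key>
PresharedKey = <shared-psk>
Endpoint     = site-a.dyndns.example.net:51820
AllowedIPs   = 10.99.0.1/32, 192.168.1.0/24
PersistentKeepalive = 25
```

Two checks worth knowing before trusting this with a DynDNS name: wg-quick resolves Endpoint once when the interface comes up, and afterwards WireGuard only learns a new address for a peer from an authenticated packet that arrives from it. So if one site's public IP changes the other side follows automatically, but if both change at once (or the tunnel has been down across the change) the name has to be re-resolved, which wireguard-tools ships a contrib script (reresolve-dns.sh) for that you can run from cron. AllowedIPs is also the access-control list: a packet from the peer whose source is outside its AllowedIPs is dropped, so keep it to the exact remote LAN rather than 0.0.0.0/0.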
 

sd11

New Member
Jun 2, 2016
28
1
3
39
How does AV/Malware/web filtering work? Do you install a local SSL cert from XG? Essentially MITM?
 

azev

Well-Known Member
Jan 18, 2013
How does AV/Malware/web filtering work? Do you install a local SSL cert from XG? Essentially MITM?
My understanding is that it works like a proxy system. XG is capable of MITM to decrypt SSL traffic for inspection, but I never tried it.
 

zer0sum

Well-Known Member
Mar 8, 2013
How does AV/Malware/web filtering work? Do you install a local SSL cert from XG? Essentially MITM?
Pretty much every product on the market is stuck doing MITM SSL decryption using a cert if you want deep inspection of encrypted traffic.

Although you can still do some cool stuff with the CNI details in the cert and other signature-based stuff without decryption.

Just depends how deep you need to go :D