Sophos XG

Discussion in 'Networking' started by Evan, Aug 29, 2017.

  1. Evan

    Evan Well-Known Member

    Joined:
    Jan 6, 2016
    Messages:
    2,684
    Likes Received:
    391
    I am interested to know why there appears to be little love for Sophos XG home version (or even UTM) from everybody.

    Does it miss something or not do what it should do?
    Is the 4 CPU / 6 GB a limit?
    Does everybody just prefer open source OPNsense or pfSense?
    Worried that they will suddenly remove the product ?

    Seems to be the best free or almost free for home use UTM product, other options seem less capable or cost $$
     
    #1
  2. StammesOpfer

    StammesOpfer Active Member

    Joined:
    Mar 15, 2016
    Messages:
    378
    Likes Received:
    122
    XG is still a work in progress and not always super intuitive.
    UTM has a 50 IP limit which you may hit surprisingly fast, especially since people have issues with IPv6 counting as a second device and it doesn't seem to forget devices very quickly (at all?). There are tricks around to bypass this limit, but then is it worth it?
    pfSense just has a ton of data out there and if you do have an issue the community has probably already done whatever you are looking for.
     
    #2
    gzorn likes this.
  3. PigLover

    PigLover Moderator

    Joined:
    Jan 26, 2011
    Messages:
    2,761
    Likes Received:
    1,103
    This, mostly. I couldn't even do simple experiments with Sophos without crashing into this limit. It's not worth it - if I liked it I'd just be frustrated because I have no intention of paying their premium prices to take this limit off.

    Similar thinking drives others away too.
     
    #3
  4. KioskAdmin

    KioskAdmin Active Member

    Joined:
    Jan 20, 2015
    Messages:
    156
    Likes Received:
    32
    50 IP is like a small home network nowadays. IPs get eaten by phones, tablets, IP cameras, so it's almost impossible to use for a home lab.

    pfSense is what you want.
     
    #4
  5. Evan

    Evan Well-Known Member

    Joined:
    Jan 6, 2016
    Messages:
    2,684
    Likes Received:
    391
    50 IP limit is the older UTM version, the newer XG is CPU/memory limited only.

    Can pfSense do more of a UTM function? All I read is that it is clunky at best for malware detection and so on. When I last used it I found it difficult to set up, but that's a bit ago and versions back, so I will for sure try again. I just could not figure out why people disliked Sophos. @gigatexal can educate me on pfSense :)
     
    #5
  6. StammesOpfer

    StammesOpfer Active Member

    Joined:
    Mar 15, 2016
    Messages:
    378
    Likes Received:
    122
    XG I don't find limiting other than its features and usability. Give XG a shot and if it does what you want and you like it then you are set. I tried it probably 2 years ago and didn't like it. I imagine it is better now but pfSense does everything I want it to.

    The same argument could be made for every other firewall/router distro. Why not: IPCop, Smoothwall, ClearOS, Untangle, Zentyal, DD-WRT, etc. I feel like I have tried most of them and I always end up back at pfSense. Sometimes it is after a day, sometimes a year, but I always come back to it.
     
    #6
    gigatexal likes this.
  7. gigatexal

    gigatexal I'm here to learn

    Joined:
    Nov 25, 2012
    Messages:
    2,648
    Likes Received:
    482
    Haha not sure I can
     
    #7
  8. NashBrydges

    NashBrydges Member

    Joined:
    Apr 30, 2015
    Messages:
    73
    Likes Received:
    19
    I've been running Sophos XG at home for about a year now. Upgraded from the older UTM. To be frank with you, I'm never looking back. This is the best version of Sophos firewall so far. Sure it is missing some features that the UTM had but I don't use those features.

    I have mine running as a VM on a Dell R230 and as a VM, it easily saturates my gigabit internet connection. The older UTM couldn't do this as a VM. This firewall is significantly more powerful for high bandwidth applications.

    I'm running 78 VMs + 42 other devices + however many devices are added when family comes over. The hardware limitations of the home version haven't been an issue at all. The CPU runs around 20% and memory at max 50% with everything running full tilt.

    My recommendation, check out the features you need and if the XG has what you need, give it a try. You won't regret it.
     
    #8
    zeynel likes this.
  9. Nnyan

    Nnyan Member

    Joined:
    Mar 5, 2012
    Messages:
    114
    Likes Received:
    24
    Sophos UTM or XG isn't the most intuitive interface, there is a learning curve just figuring out where everything is. But then again it's the same thing with pfSense and OPNsense. They also take up more resources to run. Having said that, if you're willing to put in the time I actually like it better than pfSense/OPNsense. I started off running UTM when it was from Astaro and was fine with it. After a long series of happenstance I ended up with pfSense and then OPNsense and for one reason or another never switched back. I've tried XG a number of times and I'm seriously considering making it active again.
     
    #9
  10. Aestr

    Aestr Active Member

    Joined:
    Oct 22, 2014
    Messages:
    813
    Likes Received:
    235
    I don't have much experience at all with XG or UTM, but as to your question about why you don't see it mentioned more here and in other communities I feel a huge part is inertia.

    When software like pfSense becomes the de facto standard it makes it very difficult for others to take much of that market share without truly disruptive features. As mentioned above, because of its success pfSense has already seen almost any question you could ask be answered, and when new users see that they decide to go with the product they find the easiest to research. Those users in turn ask questions that add to the knowledge pool and some of them will sing its praises, leading to even more users hopping on and repeating the cycle.

    If all of the options in the market were to launch today with no history or user bias we would likely see a different distribution. Since that's not going to happen we'll see more of the same until someone comes along with some exclusive killer features or pfSense makes some big mistake.
     
    #10
    StammesOpfer likes this.
  11. realtomatoes

    realtomatoes Active Member

    Joined:
    Oct 3, 2016
    Messages:
    243
    Likes Received:
    31
    yeah, that ip limit was bad but with that gone, might as well check out new version. good for a fun weekend.
     
    #11
  12. Davewolfs

    Davewolfs Active Member

    Joined:
    Aug 6, 2015
    Messages:
    312
    Likes Received:
    29
    Everyone talks pfsense. Sophos UTM is fantastic and much more user friendly IMHO. 50 IPs is fine for my home.

    No limit on the new version but I've read it's not quite there yet (depending on what you need).
     
    #12
  13. Evan

    Evan Well-Known Member

    Joined:
    Jan 6, 2016
    Messages:
    2,684
    Likes Received:
    391
    Just started to play with it (not with an internet connection yet) to take a look.

    The comments about XG not being quite ready date back a while now. I have seen much more recent info saying the newer updates in the last 6-9 months have really brought it up to scratch.

    Apparently it's also fine on the home version to do active/passive failover as well (not active/active) so it looks like it will be my future FW for a while.
    I just need to experiment with MAC address HA takeover and make that work as I want and so on, but it looks promising.

    Does anybody know if it makes use of AVX instructions at all? (I may well have a use for C3000 yet depending on how the 8-cores benchmark)
     
    #13
  14. realtomatoes

    realtomatoes Active Member

    Joined:
    Oct 3, 2016
    Messages:
    243
    Likes Received:
    31
    this is what my woman calls a perfect excuse to buy a new toy. ;)
     
    #14
  15. Evan

    Evan Well-Known Member

    Joined:
    Jan 6, 2016
    Messages:
    2,684
    Likes Received:
    391
    Well the 8-core has the same cache (16M) as the 16-core, and at about $430 initial price is not too bad, certainly compares with the D-1521 but no 10G onboard, but for a minimal power consumption footprint to run a cluster to handle firewall and always-on duty it may have a place.
     
    #15
  16. realtomatoes

    realtomatoes Active Member

    Joined:
    Oct 3, 2016
    Messages:
    243
    Likes Received:
    31
    yeah, an 8 core with 10G would be a killer board.
     
    #16
  17. IamSpartacus

    IamSpartacus Well-Known Member

    Joined:
    Mar 14, 2016
    Messages:
    1,798
    Likes Received:
    374
    I love UTM (use it at work) but the biggest reason I could never run it at home is that you can create a client OpenVPN connection to a VPN service such as PIA. People have been asking for this feature for years but Sophos doesn't appear interested in adding it. This missing feature along with the IP limit made pfSense the obvious choice.

    I looked at XG a few years back but it was still very new and missing a lot. Does anyone know if XG allows client OpenVPN connections? If so I'd take a second look at it for sure.
     
    #17
  18. Evan

    Evan Well-Known Member

    Joined:
    Jan 6, 2016
    Messages:
    2,684
    Likes Received:
    391
    V16.5 (Aug 2017): IPSec, L2TP, PPTP, SSL, Cisco
    So no OpenVPN available. I assume never, since I guess they don't want to compile in the required kernel extension to their product.
     
    #18
  19. ruffy91

    ruffy91 Member

    Joined:
    Oct 6, 2012
    Messages:
    71
    Likes Received:
    11
    The SSL VPN is standard-conforming OpenVPN on TCP 443, but you can change to UDP and use any port you want. You can download the ovpn config on the user portal if you choose "older OS" or something like this.
    There is one limitation in regards to pfSense/OPNsense. You have only one single OpenVPN server per firewall.
     
    #19
  20. IamSpartacus

    IamSpartacus Well-Known Member

    Joined:
    Mar 14, 2016
    Messages:
    1,798
    Likes Received:
    374
    Yes, but on top of using pfSense as an OpenVPN server I also use it as a VPN client to Private Internet Access. I have three concurrent client connections that I've then created a Gateway group out of. I then have firewall rules that send all traffic to and from an alias list of IPs through that gateway. I don't believe I can replicate this setup on any Sophos firewall.
     
    #20