Sophos XG

Evan

Well-Known Member
Jan 6, 2016
I am interested to know why there appears to be little love for the Sophos XG home version (or even UTM) from everybody.

Does it miss something or not do what it should do?
Is the 4 CPU / 6 GB a limit?
Does everybody just prefer open source OPNsense or pfSense?
Worried that they will suddenly remove the product?

Seems to be the best free or almost free UTM product for home use; other options seem less capable or cost $$.
 

StammesOpfer

Active Member
Mar 15, 2016
XG is still a work in progress and not always super intuitive.
UTM has a 50 IP limit which you may hit surprisingly fast, especially since people have issues with IPv6 counting as a second device and it doesn't seem to forget devices very quickly (at all?). There are tricks around to bypass this limit, but then is it worth it?
pfSense just has a ton of data out there, and if you do have an issue the community has probably already done whatever you are looking for.
 

PigLover

Moderator
Jan 26, 2011
...UTM has a 50 IP limit which you may hit surprisingly fast, especially...
This, mostly. I couldn't even do simple experiments with Sophos without crashing into this limit. It's not worth it. If I liked it, I'd just be frustrated because I have no intention of paying their premium prices to take this limit off.

Similar thinking drives others away too.
 

KioskAdmin

Active Member
Jan 20, 2015
50 IPs is like a small home network nowadays. IPs get eaten by phones, tablets and IP cameras, so it's almost impossible to use for a home lab.

pfSense is what you want.
 

Evan

Well-Known Member
Jan 6, 2016
The 50 IP limit is the older UTM version; the newer XG is CPU/memory limited only.

Can pfSense do more of the UTM functions? All I read is that it is clunky at best for malware detection and so on. When I last used it I found it difficult to set up, but that's a bit ago and versions back, so I will for sure try again. I just could not figure out why people disliked Sophos. @gigatexal can educate me on pfSense :)
 

StammesOpfer

Active Member
Mar 15, 2016
XG I don't find limiting other than its features and usability. Give XG a shot, and if it does what you want and you like it then you are set. I tried it probably 2 years ago and didn't like it. I imagine it is better now, but pfSense does everything I want it to.

The same argument could be made for every other firewall/router distro. Why not IPCop, Smoothwall, ClearOS, Untangle, Zentyal, DD-WRT, etc.? I feel like I have tried most of them and I always end up back at pfSense; sometimes it is after a day, sometimes a year, but I always come back to it.
 

gigatexal

I'm here to learn
Nov 25, 2012
The 50 IP limit is the older UTM version; the newer XG is CPU/memory limited only.

Can pfSense do more of the UTM functions? All I read is that it is clunky at best for malware detection and so on. When I last used it I found it difficult to set up, but that's a bit ago and versions back, so I will for sure try again. I just could not figure out why people disliked Sophos. @gigatexal can educate me on pfSense :)
Haha, not sure I can.
 

NashBrydges

Member
Apr 30, 2015
I've been running Sophos XG at home for about a year now, upgraded from the older UTM. To be frank with you, I'm never looking back. This is the best version of the Sophos firewall so far. Sure, it is missing some features that the UTM had, but I don't use those features.

I have mine running as a VM on a Dell R230 and as a VM, it easily saturates my gigabit internet connection. The older UTM couldn't do this as a VM. This firewall is significantly more powerful for high bandwidth applications.

I'm running 78 VMs + 42 other devices + however many devices are added when family comes over. The hardware limitations of the home version haven't been an issue at all. The CPU runs around 20% and memory at max 50% with everything running full tilt.

My recommendation: check out the features you need, and if the XG has what you need, give it a try. You won't regret it.
 

Nnyan

Active Member
Mar 5, 2012
Sophos UTM or XG isn't the most intuitive interface; there is a learning curve just figuring out where everything is. But then again, it's the same thing with pfSense and OPNsense. They also take up more resources to run. Having said that, if you're willing to put in the time, I actually like it better than pfSense/OPNsense. I started off running UTM when it was from Astaro and was fine with it. After a long series of happenstance I ended up with pfSense and then OPNsense and for one reason or another never switched back. I've tried XG a number of times and I'm seriously considering making it active again.
 

Aestr

Well-Known Member
Oct 22, 2014
I don't have much experience at all with XG or UTM, but as to your question about why you don't see it mentioned more here and in other communities, I feel a huge part is inertia.

When software like pfSense becomes the de facto standard, it makes it very difficult for others to take much of that market share without truly disruptive features. As mentioned above, because of its success pfSense has already seen almost any question you could ask be answered, and when new users see that they decide to go with the product they find the easiest to research. Those users in turn ask questions that add to the knowledge pool, and some of them will sing its praises, leading to even more users hopping on and repeating the cycle.

If all of the options in the market were to launch today with no history or user bias, we would likely see a different distribution. Since that's not going to happen, we'll see more of the same until someone comes along with some exclusive killer features or pfSense makes some big mistake.
 

Davewolfs

Active Member
Aug 6, 2015
Everyone talks pfSense. Sophos UTM is fantastic and much more user friendly IMHO. 50 IPs is fine for my home.

No limit on the new version but I've read it's not quite there yet (depending on what you need).
 

Evan

Well-Known Member
Jan 6, 2016
Just started to play with it (not with an internet connection yet) to take a look.

The comments about XG not being quite ready date back a while now; I have seen much more recent info saying the newer updates in the last 6-9 months have really brought it up to scratch.

Apparently it's also fine on the home version to do active/passive failover (not active/active), so it looks like it will be my future FW for a while.
I just need to experiment with MAC address HA takeover and make that work as I want, and so on, but it looks promising.

Anybody know if it makes use of AVX instructions at all? (I may well have a use for c3000 yet, depending on how the 8-cores benchmark.)
 

realtomatoes

Active Member
Oct 3, 2016
Anybody know if it makes use of AVX instructions at all? (I may well have a use for c3000 yet, depending on how the 8-cores benchmark.)
This is what my woman calls a perfect excuse to buy a new toy. ;)
 

Evan

Well-Known Member
Jan 6, 2016
Well, the 8-core has the same cache (16M) as the 16-core, and at about $430 the initial price is not too bad; it certainly compares with the D-1521, though with no 10G onboard. But for a minimal power consumption footprint to run a cluster to handle firewall and always-on duty, it may have a place.
 

IamSpartacus

Well-Known Member
Mar 14, 2016
I love UTM (use it at work), but the biggest reason I could never run it at home is that you can't create a client OpenVPN connection to a VPN service such as PIA. People have been asking for this feature for years but Sophos doesn't appear interested in adding it. This missing feature, along with the IP limit, made pfSense the obvious choice.

I looked at XG a few years back, but it was still very new and missing a lot. Does anyone know if XG allows client OpenVPN connections? If so, I'd take a second look at it for sure.
 

Evan

Well-Known Member
Jan 6, 2016
V16.5 (Aug 2017): IPSec, L2TP, PPTP, SSL, Cisco.
So no OpenVPN available. I assume never, since I guess they don't want to compile the required kernel extension into their product.
 

ruffy91

Member
Oct 6, 2012
The SSL VPN is standards-conformant OpenVPN on TCP 443, but you can change it to UDP and use any port you want. You can download the .ovpn config from the user portal if you choose "older OS" or something like that.
There is one limitation compared to pfSense/OPNsense: you have only one single OpenVPN server per firewall.
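The post above says the exported SSL VPN profile is plain OpenVPN and that the transport can be switched from TCP 443 to UDP on any port. The following added example (not code from the thread or from Sophos) inspects such an exported .ovpn, rewrites its transport, and flags a missing server-verification directive before the profile is imported on a client. The profile text and host name are constructed placeholders.

```python
"""Inspect and rewrite the transport of an exported OpenVPN client profile."""

# Constructed sample profile shaped like an exported .ovpn; the host name,
# port and directives are placeholders, not values from any real firewall.
SAMPLE_OVPN = """\
client
dev tun
proto tcp
remote fw.example.invalid 443
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-GCM
verb 3
"""

def _directives(profile: str):
    """Yield (keyword, args) for every non-comment, non-empty line."""
    for line in profile.splitlines():
        parts = line.split()
        if parts and not parts[0].startswith(("#", ";")):
            yield parts[0], parts[1:]

def parse_transport(profile: str) -> dict:
    """Return the protocol and each remote's (host, port) from a profile."""
    proto = "udp"  # OpenVPN's default when no proto directive is present
    remotes = []
    for key, args in _directives(profile):
        if key == "proto":
            proto = args[0].lower()
        elif key == "remote":
            port = int(args[1]) if len(args) > 1 else 1194  # OpenVPN default
            remotes.append((args[0], port))
    return {"proto": proto, "remotes": remotes}

def rewrite_transport(profile: str, proto: str, port: int) -> str:
    """Rewrite the proto and remote-port lines, leaving everything else intact."""
    out = []
    for line in profile.splitlines():
        parts = line.split()
        if parts and parts[0] == "proto":
            line = f"proto {proto}"
        elif parts and parts[0] == "remote":
            line = f"remote {parts[1]} {port}"
        out.append(line)
    return "\n".join(out) + "\n"

def missing_server_checks(profile: str) -> list:
    """Directives that make the client verify it reached the real server;
    their absence is worth flagging before importing the profile."""
    present = {key for key, _ in _directives(profile)}
    return [d for d in ("remote-cert-tls",) if d not in present]
```

The rewrite only touches the client profile; the matching UDP/port change still has to be made on the firewall's SSL VPN settings, as the post notes.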
 

IamSpartacus

Well-Known Member
Mar 14, 2016
The SSL VPN is standards-conformant OpenVPN on TCP 443, but you can change it to UDP and use any port you want. You can download the .ovpn config from the user portal if you choose "older OS" or something like that.
There is one limitation compared to pfSense/OPNsense: you have only one single OpenVPN server per firewall.
Yes, but on top of using pfSense as an OpenVPN server, I also use it as a VPN client to Private Internet Access. I have three concurrent client connections that I've then created a gateway group out of. I then have firewall rules that send all traffic to and from an alias list of IPs through that gateway. I don't believe I can replicate this setup on any Sophos firewall.