Sophos XG


Evan

Yes but on top of using pfsense as an OpenVPN server I also use it as a VPN client to Private Internet Access. I have three concurrent client connections that I've then created a Gateway group out of. I then have firewall rules that send all traffic to and from an alias list of IPs through that gateway. I don't believe I can replicate this setup on any Sophos firewall.
Probably ways but if you have it working in pfsense probably not worth spending the time to try Sophos. Not a very common use case though.
 

IamSpartacus

Probably ways but if you have it working in pfsense probably not worth spending the time to try Sophos. Not a very common use case though.
Maybe not creating a gateway group of two or more client connections but for home users it's actually quite common to want/need your firewall to be able to act as a VPN client to a VPN service.
 

Evan

Maybe not creating a gateway group of two or more client connections but for home users it's actually quite common to want/need your firewall to be able to act as a VPN client to a VPN service.
But in most situations that's done by the router in front... at least that's the likely logic Sophos is using given the target enterprise audience.
 

realtomatoes

i was looking to download the UTM and i got this page then nothing after i click on the links.
am i doing something wrong?
 

IamSpartacus

But in most situations that's done by the router in front... at least that's the likely logic Sophos is using given the target enterprise audience.
I'm not sure I understand the use case you are referencing. Every firewall I've worked on (including my current Sophos UTM firewall at work), there is no router in front. The ISP provides a WAN connection that is then connected to and setup as an interface in the firewall and used as the default gateway in most cases. A client VPN connection could (if supported) be setup as a similar interface and used to route certain traffic out of it instead of the WAN interface.
 

realtomatoes

how compute hungry are your XG VM/appliance?
i fired up my XG VM (bridge mode) with 4 vcpu and 6Gb running on a 2660v2 and it was using up 25-35% of my cpu.
 

Nnyan

I just tried XG again this weekend. Got it installed but couldn't get any connectivity (I know it's all off by default) but only had a few minutes to play with it. Not as lightweight (obviously) as pfSense/OPNSense and you can "feel" it in the sluggish responses to the UI. I'll try working it some more when I get a chance.
 

Chris Web

I tried it a year ago. I remember it looked good but there was some reason I didn't use it. I probably need to look at it again.

 

realtomatoes

ok, i'm definitely not running this on a vm. with this running, my aio esxi slows to a crawl taking with it the rest of the vms. lol

i wonder if a j1900 (mentioned in another thread here) is enough compute for an XG.
 

Chris Web

ok, i'm definitely not running this on a vm. with this running, my aio esxi slows to a crawl taking with it the rest of the vms. lol

i wonder if a j1900 (mentioned in another thread here) is enough compute for an XG.
What resources are you giving it? That might be why I ditched it

 

Evan

That's strange, I am testing in a VM and seems ok but little load, not using too much cpu at all. Been busy to swap it into use to see how it handles any load.

The official XG appliances from Sophos run 2 and 4 core Atom in the lower models.
 

realtomatoes

That's strange, I am testing in a VM and seems ok but little load, not using too much cpu at all. Been busy to swap it into use to see how it handles any load.

The official XG appliances from Sophos run 2 and 4 core Atom in the lower models.
yeah, i was wondering what it was crunching too.
when i first built it, i had it on an isolated vswitch. gui was reachable and the esxi wasn't going nuts. decided to move it to my local network and configured it to run on bridge mode. that's when it started going nuts. lol
 

Dww0311

UTM has a 50 IP limit which you may hit surprisingly fast
50 IP active within the UTM itself, i.e. the UTM is handing them out and routing them.

As long as you handle your DHCP and routing elsewhere (I run DHCP on Windows 2016 servers and route by way of Cisco 29xx & Cat 3560G's), you can effectively park an unlimited number of IP addresses behind UTM 9.
 

IamSpartacus

How does Sophos not have an in place upgrade option from UTM to XG? That eliminates a large amount of users from being able to move to XG, especially myself (at work).
 

Evan

How does Sophos not have an in place upgrade option from UTM to XG? That eliminates a large amount of users from being able to move to XG, especially myself (at work).
They must have some config export import toolkit at least? If not pretty poor, does not affect me but as you say a lot of business and bigger installs would need something or else never migrate. Not that they seem to be in any hurry to get people off UTM are they?
 

IamSpartacus

They must have some config export import toolkit at least? If not pretty poor, does not affect me but as you say a lot of business and bigger installs would need something or else never migrate. Not that they seem to be in any hurry to get people off UTM are they?
As far as I've seen they do not. If someone knows better correct me if I'm wrong but I can't find anything that allows me to migrate my config (over 4000 definitions, etc.) from UTM to XG.
 

IamSpartacus

They probably sell it as a service (migration from UTM to XG)
Nope, they promised a Migration Tool by the end of the summer. Now they are saying early 2018. Also, if you use most of the features in UTM don't even think about migrating for at least a year as XG is missing many features I use in UTM.