I’ve been using a Sophos UTM9 virtual appliance for some time now. Originally my intention was just to test out its features, as I was already using a pfSense VM to isolate my lab environment from my live environment; however, I started to see the massive potential in the device and eventually retired pfSense in order to make use of the easy-to-use interface, free AV, web filtering and client VPN with 2FA. The UTM has worked faultlessly and I’m astounded that something so refined is available for free to the public with a very reasonable allowance of 50 internal IP addresses, so when I heard Sophos had released a shiny new appliance, their XG product, I was keen to give it a test drive.
I very quickly noticed the XG was completely different from the UTM in terms of the UI, having lost the nice drag-and-drop objects from firewall rules as well as condensing the navigation down to six categories: Dashboard, Reports, Policies, Protection, System and Objects. I really didn’t have any time to work out the navigation, so I quickly abandoned the VM and there it lay dormant until just last week…
XG vs UTM
The UTM kindly notified me that I was using 48 out of 50 IP addresses and that new devices would fail to work when this was exceeded. Now, I’m definitely a network geek, so I have a couple of IP cams, a NAS, two laptops and a desktop, a couple of VMs and perhaps 3 or 4 phones – but certainly not 50 IP’d devices that would have gone through the firewall. What I suspect has happened is that, in commissioning and decommissioning several VMs as part of studying since the UTM was installed, it has indeed observed 48 IPs pass through it and that there is either no aging of the entries or the aging period is quite long. I did issue a command in the shell of the appliance that I’d found after some Googling but had no joy, so I decided it was time to power on the XG (which is still free and allows for an unlimited number of IPs, being restricted instead to 4 cores and 6GB RAM) and get myself acquainted with the UI.
Once I’d worked out the logic of the UI, I set up some basic rules, and the first thing that hit me was that to create just a simple rule, which on an ASA or UTM would follow a pattern of <#><action> <src> <dst> <port>, the XG had several extra options such as the Zone, NAT rules, Malware Scanning and Web Filtering. My first thought was that this could quickly become an administrative headache in a client environment, where multiple network rules reference different web filtering policies in different places. Also, when creating a rule it isn’t possible to define the position of the rule until it is created – you only get the choice of Top or Bottom – and to make matters worse, the rule is automatically enabled when added, which is a deviation from the UTM’s behaviour and could cause huge problems in a production environment if not thought out fully. Lastly, it isn’t possible to group rules as you could in the UTM, which is a shame.
XG Rule Options
While we’re on the subject of rules, when troubleshooting these I found the logging to be less than intuitive: as the interfaces cannot be renamed, they show as PortA, PortB, PortC etc., which isn’t particularly helpful. Likewise, the interface requires a scroll to the bottom of the page in order to then scroll right within the inset frame to see the suppressed details from the log entries at the top of the page, resulting in a dance of scrolling around to see all the details. Also, despite having plenty of space to display the rule name, the XG instead shows a far from practical rule number. I can imagine spreadsheets, screenshots and printouts being on network admins’ desks to reference when reading the logs. Bad times.
XG rule #s rather than names, and a scroll to the bottom is required in order to then scroll right in the frame
When it comes to web filtering, I was always impressed with the UTM’s ability to identify sites I’d blocked, but for categories like advertising or download sites I’d set up the UTM to present a warning dialogue with the option to click a ‘proceed’ button. Sadly this feature hasn’t carried across to the XG and the actions are limited to block or allow.
Also for web access, I’ve not found a feature to time internet access to particular categories, used perhaps to restrict social media sites to 1 hour at lunch time. While this was possible in the UTM, the XG only has the ability to apply a quota to all web surfing, not to individual categories. A step backwards in my books.
XG vs. UTM Quota options
For authentication, setting up RADIUS in the UTM was a piece of cake. I was able to set up a NAS Identifier clause in the NPS policies to differentiate user portal, VPN and admin console access with ease. For the XG this is a different story, sadly, and I was unable to get RADIUS to work. The RADIUS server was authenticating and allowing connections, but the user portal would not progress the logon, with no error displayed and no indication in the logs that there was an issue. I tried different browsers, different machines and different user accounts with no success and instead had to resort to using the Active Directory server type, which, although it works, is not how I’d personally like to control authentication. I’ve also had issues with using remote authentication to gain access to the administration console, which was something I’d easily set up in the UTM.
I’d made use of the free centrally managed AV on the UTM on my home devices and appreciated the way you could apply certain controls through the AV agent. The XG sadly does not have any native AV offering, instead directing customers to the Sophos Cloud for client protection tied into the Security Heartbeat feature, which requires additional thought if migrating a client that made use of the UTM AV.
Last but not least, for a security appliance the lack of 2FA is a big deal. I was so excited when I set this up on my UTM and would have expected it on the XG, so the lack of it is a real disappointment, certainly when clients need 2FA for compliance purposes.
To end on a positive, I’m enjoying the dashboard and reporting features, which give, at a quick glance, a very useful picture of the network health. No doubt Sophos will be addressing many if not all of the issues I’ve highlighted above, but for now I’d think long and hard about deploying the appliance into a production environment at a client site.