For over two years we have only commissioned XG firewalls with SFOS, or installed SFOS on SG appliances. Admittedly, the XG Firewall was an absolute horror in its first versions and usable in only a few environments. With version 16 it slowly got better and we dared to implement at least smaller projects with it. From v16.5 on, we relied entirely on the XG for new projects and have never looked back at the UTM since.
To clear things up right at the start: When I talk about the XG Firewall, I mean the XG appliance series with the Sophos Firewall OS (SFOS). However, we also support SG appliances on which we simply have the SFOS installed. That works flawlessly 🙂
After implementing several projects with the XG Firewall, I want to share the 7 reasons that, in my eyes, make the XG Firewall a better choice than the SG series with the UTM operating system. With this article I would like to contribute my part to the UTM vs. XG debate. 🥊
01 – Development
Today, when I look for a new app for my smartphone or for the computer, I pay special attention to when the app was last updated. If I can’t find a changelog, I look at the social account, e.g. Twitter. Any activity older than a year is dead to me and the app definitely doesn’t make it onto my smartphone or computer.
Granted, it is not quite that bad with the UTM firewall. But the update cycles have been stretched considerably. In the past there was a UTM update pretty much every month. Today it is a good four months between updates, and new features are almost non-existent.
The reason: Sophos has about 300 developers working on the SFOS and UTM operating systems, but only about 5% of them still work on the UTM operating system. The rest work on the XG Firewall. So the manufacturer's own staffing shows where the priorities lie.
Every now and then a new feature gives UTM users some hope again. But in fact Sophos has long been looking for a recipe to make the XG palatable to the loyal UTM followers without losing them to another manufacturer. As a former UTM user, however, I know that you are not so quick to switch systems unless you really have to. So as long as the UTM is not finally discontinued, there is simply no reason for the majority to switch.
Looking at the roadmaps for the two operating systems, the list for SFOS is extremely long and the plans extend well beyond 18 months. For the UTM, features have been dropped from the roadmap or pushed further and further back in the past. A prominent example is IKEv2: the feature was on the roadmap for a long time, was postponed again and again, and was finally removed from the roadmap altogether. After an outcry in the community it was added back and is now scheduled for release in version 9.8 next year.
Sophos Firewall OS is a completely different story, and that is the first reason why we love it. About every seven weeks we can look forward to a new MR (Maintenance Release), and 1 to 2 times a year there is a minor release with a lot of new features. SFOS has therefore gone from "good" to "very good" in the last few months. The system is not quite where it should be yet and still has a few shortcomings, but for such a young OS the progress is remarkable!
02 – Hardware
The hardware of the Sophos XG Firewall and of the SG series is identical in terms of CPU, RAM, storage and ports. A small exception is the Sophos XG 86 and XG 106, which have no counterpart in the SG series. The two smallest SG models, the SG 85 and SG 105, have less RAM and storage than the XG 86 and XG 106. But basically the SFOS of the XG Firewall can be installed on SG hardware without any problems, and the license can then be migrated 1:1.
We have explained how to install the SFOS on a Sophos SG appliance in a KB post: Installing Sophos XG Firewall OS on an SG Appliance
A new hardware series, currently called "XGS", is expected next year. At this point we cannot say whether it will immediately replace the XG series. In any case, only SFOS is mentioned as a compatible operating system; no new release is planned for the SG series.
What also clearly speaks for an XG Firewall with SFOS, at least at the moment, is support for the new APX access points! The access points, launched back in July 2018 with the new Wave 2 standard, are still only compatible with XG Firewalls and Central. Sophos always said that it would never make the APX access points compatible with the UTM, and to us that always made complete sense: this is NextGen hardware, developed only for NextGen firewalls.
Shaking our heads, we now have to report that Sophos has backtracked on this plan. APX access point support is coming to the UTM! Support is planned for UTM 9.7, which is scheduled for release at the end of the year.
03 – Licensing
The licensing of the XG Firewall is not completely different from that of the UTM. Nevertheless, there are some important advantages.
The base license for an XG Firewall appliance is included free of charge. Which features it contains is covered in a separate article about the Base License, but here are the most important features you get for free:
- Wireless Protection
- SSL VPN or Sophos Connect Client
- IPsec VPN connections
You probably know the FullGuard Bundle, which unlocks all modules on the firewall except Sandstorm. With the FullGuard Plus Bundle you also get Sandstorm.
For the XG series there is also the popular EnterpriseGuard Bundle. This bundle is a real alternative to the FullGuard Bundle, because it already covers the needs of most customers. With the EnterpriseGuard Bundle you get Network and Web Protection including Sophos Premium Support; Wireless Protection is already included free of charge in the base license. This means that only the few customers who actually need to protect e-mail and web servers still have to resort to the more expensive FullGuard Bundle.
04 – Firewall rules
Now let's get to the more technical part of why, in my eyes, SFOS comes out ahead of the UTM operating system.
Firewall rules have become much clearer in SFOS. If you have more than just 10 firewall rules, which is probably the case in most environments, they can be grouped excellently in SFOS. The following screenshot from my XG Firewall at home should illustrate this: all IoT devices have their own network there, and the firewall rules for them are combined into one group.
If you then take a closer look at a group, you quickly find out which individual firewall rules traffic still passes through and which rules are possibly no longer used. This view helps to identify and remove superfluous rules, which would otherwise sit in the rule set unreviewed.
Unlike on the UTM, in SFOS I can give a firewall rule its own name. Longer comments are also possible within a rule, for example to record who created the rule and what it was originally created for.
- Each rule gets an ID, with which I can look up in the log which traffic passes through this rule.
- You can see at a glance whether, for example, IPS or the web filter is active for a rule.
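The two points above (rule IDs you can look up in the log, and spotting rules that nothing hits anymore) can be turned into a small audit script. The following is an added example, not code from the original article or from Sophos: it parses SFOS-style key=value log lines, counts connections per fw_rule_id, lists the top flows for one rule, and reports configured rules that never matched in the log window. The log lines, rule IDs and rule names are constructed; the field names (log_type, log_subtype, fw_rule_id, src_ip, dst_ip, dst_port, protocol) and the meaning of fw_rule_id=0 as "default drop, no configured rule matched" are assumptions modelled on SFOS syslog output and should be checked against your own exported logs.

```python
"""Audit SFOS firewall rules against the firewall log by rule ID.

Added example, not from the original article or from Sophos. Log lines,
rule IDs and rule names are constructed; the key=value field names and the
fw_rule_id=0 convention are assumptions modelled on SFOS syslog output.
"""
import re
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# key="quoted value"   or   key=bareword   (bare values may be empty)
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')

# Assumed marker for "no configured rule matched" (default drop); not a real rule.
DEFAULT_DROP_RULE_ID = "0"

# Constructed rule set: the IoT rule group from the article, with made-up IDs and names.
CONFIGURED_RULES: Dict[int, str] = {
    12: "IoT -> Internet (HTTPS)",
    13: "IoT -> Internet (NTP)",
    14: "IoT -> LAN (deny SMB)",
}

# Constructed log excerpt, one event per line. Line 4 hit the default drop,
# line 5 is a web-filter event that carries a rule ID but is not a rule hit.
SAMPLE_LOG = """\
device="SFW" date=2019-10-07 time=08:12:01 log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" fw_rule_id=12 in_interface="Port3" out_interface="Port1" src_ip=10.10.30.21 dst_ip=192.0.2.10 protocol="TCP" src_port=51234 dst_port=443
device="SFW" date=2019-10-07 time=08:12:05 log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" fw_rule_id=12 in_interface="Port3" out_interface="Port1" src_ip=10.10.30.22 dst_ip=192.0.2.10 protocol="TCP" src_port=51235 dst_port=443
device="SFW" date=2019-10-07 time=08:13:40 log_type="Firewall" log_component="Firewall Rule" log_subtype="Denied" status="Deny" fw_rule_id=14 in_interface="Port3" out_interface="" src_ip=10.10.30.21 dst_ip=10.10.10.5 protocol="TCP" src_port=40000 dst_port=445
device="SFW" date=2019-10-07 time=08:14:02 log_type="Firewall" log_component="Invalid Traffic" log_subtype="Denied" status="Deny" fw_rule_id=0 in_interface="Port1" out_interface="" src_ip=198.51.100.7 dst_ip=203.0.113.2 protocol="TCP" src_port=55555 dst_port=22
device="SFW" date=2019-10-07 time=08:15:30 log_type="Web" log_component="HTTP" log_subtype="Allowed" fw_rule_id=12 src_ip=10.10.30.21 dst_ip=192.0.2.10 protocol="TCP" dst_port=443 url="https://example.test/"
"""


def parse_kv_line(line: str) -> Dict[str, str]:
    """Parse one key=value log line; quoted values may contain spaces or be empty."""
    fields: Dict[str, str] = {}
    for m in _KV_RE.finditer(line):
        quoted, bare = m.group(2), m.group(3)
        fields[m.group(1)] = quoted if quoted is not None else bare
    return fields


def firewall_events(lines: Iterable[str]) -> Iterable[Dict[str, str]]:
    """Yield only firewall-rule events with a real rule ID (skips web/IPS lines and default drop)."""
    for line in lines:
        f = parse_kv_line(line)
        if f.get("log_type") == "Firewall" and f.get("fw_rule_id") not in (None, DEFAULT_DROP_RULE_ID):
            yield f


def rule_hits(lines: Iterable[str]) -> Counter:
    """Number of logged connections per rule ID (keys are the ID strings as logged)."""
    return Counter(f["fw_rule_id"] for f in firewall_events(lines))


def unused_rules(configured: Dict[int, str], hits: Counter) -> List[int]:
    """Configured rule IDs with no hits in the log window: candidates to review and remove."""
    return [rid for rid in sorted(configured) if str(rid) not in hits]


def traffic_for_rule(lines: Iterable[str], rule_id: int, limit: int = 5) -> List[Tuple[Tuple[str, str, str, str], int]]:
    """Most frequent (src_ip, dst_ip, dst_port, protocol) tuples that matched one rule."""
    flows = Counter(
        (f.get("src_ip", ""), f.get("dst_ip", ""), f.get("dst_port", ""), f.get("protocol", ""))
        for f in firewall_events(lines)
        if f["fw_rule_id"] == str(rule_id)
    )
    return flows.most_common(limit)


def report(lines: List[str], configured: Dict[int, str]) -> str:
    """One line per configured rule with its hit count, plus the list of rules that never matched."""
    hits = rule_hits(lines)
    out = [f"rule {rid:>3}  {hits.get(str(rid), 0):>5} hits  {name}" for rid, name in sorted(configured.items())]
    unused = unused_rules(configured, hits)
    out.append("no hits in this log window: " + (", ".join(map(str, unused)) if unused else "none"))
    return "\n".join(out)


if __name__ == "__main__":
    log_lines = SAMPLE_LOG.splitlines()
    print(report(log_lines, CONFIGURED_RULES))
    for flow, n in traffic_for_rule(log_lines, 12):
        print("rule 12:", *flow, f"x{n}")
```

Run it against a log export from the Log Viewer or from your syslog collector. Two caveats before deleting anything the script flags: only rules with logging enabled produce hits at all, so a zero count may just mean the rule is not logging, and a short log window misses rules that match rarely (backup jobs, quarterly transfers). The rule ID is the stable key here, which is exactly why having it in every log line is so useful compared to the UTM.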
Regarding firewall rules, I could list many more advantages that underline why I would never go back to a UTM. But I'll leave it at the main arguments above, which should already convince every firewall admin. 🙂
Even though a lot has been improved in SFOS in terms of firewall rules, there is one very annoying disadvantage compared to the UTM: saving a firewall rule takes a good 4-10 seconds on the XG 86 to XG 135 models! This is supposed to be improved in v18 and then fixed completely in v19.
05 – Log Viewer
Even after several years on the XG Firewall, the Log Viewer is still an absolute highlight! It makes it quick and easy to check logs right from the GUI. But rather than lose too many words about it here, just watch the following video:
06 – Sophos Central
No, don't be afraid! I'm not even going to get into Sophos Synchronized Security, which Sophos's marketing department has turned into the slogan of the century. But if it helps you trade in your UTM for an XG, then of course we're happy to jump on the bandwagon. Did you know that with Synchronized Security on the XG Firewall you can see which applications are running on the endpoints? 😂 So yes, Synchronized Security will bring forth other ingenious possibilities in the future, too!
As far as Central is concerned, we now come to a function that is still in its infancy but has enormous potential: Central Firewall Management. This makes it possible to link the firewall to Central and manage it from there. Such a link can already be made today, but the really interesting features are yet to come! Unfortunately I can't reveal too much here yet, but if Sophos gets it right, it could end up as a management platform for SDN. We can expect new features as early as the end of this year.
07 – Firmware updates
As we said before, we are in favor of updates. The saying "never change a running system" is absolute nonsense when it comes to a firewall. We covered this before in a previous post about the need for firewall updates.
You have probably understood that updates are important. But updates also carry risk, because afterwards not everything may work as smoothly as before. Admins who fear this are the ones you always hear the above saying from. 😅
To reduce the risk of updates somewhat, there are a few improvements on the XG Firewall:
- Access point and RED firmware updates are decoupled from the firewall update, so the REDs can be updated without restarting the firewall.
- If a firewall update did not work and you want to revert to the previous version, this is possible with a few clicks.
This article has now become a bit longer than I originally had in mind. I have listed seven reasons that, in my opinion, should encourage every UTM friend to switch. I too once adored the UTM, but especially on the points of future-proofing, updates and a clear vision, our judgment suggested the change early on, and we have not regretted it so far! In the UTM vs. XG comparison, the XG clearly brings the more impressive fighting weight to the scales for us. So be brave, or rather, be reasonable (😅), and use an XG Firewall for your next project. Once this step is taken, you can begin migrating your UTMs to SFOS.
Even though SFOS really does offer many excellent features, you might already have the feeling that this article was written through rose-colored glasses. That's why I'll add a short chapter on the disadvantages, because, as I said, SFOS is still a very young operating system and there are indeed still some things that don't run quite as well as they should.
Speed of the GUI
- Loading or saving firewall rules still takes longer than it should.
- Generating reports, or even just displaying system resources, definitely needs a speed boost.
* As mentioned in the article, these things will be better with v18 and resolved with v18.5.
- Unfortunately, it is not possible everywhere to rename objects after they have been created. This affects zones, wireless networks, active firewall NAT ports, IPS protection policies, web server protection policies, IPsec policies and more.
* The reason is that the developers of the Cyberoam firewall, which is still the basis of SFOS, used the object's name as the primary key for these objects in the database. That naturally makes renaming afterwards rather difficult. This is being worked on too, and the first improvements are expected with v18.
- NAT rules cannot be edited while they are active. You have to deactivate them first, edit them and then activate them again.
* Shall be fixed with v18.
- Notifications are still worlds better on the UTM, where you can be notified by e-mail about practically everything. SFOS offers virtually no options in this regard. SFOS 17.5 MR4 brought some improvement, but it is still far from offering the options we took for granted with the UTM.
* Shall be further improved with v18.
I refer to v18 often in this article, as it is supposed to bring many improvements. According to Sophos, v18 should still be released at the end of 2019. However, we consider this timing very optimistic and think the 1st quarter of 2020 is a more realistic release date. 😅