7 reasons why the XG Firewall (SFOS) is better than the UTM
For over two years now, we have only put XG Firewalls into operation with the SFOS, or installed the SFOS on SG appliances. To be honest, the XG Firewall was an absolute nightmare in its first versions and could only be used in a few environments. With version 16 it slowly got better and we dared to implement at least smaller projects with it. Starting with v16.5 we used the XG exclusively for new projects and have never looked back at the UTM since.
To clear this up right from the start: when I talk about the XG Firewall, I mean the XG appliance series with the Sophos Firewall OS (SFOS). But we also manage SG appliances on which we simply installed the SFOS. That works fine. 🙂
Having already implemented several projects with the XG Firewall, I want to tell you the 7 reasons that make the XG Firewall a better choice than the SG series with the UTM operating system. With this article I would like to contribute my part to the UTM vs. XG debate. 🥊
01 - Development
Today, when I’m looking for a new app for my smartphone or computer, I pay special attention to when the app was last updated. If I can’t find a changelog, I look at the social account, e.g. Twitter. Any activity older than one year is dead to me and the app will definitely not make it to my smartphone or computer.
I admit, it’s not that bad with the UTM Firewall. But the update cycles have become much longer. There used to be an update for the UTM almost every month. Today it’s about every 4 months, and there are hardly any new features.
The reason is this: Sophos has about 300 developers working on the SFOS and UTM operating systems. But only about 5% of these developers are still working on the UTM operating system. The rest are working on the XG Firewall. So the manufacturer’s priorities are plain to see.
Every now and then they give the UTM users some hope with a new feature. But in fact they have been looking for a recipe for a long time to make the XG appealing to loyal UTM followers without losing them to another manufacturer. As a former UTM user, however, I know that you don’t change a system that quickly if you don’t really have to. So as long as the UTM is not finally discontinued, there is simply no reason for the majority to change.
If you look at the roadmap of the two operating systems, the list for the SFOS is extremely long and the plans go far beyond 18 months. With the UTM, functions have been removed in the past from the roadmap or moved further and further back. A prominent example here is IKEv2. The feature was on the roadmap for a long time and was moved again and again and finally even removed completely from the roadmap. After an outcry in the community, it was added again and will be released in version 9.8 next year.
With the Sophos Firewall OS, things look completely different, and that’s the first reason we love the system. Approximately every seven weeks we are happy about a new MR (Maintenance Release), and 1 or 2 times a year there is a MINOR release with lots of new features. The Sophos Firewall OS has therefore gone from “good” to “very good” over the last few months. The system isn’t quite where it should be yet and still has a few flaws. But for such a young OS, the progress has been very big!
02 - Hardware
The Sophos XG Firewall hardware and the SG series are identical in terms of CPU, RAM, memory and ports. A minor exception is the Sophos XG 86 and XG 106, which do not exist in the SG series. The two smallest models would be the SG 85 and SG 105, which have less RAM and memory than the XG 86 and XG 106. However, it is basically possible to install the SFOS of the XG Firewall on SG hardware. The license can then be migrated 1:1.
We have explained how to install SFOS on a Sophos SG appliance in a KB post: Install Sophos XG Firewall OS on a SG Appliance
Next year a new hardware series is expected, which currently goes by the name “XGS”. We can’t say at this point whether it will replace the XG series. In any case, only the SFOS is mentioned as a compatible operating system. No new release is planned for the SG series.
What also speaks clearly for an XG Firewall with SFOS at the moment is the support of the new APX Access Points! The access points, which were launched in July 2018 and feature the new Wave 2 standard, are still only compatible with XG Firewalls and Central. Sophos has always said that APX access points would never be compatible with the UTM. For us, this step always made perfect sense! This is NextGen hardware, which was developed only for NextGen Firewalls.
Shaking our heads, however, we can now announce that Sophos has backtracked on this plan. APX access point support will come for the UTM! Support is planned for UTM 9.7, which will be released at the end of the year.
03 - Licensing
The licensing of the XG Firewall is not completely different from the licensing of the UTM. Nevertheless, there are some important advantages.
The base license of an XG Firewall Appliance is included free of charge. You can find out which features are included in a separate article about the Base License. But here are the most important things you can enjoy for free:
- Wireless protection
- SSL VPN or Sophos Connect Client
- IPsec VPN connections
You probably know the FullGuard Bundle, which unlocks all modules except Sandstorm on the Firewall. With the FullGuard Plus Bundle you also get Sandstorm.
For the XG series there is also the popular EnterpriseGuard Bundle. This bundle is a real alternative to the FullGuard Bundle, because it already covers the needs of most customers. With the EnterpriseGuard Bundle you get Network and Web Protection, including Sophos Premium Support. Wireless protection is already included free of charge in the base license. As a result, only the few customers who also need to protect email and web servers have to choose the more expensive FullGuard Bundle.
04 - Firewall rules
Let’s now come to the more technical part, why in my opinion the SFOS is ahead of the UTM operating system.
The Firewall rules have become much clearer for SFOS. If you have more than 10 Firewall rules, which should be the case in most environments, they can be grouped in SFOS very well. The following screenshot of my XG Firewall from home should illustrate this. Here all IoT devices have their own network and the Firewall rules are grouped together.
If you then take a closer look at a group, you will quickly find out through which individual Firewall rules traffic still passes and which rules may no longer be used. This helps to detect and remove unnecessary rules.
In contrast to UTM, I can give a Firewall rule its own name in SFOS. Within a rule, longer comments are also possible, for example to record who created this rule and what this rule was made for.
- Each rule gets an ID, so I can check in the log which traffic goes through this rule.
- You can see at a glance whether the IPS or the web filter is active for a rule or not.
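As an added example (not from the original post, and not Sophos’s own tooling), here is a small Python script that does the check described above offline: it parses SFOS-style key=value log lines and counts traffic per fw_rule_id, then flags configured rules that saw no traffic in the log window. The log lines, the field names and the rule table are constructed assumptions for the example, not a real capture.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the key=value syslog style SFOS uses;
# field names and values are assumptions for this example, not a real capture.
SAMPLE_LOG = """\
device="SFW" log_type="Firewall" log_subtype="Allowed" fw_rule_id=3 src_ip=10.0.30.21 dst_ip=10.0.10.5 dst_port=8883
device="SFW" log_type="Firewall" log_subtype="Allowed" fw_rule_id=3 src_ip=10.0.30.22 dst_ip=10.0.10.5 dst_port=8883
device="SFW" log_type="Firewall" log_subtype="Denied" fw_rule_id=0 src_ip=10.0.30.21 dst_ip=203.0.113.9 dst_port=23
device="SFW" log_type="Firewall" log_subtype="Allowed" fw_rule_id=5 src_ip=10.0.20.4 dst_ip=10.0.10.5 dst_port=443
"""

# Rule IDs as configured on the firewall (constructed), with their rule names.
CONFIGURED_RULES = {3: "IoT -> MQTT broker", 4: "IoT -> legacy NAS", 5: "LAN -> intranet web"}

# key=value pairs; values are either "quoted" or a bare token
KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')

def parse_line(line):
    """Turn one key=value log line into a dict; quoted values lose their quotes."""
    return {m.group(1): (m.group(3) if m.group(3) is not None else m.group(2))
            for m in KV.finditer(line)}

def rule_hits(log_text):
    """Count firewall events per fw_rule_id. Rule 0 stands for the default drop."""
    hits = Counter()
    for line in log_text.splitlines():
        fields = parse_line(line)
        if fields.get("log_type") != "Firewall" or "fw_rule_id" not in fields:
            continue
        hits[int(fields["fw_rule_id"])] += 1
    return hits

def unused_rules(log_text, configured=CONFIGURED_RULES):
    """Configured rule IDs with no hits in the log window: candidates for review or removal."""
    hits = rule_hits(log_text)
    return sorted(rid for rid in configured if hits[rid] == 0)

if __name__ == "__main__":
    hits = rule_hits(SAMPLE_LOG)
    for rid, name in CONFIGURED_RULES.items():
        print(f"rule {rid} ({name}): {hits[rid]} hits")
    print("default-drop events:", hits[0])
    print("unused rules:", unused_rules(SAMPLE_LOG))
```

Run it against a longer export than a single day before removing anything, since rules for backup or maintenance traffic may only fire weekly or monthly.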
Regarding Firewall rules, I could theoretically give you many more advantages that underline why I would never go back to a UTM again. But I’ll leave it with the main arguments listed above, which should already convince every Firewall admin. 🙂
Even though SFOS has been improved a lot regarding Firewall rules, there is one very annoying disadvantage of SFOS compared to the UTM. Saving a Firewall rule takes between 4 and 10 seconds on XG 86 through XG 135 Firewalls! This will be improved in v18 first and then completely fixed in v19.
05 - Log Viewer
Even after several years on the XG Firewall, the Log Viewer is still an absolute highlight! This makes it quick and easy to check logs directly via the GUI. But before I lose too many words about it, have a look at the following video:
06 - Sophos Central
No, don’t be afraid! I’m not going to start with Sophos Synchronized Security, for which Sophos’s marketing department has coined the slogan of the century. But if it helps you trade in your UTM for an XG, then of course we’ll jump on the train. Did you know that with Synchronized Security on the XG Firewall you can see which applications are running on the endpoints? 😂 So yes, Synchronized Security will bring even more ingenious possibilities in the future!
But let’s now come to a feature regarding Central that is still in its early stages but has huge potential. I’m talking about Central Firewall Management. This makes it possible to link the Firewall to Central and manage it from there. Such a connection can already be made, but the really interesting functions are yet to come! I can’t tell you too much here yet, but if Sophos does it right, it could end up being a management layer for SDN. We can expect new features by the end of this year.
07 - Firmware Updates
As I said, we always like updates. The saying “never change a running system” is absolute nonsense when it comes to the Firewall. We’ve already mentioned this in an earlier post about the need for Firewall updates.
I’m sure you guys understand that updates are important. But updates are also very dangerous, because it can happen that not everything works as smoothly as before. From admins who are afraid of it, you will always hear the above quote. 😅
In order to reduce the risk of updates, there are some improvements on the XG Firewall:
- The updates of access points and REDs are detached and no longer integrated in the Firewall update. Thus the REDs can be updated without restarting the Firewall.
- If a Firewall update did not work and you want to return to the previous version, you can do this with a few clicks.
This article is now a bit longer than I originally had in mind. I’ve listed seven reasons here that in my opinion should encourage every UTM friend to change. I used to adore the UTM too, but especially in terms of future-proofing, updates and a clear vision, our reasoning pushed us toward the change early on, and we have never regretted it! When it comes to the comparison UTM vs. XG, the XG clearly carries the more impressive fighting weight on the scales for us. So be brave, or rather sensible (😅), and rely on an XG Firewall for your next project. Once this step has been taken, you can start migrating your UTMs to the SFOS.
Even though the SFOS offers many excellent features, you might get the feeling that this article was written through rose-tinted glasses. That’s why I’m going to add a short chapter on the disadvantages, because SFOS is still a very young operating system and there are some things that don’t work so well yet.
Speed of the GUI
- Loading or saving Firewall rules still takes too long and does not work the way you would want.
- Generating reports or the system resources view definitely needs a speed boost.
  * As already mentioned in the article, these things will be improved with v18 and solved with v18.5.
- Unfortunately it is not always possible to rename entries afterwards. This includes, for example, zones, wireless networks, active firewall NAT ports, IPS protection policies, web server protection policies, IPsec policies and some more.
  * The reason for this is that the developers of the Cyberoam firewall, which is still the basis for the SFOS, used the name of these objects as the primary key in the database. Of course, this makes renaming the objects afterwards rather difficult. But this is also being worked on, and first improvements are expected with v18.
- Created NAT rules cannot be edited while they are active. You must first deactivate them, edit them and then reactivate them.
  * To be corrected with v18.
- The notifications in the UTM system are a lot better. You can be notified of practically anything by email. The SFOS offers almost no options in this respect. With SFOS 17.5 MR4 something has been improved, but the options we took for granted on the UTM are still not offered.
  * To be further improved with v18.
In this article I often refer to v18, which is supposed to bring many improvements. According to Sophos, v18 will be released by the end of 2019. However, we consider this timing very optimistic and believe that the first quarter of 2020 will be more accurate. 😅
Sophos has independently compiled a datasheet for the comparison of UTM vs. XG. It lists in tabular form which features are already included in SFOS and which things will be added with v18.