Sophos Cyberoam UTM Review

I like the remote VOIP routing through the VPN.

Valuable Features

Site to Site VPN, and local web filtering.

Improvements to My Organization

The ability to have a site to site VPN, yet have the users use their local internet rather than sending all traffic back to our main site, is crucial to their day-to-day operations. With the remote VOIP phone system routing through the VPN, we have extension connections to those remote campuses.

Room for Improvement

We have issues with IPS and DoS attacks taking down a couple of our sites. I've changed the IPs of the external interfaces, yet the attacks still happen and the firewall will disconnect the VPN connection as well as stop all internal traffic from flowing externally. I am still able to HTTPS to the external interface, but it takes a full reboot of the appliance to get any traffic flowing again.

Deployment Issues

Deployment only has one snag. Our VOIP system initially tried to communicate over the internet before the VPN connection was active. Once that happened, unsuccessfully, the phone switch stopped trying. But support was able to diagnose the problem and come up with a solution to keep that traffic blocked from going to the internet, causing it to wait for the VPN to be active so traffic flows successfully.

Stability Issues

It seems like the main instability I have found is with my Austin site and the DoS attacks that take down the VPN and internet access for the local site. I have 7 remote sites and this is the only one that has these issues regularly.

Scalability Issues

Yes, currently with the Sophos buyout of Cyberoam. My CR15iNG models show as not upgradable to the new Sophos IOS, meaning I have to purchase new equipment to get any of the new features and performance. This is causing me to investigate other firewalls.

Customer Service and Technical Support

Customer Service:

I have always had great luck with customer service. I have been with them for so long that they know me and are pretty responsive to any issues I've had. I have had hardware issues in the past and received a replacement the next day. I've also been on the phone for quite some time for them to diagnose an issue I have and come up with a good solution. While their support is not in the US, I have not had a problem getting someone on the phone when I call.

Technical Support:

There is always another level. The first level of support is very capable of helping with configuration issues. When something more complicated is needed, they have engineers to speak with who view your appliance to be sure they have all the information and can diagnose appropriately.

Previous Solutions

We used Cisco firewalls prior. They worked great, but were more complicated to set up and cost significantly more, both initially and to renew each year.

Initial Setup

Very straightforward for setup. I had a few issues with my VOIP setup, but once that was figured out, setup for all other sites was a snap.

Implementation Team

In-house deployment.

Much less travel expense. Even when I have issues, as with my Austin site, I'm able to rectify them remotely in most cases. With the Cisco I had to travel if I needed to change the configuration.

Pricing, Setup Cost and Licensing

These units, CR15iNG remote/small office firewalls, are pretty inexpensive, and renewal pricing is well worth the support cost. They do not have a hardware replacement support agreement at this time with Cyberoam. I do believe Sophos is changing that portion of the support agreement though.

Other Solutions Considered

Not really, we had the Cisco in place. We had a vendor at the time that was really high on Cyberoam, as they had done the evaluation of others for us.

Other Advice

I liked the product so much I purchased one for my home as well.

Prior to Sophos taking over I had a great sales support staff and technical staff. Since then, that has lagged a bit. I'm hoping that with my upgrade to the Sophos OS that will change, if I stay with their product.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Orlee Gillis

When you've needed to reboot your appliance after a site is taken down, have there been any practical damages to your productivity?

Fred Fish

Our remote sites have limited personnel, only 1-3 staff, so when the site is not working and requires the reboot, the impact has already happened. They are effectively offline for everything, including the VOIP communication back to our network. Only local calls work, due to the analog trunks.
But the switch reboots and starts working within 5 mins of the command.

Orlee Gillis

How have you dealt with the impact until now? Do you have any suggestions for other/future users?

Fred Fish

We have made many configuration changes to the firewall to avoid the DDoS or IPS attacks. We have options with a few IPs and many firewall settings that have assisted in lessening the frequency of the outages. With the 7 remote sites I have, only this one has the problem, so I have assumed it is an external attack on the site.
I have a Single Pane of Glass I watch while I'm at work and can usually correct any issues within minutes of the problem happening, so the impact is less. I also receive emails from my main firewall (CR500iNG-XP) when the IPsec tunnel drops, to alert me when I'm not at my desk. The users onsite don't see much impact, as they are mobile quite often and this happens when they are not in the office or is corrected rather quickly.
If the office was staffed more extensively I would certainly have to come up with a better solution, maybe even swapping the firewall altogether. But with our budgets that is not an option for the non-profit.

Orlee Gillis

Have you been as successful as you would like in avoiding these DDoS or IPS attacks?

Fred Fish

Definitely not. Any downtime due to an attack is not a success. I've fought this for far too long, with no rhyme or reason to the attacks. I can't block IPs, and the built-in countermeasures, I believe, cause the device to stop allowing traffic.

Orlee Gillis

Are there any individual changes you can suggest that would minimize this downtime that you've been experiencing?

Fred Fish

The changes I've made that have helped a bit limited the external exposure of the FW to attack. Which sounds logical, but I need to be able to manage the device from a remote location and do not have dial-in abilities.
Basically, eliminate ICMP responses to the WAN as well as HTTP responses. I've added specific IPs when I note the traffic on more than one instance, and even a few ranges of other countries.
As I mentioned before, I have options for multiple IPs, so I change it from time to time when hits become troublesome. That means changing my VPN settings on both ends as well. But that is less downtime than having the denial of service issues.

Orlee Gillis

Have you always had this access to multiple IPs? Do you have recommendations for users that don't have that option?
