Sophos Cyberoam UTM Review

I like the remote VOIP routing through the VPN.


What is most valuable?

Site-to-site VPN, and local web filtering.

How has it helped my organization?

The ability to have a site-to-site VPN, yet have the users use their local internet rather than sending all traffic back to our main site, is crucial to their day-to-day operations. With the remote VOIP phone system routing through the VPN, we have extension connections to those remote campuses.

What needs improvement?

We have issues with IPS and DoS attacks taking down a couple of our sites. I've changed the IPs of the external interfaces, yet the attacks still happen, and the firewall will disconnect the VPN connection as well as stop all internal traffic from flowing externally. I am still able to HTTPS to the external interface, but it takes a full reboot of the appliance to get any traffic flowing again.

What was my experience with deployment of the solution?

Deployment only had one snag. Our VOIP system initially tried to communicate over the internet before the VPN connection was active. Once that happened unsuccessfully, the phone switch stopped trying. But support was able to diagnose the problem and come up with a solution to keep that traffic blocked from going to the internet, so that it waits for the VPN to be active and traffic flows successfully.

What do I think about the stability of the solution?

It seems like the main instability I have found is with my Austin site and the DoS attacks that take down the VPN and internet connectivity for the local site. I have 7 remote sites, and this is the only one that has these issues regularly.

What do I think about the scalability of the solution?

Yes, currently, with the Sophos buyout of Cyberoam. My CR15iNG models show as not upgradable to the new Sophos OS, meaning I have to purchase new equipment to get any of the new features and performance. This is causing me to investigate other firewalls.

How are customer service and technical support?

Customer Service:

I have always had great luck with customer service. I have been with them for so long that they know me and are pretty responsive to any issues I've had. I have had hardware issues in the past and received a replacement the next day. I've also been on the phone for quite some time for them to diagnose an issue I had and come up with a good solution. While their support is not in the US, I have not had a problem getting someone on the phone when I call.

Technical Support:

There is always another level. The first level of support is very capable of helping with configuration issues. When something more complicated is needed, they have engineers to speak with who can view your appliance to be sure they have all the information and diagnose appropriately.

Which solution did I use previously and why did I switch?

We used Cisco firewalls prior. They worked great, but were more complicated to set up and cost significantly more, both initially and to renew each year.

How was the initial setup?

Very straightforward setup. I had a few issues with my VOIP setup, but once that was figured out, setting up all the other sites was a snap.

What about the implementation team?

In-House deployment.

What was our ROI?

Much less travel expense. Even when I have issues, as with my Austin site, I'm able to rectify them remotely in most cases. With the Cisco, I had to travel if I needed to change the configuration.

What's my experience with pricing, setup cost, and licensing?

These CR15iNG remote/small-office firewall units are pretty inexpensive, and renewal pricing is well worth the support cost. They do not have a hardware replacement support agreement at this time with Cyberoam. I do believe Sophos is changing that portion of the support agreement, though.

Which other solutions did I evaluate?

Not really; we had the Cisco in place. We had a vendor at the time that was really high on Cyberoam, as they had done the evaluation of others for us.

What other advice do I have?

I liked the product so much I purchased one for my home as well.

Prior to Sophos taking over, I had a great sales support staff and technical staff. Since then, that has lagged a bit. I'm hoping that with my upgrade to the Sophos OS that will change, if I stay with their product.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
9 Comments

Orlee Gillis, Consultant

When you've needed to reboot your appliance after a site is taken down, have there been any practical damages to your productivity?

Fred Fish, Top 10 Real User

Our remote sites have limited personnel, only 1-3 staff, so when the site is not working and requires the reboot, the impact has already happened. They are effectively offline for everything, including the VOIP communication back to our network. Only local calls work, due to the analog trunks.
But the switch reboots and starts working within 5 minutes of the command.

Orlee Gillis, Consultant

How have you dealt with the impact until now? Do you have any suggestions for other/future users?

Fred Fish, Top 10 Real User

We have made many configuration changes to the firewall to avoid the DDoS or IPS attacks. We have options with a few IPs and many firewall settings that have assisted in lessening the frequency of the outages. Of the 7 remote sites I have, only this one has the problem, so I have assumed it is an external attack on the site.
I have a single pane of glass I watch while I'm at work and can usually correct any issues within minutes of the problem happening, so the impact is less. I also receive emails from my main firewall (CR500iNG-XP) when the IPsec tunnel drops, to alert me when I'm not at my desk. The users onsite aren't impacted much, as they are mobile quite often, and this happens when they are not in the office or is corrected rather quickly.
If the office was staffed more extensively I would certainly have to come up with a better solution. Maybe even swapping the firewall altogether. But with our budgets that is not an option for the non-profit.

Orlee Gillis, Consultant

Have you been as successful as you would like in avoiding these DDoS or IPS attacks?

Fred Fish, Top 10 Real User

Definitely not. Any downtime due to an attack is not a success. I've fought this for far too long, with no rhyme or reason to the attacks. I can't block IPs, and the built-in countermeasures, I believe, cause the device to stop allowing traffic.

Orlee Gillis, Consultant

Are there any individual changes you can suggest that would minimize this downtime that you've been experiencing?

Fred Fish, Top 10 Real User

The changes I've made that have helped a bit limited the external exposure of the FW to attack. That sounds logical, but I need to be able to manage the device from a remote location and do not have dial-in abilities.
Basically, eliminate ICMP responses on the WAN as well as HTTP responses. I've added specific IPs when I note the traffic on more than one instance, and even a few ranges of other countries.
As I mentioned before, I have options for multiple IPs, so I change it from time to time when hits become troublesome. That means changing my VPN settings on both ends as well. But that is less downtime than having the denial-of-service issues.
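Two of the practices described in this thread, getting an alert when the IPsec tunnel drops and adding a source to the blocklist once its traffic has been noted on more than one instance, can be expressed as detection logic run over the firewall's logs. The following is an added example and not code from the review, Cyberoam or Sophos. The log line format, the sample lines, and the function names are constructed for the example; a real appliance's syslog format differs and the regex would need adjusting. It goes slightly beyond the comment by also grouping repeat offenders by /24, which is the step that turns "a few IPs" into the ranges mentioned above, and by measuring how long each outage lasted.

```python
"""Tunnel-drop alerts and repeat-offender blocklist candidates from firewall logs.

Added example; the log format below is invented for illustration, not Cyberoam's.
"""
import ipaddress
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log (assumed format: "<iso-timestamp> <facility> <event> k=v ...").
SAMPLE_LOG = """\
2016-03-01T08:00:01 ipsec tunnel_up peer=203.0.113.5 name=Austin
2016-03-01T08:02:10 fw deny in=WAN src=198.51.100.23 dst=192.0.2.10 proto=tcp dport=80
2016-03-01T08:02:11 fw deny in=WAN src=198.51.100.23 dst=192.0.2.10 proto=tcp dport=443
2016-03-01T08:02:12 fw deny in=WAN src=198.51.100.77 dst=192.0.2.10 proto=icmp
2016-03-01T08:03:00 fw deny in=WAN src=198.51.100.23 dst=192.0.2.10 proto=udp dport=500
2016-03-01T08:03:30 fw deny in=LAN src=10.0.5.8 dst=192.0.2.10 proto=tcp dport=22
2016-03-01T08:04:00 ipsec tunnel_down peer=203.0.113.5 name=Austin reason=dpd_timeout
2016-03-01T08:04:05 fw deny in=WAN src=198.51.100.24 dst=192.0.2.10 proto=tcp dport=443
2016-03-01T08:04:06 fw deny in=WAN src=198.51.100.24 dst=192.0.2.10 proto=tcp dport=443
2016-03-01T08:09:00 ipsec tunnel_up peer=203.0.113.5 name=Austin
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<facility>\S+) (?P<event>\S+)(?P<rest>.*)$")


def parse_line(line):
    """Parse one log line into a dict; the key=value tail becomes extra fields."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m["ts"], "facility": m["facility"], "event": m["event"]}
    rec.update(re.findall(r"(\w+)=(\S+)", m["rest"]))
    return rec


def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def tunnel_drops(records):
    """One alert per tunnel_down event: the condition the reviewer gets emailed about."""
    return [
        {"ts": r["ts"], "name": r.get("name"), "peer": r.get("peer"),
         "reason": r.get("reason", "unknown")}
        for r in records
        if r["facility"] == "ipsec" and r["event"] == "tunnel_down"
    ]


def tunnel_outages(records, name):
    """Seconds between each tunnel_down and the next tunnel_up for the named tunnel."""
    outages, down_at = [], None
    for r in records:
        if r["facility"] != "ipsec" or r.get("name") != name:
            continue
        if r["event"] == "tunnel_down":
            down_at = datetime.fromisoformat(r["ts"])
        elif r["event"] == "tunnel_up" and down_at is not None:
            outages.append((datetime.fromisoformat(r["ts"]) - down_at).total_seconds())
            down_at = None
    return outages


def _wan_denies(records):
    # Only WAN-side denies count as exposure; LAN-side denies are local misconfiguration.
    return [r for r in records
            if r["facility"] == "fw" and r["event"] == "deny"
            and r.get("in") == "WAN" and "src" in r]


def wan_repeat_offenders(records, min_hits=2):
    """Sources denied on the WAN at least min_hits times: 'noted on more than one instance'."""
    hits = Counter(r["src"] for r in _wan_denies(records))
    return {ip: n for ip, n in hits.items() if n >= min_hits}


def candidate_ranges(records, prefix=24, min_sources=2):
    """Group WAN offenders by /prefix; a net with several distinct hosts is a range candidate."""
    nets = defaultdict(set)
    for r in _wan_denies(records):
        net = ipaddress.ip_network(f"{r['src']}/{prefix}", strict=False)
        nets[str(net)].add(r["src"])
    return {net: sorted(srcs) for net, srcs in nets.items() if len(srcs) >= min_sources}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("tunnel drops:", tunnel_drops(recs))
    print("Austin outage seconds:", tunnel_outages(recs, "Austin"))
    print("repeat offenders:", wan_repeat_offenders(recs))
    print("range candidates:", candidate_ranges(recs))
```

The thresholds (two hits for a host, two distinct hosts for a /24) mirror the reviewer's own rule of thumb rather than any vendor default; on a real WAN feed they would be tuned per site, and a blocklist built this way still needs a review step before it goes into the firewall, since a spoofed source can otherwise be used to get a legitimate peer blocked.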

Orlee Gillis, Consultant

Have you always had this access to multiple IPs? Do you have recommendations for users that don't have that option?