Sophos UTM Review

It provides firewall, proxy, and VPN in one solution, but be prepared to follow the Zeroeth Rule during implementation.

Valuable Features:

  • HTML5 VPN portal
  • Application control
  • Reverse proxy
  • Web filtering

Improvements to My Organization:

We used several vendor products before UTM, and now it is all in one box - firewall, proxy, and VPN. Sophos is much easier to manage and configure.

Room for Improvement:

Every product has room for improvement.

Use of Solution:

I have used it for three years actively with several projects utilizing UTM.

Deployment Issues:

No issues encountered.

Stability Issues:

No issues encountered.

Scalability Issues:

No issues encountered.

Customer Service:

We don't have direct contact with Sophos support so I can’t rate the level of customer service and technical support properly.

Previous Solutions:

I did. Sophos UTM is far easier to configure and it is very intuitive with configuration.

Initial Setup:

Setup is easy and straightforward. It is a browser-based tool, so you can access it from every location, and with different operating systems.

Implementation Team:

We did it in-house.

Other Advice:

I have some technical advice, but generally, always prepare steps to implement Sophos UTM and test your implementation before using it in a production environment.

The Zeroeth Rule:

Start with a hostname that is an FQDN resolvable in public DNS to your public IP. If you didn't do that, start over with a factory reset; it will save you hours of frustration.
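
An added pre-implementation check for the Zeroeth Rule (example code, not from the reviewer or from Sophos): it verifies that the chosen hostname is a syntactically valid FQDN and that it resolves to the expected public IP. The resolver is injectable so the lookup can be pointed at a public DNS server instead of the local one; the hostname and IP used below are constructed placeholders.

```python
import re
import socket

# One DNS label per RFC 1123: letters, digits, hyphens; no leading/trailing hyphen; 1-63 chars.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_fqdn(hostname: str) -> bool:
    """True if hostname has at least two valid labels (e.g. utm.example.com)."""
    name = hostname.rstrip(".")
    if not name or len(name) > 253:
        return False
    labels = name.split(".")
    # A bare short name such as "utm" has no domain part and is not an FQDN.
    return len(labels) >= 2 and all(_LABEL.match(lbl) for lbl in labels)


def resolve_a_records(hostname: str) -> set:
    """Default resolver: IPv4 addresses from the system resolver.
    Pass a different callable to check_zeroeth_rule() to query public DNS instead."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(hostname, None, socket.AF_INET)}
    except socket.gaierror:
        return set()


def check_zeroeth_rule(hostname: str, public_ip: str, resolver=resolve_a_records) -> list:
    """Return a list of problems; an empty list means the hostname passes the rule:
    it is an FQDN and it resolves to the UTM's public IP."""
    problems = []
    if not is_fqdn(hostname):
        problems.append(f"'{hostname}' is not an FQDN (needs host.domain.tld)")
        return problems  # nothing worth resolving
    addresses = resolver(hostname)
    if not addresses:
        problems.append(f"'{hostname}' does not resolve in DNS")
    elif public_ip not in addresses:
        problems.append(
            f"'{hostname}' resolves to {sorted(addresses)}, not to public IP {public_ip}"
        )
    return problems


if __name__ == "__main__":
    # Constructed sample: a fake lookup table standing in for a public DNS query.
    fake_dns = {"utm.example.com": {"198.51.100.10"}}
    print(check_zeroeth_rule("utm.example.com", "198.51.100.10", fake_dns.get))  # []
```

Run it before the installer asks for the hostname; an empty list means the name is safe to use, anything else means fix DNS first.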

  1. Whenever something seems strange, always check the Intrusion Prevention, Application Control and Firewall logs
  2. In general, a packet arriving at an interface is handled by only one of the following, in this order: DNATs first, then VPNs and proxies, and finally manual routes and manual firewall rules, which are considered only if the automatic routes and rules before them have not already handled the traffic
  3. Never create a Host/Network definition bound to a specific interface. Always leave all definitions with 'Interface <>'
    Other solutions to routing problems include:
    • Devices in the LAN must have the IP of "Internal (Address)" as their default gateway
    • Never connect two NICs into the same, physical ethernet segment unless bridging or creating a LAG.
  4. When creating DNATs for traffic arriving from the internet, in "Going to:" always use the "(Address)" object created by WebAdmin when the interface or the Additional Address was defined. Using a regular Host object will cause the DNAT to fail as the packets won't qualify for the traffic selector.
  5. In NAT rules, it is a good habit to leave a field blank when not making a change. In the case of a service with a single destination port, this makes no difference. In the case of a service with multiple ports, or a Group, repeating the service makes the NAT rule ineffective.
  6. There are only four reasons to sync users from AD to the ASG/UTM:
    • The user should be able to log on to a Remote Access VPN that uses certificates to authenticate the user
    • Email Protection is enabled and the user should receive Quarantine Reports and be able to manage personal black/whitelists and/or use Email Encryption/Signing
    • You want to do Reporting by Department for Web Protection (and I consider it a bug to require this when doing AD-SSO)
    • You want to use the Authentication Agent to populate "username (User Network)" objects
    • There's no other reason to sync users to WebAdmin - certainly not with AD-SSO
Disclosure: I am a real user, and this review is based on my own experience and opinions.