Sophos UTM Review
It provides firewall, proxy, and VPN in one solution, but be prepared to follow the Zeroeth Rule during implementation.
What is most valuable?
- SSL VPN
- HTML5 VPN portal
- Application control
- Reverse proxy
- Web filtering
How has it helped my organization?
We used several vendor products before UTM, and now it is all in one box - firewall, proxy, and VPN. Sophos is much easier to manage and configure.
What needs improvement?
Every product has room for improvement.
For how long have I used the solution?
I have used it for three years actively with several projects utilizing UTM.
What was my experience with deployment of the solution?
What do I think about the stability of the solution?
What do I think about the scalability of the solution?
How are customer service and technical support?
We don't have direct contact with Sophos support so I can’t rate the level of customer service and technical support properly.
Which solution did I use previously and why did I switch?
I did. Sophos UTM is far more easier to configure and it is very intuitive with configuration.
How was the initial setup?
Setup is easy and straightforward. It is a browser based tool, so you can access it from every location, and with different operating systems.
What about the implementation team?
What other advice do I have?
I have some technical advice, but generally, always prepare steps to implement Sophos UTM and test your implementation before using it in production environment.
The Zeroeth Rule:
Start with a hostname that is an FQDN resolvable in public DNS to your public IP. If you didn't do that, start over with a factory reset; it will save you hours of frustration.
- Whenever something seems strange, always check the Intrusion Prevention, Application Control and Firewall logs
- In general, a packet arriving at an interface is handled only by one of the following, in order, DNATs first, then VPNs and proxies and, finally, manual routes and manual Firewall rules, which are considered only if the automatic Routes and rules coming before hadn't already handled the traffic
- Never create a Host/Network definition bound to a specific interface. Always leave all definitions with 'Interface <>'
Other solutions to routing problems include:
- Devices in the LAN must have the IP of "Internal (Address)" as their default gateway
- Never connect two NICs into the same, physical ethernet segment unless bridging or creating a LAG.
- When creating DNATs for traffic arriving from the internet, in "Going to:" always use the "(Address)" object created by WebAdmin when the interface or the Additional Address was defined. Using a regular Host object will cause the DNAT to fail as the packets won't qualify for the traffic selector.
- In NAT rules, it is a good habit to leave a field blank when not making a change. In the case of a service with a single destination port, this makes no difference. In the case of a service with multiple ports, or a Group, repeating the service makes the NAT rule ineffective.
- There are only four reasons to sync users from AD to the ASG/UTM:
- The user should be able to log on to a Remote Access VPN that uses certificates to authenticate the user
- Email Protection is enabled and the user should receive Quarantine Reports and be able to manage personal black/whitelists and/or use Email Encryption/Signing
- You want to do Reporting by Department for Web Protection (and I consider it a bug to require this when doing AD-SSO)
- You want to use the Authentication Agent to populate "username (User Network)" objects
- There's no other reason to sync users to WebAdmin - certainly not with AD-SSO
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Aug 25 2015