Sophos XG Room for Improvement

SherifFouad
IT Manager-Africa/Technical Services Manager at a mining and metals company with 201-500 employees
The major problem that I am facing, and I know that others are facing as well, is with the HTTPS classic, in general, or any classic that works on Secure Socket Layers. Let's say I set up a rule to block users from accessing YouTube or Facebook. The rule will only block the HTTP traffic, which is non-secure traffic. But most websites right now, most of the reputable web services providers, for extra security for their own web servers and for the user's security, provide a connection over Secure Socket Layer. The problem comes when you are trying to block, or allow, similar traffic that uses HTTPS. You have to create a certificate and import it into the users' web browsers, whatever they are using. Now, this is not a problem when you're dealing with users stationed and fixed in a specific site or location. They are using desktops, they will never take the desktops and go home with them, nor will they ever take the desktops and travel to another country, or another site with it. The problem occurs when you're dealing with roaming users who use laptops and have to move between different sites that have different types of policies applied to them. You have to import all sorts of certificates from each site into their browser. Doing so will most probably conflict with something else that is totally irrelevant and cause a problem. A way around this is if you are using authentication with Active Directory. But most of the time, especially if you're operating in a remote site with a very slow internet connection, if it's available in the first place, authentication with Active Directory is impossible. So it needs an easier way to apply HTTPS filters, without importing certificates into users' browsers and without the need for using an Active Directory. There must be a way around it. There are workarounds. But with applied workarounds, it will work out once, it won't work out properly 10 other times. That is my only request. Also, since Sophos took over Cyberoam, the online technical library and support library have become super messy. To get a piece of information is becoming a nightmare. They need to reorganize the online technical support and technical library. The easiest way to overcome this is to look at how the Cyberoam online technical library was structured and to build the Sophos technical library the same way. It is messy, totally unorganized, time-wasting. Instead of getting what you want in five minutes it takes half an hour. View full review »
Sherif Fouad
Project Manager at a mining and metals company with 1,001-5,000 employees
There was a big issue with the Cyberoam and with the SG units as well, i.e. the previous Sophos UTM model. With Sophos XG, you get the chance to block what sites operate on SSL or that operate with HTTPS, without the need of extracting and distributing a certificate. On older Cyberoam and Sophos SG old versions, if you wanted to block something like YouTube or Facebook or any other websites that operate with HTTPS, you had to extract the certificate. Then you had to export that certificate. Then you had to re-import that certificate in all the user browsers. The only problem was if you needed to use an active directory where those certificates would be automatically thrown into the user browsers once they logged in to the domain. For a scenario like mine where you don't have a group policy, it is a disaster and ends up with you setting the rules to block certain websites with HTTPS on the firewall, even while they are not being blocked so that the user will still have access to them. This problem is now 100% sorted out with Sophos XG. Now you can actually block whatever you want, whether it's using HTTPS or HTTP keys from the firewall without the need for extracting certificates. That's a major improvement. That problem with the HTTPS settings was a huge issue. I know other people must be enjoying that it's sorted out now. It was a serious and major issue for Sophos. The only issue that Sophos XG now needs to improve is the product's reporting capabilities. View full review »
Kolanji Selvaraj
IT Consultant at Crotus
We are having a lot of issues with conflicts and user sessions, and Sophos has suggested that we change the device to the XG 400. Aside from these issues with scalability, the email security features are good, but there are not many options. We would like to know why an email is being blocked, and how we can allow delivery. It does not keep emails in the queue for delivery. It can only log whether it is delivered or not delivered. If I need more details then I have to log in using SSH to get that information. When an email comes in from the outside it is detected. When we check the log it only tells us that it is not delivered. We would like to create an exception, but there are not many options available for this. For example, a domain space is not allowed. Only the user name can be used to do that. We need a domain-based exception for email. Next, the XG 210 is easy to configure, but when we are looking for more details then we can only get this information through SSH. It is quite difficult. If we can get all of those details then it would help us to understand, so this needs to be improved. There are a lot of options and it gets confusing sometimes. If they can give limited options, with more information, then it would be good for the large sites. View full review »
Find out what your peers are saying about Sophos, Fortinet, pfSense and others in Firewalls. Updated: July 2019.
354,290 professionals have used our research since 2012.
Hesham Sakr
IT Infrastructure & Security Manager at a university with 1,001-5,000 employees
It is performing well. However, the only challenges that we are facing are the effectiveness with blocking the proxy and tuneling applications, aside from proxy and similar applications. So the application filter on the product is not really performing 100%. Every now and then there are some updates that are happening on such applications, and it takes time until it gets the appropriate updates and becomes capable of capturing such applications and blocking them. A new feature I would really like to see would be some sort of an enhanced application filter with greater efficiency when it comes to the applications that can bypass firewall policies. These applications are really a nightmare. Once they are on the network and not detected, or the appliance is not really successful in capturing them and unblocking them, the bandwidth gets wasted all the time. View full review »
SecMgr5390
Senior IT Infrastructure Solutions Engineer at a tech services company with 51-200 employees
I would like the update process to be easier, to update the firmware of the boxes. I think it's much better automatically than having to do it manually: Download the file, do network discovery. If they can make the update process much more automatic that would help. View full review »
Danyllo Cabral
IT Project Consultant at a tech services company
Sophos XG lacks link load balancing options like ratio and spill over, both useful in some scenarios. I also think they might consider improving the RAM of some of the appliances, since there are processes that are very memory intensive. Lastly, I would say packet monitor is another area for improvement as it lacks capabilities like exporting the capture from inside the GUI tool. View full review »
Sean Gambill
Lead NOC Engineer at a energy/utilities company with 51-200 employees
The VPN and central management need to be improved, but that's being nit-picky. The IPsec VPNs are a little on the buggy side and you sometimes have to jump through hoops to get it to work. When I looked at them last, they were still in development for the centralized management of the firewalls, so when I saw it, it was very much in its infancy. One more thing to add to what they can improve is the firewall policy presentation, they have their own special way of doing it which takes time for some to get used to, especially if you’re used to Cisco ASA. View full review »
Ivanildo Teixeira Galvão
Consultant Information Technology at a tech company with 51-200 employees
It could offer other important functions such as a DNS Filter for blocking botnet networks. View full review »
Find out what your peers are saying about Sophos, Fortinet, pfSense and others in Firewalls. Updated: July 2019.
354,290 professionals have used our research since 2012.
Sign Up with Email