Please share with the community what you think needs improvement with Kerio Control.
What are its weaknesses? What would you like to see changed in a future version?
1. More detailed reporting. 2. Sometimes you get a few challenges joining to a domain. 3. Improved and simplified User Interface.
I find it a bit costly to pay for the products that I am not using. They need to change their model in such a way that you don't have to pay for the products that you are not using. The GFI features that come with Kerio are stated below. When paying for the licenses we pay for license for everything yet we only use 5 products. GFI Products GFI Endpoint Security In use GFI Mail Essentials Not in use Kerio Connect In use GFI Archiver Not in use GFI Fax Maker Not In use Kerio Control In Use GFI Lan Guard In use GFI Web Monitor In use Kerio Operator Not in use GFI Events Manager Not in use We only use 5 products out of the 10 we’ve paid for. We should have the option for paying for what we use not a blanket cost for everything Internet aggregation and SDWAN Technology: The firewall should allow growth in terms of allowing connectivity to SDWAN technology available in other firewall appliances.Link aggregation and SD-WAN (Software-defined Wide Area Network) are great features for businesses who need multiple links to the internet. They’re also useful where you are using multiple links and would like to connect to other sites, such as branch offices or cloud services. Its local support and scalability is also not good. I am looking forward to a more scalable product that will be able to grow with time and technology. Cloud Support: The Firewall should have cloud support especially hybrid cloud support. It should allow device identification without just stating that the devices are unrecognized-"unrecognized devices" Sandboxing is one of those important firewall features that end users don’t even know is there. It takes a file or executable as you’re downloading it and opens it in a completely isolated and separate “test” environment.This is missing.
The content filtering in the product is pretty sensitive to configure as all content is being scanned. It can take quite some time to find out what content you want to scan. For example, if you use words for scanning content, there are some words that you really can't scan for because they are synonyms and can be used in all kinds of communications. Therefore you get false positives where it finds the word, but it's actually a case that you should ignore. That makes it a bit difficult to use it. The VPN features are the ones that we really like, but we are using a VPN client to be able to use them. We would like to have an SSL implementation for this same feature so we don't need to install anything on the client side. That's a feature I really miss and that should really be embedded in the product. We really would love to use it via a web browser. Another area for improvement is to be able to import users from a single text file. That functionality is really not developed enough and it is not easy to bulk-import users into a firewall. Finally, if you use a firewall product with a certificate, you can only use one VPN client on one domain name. So if I would serve multiple clients with one firewall, I cannot use different domain names. For example, if I put in the domain name test.com as a certificate name in the firewall, then all users, even if they are using it from different companies, have to use that certificate name as their client settings. That's really not appreciated. We would like to set up a firewall with unlimited users and use it for multiple smaller customers. Those companies use a service from us and we could use one firewall for that, but we can't, simply because we can only use one certificate. We can't use the name of the company with other companies. That's a lack of a feature and we miss it.
If I would suggest anything, it would be to expand on its multifactor authentication to be a little bit more user-friendly. They should do multifactor authentications for the client itself perhaps, rather than served on a webpage, in a page hijack, that might be more user-friendly, but I don't have a lot of complaints about it. It's doing its job. You have to have a certain amount of skills to configure these things anyway, the ones that we use on-site doing point-to-point, and we've been tricked up a few times with their interfaces. That's been more of an experience thing as well, you have to have some networking experience to understand what you're trying to do when you set up these things, whereas it could be a little bit more user-friendly, wizard-based.
The antivirus seemed to be a bit laggy on the connection so I disconnected that. It's definitely good. The only issue we've had with any sort of cyber attack seemed to be coming from a couple of distinct locations, people trying to get into known ports on remote desktops and stuff like that. The fact that we can block all that traffic is just great. It simplifies it. The last time we used the antivirus, it seemed to slow down some of the connections. I didn't dig too deep into it, we just turned it off and it seemed to rectify the problems. It's hard to say whether it was that directly but it seemed to be creating a bit of overhead on the connections. The reliability is its biggest downfall. I don't expect to be rebooting a product like this every couple of days. In fact, it's become a start of day thing just to reboot so it doesn't let me down in the middle of a team's call or something like that. It's quite slow as well. I could be on a team call and it would drop the connection. Then we'll get a warning that we've got poor call quality and as soon as you restart the device all the problems go away. There's clearly maybe some sort of memory leak problem or something in there that's affecting its reliability. We've just had our national broadband network connection today, which is a high throughput connection. We will be reconnecting the entire household through the device, to see how it copes and we'll see if it improves anything.
There are some pros and cons to its performance when dealing with malware and antivirus features. Maybe once a month, I have gone to a website and it's being blocked. This is because it's a known malware site. So, I feel confident that those filters are doing their job. On the down side, occasionally when iOS devices go to the App Store to do their application updates, it will pick that up as a possible virus in a file: a false positive. This only happens on the iOS updates and the antivirus signatures. One area that confused me a bit when I was building my current network. I use VLANs to have separate functionality on the network, and the appliance I got was the WiFi model, but I discovered that you can't assign WiFi channels to the VLAN. So, you can have WiFi, but its own subnet. You can't run that over the VLAN. Effectively, I can't use the WiFi facility in the appliance and had to purchase a separate web that supports VLANs. In the end, I had to go to GFI support. They confirmed this is just a limited functionality of that device, as it is a low-end device. I don't know if any of their high-end models have a better facility or not.
There were certain things I didn't know about it, but I've always been able to just contact our IT company. They've been able to walk me through certain things. It was quite a monumental task to set up a public site. Support really had to help me with setting up the VLANs and walk me through it. It was not possible for me to figure that out on my own, but that's what they're here for. That could have been a little bit easier laid out.
Sometimes it might not be detailed enough, or it might have more details but the customers just don't know where to look. The issue is usually when it comes to specific packets. Sometimes they find it slightly difficult to see exactly what's going on. For example, we had a customer who was using the content filter. They tried to block Facebook using the web filter categories, and in combination with that they wanted to always require that a user was authenticated before accessing web pages. What would happen was that even though they had the content filter enabled to block social networking — Facebook may even be a category — it still allowed them to get in through mobile apps. If they went to the website, it would prompt them for login and then it would deny it, but they would get into the app and they weren't even logged in. That might have been an HTTPS issue and the way that the app was talking, rather than an actual website or what page. We always managed to find a way around. They'll come to us with a question and then we'll figure it out and usually they're happy enough with that. There's also room for improvement in the Traffic Rules. We define networks to use a specific outgoing interface, say VSAT, shore, or marine WiFi, which is okay. But then all we have is a checkbox that says "Use other internet interfaces if this one is unavailable." What we would prefer would be to have a priority list. So if VSAT is unavailable, try to use 4G, etc. We haven't really found a reliable way of doing that in the current release. Finally, the customers sometimes want to use the VPN link for outbound traffic. But at the moment, it appears that there is an all-or-nothing solution, so either everything uses the VPN and breaks out at the remote site or nothing does. The simple example is for the email system we've put in. We can direct traffic in over the VPN, but we'd also like to send that same email traffic out of their server over the VPN to break out on a specific IP address in our data center. We would like to see a little bit of functionality in prioritizing of internet interfaces.
The only thing that I have a problem with is not so much the product itself, but back when Kerio had it, I could call up Kerio or send an email and do an upgrade online. I could renew my subscription online. But now, I have to go through a third-party, and it seems clumsy. I can no longer renew my subscription directly with GFI but we have to go through third-party resellers like CDW. The first time I did it with CDW. I went to CDW and it was almost like they didn't even know anything. They didn't know what package I was supposed to get. Then after I got it, it took almost five days to get everything working. I used to be able to go to Kerio's website and then add the stuff to my cart, use my credit card, and it would bill me. Everything would be working in a few minutes. But now, if your subscription is getting ready to expire, you better give it a week or two.
One of the problems we do have causes problems with the VPN. The software slows the throughput down too much. You could have a one-gigabit connection from the internet, and it slows it down to where the area of upload and download is extremely slow. There's too much content filtering at that point. Quality control is another problem that needs to be handled better, particularly in the NG100 series. We have had to replace a couple of those. Other than that, the throttling down of the speed is too much. It is too heavy. Other than that, I think they're good.
We haven't really had any major issues. But when we did our last update, we had some trouble with the initial syncing process to get our messaging to go through. But we were also moving a store and a lot was changing during that process. I don't think it was on Kerio's end. It just coincided with the update. Once we got our third-party IT guy involved it was resolved very quickly.
The comprehensiveness of the security features could be improved upon. However, for the most part, it is pretty good. They could add more logs. I would like to see more detailed reporting, custom reporting from the logs, and more of a streamlined interface for certain aspects. The malware features could be improved. In the large systems, it could use a better alert system, as far as things happening. I get a lot more information from Kerio Connect, as far as alerts, but not so many through the Control products. It's pretty easy to use. Although, the interface could be improved upon. Certain settings are thin to a certain degree, whereas they should be put more to the forefront and right in front of your face. I would give it a seven out of a 10 for its ease of use.
The support the solution offers needs a lot of improvement. GFI took over the product and since the takeover, the support, the backups, the after-sales support, etc., has basically dropped off quite a bit. When it comes to dealing with updates, there are often bugs on the solution. They should do a lot more testing before they release new versions.
The one thing that did put me off of the solution was that, after they were taken over by GFI, the licensing and a few other items have gotten very complicated. I am just a little bit wary as to the future of the Kerio Control. I do like open source. I think open source is the future. I don't think there is any place for proprietaries and if I can use something as open source, I would prefer to use open source. I never found I missed anything in terms of features. From a user point of view, because I install these things and put them on a yacht, then the people on board, they're the ones that have to manage it once the installation is done. That means I have to train them, and, as long as they understand what they need to do and how to use I'm they'll be fine. That said, it can be a bit complicated for a novice user. A simpler user interface is necessary.
The security part of the software, like virus scanning, website, traffic monitoring, things like that, can take a toll on performance. The actual security functionality of it needs a little bit more work, which I believe they are remedying or attempting to remedy at this time, but that's the downfall at this time; it is currently running on an end of life linux kernel.
I would like to be able to automatically send email from Kerio Control and have it tell me what my external IPs are, because on one of my lines I have a fixed IP address and on the other it is variable. If there were a permanent way for me to figure out, "Okay, my current external VPN and my firm IP is this," it would help. I need to know the IP address to connect with the VPN and, at the moment, one of the lines sometimes changes its IP address without me knowing it. It's a hassle to figure out what it is. It might also be interesting to have a GFI-approved, Docker-containerized version of the Kerio Control system.
The antivirus is either on or off, but we can't really see or measure how well it is doing. Sometimes we get the feeling that some files get past it and then they get caught on the antivirus of the client PC. We would like to have more control with the antivirus. Also, we have multiple employees working on firewalls and if one employee changes a rule and traffic that shouldn't be there suddenly comes through the firewall, it's hard to pinpoint which rule is affecting that traffic because there is some overlap. It's not clear if it's getting past it because it's not decrypted. It needs more logging or more in-depth diagnostics about which traffic is hitting which rule on the firewall. Sometimes we have 20 or 30 rules and it becomes a whole job to figure that out. When it comes to QOS, the quality of service, you have to set a fixed bandwidth. But sometimes, when we have multiple connections in front of it, it's a fallback line. For example, when we use Kerio aboard a ship, there is the satellite connection but there is also a 3G or 4G connection. We always have to set a fixed limit for the connection. If we set the fixed limit to 4G and it switches to navigation, one user can use up all the bandwidth for the entire ship. It would be better if there were something more dynamic, where it could sense the total and we could use percentages. For example, we could say a user has always 5 percent of the connection. But now we have 5 percent of a fixed connection number. The fixed limit on a line for QOS is a problem because we don't always know which connection is in front of it. Also, if you have to dive deeper into the firewall or any other features, then you really have to read up a bit about how to set it up properly. Some of my colleagues, in the beginning, jumped in and made a bunch of rules but then it got really messy. If Kerio had a template or guidelines for best practices, at the beginning, that would really help. With Kerio Control it's basically "find out for yourself." We've also had some problems with how to set the rules, but that's when more than one rule is overlapping and cancels out all the other rules. However, that's more our fault.
The overall speed needs improvement. Internet connectivity speed needs to be improved somehow. If I buy one of Kerio's hardware boxes and put it between me and the Internet, the speed is reduced dramatically using their hardware.
With Kerio Connect, they blew it. They were not able to pace up with the competition. I am working with a variety of customers: lawyer offices, travel agencies, big shopping mall accounts, and small accountancy offices. They have all kinds of needs. Kerio Connect did a new launch in the Netherlands for the ACG and GDPR, which are very strict for some companies, like lawyer offices. It is important within the mail server product that you're able to encrypt your attachments and have two-factor authentication. All these type of things are not within Kerio Connect. Therefore, this product is not interesting anymore for my customers since the Dutch law is that strict. For example, there was a judgment from a judge this year when a company was hacked. There was a guy who maintained this network gave some advice to the customer, but the customer would not pay for that solution. He was held responsible for about 60 percent loss of this business, because there was a ransomware within in the organization. These are the things we have to deal with in the Netherlands and in Europe. Within the Netherlands, this is a very important thing, so you can probably understand how important it is that the product is okay with the market demands. After the takeover by GFI, one of the things that Kerio built was MyKerio environment. This is a cloud solution to have an overview of the statuses of all the firewalls that you maintain. When a firewall or primary interface goes down, then you get messages. It also has an app for iPhone or Android. You can then have a quick view about the status of the firewalls for your customers. If there is a problem with the Internet connection, whether it is down or there is an update, then you get a message. So, I can proactively help my customers. However, after the takeover, this has not been very reliable because I get many messages that MyKerio is not functioning. For some reason, there are things that they changed and it is not very reliable at this moment, instead I have to connect to the firewall to see what is happening. MyKerio is a cloud thing where you can easily see all the firewalls that you maintain for your customers along with the statuses behind them, providing a way to securely connect to your firewall appliances. This is a very strong feature of MyKerio. However, nowadays, I'm not really impressed about things they do with it. That needs improvement in my opinion. Another thing is that you must be a specialist, like me, when you want to have more specific information, e.g., when there are incidents or things that are happening that need investigation, then you need to go to the shell prompts and logging, where you can perform anything. You can edit anything out of your log files. However, this is not possible within the Kerio Control admin interface. You can only search for one thing, but not for many things. Kerio Control has a very good future, but it needs good marketing and knowledge around it.
A little bit more info when we search on the client under active hosts. We would like to see a column to say what is going on: Is it encrypted? Is it HTTP or HTTPS? Is it connected to a gaming services? I would like the customer statistics to be more user-friendly. It should explain more what users have been doing throughout the day. Sometimes, it'll just say they downloaded a big file. Meanwhile, they were connected through a VPN.
I would like it if the interface section had multiple failovers. Although I do have three connections, just in case our physical cables get disconnected, I can only set up one failover as a backup. So, if for some reason our fiber and our AFM went down together, I would have to have it search for our 4G modem. I'd love to have extra backups running. Someone set a printer to have a static IP address and because they set it as static, it won't show on my LAN, on the DSCP server, because it's not questioning it. So just because the device does not request the rules from the DSCP, I don't see why it wouldn't show up in my LAN on the DSCP server. That's a bit odd. It's different from how a Windows DSCP server would react. Instead of only showing one is requesting DSCP, or on a reservation, it shows all, whether they're reserved or not. A Windows one would. For some reason, it isn't showing me ones that were statically assigned.
The one feature that seemed to be missing for a while that they finally just readded was the ability to filter by known IP lists, either specific countries, or lists of IPs know to be hackers. That was in the product awhile ago, but just wasn't maintained for a while, but they recently did start to maintain it again it. The MyKerio online portal could probably use a little touch up and tweaks, sometimes the backups just fail or you have to log off and back in with a new browser to connect to a device. The site is glitchy every now and then. The guest network that they had behind a splash screen is the one spot that we're not thrilled with. We believe the guest network could have a more reliable and better customization on the splash screen, and sometimes we have issues with users getting to the splash screen at all. Our solution is just buy unlimited licenses to get around that. Then instead of using the guest WiFi, we create a whole separate VLAN with no splash page or use a splash page through the access points if we need a splash page. Its also not customizable at all so you can't put logos or names on it, make them accept a usage agreement, etc.
Quality of service and bandwidth management need improvement. It just doesn't seem granular in that. The denial of service could also be improved. There recently was a big issue with denial of service attacks and it was a bit laborious.
What do you like most about Kerio Control?
Thanks for sharing your thoughts with the community!
Why or why not? If so, which are the best providers for this configuration?