Please share with the community what you think needs improvement with Sophos XG.
What are its weaknesses? What would you like to see changed in a future version?
The BGP engine is very limited.
There is no built-in option for let's encrypt certificate management for use with webadmin, user portal and WAF.
Their technical support needs improvement. I've been on hold with them for hours waiting for their support.
It would be great if the user can have a portal to check on activities related to their account.
Network security is in need of improvement.
There needs to be a way that we can distinguish between educational institutions on Youtube and other Youtube videos. You can do this on Fortinet. Basically, they can block all other Youtube videos besides those that are from educational institutions. With Sophos, you either allow for all Youtube videos or none at all. They need to allow for more specification on different websites. They only have one single location for training videos. They must offer them elsewhere as well. When the site goes down, everything stops, and you can't access the videos when you need them, so they need to diversify that. It's limiting.
They should expand their DDoS feature. It's basic. They need to enhance it. Technical support needs to be improved. The solution needs a mobile application for the administrator. Today, as an administrator, you cannot manage the solution from your tablet or from your mobile. You can only go through a web console. Other vendors have mobile apps. Some vendors also have the ability to manage and check the chart report and change some settings from a mobile application. This would be an excellent add-on for administrators who are traveling. It could help a lot.
Although I enjoy the reporting elements of the solution, it can still be improved. I still can't drill down. There is some information that I would really, really like to see, but I still can't access it. On reports, they sometimes give a summary, but it lists different users as unknown. There are times that I really want to know which user or which IP is causing a problem.
Sometimes we experience difficulties with our server and that is usually due to a bug. Somehow bugs seem to find their way through Sophos' security. The issue is usually resolved when we contact technical support. In the next version, I would like to see an improvement in this. The developers should test everything after any update to ensure that bugs don't come though with the update.
The UTM itself needs improvement. When you're navigating it seems like it takes forever to load anything. The hardware is okay. It's just the software that could be more responsive.
It's easy to use, but it's harder to configure when you want detailed settings. They need to make it easier to access advanced features.
The initial set up process can be a little tricky, especially when you are registering with Sophos and you have a poor internet connection. Setup is not necessarily complex, but it's not trouble-free. You do have connectivity issues at the initial setup with registering the device on the Sophos platform to access the advanced features. It doesn't always go through the first time around. That may be an issue with the quality of our connection. I'm not sure exactly what it is. The single sign-on client I get maybe a 60% success rate on. There are times when it will use single sign-on for verification of users to access Internet resources. It still doesn't always catch the user. The user gets sent to the web login. Even though the single sign-on is helping, it doesn't always work. I would like to see a better single sign-on performance. I'd like to see a more streamlined way of managing your licensing as well.
I would like to have remote access to clients using a static IP for a certain period of time. This would allow me to log in to any client, remotely, with a known and fixed IP address.
There was a big issue with the Cyberoam and with the SG units as well, i.e. the previous Sophos UTM model. With Sophos XG, you get the chance to block what sites operate on SSL or that operate with HTTPS, without the need of extracting and distributing a certificate. On older Cyberoam and Sophos SG old versions, if you wanted to block something like YouTube or Facebook or any other websites that operate with HTTPS, you had to extract the certificate. Then you had to export that certificate. Then you had to re-import that certificate in all the user browsers. The only problem was if you needed to use an active directory where those certificates would be automatically thrown into the user browsers once they logged in to the domain. For a scenario like mine where you don't have a group policy, it is a disaster and ends up with you setting the rules to block certain websites with HTTPS on the firewall, even while they are not being blocked so that the user will still have access to them. This problem is now 100% sorted out with Sophos XG. Now you can actually block whatever you want, whether it's using HTTPS or HTTP keys from the firewall without the need for extracting certificates. That's a major improvement. That problem with the HTTPS settings was a huge issue. I know other people must be enjoying that it's sorted out now. It was a serious and major issue for Sophos. The only issue that Sophos XG now needs to improve is the product's reporting capabilities.
We are having a lot of issues with conflicts and user sessions, and Sophos has suggested that we change the device to the XG 400. Aside from these issues with scalability, the email security features are good, but there are not many options. We would like to know why an email is being blocked, and how we can allow delivery. It does not keep emails in the queue for delivery. It can only log whether it is delivered or not delivered. If I need more details then I have to log in using SSH to get that information. When an email comes in from the outside it is detected. When we check the log it only tells us that it is not delivered. We would like to create an exception, but there are not many options available for this. For example, a domain space is not allowed. Only the user name can be used to do that. We need a domain-based exception for email. Next, the XG 210 is easy to configure, but when we are looking for more details then we can only get this information through SSH. It is quite difficult. If we can get all of those details then it would help us to understand, so this needs to be improved. There are a lot of options and it gets confusing sometimes. If they can give limited options, with more information, then it would be good for the large sites.
The major problem that I am facing, and I know that others are facing as well, is with the HTTPS classic, in general, or any classic that works on Secure Socket Layers. Let's say I set up a rule to block users from accessing YouTube or Facebook. The rule will only block the HTTP traffic, which is non-secure traffic. But most websites right now, most of the reputable web services providers, for extra security for their own web servers and for the user's security, provide a connection over Secure Socket Layer. The problem comes when you are trying to block, or allow, similar traffic that uses HTTPS. You have to create a certificate and import it into the users' web browsers, whatever they are using. Now, this is not a problem when you're dealing with users stationed and fixed in a specific site or location. They are using desktops, they will never take the desktops and go home with them, nor will they ever take the desktops and travel to another country, or another site with it. The problem occurs when you're dealing with roaming users who use laptops and have to move between different sites that have different types of policies applied to them. You have to import all sorts of certificates from each site into their browser. Doing so will most probably conflict with something else that is totally irrelevant and cause a problem. A way around this is if you are using authentication with Active Directory. But most of the time, especially if you're operating in a remote site with a very slow internet connection, if it's available in the first place, authentication with Active Directory is impossible. So it needs an easier way to apply HTTPS filters, without importing certificates into users' browsers and without the need for using an Active Directory. There must be a way around it. There are workarounds. But with applied workarounds, it will work out once, it won't work out properly 10 other times. That is my only request. Also, since Sophos took over Cyberoam, the online technical library and support library have become super messy. To get a piece of information is becoming a nightmare. They need to reorganize the online technical support and technical library. The easiest way to overcome this is to look at how the Cyberoam online technical library was structured and to build the Sophos technical library the same way. It is messy, totally unorganized, time-wasting. Instead of getting what you want in five minutes it takes half an hour.