StupidIT

WHY SOPHOS XG IS SUBPAR

12/04/20 - review,sophos

Before I begin, let me clarify that this is a largely opinionated piece, and I acknowledge I may be biased. Be that as it may, I have 3 years of experience with the setup and administration of Sophos XG firewalls, have set up at least 20 new ones, and am a Sophos Certified Architect. I am far from the best engineer, but I do know what I am doing.

So, with that out of the way, where do I begin?

Hardware Performance

Let’s start with the most common issue: the hardware appliance. The hardware is subpar, at best. But how can I substantiate that? The most noticeable sign is the WebGUI – sluggish is an understatement for how poorly it can perform on even a 310 series appliance. The appliances I’ve taken apart have all had SSDs as the storage device, and the DDR3 is at a relatively decent clock speed, so what gives?

But that’s just the WebGUI, the device itself is fast.
Is it? If I remove a port as a member from a bridge, it will drop traffic on that bridge for at least 30 seconds on a 200-series appliance. If – as by default – your LAN ports are set up in a bridge, this can be a serious pain for LAN>WAN traffic. It’s unnecessary. However, if I use my own whitebox that specs under a 210, and install XG on it, it performs faster than a 400-series appliance. The WebGUI is snappy, IPSec VPN tunnels come up quickly, and I can remove/add a member to a bridge in under 5 seconds.

Let’s compare the hardware I have.

The XG 135 rev.3 sports an Intel Atom C3558 @ 2.20GHz, 6GB of DDR4 2133MHz RAM, and a 64GB M.2 SSD. According to cpubenchmark.net, the Atom C3558 has a rating of 1650 (https://www.cpubenchmark.net/cpu.php?cpu=Intel+Atom+C3558+%40+2.20GHz&id=3129).

My whitebox Qotom has an Intel Pentium 3805U @ 1.90GHz, 6GB of DDR3 1600MHz RAM, and a 128GB mSATA SSD. According to cpubenchmark.net, the Pentium 3805U has a rating of 1069 (https://www.cpubenchmark.net/cpu.php?cpu=Intel+Pentium+3805U+%40+1.90GHz&id=2483).

The only other difference is that I was running XG Home on the Qotom – but that’s not an arguable point. We had an old XG 125 whose drive we wiped and installed XG Home on, and it ran just as poorly as the XG Appliance edition. Either way, my whitebox was scores faster than all of the XG appliances I had the pleasure of dealing with during my tenure at the last company I worked for. The obvious conclusion is that there is some other cheap hardware used in the appliances that is affecting performance considerably. I haven’t had the time nor the patience to pin down exactly where the issue is – and, frankly, I don’t care enough to try.

Reliability

I have personally never seen so many RMAs and outright issues with firewalls as I have with Sophos XGs. Prior to this Sophos shop, I worked primarily with FortiGates and SonicWALLs, and have probably set up and deployed about the same number of FortiGates as I have Sophos XG appliances.

Within 2 years, I’ve had 9 RMAs for Sophos XG appliances that just… stopped working. And by ‘stopped working’, I mean they wouldn’t even reach POST. Which, now that I think of it, makes me wonder if the motherboards are the cheap component which causes the performance issues on the hardware appliances. For one example, I had an Active-Passive HA pair where the master died and wouldn’t even POST. No big deal, I RMA’d the master, dealt with the fact that someone didn’t document the HA passphrase, and had to recreate that link with the new unit. And almost to the month, a year later, the original peer died with the exact same issue. The serials weren’t even close, so I can’t imagine it was a QA issue with a specific lot of units.

But I’ll admit these were all Rev.2 units – while not excusable, I can at least point to that revision as problematic. And honestly, this is sort of something I can get around – it’s a logical failure, and one that you should expect.

The failure I cannot tolerate, however, is how often the Initialization Wizard just won’t work. I’ll get a new firewall to set up, unbox it, set it up on the bench, log in, and follow the prompts through the Initialization Wizard – at the end, it will apply the configuration changes and reboot. At this point, I would generally expect to (and be able to) access the WebGUI at the designated IP I set during Initialization. However, roughly 2 out of 5 times the firewall would either get stuck, or just reboot to factory defaults. I usually try 2-3 times during these events before giving up and just skipping the wizard for setup.

Again, I cannot be assed to find exactly where the failure is, but I have a very hard time accepting this as a fact of life for, what some are led to believe, a mainstream firewall appliance.

Support

I have to admit, their Support has usually been pretty good in my experience. Any time I put in a ticket stating I need an RMA for a unit that won’t POST, there is little to no protest before they send me the RMA form to fill out, and they ship the replacement out shortly after. They don’t even want the old unit back, so I’ve gathered some half-decent paperweights – at least the units are good for something.

Although, when I asked their support whether removing the HA relationship from the peer would keep or reset its config, I was met with a shoulder shrug. For those curious: yes, it will keep the config.

Training

There are (currently) two main certifications for Sophos XG firewalls: the Certified Engineer and the Certified Architect.

Personally, I find the Certified Engineer is primarily a Sales course, but it does cover some theory. The exam is open book, so anyone who either takes notes or copies each slide of the training material into a searchable format will easily get the certificate.

I did, however, enjoy the Certified Architect exam, training material, and labs. While the exam was also open book, I chose not to use the book, and still scored very well on it – that’s not to gloat, I test horribly. But I thought the test was thorough and covered the more complex aspects of firewall administration and engineering.

That being said, the FortiGate NSE 4 is proctored, and I didn’t fare so well on that early in my career. That was purely my fault.

Conclusion

Overall, the product isn’t bad. It is, however, below adequate for anything I’d feel comfortable installing in a client’s network. Admittedly, my experience is very biased with the events I’ve witnessed and have had to work through, and the upset clients that lost their Internet access for a few hours due to their firewall appliance becoming a pretty white brick with flashy lights.

I think the biggest gain from using these devices is the cost – they are very cheap, especially when compared to FortiGates, Cisco, and SonicWALLs. Granted, if you get the FullGuard/top-of-the-line licensing but fail to utilize it, you’re still wasting money. I’ve mainly seen Sophos firewalls appear via MSPs, due to what I’d perceive as a large markup margin when compared to other firewalls.

If you want to mess around with it, I’d highly suggest trying out the Sophos XG Home edition firewall install. If you like it, request a demo appliance from your reseller, gauge the difference in performance, and then ask yourself whether it feels solid enough to deploy in your network.

Comments Section

Mike T** - 2021-12-17

Hi, can you email me at ****@sophos.com? I'd like to talk to you about this. -Mike

Admin response:
no thanks

Franklin - 2021-12-28

Man I really appreciate this. I thought I was just having bad luck with these things.
