[AusNOG] New NGFW recommendations

Andrew Thrift andrew at networklabs.co.nz
Fri Aug 5 11:37:06 EST 2016


We just evaluated the Sophos XGs at $employer

Summary: A great first release of a new product, but it is missing a
lot of the basic functionality you get on a Fortigate or Palo Alto.

Sophos XG Pros

- Price
- Excellent Workflow in the WebUI
- Highly responsive WebUI
- API
- Many VPN options

Sophos XG Cons

- CLI is very, very basic.
- Advanced diagnostics require you to drop to shell (Linux)
- It is possible to drop to shell!
- There is no way in the WebUI to view the full current routing table
(default routes, connected routes, dynamic routes)
- All policies are displayed together on one pane in the WebUI, there
are filters but it feels a bit clunky
- No IPSEC VTIs means you cannot add IPSEC tunnels to different zones easily
- Takes 3+ minutes from startup until packet forwarding starts
- Single Sign On integration with AD is a bit clunky, it does not
appear to detect log off events and update its internal tracking
- Logging is quite lightweight. There are many logs, but they are
lacking the detail on WHY certain things have failed (e.g. IPSEC
Phase1/Phase2 errors)
- There is no obvious way to get a config backup via SSH or SCP, so
may not integrate well into existing config differential/backup
systems


Regards,



Andrew


On Fri, Aug 5, 2016 at 1:17 PM, Ricki Cook <ricki.cook at hillsong.com> wrote:
> +1 Palo Alto
>
> We looked at the Sophos XG series as we also use Sophos on our end points.
> Can't remember what exactly, but it lacked some real networking
> functionality that I was hoping for.
>
> I wanted something that wouldn't choke at 10G+
>
> We went with Palo Alto. We've swapped out ASA55xx series for Palo Alto
> PA5050's in an Active/Active cluster.
>
> I keep finding new features every day that make me glad we got them!
>
> - Ricki
> _____________________________
> From: Matt Smee <m.smee at unsw.edu.au>
> Sent: Friday, August 5, 2016 10:57
> Subject: Re: [AusNOG] New NGFW recommendations
> To: <ausnog at lists.ausnog.net>
>
>
>
> +1 for palo alto firewalls, incredible stuff.
>
>
>
>
>
> From: AusNOG [mailto:ausnog-bounces at lists.ausnog.net] On Behalf Of James
> Hodgkinson
> Sent: Friday, 5 August 2016 10:52 AM
> To: Randall Bradford <Randall.Bradford at maxsolutions.com.au>
> Cc: ausnog at lists.ausnog.net
> Subject: Re: [AusNOG] New NGFW recommendations
>
>
>
> I've used ASA-X, Checkpoint and Palo in anger, give me a Palo any day (and
> pay for Panorama if you have more than one cluster)
>
>
>
> James
>
>
>
>
>
> On Fri, 5 Aug 2016, at 10:46, Robert Hudson wrote:
>
> I'd be immediately concerned with using the same vendor at multiple levels
> in your security stack.  Defence in depth should apply here - a different
> vendor/product at each layer.
>
>
>
> My current employer is a Check Point customer, but I also find the Palo Alto
> story quite interesting, particularly in the NGFW space.
>
>
>
> On 5 August 2016 at 10:29, Randall Bradford
> <Randall.Bradford at maxsolutions.com.au> wrote:
>
> We are replacing our older ASA5520 Firewall.  We currently use Sophos for
> end point protection.  Does anyone have any pros/cons using Sophos XG?
>
>
>
>
>
> Randall
>
>
>
>
>
>
>
> _______________________________________________
>
> AusNOG mailing list
>
> AusNOG at lists.ausnog.net
>
> http://lists.ausnog.net/mailman/listinfo/ausnog