My new homelab Firewall is insane! // Sophos XGS 2100

  • Published: Aug 5, 2024
  • I've put a new firewall appliance into my server rack, which is complete overkill! In this video, I'll show you the Sophos XGS 2100, and how I'm using it to protect my internal home network and my home lab servers (and also WiFi access points). #Sophos #Cybersecurity #HomeLab
    Sophos XG Home Tutorial: • Protect your home netw...
    Sophos XG Home: www.sophos.com/en-us/products...
    Timestamps:
    00:00 - Introduction
    01:14 - Unboxing
    03:55 - My network Setup
    05:56 - Configure Firewall Rules
    10:23 - Advanced Protection
    13:36 - WiFi Setup
    14:32 - Upcoming projects

Comments • 239

  • @kevinyu9934 2 years ago +1

    This is very helpful. I adopted Sophos XG as my main firewall now. Thanks for the amazing content!

  • @Glatze603 2 years ago +1

    Really great Christian and thanks a lot for your time and your expertise! I love the Sophos XG functions ips, web filtering and app control. I use a Sophos XG as my second firewall in my homelab (lan > opnsense > dmz > sophos xg > internet) - ok, this is what the bsi recommends in case you have systems in a dmz (cgnat-connection) and that's not a typical homelab infrastructure, but I like to do things a little bit more secure and it works very well.

    • @christianlempa 2 years ago +1

      Thank you so much! It's great to do this in a homelab, and I think it's important for everyone who runs a server. Maybe a bit overkill, but as you correctly said - we like to do things a bit more secure :)

  • @chriscarvajal7543 2 years ago +2

    Love Sophos. I had an XG85w until recently upgraded to the XGS 87w. Very pleased with the ability to configure and secure my home network.

  • @AddiComedy 6 months ago

    I would love to pick your mind on security, you're one of the only knowledgeable sophos channels. 🌟

  • @svettnabb 2 years ago +10

    That is a juicy piece of gear. Sophos with Zero trust (using the endpoint health/heartbeat) is nice functionality. Sophos also have network switches now.

    • @christianlempa 2 years ago +2

      Oh yeah, guess which switch will be added soon to my lab!

  • @mrd4233 2 years ago +1

    Nice demo and extremely powerful firewall for homelab!

  • @Mr..E.. 2 years ago

    Amazing video, very detailed.
    Much appreciated!

  • @justinrutledge1221 1 year ago +4

    Whether or not you the viewer like Sophos or not, it sure is refreshing to see a "home lab" that isn't just a copy cat of someone else's Unifi crap. I have used Sophos off and on for several years and I have to agree with Christian on their current quality and feature set. Yes, the XG vs UTM debate will rage on for years, but they are making steady progress.

    • @canadianwildlifeservice8883 1 year ago

      The feature set is unsurpassed by any other free firewall, but the UI of the web filter is worse than anything imaginable

    • @Traumatree 6 months ago

      @canadianwildlifeservice8883 My home lab is setup with Fortigate + Fortiswitch + FortiAP and I can assure you it surpasses what Sophos offer by a mile. At a cost though.

    • @MelroyvandenBerg 1 month ago

      I hate unifi so much 😅

    • @Wahinies 16 days ago

      @canadianwildlifeservice8883 *laughs in Fortigate*

  • @gswhite 2 years ago +2

    Great video, thanks. I run Unifi UDM Pro with their APs. Very happy.
    I ran pfSense before, and was very happy with the solution.

    • @christianlempa 2 years ago

      Sounds great as well!

    • @MichaelSmith-fg8xh 2 years ago

      What's been the experience going from pfsense to Unifi for routing?

    • @gswhite 2 years ago

      pfSense is a much more efficient and more rounded firewall/router than UDM Pro. Unifi is not as accomplished at routing over pfSense.
      But over the last year UniFi have made significant improvements to function and the interface.
      You can't beat UniFi for their equipment either. Their WiFi 6 kit and switches are superb and I work in I.T. Their SDN approach for their kit is spot on and I am very happy with it. Having a single cohesive platform is nice.
      I have often thought of placing a pfSense in front of my UDM Pro but that would have double NAT issues.
      I do love pfSense though and now they offer the advanced license for free for home users it is tempting to go back

  • @mariotubelecce 2 years ago +8

    this is the overkillest overkill of all homelab videos!

    • @christianlempa 2 years ago

      Yeah 😆

    • @umair-altaf 2 years ago

      I think you are right, but it is still good to have such fw at home and not only in data centers

  • @mihawk3302 1 month ago

    This video is so good.
    Thanks!

  • @Spydaw 2 years ago

    Great video, thank you it was really insightful!

    • @christianlempa 2 years ago +1

      Thank you! Glad you liked it :) Btw, I'm thinking about a future k3s video and use it as a load balancer, let's see how that works :D

    • @Spydaw 2 years ago

      @christianlempa Oh yea, that would be an awesome video, can't wait ;)

  • @parl-88 2 years ago

    Great Video. Thanks sir!

  • @TH3S3R4PH 2 years ago +1

    I'm using the virtual appliance of sophos for many years now... Great stuff also with HA and so on

  • @derek400004 1 year ago

    Hello! Can I ask if the XGS 2100 will be able to maximize a gigabit internet connection?
    I see some people benchmark the next level down (the XGS 136) and that firewall barely maintains 600 Mbps when NGFW settings are turned on, even if there is only 1 firewall rule and 1 wired user.

  • @user-qo6kf6om3q 1 year ago +1

    Hey Christian, out of curiosity, can you tell me what the hardware specs are on the XGS2100 (e.g. open an advanced shell and run "cat /proc/cpuinfo" "cat /proc/meminfo")? I only ask because the XG/SG series have pretty standard x86_64 Intel architecture (e.g. I have an XG210 w/a Celeron G3900 & 8GB RAM), and I am curious what has changed with the XGS series. Thanks!

  • @Weirlive 2 years ago +1

    love it! if I didn't get to use a Paloalto I'd be looking at both PFsense and Sophos

    • @christianlempa 2 years ago

      Thanks mate! Paloalto and PFSense are also great btw :)

  • @n3m3f3 2 years ago

    Love Sophos!

  • @DerTim 2 years ago +1

    I have a question:
    I have a Portainer Setup online for beta features, but I would like to use an SSO especially for apps like the registry frontend from Konrad Klein. Is there a simple ready-for-prod solution to use for this? I use nginx as reverse proxy. ;)

  • @scholziallvideo 1 year ago

    hi,
    perfect video.
    i use sophos xg in the datacenter where my virtual systems are running.
    And a sophos xg on an intel nuc with 2 Ethernet ports at home :)

  • @HerzGegenFame 2 years ago +6

    Great video and showcase of the Sophos XG features!
    In my experience u should avoid bridges in Sophos or other firewall devices that don't have dedicated switch chips.
    For a homelab it's fine, but i wouldn't deploy bridges in prod since CPU switching has higher latency.
    Keep up the great work :)

    • @christianlempa 2 years ago +1

      Thanks mate! Great feedback. Btw bridges will be removed once I upgrade to my new Switch, guess which one it will be 😀

    • @HerzGegenFame 2 years ago +2

      @christianlempa Budget options that come to mind are the CRS317 If u only need 16 sfp+ cages or the CRS328-24P-4S+RM for poe and sfp+ :D

    • @TritonB7 2 years ago +1

      Agreed and great advice.

    • @christianlempa 2 years ago +2

      I've done a test with 10Gbit, as I now finally have one in my PC. And you're absolutely right, it seems the bridge interface is taking down the performance from 9.5Gbit to 6.5Gbit, which is really heavy! Btw, I'll test the new Sophos Switch in the Setup, then I can get rid of all bridge ports, luckily :)

    • @HerzGegenFame 2 years ago

      @christianlempa didn't even know that they released a Switch ^^
      We are only working with the FWs.
      Looking forward to it

  • @Gnanmankoudji 1 year ago

    Hi! Is the XGS 2100 noisy? Our rack is not in a soundproof room, so it could be a problem if it's noisy.

  • @markarca6360 2 years ago

    I have seen one since it was Astaro (that company merged with Sophos). I have been an intern at a government agency here in the Philippines (They use Astaro Security Gateway, then it was replaced with a Sophos appliance). One of the good things is that it will download large files (such as ISO files), in itself, in order to save on bandwidth.

    • @christianlempa 2 years ago +1

      Cool that you still remember astaro 😉

  • @shetuamin 2 years ago

    Good demo. Thanks. I am waiting for 10g Lan video. I hope this will not be very costly.

    • @christianlempa 2 years ago

      You're welcome! Well we will see, 10gbit is never cheap

    • @MichaelSmith-fg8xh 2 years ago

      10gb switches (mikrotik) and NICs are affordable now

  • @vasquezmi 9 months ago

    Hello sir I recently purchased a used Sophos XG300 series. I wanted to inquire about some of the reporting and identity features in zenarmor. Are there comparisons in sophos or are those licenses we would have to purchase.

  • @epictetus9766 2 years ago

    Wow, that's a decent bit of kit. How do you find the performance vs your virtual machine? I've got a Sophos XG, on Proxmox (setup with your video), that has 4 10900K cores and 6GB RAM - it doesn't do very well with all the security features turned on.

    • @christianlempa 2 years ago +1

      I've not done any performance comparisons, but the XGS series has a specific processor that is used for the dpi computing, traffic offloading, etc. That has a huge performance improvement when using the security features, depends a lot on the use case, but it can be much faster than any other cpu. However, security features like IPS, SSL inspection can make a 10gbit/s to something like 2.5-3gbit/s, that is "normal" and expected.

  • @MadChristianX 1 year ago

    Is it possible to use this firewall with a free home license in a homelab? if yes are there any performance drops?

  • @emilnaklicki6837 1 year ago

    Cool video. Just curious, why not go with the sophos switch at this point. It would make for an interesting video as well. I'm curious if that would be managed from the firewall like Fortinet does it.

  • @BrianDilks 2 years ago

    Great video. Would love to see some more budget friendly hardware options as well.

    • @christianlempa 2 years ago

      Thanks :) you can just use the home version on a PC or VM for a budget option

    • @JasonsLabVideos 2 years ago

      Good luck with that. Sophos is a CPU intense piece of software.

  • @alonzosmith6189 2 years ago

    Nice, something other than Unifi and Pfsense gateways. Thanks for sharing

  • @zachfenton608 2 years ago

    Very nice.

  • @darkjake80 1 year ago

    Hey, Question for you. Are you using Sophos Home Edition Firewall or are you using a full enterprise license? I have a Sophos XG125 and am looking to switch to Sophos Firewall Home so I don't have to pay any license fees.

    • @christianlempa 1 year ago +1

      I’m using their enterprise license, but what you can do is flash the XG125 with the software version, make sure to erase all the partitions with gparted first. Then you can use the home license :)

    • @darkjake80 1 year ago

      @christianlempa To install Sophos Home on an XG125, I need to wipe my appliance clean? I tried to install without wiping it and that did not work. Based on your last comment, clearing the partitions is essential?

    • @christianlempa 1 year ago +1

      @darkjake80 yes

  • @aallvvii99999999 1 year ago

    Hi, Really nice video. Just a quick question, I bought a used sophos xg 210 firewall, now I want to transfer the device registration under my account. Unfortunately I am not able to contact the current device registrar. Is there any way I can register the device under my account and enable evaluation licence as I will use it for my home network only.
    Thx

  • @RenaudSchweingruber 5 days ago

    Asking myself about physical XGS 2100 or 136 for my homelab or home version (4c, 6GB) virtualized on proxmox on a beefy i5-14500. Any advice ?

    • @christianlempa 5 days ago

      A virtual firewall is less power hungry, but also less flexible and dependent on the hypervisor host. I prefer running a firewall outside of the hypervisor, but both are viable solutions

  • @dl2085 1 year ago

    Can this firewall also work as an external load balancer for a kubernetes ingress controller? Similar to Kemp or haproxy?

    • @christianlempa 1 year ago

      I’m using a simple dnat rule which kinda does some load balancing between the nodes, if that’s what you’re asking.

  • @BallerBubi 2 years ago

    Nice one christian! Who doesn't love a bit of an overkill on the home network :) How did or would you handle guest WiFi with the Sophos access points?

    • @christianlempa 2 years ago

      Thank you! Absolutely, we like to go crazy on home labs :D I'm not running a Guest WiFi at Home, but it's pretty easy to do that. The usual WiFi can be "bridged to AP LAN", which will just bridge all WiFi clients to the LAN zone. You can also create another wifi network as a separate zone, this will be a separate interface you can put in a different zone and control with firewall rules separately. That's how you typically set up a Guest WiFi, you can also think about adding hotspots and vouchers to that.
      Hope that helps ;)

  • @AdHdEntertainmentLLC 2 years ago

    I am planning my first homelab for Cybersecurity research so plan on new firewall and server builds.

  • @tongaexpress 2 years ago

    I am really considering an XGS or a PFSense. The issue is I love and already use the Unifi Dream Machine Pro. Is it easy to set up one of those firewalls on the front end then go to the Dream machine?

    • @MichaelSmith-fg8xh 2 years ago +1

      Lawrence systems has a video on setting pfsense and udm pro up together. I don't see the good side of having two routers in series like that.

    • @christianlempa 2 years ago

      Thanks for sharing, yeah Tom has great videos about that ;) In theory you can combine all of them together (however, it might not make sense), it's just a matter of how you're configuring it.

    • @ChadHigh09 2 years ago

      Pfsense will not disappoint

  • @BenGillam 2 years ago

    Nice setup, did you buy the firewall or did Sophos supply for the channel? Not the cheapest! Quite a bit of kit just sold this model to a client to install in a couple of weeks on a new site looking forward to seeing what difference the extra horsepower in the XGS line brings

    • @christianlempa 2 years ago +1

      Yeah the XGS has a lot of improvements to accelerate the traffic. Btw I got the devices for testing, as I'm working for this company.

    • @BenGillam 2 years ago

      @christianlempa look forward to seeing more videos. Nice jacket too just noticed :) might have to hit up our account manager for some swag

  • @acb9193 2 years ago

    I added Sophos xg free after one of your videos😁

  • @nicholaskorfer8257 2 years ago

    Will there be any disadvantages when I'm running this xgs firewall with an home licence?

    • @christianlempa 2 years ago

      The hardware appliance does not run with a home license, that only works on vms or software installations on your own hardware

  • @aflawrence 1 year ago

    I just rewatched this as I was able to get a Sophos 210XG hardware appliance, I am really curious if you have some ideas or links to explore setting up rules and policies. Also, really interested in your current Sophos setup and rules.

    • @christianlempa 1 year ago

      I’ve done a video about XG on Proxmox, maybe that’s helping you

  • @mejohnm 2 years ago

    I have a question. How loud is the XGS 2100? I have my cabinet right next to my desk in my living room.

    • @mejohnm 2 years ago

      I heard you mention the firewall in another video that you can hear it from your small room next to your work room. Is it really that loud?

  • @t4ir1 2 years ago

    It would be interesting to know if you get more features on the hardware appliance than you get with the home version? I really like this appliance but I am not sure about license costs, what is included in the free part and what you have to pay on the side. I'd like to make use of IPS definitely and the WiFi ecosystem, but I don't want to have to pay a yearly license for it.

    • @christianlempa 2 years ago

      The features are actually the same, there is a small difference in IPS signatures based on the appliance sizing, but the home license covers everything. It's however not possible to run the home license on Hardware models and it's limited to 4cpus and 6gb mem.

    • @t4ir1 2 years ago

      @christianlempa thanks! Does this mean that if I get the hardware appliance, IPS is also included (with more signatures)? I saw that it was part of the network protection licensing package and I was not sure about costs.

  • @FYDanny 2 years ago

    I'm using Sophos XG210 more than 2 years at my home. Now running with XGS2300😆

    • @epictetus8028 2 years ago

      Very nice! Do you put the home licence on that hardware?

  • @msedv5424 2 years ago

    Really awesome project! How does one get a Sophos without being a partner? Presumably you became a partner yourself and took the NFR kit? Cool in any case, more of this!!

    • @christianlempa 2 years ago +1

      Thank you very much! This is my test device, since I work there ;)

  • @95923843 2 years ago

    I am using Fortigate 30E as my home firewall !

  • @anthonyjhicks 2 years ago

    I'd love if you explained how to create security within local IPv6 networks rather than IPv4. I feel the IPv4 VLAN layer 2 is well explained, however I do not see how to achieve that security between separated subnets with IPv6 or even how to approach it correctly. As a result I end up with falling back to our old dated IPv4 approach - running seven IPv4 VLANs at home for Clients, Servers, Container, DMZ, IoT, Guest and VPN. How do I get that separation on IPv6? Sophos looks interesting but so IPv4 :)

    • @christianlempa 2 years ago

      Thank you so much! And great feedback :) I've not looked too deeply into IPv6, but that reminds me of doing that at some point!

  • @nate806 2 years ago +1

    Are you using a commercial license or home license? Do you have access to a partner to purchase the equipment?

    • @christianlempa 2 years ago +1

      I'm using the commercial license, the home isn't available for hardware appliances.

  • @zaluq 2 years ago

    Still getting slow internet with Sophos XG even with no filtering , Pfsense ?

  • @propeto13 2 years ago +5

    Dell R210 II w/pfsense is still greater than XGS2100 in 2022

  • @balla2172 2 years ago +1

    Do you need to pay a fee for it to function?

    • @christianlempa 2 years ago

      Not for the basic functions, only for advanced features.

  • @stefandietzel5024 2 years ago +1

    I'm happy, when our Sophos Firewalls are replaced with Forti. 🙂

  • @jesusandrade1292 2 years ago

    I love this video and another sophos XG. I used in my lab and a little clients in a virtual appliance and wow... I LOVE SOPHOS, is soooo better to pfsense, or Meraki Cisco.
    Thanks for sharing your knowledge and experience. Greetings from Caracas, Venezuela.

    • @christianlempa 2 years ago +1

      Thank you! Glad you liked the video 😀

  • @elmeromero303 2 years ago +1

    Good Video. Thanks. I was using it since it was called Astaro - a German Company that was bought by Sophos. For Home Lab purpose i (would) use the free Version on a good Hardware Appliance. Not everyone has a Budget of several thousand EUR/USD for the expensive yearly license subscriptions. Maybe you can make a Video of a DIY Appliance with the free Sophos Version?

    • @christianlempa 2 years ago +1

      Yeah, I worked in the old offices of Astaro after they got acquired, very cool team! Maybe I'll do another video about the Home Version at some point, but IDK yet

  • @PowerUsr1 2 years ago +2

    To be clear without TLS decryption, MITM yourself, Sophos is not doing anything more than what Suricata on PFsense is doing. Best case pattern matching on secure traffic. The flexibility to assign different L7 policies per interface is lacking on both pfsense and OPNsense which is really strange but there are additional apps like Sensei that can fill the gap.

    • @ig00g1e 9 months ago

      Wish more people knew this. Many implementors of this technology don't adequately articulate the fine point. Meanwhile SMBs are paying 10s and thousands in licensing fees.

  • @Caphaldor94 2 years ago

    I'd love to get my Hands on one of these...I'll even take one of the Desktop Models :D. Currently running a virtual v19 one in front of my "Homelab" Server (rented at Hetzner).

    • @christianlempa 2 years ago

      Wow cool! I still need to update mine to v19 😆

    • @Caphaldor94 2 years ago

      @christianlempa Got the v19 briefing webinar at my old Job and used the EAP immediately. Still need to get a hardware for the Home, redundant internet connections in the near Future.

  • @RobinSimon105 2 years ago

    The XG Hardware Appliances are great .. but i prefer the UTM Firewall.. these zones makes me crazy .. if there is more than a bunch of Destination NAT-Rules. And where is the Reverse Proxy for real webservers on the same https port?
    Also Running my UTM on an Dell R720 virtually. Like it! 😍

    • @christianlempa 2 years ago

      I think the Zone concept is great and makes things a lot easier, but yea it does need to time to get used to if you're coming from UTM ;)

  • @JasonPhillipsXeariaN 2 years ago +1

    Wow man. Your home Sophos is overkill. My company has used XG115s and XG125s for small to medium sized businesses 10-100 people 100+ devices for years with no issues. We are running XG210s in HA for COLO server/VOIP applications, and XGS3100 in HA for larger business 100+ people 1000+ devices.
    I'm certified as a Sophos Architect and I just use a Sophos home license on an old Datto NUC type box. Never had any issues either. That license gets me all the features I actually use. No need for NFR renewals like I had to do when I had actual Sophos hardware.

    • @christianlempa 2 years ago

      Cool! Another Sophos fan :)

    • @Maxzier14 7 months ago

      hi i need advice my hospital plans to buy sophos with an xtrean license and web server protection with 300-500 devices I wonder what series? is xgs 2300 enough or xgs3300?

    • @JasonPhillipsXeariaN 7 months ago

      @Maxzier14 That is hard to answer without knowing your environment and your needs. Do you have an estimation of the throughput, and services that you will need to enable on the firewall? That is going to be your biggest issues with size. As you enable services like IPS, HTTP/HTTPS/FTP/Web Filtering, Advanced Threat (If licensed), Web Server Protection (etc...). It really starts to eat into your throughput and will slow down all traffic. This can really be a problem if your WAN connection(s) are faster. This could be as little as a 200+ Mbit connection. You can start to lose a lot of your speed when you enable filtering services. It is also possible to see slower internal zone speeds even if those services aren't enabled for them. From a security and compliance standpoint. I recommend that you use as much of the filtering options as you have available.
      We had this issue several times when newer connections became available. We could only get less than 200 Mbit speed out with some of the gen.1 and gen.2 XG's with the Web Filtering/HTTP/HTTPS/FTP services turned on.
      Luckily the XGS offloads "trusted" with traffic due to the xstream routing and doesn't scan it. That does help with overall throughput. I would still size to your overall need without considering the offloading just to be safe.
      If you have a Sophos login. They have an assisted sizing guide. It's called the Firewall Sizing Calculator. If not there is a PDF sizing guide available. You will have to do some of your own calculations based on estimated connection count and throughput numbers.
      Sophos will always try to oversize you when recommending firewalls. You should be able to get a pretty good idea what you really need by adding up the estimated throughput needs compared to the charts though.
      Also something else you need to consider since you are a hospital, and any downtime is probably not acceptable. You need to be in HA (High availability). That is two+ firewalls active at any time. You have different HA options that can affect your traffic too. You can have traffic flowing out of multiple firewalls, or just have one live and the rest backup. The HA is necessary to guarantee uptime. All firmware updates require a reboot. If you are in HA. The live one(s), or primary depending on your config will update its firmware, transfer traffic to one of the other firewalls. When the primary comes back up, each will update its own firmware by priority. You won't see any downtime.
      Hope that was helpful. You can talk to your sales rep, and they should work with you, or get an engineer involved. Just remember they will try to oversell to you. It helps to have an idea of your actual needs.

  • @canadianwildlifeservice8883 1 year ago

    Amazing that you can use Sophos on any PC, and add NIC cards to it to make it just like an XGS appliance. Be aware that the home license only supports up to 4 CPU cores and up to 6Gb of ram.

  • @NiceDevil 2 years ago +8

    Nice video as always... unfortunately the Sophos XG isn't as good as the UTM from the past :/ it lacks a lot of features... just one stupid missing thing "NTP Server"... yep you read right, the XG isn't providing the NTP service for your lab. The XG got a RevProxy but can't do LetsEncrypt... really strange the decisions Sophos made, especially with their support right now.
    That is just my experience so far (using a XG right now virtualized in home lab for testing, and UTM SG210 at company)...
    Nice to have the new next gen features but not at the cost of "standard stuff"

    • @christianlempa 2 years ago

      Can absolutely understand what you're saying. However XG has some nice features UTM doesn't have, so it always depends on the use case what's really needed.

  • @marcuslindberg1279 2 years ago +4

    Pfsense is the way to go 😉

    • @christianlempa 2 years ago

      Pfsense is great, but it's good to have some choices isn't it? :D

  • @Scraptor 2 years ago +1

    Haha, a 2k firewall for the homelab, just like that :D I think it's good that Sophos also sponsors something for "smaller" YouTubers. I wouldn't want your electricity bill, though :D

    • @christianlempa 2 years ago

      Of course, if you're going to do it, do it properly! 😀

    • @salat 2 years ago

      But he is a "Technical Account Manager at Sophos"..

    • @Scraptor 2 years ago

      @salat Ah okay, I didn't know that, thanks.

  • @JasonsLabVideos 1 year ago

    Do you run Sophos Home XG on your 2100 ?

  • @HisLoveArmy 1 year ago

    Can you do active / active with two WANS?

  • @salat 2 years ago +2

    Is that short "includes paid promotion" enough? Since you work for Sophos in Germany, shouldn't there be a big "DAUERWERBESENDUNG" displayed in the corner? :)

    • @christianlempa 2 years ago

      Good question, probably more for a lawyer than me. I'm committed to mark it as a "promotion/advertisement" as long as I receive products without paying for them, or if I'm paid for making a video. But as far as I know, it is no clear regulation on how exactly that is needed in Germany, so therefore you might see many people who include a "DAUERWERBESENDUNG" banner, but it's just one way to handle this. And it was very common before youtube added the checkbox to mark a video as "paid promotion".

  • @Marc-td7nn 1 year ago +1

    Can you buy just the appliance and then load the homeuser free license?

    • @christianlempa 1 year ago +1

      You can, but you need to erase the disks and reformat it with the software iso

    • @canadianwildlifeservice8883 1 year ago

      @christianlempa is the XGS supported by ESXi free edition....that you are aware of? Proxmox has all the features but many users are only familiar with VMware.

    • @user-qo6kf6om3q 1 year ago

      @canadianwildlifeservice8883 I'm not sure that question makes any sense. XG Home software can probably run on anything that can emulate a standard x86_64 desktop architecture, but the XGS is a hardware platform.

    • @canadianwildlifeservice8883 1 year ago

      @user-qo6kf6om3q let me rephrase it. Does ESXi support installation on the XGS firewall appliance? Yes the firewall software ISO can be installed within ESXi, but does ESXi support the hardware of the XGS? Proxmox can run on anything, but VMware has more limited hardware support.

    • @user-qo6kf6om3q
      @user-qo6kf6om3q 1 year ago

      @@canadianwildlifeservice8883 Gotcha, that is a much more niche question. Seems to me, at this point, XGS hardware, being current, would be an overly expensive server base. My guess is that, with the x-stream offload chip, things are a bit more proprietary than the SG/XG hardware.

  • @ikpeessien7399
    @ikpeessien7399 1 month ago

    I am using one

  • @thecamtechh
    @thecamtechh 6 months ago

    Nice, how much is it?

  • @roya2045
    @roya2045 2 years ago

    Hi, can you make videos on elastic search cloud for monitoring networks? Please reply.

  • @ricomilland8654
    @ricomilland8654 1 year ago

    Nice video. Do you know that the Sophos UTM (Astaro) is a much more refined and stable product from Sophos? That system is insanely simple, not confusing and ugly like XGS/Cyberoam. Everyone trying to use multiple VLANs with many rules knows that XGS is just a toy, and the UTM with its object-based settings and rules is a lot better.
    The GUI is older looking, yes, but that is actually a good thing because it is tested and loved. It is easy to understand.
    The Cyberoam GUI is pretty but not usable for much more than WAN+LAN+DMZ. You could make a video comparing the 2 systems.

    • @christianlempa
      @christianlempa  1 year ago

      Hm, I don't know, I like the XG interface a lot more than UTM tbh.

    • @ricomilland8654
      @ricomilland8654 1 year ago

      @@christianlempa The interface is more modern and looks good, but a better network product it is not (in my mind).
      I will encourage you to compare the features, and actually run them with configs with multiple VLANs, multiple rules, country blocking, WAF/Let's Encrypt, regex.
      There are a lot of features that do not exist in the new one. It is not without reason that the UTM still exists; if it got discontinued, people would go for a Palo Alto or a FortiGate.

  • @michaelloving8004
    @michaelloving8004 2 years ago

    I'm running Sophos XG v19 on an HP DL380 G7, 8 GB RAM, RAID 5 storage

  • @lewiskelly14
    @lewiskelly14 2 years ago +4

    How much did they pay you for this ad?

    • @christianlempa
      @christianlempa  2 years ago +1

      Nothing. I just genuinely like the products. I got the devices for free, regardless of making a video or not.

    • @blancfilms
      @blancfilms 2 years ago +3

      @@christianlempa My opinion: In videos like this you should disclose that you work for Sophos (for transparency's sake)

    • @salat
      @salat 2 years ago +1

      He works at Sophos Germany.. :)

  • @taetschmeischter
    @taetschmeischter 8 months ago

    A Sophos firewall and then a TP-Link switch, exactly my kind of humor ;-)

  • @MaurizioPiraccini
    @MaurizioPiraccini 2 years ago

    A 300 users / 4k $ firewall seems excessive for a home lab! I'm considering 2 of them for a mid-sized company, to replace 2 WatchGuard M370.

  • @TheOnlyEpsilonAlpha
    @TheOnlyEpsilonAlpha 1 year ago

    Looks like an impressive product, but the price tag is completely off the charts. 2.5k Euros is way too much for one device.

  • @nixxblikka
    @nixxblikka 2 years ago

    Do you work for Sophos?

    • @christianlempa
      @christianlempa  2 years ago

      Yeah that's right. I guess now over 5 years

    • @erichuddleston4611
      @erichuddleston4611 2 years ago

      @@christianlempa me too! Enjoying this company so far 😁

  • @Martin-lo4kb
    @Martin-lo4kb 2 years ago

    Have you tried the IPv6 capabilities of the Firewall? IPv6 is poorly implemented in most Firewalls.

    • @MichaelSmith-fg8xh
      @MichaelSmith-fg8xh 2 years ago

      Seemed OK in pfSense and OPNsense, although it was sometimes annoying to get a WAN configuration that gave IPv6 internet (poorly documented, secret handshakes etc.)

    • @christianlempa
      @christianlempa  2 years ago

      There is an IPv6 support page in the online help, where you can find out what's supported and what's not on the XG regarding IPv6:
      docs.sophos.com/nsg/sophos-firewall/18.5/Help/en-us/webhelp/onlinehelp/AdministratorHelp/IPv6FeaturesServices/index.html
      Note that this might change in future versions, of course!

  • @balla2172
    @balla2172 2 years ago

    2100 MSRP, not bad, but fear it's gonna be a pay-to-operate license. I'll watch and hold my breath.

  • @linuscane
    @linuscane 2 years ago

    Can you get a pop filter for your mic or do some basic EQ to get rid of some of the plosives like "p's" & "b's"? They seem a bit too strong in the audio.

    • @christianlempa
      @christianlempa  2 years ago

      Which part do you mean?

    • @linuscane
      @linuscane 2 years ago

      @@christianlempa I noticed it at about 6:20, but rewatching other parts of the vid it didn't seem too bad; might have just been that section. It was just a bit off-putting really. Might just be me :)

    • @christianlempa
      @christianlempa  2 years ago

      @@linuscane thanks! Might be when I'm a bit too close to the mic.

  • @psycl0ptic
    @psycl0ptic 2 years ago

    Now you can upgrade it to make it better - install pfSense on it.

  • @Stopinvadingmyhardware
    @Stopinvadingmyhardware 2 years ago

    Needs integration with a UPS system

  • @roelpluijmen
    @roelpluijmen 2 years ago +1

    great, a 2k firewall for home use

  • @MelroyvandenBerg
    @MelroyvandenBerg 1 month ago

    You have an outro two times? 😅

  • @renehoehle
    @renehoehle 1 year ago

    I have now migrated some Sophos UTMs to XGS. I found so many bugs and UI problems. It's like a culture shock: you spend the whole time searching for some parts in the menu, which is really not intuitive. The performance of the UI is very slow, and sometimes you won't get a response and you get stuck on that loading screen. So this is version 19.5 now, and this is the product of years of development. Sorry, but this is very sad.
    The whole system looks to me like someone started building a green-grass project and then, oh wait, we forgot IPv6 and we have to make a second area for it. OK, but then the customers have to make duplicate rules. OK, that's no problem. In most cases the whole structure makes no sense. I had a call with support, and they had the same problems and mentioned the same. And he told me that most customers have the same problems. So why is Sophos not listening to the community and taking 2 people to fix all the small problems?
    The answer is money. Sophos changed the prices 3 times in one year and they aren't lowering the prices. But the product won't get better.
    But your video is great; it's only my opinion of the XGS systems.

  • @a.m.653
    @a.m.653 2 years ago +33

    Everyone who has worked with other firewall vendors knows that the Sophos XG is one of the worst firewalls on the market.

    • @BenGillam
      @BenGillam 2 years ago +1

      That’s utter rubbish.
      There is probably better, but if you work with SMB and use Sophos AV they are great. Capable and affordable.

    • @TritonB7
      @TritonB7 2 years ago +2

      Agreed, their support has been abysmal.

    • @BenGillam
      @BenGillam 2 years ago +1

      @@TritonB7 What country? I’ve never had problems with support. Sales is another matter; they relocated sales to Manchester, I think, and caused a lot of staffing issues.

    • @JasonsLabVideos
      @JasonsLabVideos 2 years ago +3

      Agreed 100%, it's crap.

    • @flyingfpv1094
      @flyingfpv1094 2 years ago

      Seriously lacking in features network engineers look for which kills their creativity in network configuration.

  • @Lacsap3366
    @Lacsap3366 1 year ago

    The problem I have with the XGS is that, to use the Sophos XGS in a meaningful way, you need yearly licenses that can easily cost €11,816.38 for 3 years.
    Without this subscription, the Sophos XGS can't do much more than an OPNSense.
    If I understood correctly, without this subscription the XGS has no:
    - TLS Decryption
    - IPS
    - DPI
    - Web Security & Application Control
    - Zero Day Protection
    - Feature updates
    Which in turn makes the XGS kind of useless.

    • @christianlempa
      @christianlempa  1 year ago

      I wouldn't recommend such a system for the home user either. The software can also be installed on a normal PC. There you have all the features completely free!

    • @Lacsap3366
      @Lacsap3366 1 year ago

      @@christianlempa
      That's good to know.
      Why would anyone still go for the Sophos XG as a hardware appliance, then, if you can use the software completely free on your own hardware?

    • @christianlempa
      @christianlempa  1 year ago

      @@Lacsap3366 I get the test devices including the license for free, otherwise I would have done it differently too ;)

    • @Lacsap3366
      @Lacsap3366 1 year ago

      @@christianlempa
      Ah, got it. Thanks for the info!

  • @VolkerHett
    @VolkerHett 2 years ago

    Somewhat expensive, even with all the goodies a Platinum Partner with Sophos gets for demo equipment.

    • @christianlempa
      @christianlempa  2 years ago

      Yeah it's a bit overkill :D But the home license is also a nice option!

    • @Wahinies
      @Wahinies 16 days ago

      *laughs in Meraki*

  • @BillyOfTea
    @BillyOfTea 2 years ago

    I'm just a minute into this video wondering, "What group of Russian hackers did this guy piss off?"

  • @adambrown3918
    @adambrown3918 2 years ago

    $2000.00 dollars for a HOME firewall? That probably doesn't include the subscription either? NO!

    • @christianlempa
      @christianlempa  2 years ago +1

      The firewall comes with a base license, but some features cost extra.

    • @9954140801
      @9954140801 1 year ago

      Licensing for 3 years of xstream protection along with hardware XGS 2100 would cost around 6 to 7k

  • @tmydosh1
    @tmydosh1 1 year ago

    I tried installing Sophos Free Home Firewall on a spare PC, but there is no documentation for this product on the Sophos website. I even asked around several times on their support forum and nobody knew what I was talking about, even a tech support person. Not impressed.

  • @bogy5259
    @bogy5259 7 months ago

    So now you pay thousands of dollars yearly for licensing? xD

  • @rafaelpereiradias2567
    @rafaelpereiradias2567 2 years ago

    I use the Ubiquiti solution.

    • @christianlempa
      @christianlempa  2 years ago

      Seems like a great solution for home networks!

  • @rpsmith
    @rpsmith 2 years ago

    $2,000 -- No Thanks !

  • @Voigt_Analytics
    @Voigt_Analytics 3 months ago

    Nice thing, but you first have to be able to afford that as a "home lab" toy. Anyone who wants to give me one is welcome to get in touch. I gladly accept high-tech donations :-)

    • @christianlempa
      @christianlempa  3 months ago +1

      True :D I wouldn't tell anyone to buy this device for a home lab either. It would be better to install the Sophos Firewall Home Edition in a VM or on a small PC :)

    • @Voigt_Analytics
      @Voigt_Analytics 2 months ago

      @@christianlempa I've ordered an XG 125(w). For a mere €150. If the Home license works, I'll take on the adventure. However, I'm still struggling to figure out how to integrate it into my existing network. I have a FritzBox 7590 configured with four WiFi APs as a mesh. I absolutely want to keep using it as modem, router and mesh controller. The FB is simply great at that. What do you recommend for the Sophos firewall? Can it be used sensibly behind the FritzBox? Or somehow loop the traffic through as a DNS server? The €350 DSL SFP module would also be quite nice, or the 3G/4G(/5G) expansion card for the box. But if you want to work with VLANs later, you probably have no choice but to buy completely new APs, right?

    • @Voigt_Analytics
      @Voigt_Analytics 2 months ago

      And then it's also my phone system. It's going to be really hard to "replace" it as a firewall. At the moment I can only imagine a router cascade. Or do you happen to have a better idea? Especially also for isolating the IoT / camera / smart home stuff?

  • @BadAssAdministrator
    @BadAssAdministrator 5 months ago

    Sophos is garbage. It's overpriced hardware and software that has changed hands too many times. It cannot reliably maintain site-to-site VPN connections. Perhaps it's usable enough for a simple home network. Ended up getting a Fortinet Fortigate 100F and haven't looked back.

  • @ChadHigh09
    @ChadHigh09 2 years ago +1

    Pfsense > sophos

  • @VideoGigs
    @VideoGigs 2 years ago

    Of course Sophos is good. It’s a sponsored segment. Did they ask you to wear their branding too? I do like your content but this video is a little disappointing! Also overkill for home labs. I’m happy with PFSense.

    • @christianlempa
      @christianlempa  2 years ago +2

      No, they didn't ask me to do anything (I'm working for this company btw). Also, I didn't ask you to shut off your PFsense, did I? PFSense is a great firewall, too.

    • @VideoGigs
      @VideoGigs 2 years ago

      @@christianlempa All good. Understood. Apologies if my comment offended you in any way. That wasn’t my intention. Didn’t know you worked for Sophos. :-)

    • @christianlempa
      @christianlempa  2 years ago +1

      @@VideoGigs no worries mate, it's all good! 😀

  • @richardjensen1744
    @richardjensen1744 1 year ago +1

    buying a firewall to pay a monthly fee, pass