PeerSpot user
Business Owner at a tech services company with 1-10 employees
Real User
The technical support is really good and the representatives are very responsive.

What is most valuable?

Reverse proxy, SSL VPN, web & email protection


For me, those features were most valuable from a security point of view:

• Reverse proxy is very important for shielding application frameworks.

• For VPN, we all knew that PPTP was broken and is not secure anymore. For IPsec, you need to have open ports, and if you are in a hotel that only has ports 80 and 443 open, you can’t do anything. SSL VPN is one of the solutions. Yes, you can use DirectAccess, but there are some limitations, too. For DirectAccess, you need to have all those computers joined in one domain.

• Web & email protection is a nice feature because you have all of those controls in one dashboard. This is of course for small and maybe some mid-size companies. For larger and enterprise, it’s another story.

How has it helped my organization?

Less and faster administration, full control of traffic, and a lot of features included in the base price.

What needs improvement?

The goal for small companies is to have one administration dashboard -- from where you can manage antivirus for computers, firewalls, IDS, IPS, mobile phones, tablets, etc.

Sophos UTM is on the right path to getting there.

For how long have I used the solution?

Sophos UTM 135 = two years.
Sophos UTM 115 = one year.

Buyer's Guide
Sophos UTM
April 2024
Learn what your peers think about Sophos UTM. Get advice and tips from experienced pros sharing their opinions. Updated: April 2024.
770,292 professionals have used our research since 2012.

What do I think about the stability of the solution?

No problems with stability.

What do I think about the scalability of the solution?

No problems with scalability.

How are customer service and support?

The technical support is really good and the representatives are very responsive.

Which solution did I use previously and why did I switch?

Cisco (didn’t achieve expectations), Microsoft TMG (end of life).

How was the initial setup?

The setup is straightforward, but I suggest hiring an expert for integration. This is your first line of defense, and there is no room for mistakes.

What's my experience with pricing, setup cost, and licensing?

Sophos UTMs are not the cheapest but they are not the most expensive. Create a checklist of what you need, and go through it with a sales representative. They will advise the right license for your company and I’m sure you can get some discount.

Which other solutions did I evaluate?

What other advice do I have?

Create a checklist with your requirements, test the solution, and if it passes everything, implement it.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
President at a tech vendor with 1-10 employees
Reseller
Very good basic firewall functions with advanced firewall scanning
Pros and Cons
  • "Good basic firewall functions with advanced firewall scanning."
  • "Updates come out agonizingly slowly, a trickle."

What is our primary use case?

We use this solution ourselves and we also deploy to our clients. It is a capable, general-purpose firewall with VPN tunneling built in, and a lot of web features if you're hosting a website. We are resellers of Sophos and I'm a partner in our company. 

How has it helped my organization?

We haven't changed our procedures as a result of using this product but maybe the flip side is the case. We haven't had to change our procedure because we have this great tool that keeps the bad guys away.

What is most valuable?

I would say the email for sure and the basic firewall functions are great features. It also has advanced firewall scanning. If you receive a file, you can have it scanned through Sophos. It's a really complete product.

What needs improvement?

Sophos has a very small crew of people who continue to work on enhancing the UTM. At some point, they had actually stopped enhancing it and the word on the street was that they weren't going to enhance it any more because everybody was going to go over to XG, but they found that 50% of their users were still on the UTM and that was five years after they'd come out with the XG line. They decided they were going to rebuild some core parts of XG, and that would take a while. It's been six years and they're still not there. The updates come out agonizingly slowly. They just trickle out and when there's a problem with an update it takes a while to sort out. It's still a viable product but the more they improve XG, the less you have a need to stick with SG.

For how long have I used the solution?

I've been using this solution for 15 years. 

What do I think about the stability of the solution?

There are some legacy things that were probably fine back in the day when it was invented in Germany, things like the IPS, the Intrusion Protection engine. It's terrific and it works really well, but it can be a little bit slow. Because of the way that some pieces are built, for example, the core for the IPS runs on only one core, even if you have a multi-core CPU. 15 years ago that wasn't a big deal because your weak link was going to be your computer. But nowadays, you could have a fast enough computer if they could just let it work with multi-cores. They clearly aren't interested in rewriting large portions of the code because they're going to the XG, so all they do is fix it or maybe add a feature that's in the marketplace. Over time, they've been adding more ways to do a VPN tunnel but some things they need haven't been added because it would require a big rewrite and they don't want to go there.

What do I think about the scalability of the solution?

The scalability has worked great for us. Everyone in our company uses it even though some may not know that they're using it. One of our larger clients, with a super computing center and some of the fastest computers in the world, uses Sophos, so I would say that it does the job.

How are customer service and technical support?

Technical support has been very good. They are very knowledgeable but it can take too long to make contact. They're great once you do get hold of them. They've solved every problem we've had.

Which solution did I use previously and why did I switch?

We've tried numerous other solutions. Cisco, and some of the other major ones that were out there, but once we started using this, it was so much better in so many ways, we just dumped all the others.

How was the initial setup?

The initial setup is pretty straightforward. They have a template which takes you through and asks what you want protected. There's still a lot to do after that because there are variations which require more work. For example, if I have clients who need to block certain email addresses, I have to go through and set those up. If I need to allow conversations which require specific ports open in order to get to a particular business or credit card processing, that has to be set up. There is a lot of HIPAA detail in it and it also has credit card compliance things which require a manual set up. The setup requires a knowledge base. 

What's my experience with pricing, setup cost, and licensing?

The solution is 100% free. You can just download the software for up to 50 IP addresses. It is a hundred percent free. Throw it on your own machine. Right, it's a native Linux product, a hardened Linux product and it's free for that sort of user.

What other advice do I have?

The solution has an email firewall built in with all sorts of functionality. It is an absolutely excellent firewall, the logging is really good, and you get great information about what's going on. It does things like GeoIP tracking and you can make decisions based on where people are coming from. It's just really a complete firewall. I would say if you're just starting right now, get the XG. Not that the UTM isn't outstanding, but it's disappearing. You might as well learn the XG. The product still works really well, although it's getting a bit long in the tooth. The sooner that they come out with the XG that can do everything that the UTM does, the faster the rest of the world will make the jump.

I would rate this solution an eight out of 10. 

Which deployment model are you using for this solution?

On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: Reseller
PeerSpot user
Senior Expert for Microsoft infrastructure at a computer software company with 51-200 employees
Vendor
It provides firewall, proxy, and VPN in one solution, but be prepared to follow the Zeroeth Rule during implementation.

What is most valuable?

  • SSL VPN
  • HTML5 VPN portal
  • Application control
  • Reverse proxy
  • Web filtering

How has it helped my organization?

We used several vendor products before UTM, and now it is all in one box - firewall, proxy, and VPN. Sophos is much easier to manage and configure.

What needs improvement?

Every product has room for improvement.

For how long have I used the solution?

I have used it for three years actively with several projects utilizing UTM.

What was my experience with deployment of the solution?

No issues encountered.

What do I think about the stability of the solution?

No issues encountered.

What do I think about the scalability of the solution?

No issues encountered.

How are customer service and technical support?

We don't have direct contact with Sophos support so I can’t rate the level of customer service and technical support properly.

Which solution did I use previously and why did I switch?

I did. Sophos UTM is far easier to configure and it is very intuitive with configuration.

How was the initial setup?

Setup is easy and straightforward. It is a browser based tool, so you can access it from every location, and with different operating systems.

What about the implementation team?

We did it in-house.

What other advice do I have?

I have some technical advice, but generally, always prepare steps to implement Sophos UTM and test your implementation before using it in a production environment.

The Zeroeth Rule:

Start with a hostname that is an FQDN resolvable in public DNS to your public IP. If you didn't do that, start over with a factory reset; it will save you hours of frustration.

  1. Whenever something seems strange, always check the Intrusion Prevention, Application Control and Firewall logs.
  2. In general, a packet arriving at an interface is handled only by one of the following, in order: DNATs first, then VPNs and proxies and, finally, manual routes and manual Firewall rules, which are considered only if the automatic Routes and rules coming before hadn't already handled the traffic.
  3. Never create a Host/Network definition bound to a specific interface. Always leave all definitions with 'Interface
  4. When creating DNATs for traffic arriving from the internet, in "Going to:" always use the "(Address)" object created by WebAdmin when the interface or the Additional Address was defined. Using a regular Host object will cause the DNAT to fail as the packets won't qualify for the traffic selector.
  5. In NAT rules, it is a good habit to leave a field blank when not making a change. In the case of a service with a single destination port, this makes no difference. In the case of a service with multiple ports, or a Group, repeating the service makes the NAT rule ineffective.
  6. There are only four reasons to sync users from AD to the ASG/UTM:
    • The user should be able to log on to a Remote Access VPN that uses certificates to authenticate the user
    • Email Protection is enabled and the user should receive Quarantine Reports and be able to manage personal black/whitelists and/or use Email Encryption/Signing
    • You want to do Reporting by Department for Web Protection (and I consider it a bug to require this when doing AD-SSO)
    • You want to use the Authentication Agent to populate "username (User Network)" objects
    There's no other reason to sync users to WebAdmin - certainly not with AD-SSO.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
it_user243894 - PeerSpot reviewer
Systems Engineer at Base-2 ICT Services Ltd
Consultant
The reliability of the equipment makes it possible to provide stable connections but IPSEC site-to-site VPN connectivity needs to be improved.

What is most valuable?

  • Reliability
  • Usability
  • Number of features that fully cover goals
  • Perfect support
  • Possibility to get “under the hood”

How has it helped my organization?

The Sophos solution provides a branch to head office distributed network for a construction company across New Zealand, and the reliability of the equipment makes it possible to provide stable connections and is easy to implement and support.

What needs improvement?

It would be great if it were possible to improve IPSEC site-to-site VPN connectivity over slow/unstable internet connections.

For how long have I used the solution?

This particular configuration has been in use for about two and a half years.

What was my experience with deployment of the solution?

No issues encountered.

What do I think about the stability of the solution?

Very rare cases of the appliance losing its admin password or web-service hangs.

What do I think about the scalability of the solution?

No issues encountered.

How are customer service and technical support?

Customer Service:

Since I’m an engineer, I probably cannot evaluate this aspect; however, as far as I know, equipment order and upgrade was always fine.

Technical Support:

4.99 out of 5 – support is very helpful. Only once was there a misunderstanding about licensing and the number of supported Sophos WAPs, and that was resolved promptly and fully.

Which solution did I use previously and why did I switch?

For this project, the Sophos infrastructure has been planned and deployed from the start and there has been no need to change it.

How was the initial setup?

It's logically straightforward and the transparent interface made possible a quick deployment. However, a little time was needed to get familiarized with the interface.

What about the implementation team?

It was implemented in house.

What other advice do I have?

Nothing is perfect, but with Sophos those are really small – sometimes it is incorrect firmware upgrade paths, or rare login problems (device forgetting admin password). All those, though, can be fixed; there is plenty of information on the Internet and support is usually awesome. Also, you need to plan the solution and costs involved, while having in mind potential growth of users/connections; e.g. creating virtual appliances and allocating resources (RAM, CPU, NICs) minding potential workload.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
it_user243894, Systems Engineer at Base-2 ICT Services Ltd
Consultant

Hi PatrikS, it was an ASG120; I had to reset it by connecting via the COM port and using a monitor connected to the unit.

it_user233997 - PeerSpot reviewer
IT/Telecom Specialist at Prewest
Vendor
The web application firewall is a good feature, despite it limiting you to only using ports 80 and 443.

What is most valuable?

The web application firewall and web filtering. We are using the UTM to be the gateway for the private cloud solutions we offer.

How has it helped my organization?

Easy management of the firewall, with one URL to control the firewall/web filters for our entire cloud.

What needs improvement?

HA needs to be improved for the software appliance because if Sophos is deployed in ESXi/Hyper-V then the HA is unstable. Also, the web application firewall only allows the use of ports 80 and 443, and if we could use other ports, then that would be a welcome addition.

For how long have I used the solution?

For two years now in our datacenter, and also several deployments at some of our customers.

What was my experience with deployment of the solution?

Setting up the link aggregation group (NIC teaming) gave us some problems with the ethernet VLAN option for WAN, but after a firmware update, the issue was resolved.

What do I think about the stability of the solution?

If you enable the intrusion prevention option in the firewall, any WordPress deployments on a Plesk server behind the firewall slow down to a crawl, and there is no fix yet. The current workaround is disabling the intrusion prevention option at the moment.

What do I think about the scalability of the solution?

No issues yet.

How are customer service and technical support?

Customer Service:

7/10. Getting a new license for the SG220 sometimes takes a long time, but they will give you a 30 day demo license to compensate for it.

Technical Support:

9/10. Any question or issue is solved within minutes after calling technical support.

Which solution did I use previously and why did I switch?

SonicWALL was our previous product, and we switched to Sophos because of its ease of use.

How was the initial setup?

When you start the initial setup you're helped with wizards, but if you use the software appliance and make a mistake by selecting the wrong interfaces in the wizard, it can result in the firewall becoming unreachable. The hardware appliance is (almost) plug & play.

What about the implementation team?

We implemented it in-house.

What was our ROI?

It's around six to nine months.

Which other solutions did I evaluate?

We looked at several open-source firewall options whose names I will not mention, and the reason we did not use them was because of the ease of use, and what our support desk could do.

What other advice do I have?

If you want an easy to manage and powerful firewall, then take a look at Sophos UTM.

Disclosure: My company has a business relationship with this vendor other than being a customer: We are a reseller of the Sophos UTM and/or other products of Sophos.
PeerSpot user
Senior Network Engineer at Dejpaad
Real User
Top 5 Leaderboard
Reliable with good mail security and good scaling abilities
Pros and Cons
  • "The solution can scale."
  • "It needs a better user interface. The one they have is not so good."

What is our primary use case?

This is a next-generation firewall. I use it for mail security for clients. 

What is most valuable?

The mail security is very good. 

It's quite stable.

The solution can scale. 

What needs improvement?

The sanctions make it difficult for us in Iran to take full advantage of this product, like many others. 

It needs a better user interface. The one they have is not so good. 

For how long have I used the solution?

I've used the solution for a while. 

What do I think about the stability of the solution?

The solution is stable and reliable. There are no bugs or glitches, and it doesn't crash or freeze. 

What do I think about the scalability of the solution?

It is very scalable. The solution is very easy to expand as needed. That's not a problem.

We have 500 or 600 clients on the solution. 

How are customer service and support?

I do not use technical support. Having never dealt with them, I cannot speak to the level of service they provide. 

What other advice do I have?

For sharing and mail security, the solution is very good. I'd recommend it to other users. 

I'd rate the solution seven out of ten. If they offered a better user interface, I would rate them higher. 

Which deployment model are you using for this solution?

On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
PeerSpot user
IT Specialist at Arnett Carbis Toothman LLP
Real User
Sophos SUM allows us to manage over 50 devices from a central management console

What is our primary use case?

  • Network border protection for clients and internal company
  • It is used for small to medium-sized businesses and networks.

How has it helped my organization?

Sophos SG has provided us with the tools to protect our networks, detect malicious activity, and customize security to our clients' needs.

What is most valuable?

  • Sophos UTM Manager (SUM): It allows us to manage over 50 Sophos UTM devices from a central management console. 
  • Creating rules, exceptions, and managing most features from SUM, and pushing to all or a section of devices as needed.

What needs improvement?

  • SUM cannot manage app control
  • Improve app control system as a whole
  • Extend support for SG until XG has improved significantly.

For how long have I used the solution?

Three to five years.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Senior Solutions Specialist at centerprise international
Reseller
It has ease-of-use and fits the purpose of our firewall protection needs.
Pros and Cons
  • "The most valuable feature is that it is easy to administer."
  • "The pricing is an issue."

What is our primary use case?

The primary use case for using this product is as a firewall.

How has it helped my organization?

It has ease-of-use and it fits the purpose of our firewall protection needs.

What is most valuable?

The most valuable feature is that it is easy to administer. 

What needs improvement?

The price is an issue to consider for improvement.

For how long have I used the solution?

One to three years.

What do I think about the stability of the solution?

The stability of the product is good.

What do I think about the scalability of the solution?

We are not a very big organization, so we do not see any issues going into the future. We feel that it will continue to scale appropriately for our organization's needs.

Which solution did I use previously and why did I switch?

We have experience with Sophos, as well.

What's my experience with pricing, setup cost, and licensing?

The price is something that one will need to consider.

Disclosure: My company has a business relationship with this vendor other than being a customer: I am a reseller.