Sophos UTM Reviews

All the features are similar; we are real, hardcore users of the Sophos UTMs.

This product is for beginners and for hardcore professionals; beginners can get their feet wet and professionals can easily look into the product.

Certificate Management should be improved.

I have used this solution since 2014, i.e. for around three years.

We have over 30 Sophos UTMs running. There are some that are not stable, because of the bridges used or ISP used (Cisco vPCs/Dell MLAGs etc.).

The Sophos UTM Internal DB sometimes has problems which affect its scalability.

Technical support is very good, but only to the distributor. Support is poor if the distributor escalates to the vendor or we complain directly to the vendor.

It was not a change; in general, we have used many firewall vendors, but no one is as good as Sophos UTM.

The initial setup is easy.

Unfortunately, the pricing is very expensive, but for licensing, there are some "cheap" options for some scenarios.

If you'd like to look into a system which is very robust and hardcore, then select Sophos UTM.

Great security and logging. Easy GUI.

It really needs to update IPSec to enable IKEv2.

Two years.

No.

No.

No.

Customer service is great and responds really fast.

Technical support might be a bit better and there are not enough easily accessible guides.

Previously used the OpenSource pfSense which works great, but Sophos adds the little extra that is needed in security.

Straightforward.

In-house.

I evaluated pfSense, and still go with pfSense where IPSec to AzurePack services are needed because Sophos does not support IKEv2.

At first I did not like Sophos UTM but after second setup and config I liked it a lot and now recommend it to all my customers. It has great security features, and together with Sophos Endpoint Protection it works perfectly.

• Firewall
• Intrusion Prevention
• Web Filtering
• SMTP Proxy
• Red (VPN Appliance Box for remote sites)

The product has provided us with unified threat management as well as comprehensive list of reports.

Their new product range which is the new SG Series UTMs, especially the wireless versions, should at least include two radios for 2.4 Ghz and 5 Ghz bands. Currently we can only run one or the other, but not both.

I've used it for around 18 months.

No at this stage.

Only thing we have noticed as of late was that their firmware updates break something else that was working in a previous version. Only noticing this on some customers though not all customers.

They're great.

I’ve used other products like NetboxBlue, SonicWALL in my previous roles. We chose the Sophos UTM because of pricing, rich feature set and the fact that it can be either a Virtual App or Hardware Appliance.

The initial setup was very straightforward. It was done through a wizard and there not much needed doing while setting up the UTM.

We are a reseller so we use the same product that we sell to our customers. That’s how much we love the product.

• SSL VPN
• HTML5 VPN portal
• Application control
• Reverse proxy
• Web filtering

We used several vendor products before UTM, and now it is all in one box - firewall, proxy, and VPN. Sophos is much easier to manage and configure.

Every product has room for improvement.

I have used it for three years actively with several projects utilizing UTM.

No issues encountered.

No issues encountered.

No issues encountered.

We don't have direct contact with Sophos support so I can’t rate the level of customer service and technical support properly.

I did. Sophos UTM is far more easier to configure and it is very intuitive with configuration.

Setup is easy and straightforward. It is a browser based tool, so you can access it from every location, and with different operating systems.

We did it in-house.

I have some technical advice, but generally, always prepare steps to implement Sophos UTM and test your implementation before using it in production environment.

The Zeroeth Rule:

Start with a hostname that is an FQDN resolvable in public DNS to your public IP. If you didn't do that, start over with a factory reset; it will save you hours of frustration.

1. Whenever something seems strange, always check the Intrusion Prevention, Application Control and Firewall logs
2. In general, a packet arriving at an interface is handled only by one of the following, in order, DNATs first, then VPNs and proxies and, finally, manual routes and manual Firewall rules, which are considered only if the automatic Routes and rules coming before hadn't already handled the traffic
3. Never create a Host/Network definition bound to a specific interface. Always leave all definitions with 'Interface
4. When creating DNATs for traffic arriving from the internet, in "Going to:" always use the "(Address)" object created by WebAdmin when the interface or the Additional Address was defined. Using a regular Host object will cause the DNAT to fail as the packets won't qualify for the traffic selector.
5. In NAT rules, it is a good habit to leave a field blank when not making a change. In the case of a service with a single destination port, this makes no difference. In the case of a service with multiple ports, or a Group, repeating the service makes the NAT rule ineffective.
6. There are only four reasons to sync users from AD to the ASG/UTM:
   • The user should be able to log on to a Remote Access VPN that uses certificates to authenticate the user
   • Email Protection is enabled and the user should receive Quarantine Reports and be able to manage personal black/whitelists and/or use Email Encryption/Signing
   • You want to do Reporting by Department for Web Protection (and I consider it a bug to require this when doing AD-SSO)
   • You want to use the Authentication Agent to populate "username (User Network)" objects
   • There's no other reason to sync users to WebAdmin - certainly not with AD-SSO

• Reliability
• Usability
• Number of features that fully cover goals
• Perfect support
• Possibility to get “under the hood”

The Sophos solution provides a branch to head office distributed network for a construction company across New Zealand, and the reliability of the equipment makes it possible to provide stable connections and is easy to implement and support.

Would be great if it would be possible to improve IPSEC site-to-site VPN connectivity over slow/unstable internet connections.

This particular configuration has been in use for about two and a half years.

No issues encountered.

Very rare cases of appliance lost admin password or web-service hangs.

No issues encountered.

Since I’m an engineer, I probably cannot evaluate this aspect, however as far as I know equipment order and upgrade was always fine

4.99 out of 5 – support is very helpful, only once there were misunderstanding about licensing and number of supported Sophos WAPs and that was resolved promptly and fully.

For this project, the Sophos infrastructure has been planned and deployed from the start and there has been no need to change it

It's logically straightforward and the transparent interface made possible a quick deployment. However, a little time was needed to get familiarized with the interface.

It was implemented in house.

Nothing is perfect, but with Sophos those are really small – sometimes it is incorrect firmware upgrade paths, or rare log in problems (device forgetting admin password). All those though can be fixed, there is plenty information in the Internet and support is usually awesome. Also, you need to plan the solution and costs involved, while having in mind potential growth of users/connections; e.g. creating virtual appliances and allocating resources (RAM, CPU, NICs) minding potential workload.

They are all valuable, but the most valuable is the uplink balancing. This is very useful when dealing with more than one ISP, and the wireless capability for our guests.

It's scalable and easy to manage.

The web filtering engine needs to be improved as, sometimes, the service hangs for a while and restarts randomly. Alas, there was an issue with authorizing Lync traffic but it's all good now.

I've used it for eight years.

No issues encountered.

Rarely.

No issues encountered.

It's good.

It's acceptable because sometimes there are delays with answering our requests. We are using the regular support, so we don't have the ability to contact Sophos directly.

We did, and we switched due to the costs and the functionalities.

It was very easy.

We used a vendor team to implement it.

It's a nice product that is full of interesting options.