Monday, November 22, 2021

Sophos might be a good AV but not a good firewall/router appliance.

Three months before a previous network admin left, he signed our org into a 5-year agreement with Sophos. It has not gone well. This is a post to advise others not to buy into the Sophos appliance hellscape I have found myself in.

We had bought 2 XG 750 (the top model in the XG lineup), 2 XG 450 and 20 XG 210. The only difference between the devices is the throughput of the internal hardware; the 750 and 450 are modular devices.

Reasons why to buy a $150 Netgear router from Walmart instead:

1. The 1st 750 failed to perform proper L3 functions and I had to RMA the entire unit and modules. (Confirmed by the ISP and Sophos Support.)

2. The RMA unit received for the 750 had dust around the exhaust fans and the vents it goes through, showing I had received a used device in place of my new one.

3. All 210's I have received must be manually updated to the latest firmware before use, as the update factory-defaults the device and you cannot use backups from that device to restore it. You must reconfigure from scratch.

4. Quality difference between Sophos pro support and general support. If you are having a problem with your firewall and you need assistance, good luck with the general support line, as it may or may not be the first time the person you get has seen the appliance. Pro support, by comparison, does know what they are doing, as they are certified network engineers themselves, but support with them MUST be a scheduled event and they cannot be contacted in the event of an emergency.

5. Site-to-Site VPNs are not interfaces... WHY?

6. Router on a stick does not work, as there is no way to set up dot1q properly (you cannot specify a native/untagged VLAN).

7. End device VPN is not close to other providers. (I have to have users preauth before they log into the Windows OS, as not all users are at a site with a router, and due to that I have to keep my Cisco 5525-X appliance for another 5 years for Cisco AnyConnect.)

8. Ports: https://imgur.com/a/qJbD4no Some of these are SFP and some are copper, no they are not in order of the module, and no you cannot change the hardware identifier. The only way to know what port is what is to go through every port on the device, apply a subnet to it, plug a device into it and see what IP you get, work out which interface that corresponds to, and label it properly. And even then there are some elements in the GUI that only look at the hardware name such as "PortB3", making your interface names useless, so if you do not have an external doc on hand with the mappings or have them all memorized, good luck.

9. Sophos RED (proprietary protocol for Site-to-Site VPN). If you want to use any dynamic routing protocol you cannot use Sophos RED; sorry, you must use static routes for your subnets.

10. No DHCP options. If you want DHCP options you must relay them to another DHCP server.

It has been just nonstop with these devices, to the point where a Cisco 1941 would outperform them.

Just listen to every other network admin here and get a Fortinet, as they actually make routers/firewalls as their backbone product.
