So cool to hear that :)

can you use the free home version on it ?

Yeah 😆

I think you are right, but it is still good to have such fw at home and not only in data centers

Oh yeah, guess which switch will be added soon to my lab!

Cool to hear! Thanks ;)

The feature set is unsurpassed by any other free firewall, but the UI of the web filter is worse than anything imaginable

@@canadianwildlifeservice8883 My home lab is setup with Fortigate + Fortiswitch + FortiAP and I can assure you it surpasses what Sophos offer by a mile. At a cost though.

I hate unifi so much 😅

​@canadianwildlifeservice8883 *laughs in Fortigate*

Sounds great as well!

What's been the experience going from pfsense to Unifi for routing?

pFsense is a much more efficient and more rounded firewall/router than UDM Pro. Unifi is not as accomplished at routing over pFsense. But over the last year UniFi have made significant improvements to function and the interface. You can’t beat UniFi for their equipment either. Their WiFi 6 kit and switches are superb and I work in I.T. Their SDN approach for their kit is spot on and I am very happy with it. Having a single cohesive platform is nice. I have often thought of placing a pFsense in front of my UDM Pri but the would have double NAT issues. I do love pFsense though and now they offer the advanced license for free for home users it is tempting to go back

thank you so much :)

Thank you so much! It's great to do this in a homelab, and I think it's important for everyone who runs a server. Maybe a bit overkill, but as you correctly said - we like to do things a bit more secure :)

Cool! HA is nice

Thanks mate!

Thanks :)

Cool!

Glad you liked it!

Thanks mate! Paloalto and PFSense are also great btw :)

I’ve done a video about XG on Proxmox, maybe that’s helping you

The base license is included, only if you need full protection or additional features you have to pay. That's why I would recommend running the SFOS software on an intel-based computer or in a VM, it's cheaper and you got all the features from the home version for free ;)

You can, but you need to erase the disks and reformat it with the software iso

​​@@christianlempa is the XGS supported by ESXi free edition....that you are aware of? Proxmox has all the features but many users are only familiar with VMware.

@@canadianwildlifeservice8883 I'm not sure that question makes any sense. XG Home software can probably run on anything that can emulate a standard x86_64 desktop architecture, but the XGS is a hardware platform.

@@Bob-i4x5x let me rephrase it. Does ESXi support installation on the XGS firewall appliance? Yes the firewall software ISO can be installed within ESXi, but does ESXi support the hardware of the XGS? Proxmox can run on anything, but VMware has more limited hardware support.

@@canadianwildlifeservice8883 Gotcha, that is a much more niche question. Seems to me, at this point, XGS hardware, being current, would be an overly expensive server base. My guess is that, with the x-stream offload chip that things are a bit more proprietary than the SG/XG hardware.

The features are actually the same, there is a small difference in IPS signatures based on the appliance sizing, but the home license covers everything. It's however not possible to run the home license on Hardware models and it's limited to 4cpus and 6gb mem.

@@christianlempa thanks! Does this mean that if I get the hardware appliance, IPS is also included (with more signatures)? I saw that it was part of the network protection licensing package and I was not sure about costs.

Puh maybe, yeah in the far future

Thanks mate! Great feedback. Btw bridges will be removed once I upgrade to my new Switch, guess which one it will be 😀

@@christianlempa Budget options that come to mind are the CRS317 If u only need 16 sfp+ cages or the CRS328-24P-4S+RM for poe and sfp+ :D

Agreed and great advice.

I've done a test with 10Gbit, as I now finally have one in my PC. And you're absolutely right, it seems the bridge interface is taking down the performance from 9.5Gbit to 6.5Gbit, which is really heavy! Btw, I'll test the new Sophos Switch in the Setup, then I can get rid of all bridge ports, luckily :)

@@christianlempa didn't even know that they released a Switch ^^ We are only working with the FWs. Looking forward to it

Good question, probably more for a lawyer than me. I'm committed to mark it as a "promotion/advertisement" as long as I receive products without paying for them, or if I'm paid for making a video. But as far as I know, it is no clear regulation on how exactly that is needed in Germany, so therefore you might see many people who include a "DAUERWERBESENDUNG" banner, but it's just one way to handle this. And it was very common before youtube added the checkbox to mark a video as "paid promotion".

Thanks np :)

Thank you! Glad you liked it :) Btw, I'm thinking about a future k3s video and use it as a load balancer, let's see how that works :D

@@christianlempa Oh yea, that would be an awesome video, can't wait ;)

Thank you so much! And great feedback :) I've not looked too deeply into IPv6, but that reminds me of doing that at some point!

I'm using the commercial license, the home isn't available for hardware appliances.

I’m using a simple dnat rule which kinda does some load balancing between the nodes, if that’s what you’re asking.

A virtual firewall is less power hungry, but also less flexible and dependent on the hypervisor host. I prefer running a firewall outside of the hypervisor, but both are viable solutions

I’m using their enterprise license, but what you can do is flash the XG125 with the software version, make sure to erase all the partitions with gparted first. Then you can use the home license :)

@@christianlempa To install Sophos Home on an XG125, I need to wipe my appliance clean? I tried to install without wiping it and that did not work. Based on your last comment, clearing the partitions is essential?

@@darkjake80 yes

Wish more people knew this. Many implementors of this technology don'tadequately articulate the fine point. Meanwhile SMBs are paying 10s and thousands in licensing fees.

I heard you mention the firewall in another video that you can hear it from your small room next to your work room. Is it really that loud?

Yeah the XGS has a lot of improvements to accelerate the traffic. Btw I got the devices for testing, as I'm working for this company.

@@christianlempa look forward to seeing more videos. Nice jacket too just noticed :) might have to hit up our account manager for some swag

Yes

I've not done any performance comparisons, but the XGS series has a specific processor that is used for the dpi computing, traffic offloading, etc. That has a huge performance improvement when using the security features, depends a lot on the use case, but it can be much faster than any other cpu. However, security features like IPS, SSL inspection can make a 10gbit/s to something like 2.5-3gbit/s, that is "normal" and expected.

+1!

Not for the basic functions, only for advanced features.

You're welcome! Well we will see, 10gbit is never cheap

10gb switches (mikrotik) and NICs are affordable now

The hardware appliance does not run with a home license, that only works on vms or software installations on your own hardware

Lawrence systems has a video on setting pfsense and udm pro up together. I don't see the good side of having two routers in series like that.

Thanks for sharing, yeah Tom has great videos about that ;) In theory you can combine all of them together (however, it might not make sense), it's just a matter of how you're configuring it.

Pfsense will not disappoint

Cool that you still remember astaro 😉

Nothing. I just genuinely like the products. I got the devices for free, regardless of making a video or not.

@@christianlempa My opinion: In videos like this you should disclose that you work for Sophos (for transparency sake)

He works at Sophos Germany.. :)

Thanks again :)

Np! Glad you liked it

I think the Zone concept is great and makes things a lot easier, but yea it does need to time to get used to if you're coming from UTM ;)

No, I'm using a hardware license.

@@christianlempa That sounds very pricy.

Yeah, I worked in the old offices of Astaro after they go aquired, very cool team! Maybe I'll do another video about the Home Version at some point, but IDK yet

Cool! Honestly... I don't know :D

Pfsense is great, but it's good to have some choices isn't it? :D

Thanks :) you can just use the home version on a PC or VM for a budget option

Good luck with that Sophos is a CPU intense piece of software.

Cool! Another Sophos fan :)

hi i need advice my hospital plans to buy sophos with an xtrean license and web server protection with 300-500 devices I wonder what series? is xgs 2300 enough or xgs3300?

@@Maxzier14 That is hard to answer without knowing your environment and your needs. Do you have an estimation of the throughput, and services that you will need to enable on the firewall? That is going to be your biggest issues with size. As you enable services like IPS, HTTP/HTTPS/FTP/Web Filtering, Advanced Threat (If licensed), Web Server Protection (etc...). It really starts to eat in to your throughput and will slow down all traffic. This can really be a problem if your WAN connection(s) are faster. This could be as little as a 200+ Mbit connection. You can start to lose a lot of your speed when you enable filtering services. Is is also possible see slower internal zone speeds even if those services aren't enabled for them. From a security and compliance standpoint. I recommend that you use as much of the filtering options as you have available. We had this issue several times when newer connections became available. We could only get less than 200 Mbit speed out with some of the gen.1 and gen.2 XG's with the Web Filtering/HTTP/HTTPS/FTP services turned on. Luckily the XGS offloads "trusted" with traffic due to the xstream routing and doesn't scan it. That does help with overall throughput. I would still size to your overall need without considering the offloading just to be safe. If you have a Sophos login. They have an assisted sizing guide. It's called the Firewall Sizing Calculator. If not there is a PDF sizing guide available. You will have to do some of your own calculations based on estimated connection count and throughput numbers. Sophos will always try to oversize you when recommending firewalls. You should be able to get a pretty good idea what you really need by adding up the estimated throughput needs compared to the charts though. Also something else you need to consider since you are a hospital, and any downtime is probably not acceptable. You need to be in HA (High availability). That is two+ firewalls active at any time. You have different HA option that can affect your traffic too. You can have traffic flowing out of multiple firewalls, or just have one live and the rest backup. The HA is necessary to guarantee uptime. All firmware updates require a reboot. If you are in HA. The live one(s), or primary depending on your config will update its firmware, transfer traffic to one of the other firewalls. When the primary comes back up, each will update its own firmware by priority. You won't see any downtime. Hope that was helpful. You can talk to your sales rep, and they should work with you, or get an engineer involved. Just remember they will try to oversell to you. It helps to have an idea of your actual needs.

Very nice! Do you put the home licence on that hardware?

Wow cool! I still need to update mine to v19 😆

@@christianlempa Got the v19 briefing webinar at my old Job and used the EAP immediatly. Still need to get a hardware for the Home, redundant internet connections in the near Future.

Ouch, I don't want to hear that 😉

Thank you! Absolutely, we like to go crazy on home labs :D I'm not running a Gues WiFi at Home, but it's pretty easy to do that. The usual WiFi can be "bridged to AP LAN", which will just bridge all WiFi clients to the LAN zone. You can also create another wifi network as a separate zone, this will be a separate interface you can put in a different zone and control with firewall rules seperately. That's how you typically set up a Guest WiFi, you can also think about adding hotspots and vouchers to that. Hope that helps ;)

Danke :)

Can absolutely understand what you're saying. However XG has some nice features UTM doesn't have, so it always depends on the use case what's really needed.

Na klar, wenn schon, denn schon! 😀

Er ist doch "Technical Account Manager at Sophos"..

@@salat Ah okay das wusste ich nicht, danke.

So cool! 😁👍

Vielen Dank! Das ist mein Testgerät, da ich dort arbeite ;)

Oh yeah it's an absolute overkill 😁

Thank you! Glad you liked the video 😀

Yeah that's right. I guess now over 5 years

@@christianlempa me too! Enjoying this company so far 😁

Hm, I don't know, I like the XG interface a lot more than UTM tbh.

​@@christianlempa The interface is more modern and looks good, but a better network product it is not (in my mind) i will encourage you to compare the features, and actully run them with configs with multiple vlan's multiple rules, countryblocking, waf/letsencrypt, regex There is a lot of features that does not exist in the new one. is is not without reason that the UTM still exist if it got discontinued pepole would go for a Palo Alto or a Fortigate.

Well, that's just like your opinion man

Seemed ok in pfsense and opensense although it was sometimes annoying to get a wan configuration that gave IPv6 internet (poorly documented, secret handshakes etc)

There is a IPv6 Support Page in the OnlineHelp, where you can find out what's supported and what not on the XG regards IPv6: docs.sophos.com/nsg/sophos-firewall/18.5/Help/en-us/webhelp/onlinehelp/AdministratorHelp/IPv6FeaturesServices/index.html Note, that might change in future versions of course!

That’s utter rubbish There is probably better, but if you work with SMB and use Sophos AV they are great Capable and affordable

Agreed, their support has been abysmal.

@@TritonB7 what country? I’ve never had problems with support. Sales is another matter they relocated sales to Manchester I think and caused a lot of staffing issues

Agreed 100% its crap.

Seriously lacking in features network engineers look for which kills their creativity in network configuration.

Which part do you mean?

@@christianlempa i noticed it at about 6:20 but re watching other parts of the vid it didn't seem to bad might have just been that section. it was just a bit of putting really. might just be me:)

@@linuscane thanks! Might be when I'm a bit too close to the mic.

Für den Home User würde ich so ein System auch nicht empfehlen. Die Software kann auch auf einem normalen PC installiert werden. Dort hast du alle Funktionen komplett kostenlos!

@@christianlempa Das ist gut zu wissen. Warum sollte man dann überhaupt noch zur Sophos XG als Hardware appliance greifen, wenn man die Software komplett kostenlos auf eigener Hardware nutzen kann?

@@Lacsap3366 ich bekomm die Testgeräte samt Lizenz umsonst, ansonsten hät ich das auch anders gemacht ;)

@@christianlempa Ah alles klar. Danke für die Info !

Why would I do that? 🤣

Anything below is a no go 🤣

He works for them

@@MichaelSmith-fg8xh Jacket included!

Yeah it's a bit overkill :D But the home license is also a nice option!

*laughs in Meraki*

What?

Well, that's... your opinion man

@@christianlempa if you've got the tools, try to measure the performance of the firewall and compare it to the datasheet :)

@@christianlempa PS.: cheap Marvell chips, slow performance in the UI, outdated software packages ... i've to work with sophos, but every other vendor i get my hands on is better in every way. It's not only me, check gartner aswell.

The firewall comes with a base license, but some features cost extra.

Licensing for 3years xstream protection along with hardware xgs 2100 would cost around 6 to 7k

Seems like a great solution for home networks!

Stimmt :D ich würde auch niemandem dieses Gerät fürs HomeLab zu kaufen. Besser wäre die Sophos Firewall Home Edition in einer VM oder auf einem kleinen PC zu installieren :)

@@christianlempa Habe mir mal eine XG 125(w) bestellt. Für schlappe 150€. Wenn die Home Lizenz funktioniert, werde ich das Abenteuer mal wagen. Allerdings tue ich mich gedanklich noch schwer damit sie in mein bestehendes Netzwerk zu integrieren. Habe eine FritzBox 7590 mit vier WLAN-APs als Mesh konfiguriert. Ich will sie unbedingt weiter als Modem, Router und Mesh-Controller nutzen. Da ist die FB einfach top. Was empfiehlst Du für die Sophos Firewall? Kann man sie sinnvoll hinter die Fritzbox nutzen? Oder irgendwie den Traffic als DNS-Server durchschleifen? Das 350€ teure DSL-SFP-Modul wäre ja auch ganz nett oder die 3G/4G(/5G) Erweiterungskarte für die Kiste. Doch wenn man mit VLANs später arbeiten will, bleibt einem wahrscheinlich nicht weiter übrig, als komplett neue APs zu kaufen, oder?

Und dann ist sie noch meine Telefonanlage. Wird echt schwierig sie als Firewall "zu ersetzen." Kann mir im Moment nur eine Routerkaskade vorstellen. Oder hast Du zufällig eine bessere Idee? Vor allem auch um den IOT / Kamera / Smart Home Krams zu isolieren?

No, they didn't ask me to do anything, (I'm working for this company btw). Also, I didn't ask you to shut off your PFsense did I? PFSense is a great firewall, too.

@@christianlempa All good. Understood. Apologies if my comment offended you in anyway. That wasn’t my intention. Didn’t know you worked for Sophos. :-)

@@VideoGigs no worries mate, it's all good! 😀