SMB firewall.
Owner at Technologies International
Application layer filtering is a vital feature
Pros and Cons
- "Protected it against malware and allowed us to serve our servers safely."
- "Setup: Getting an exchange server to work behind Sophos is incredibly difficult with rules invoked that are simple numbers (e.g. 9054)."
What is our primary use case?
How has it helped my organization?
Protected it against malware and allowed us to serve our servers safely.
What is most valuable?
Application layer filtering.
What needs improvement?
Setup: Getting an exchange server to work behind Sophos is incredibly difficult with rules invoked that are simple numbers (e.g. 9054).
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Pre-sales manager at National Information Technology Company
Has a solid state hard drive and can boot in less than sixty seconds
Pros and Cons
- "Sophos UTM has improved the porting section. It has improved security by seeing the gaps. For example, when you discover that an entry has been using a certain application, with Sophos UTM acting as a Layer 7 firewall, you can block the application, not the port."
- "The IT Admin or IT Security in any organization would like to have Sophos UTM because it is full of all the features you think about for enterprise."
- "With Sophos UTM, there is a general rule in the firewall when the country blocking can block some countries from accessing your data. In the current version, you still need to add it by putting in the IP range. This feature would be helpful for administrators and it gives them the advantage to block stuff in less time."
What is our primary use case?
We are partners with Palo Alto and several IT certificate vendors, like Sophos. We deploy Sophos UTM for customers.
Internally we use Sophos, but we deploy solutions including both Sophos and Palo Alto Networks to our customers. We are an IT integration company. Our services include the deployment of security appliances.
Our environment includes Sophos UTM for internal use, which means it is protecting the network. It is protecting our environment.
We publish our services like the help desk, mail server, and other servers. Sophos UTM offers us protection for publishing and the VPN.
How has it helped my organization?
When we started with Sophos UTM, we were using Microsoft Threat Management Gateway (TMG) which formed part of the firewall. It's not there anymore; it has been discontinued.
Sophos UTM is an SSD appliance. It has a solid state hard drive and can boot in less than sixty seconds. It is an appliance that has more stability than software solutions. It all depends on which hardware you have installed.
Sophos UTM has improved the porting section. It has improved security by seeing the gaps. For example, when you discover that an entry has been using a certain application, with Sophos UTM acting as a Layer 7 firewall, you can block the application, not the port.
In the application firewall, you can block the next update for Bitcoin or for Facebook. It has settings to block a port or wifi or just block the application and firewall. Sophos UTM will be able to detect the application type and filter network users.
Sophos UTM did help us a lot on the throughput of the internet because at that time we were using ADSL. Now it is fiber, which means we are able to manage the throughput of the firewall by also putting the quality of service first.
For example, we are able to configure 2MB for YouTube or 5MB are guaranteed for the service which is published. In the past, with TMG you had to buy third-party tools that also did not have the same functionality.
Currently, Sophos UTM and XG are helping our customers. The features available in the UTM and XG are a combination of all the firewalls in the market which means all the features.
The IT Admin or IT Security in any organization would like to have Sophos UTM because it is full of all the features you think about for enterprise.
Sophos UTM normally will deploy a batch or an upgrade and add more features, every six to eight months based on the RMD.
What is most valuable?
To be quite honest, from my personal experience all the features of Sophos UTM are useful, which includes publishing templates and the ease of publishing any servicing needs.
From the VPN side, all the VPN protocols are available so you can choose from SSVPN to PPTP to other versions of VPN, and it's easy to deploy within minutes.
The firewall includes very good logging where you can see what's hacking your network. The IDS and IPS settings are based on your reliance and also alerts you if there is an attack.
We're happy with Sophos and we also have an XG version being used for other services, because we are a company that provides services. We have two versions, we have the XG and the latest one.
The Sophos UTM, which is the previous version but still in production, is our main firewall for the company.
We are happy with all the features, we have no negative comments on any of the features except that the XG has more ability to block based on countries.
On the previous model, the blocking of countries we had a problem with, i.e. if you use the NAT feature, you can't block countries. You have to enter the IP network.
With the XG version, you can just select when you publish via NAT not via WAF. You can select the countries.
That is the only difference between XG and the UTM which we did not really like, but other than that it's all cool.
What needs improvement?
There is definitely room for improvement with Sophos UTM. For the SG version of Sophos UTM, they can add blocking of countries in the NAT section, not only in the firewall section.
When you are mapping, they should also add the ability to block countries in that section. That's not available right now. It's only available in the firewall if you want to block incoming traffic.
With Sophos UTM, there is a general rule in the firewall when the country blocking can block some countries from accessing your data. In the current version, you still need to add it by putting in the IP range.
This feature would be helpful for administrators and it gives them the advantage to block stuff in less time.
The web filter needs additional enhancement but that's the point of the XG upgrade. If they're going to continue with the production of the XG, then they will not add the same features to the basic version of Sophos UTM.
For how long have I used the solution?
More than five years.
What do I think about the stability of the solution?
With the ability of the hardware, we haven't experienced any problems with Sophos UTM so far. Neither have our customers.
At the beginning of the XG version, three years back, they had hardware issues. After that Sophos deployed division two, three, and four as hardware appliances.
Sophos fixed the hardware issue for the lower models, i.e. the 525, the XG 125, and the XG 85. All of the larger Sophos UTM models were fine.
Now, all are stable, all are fine. We haven't seen any crash. One of our customers had a DDoS attack. Since he had the proper rules, we did not record any incident.
Sophos UTM blocked the DDoS. Although it is not a dedicated anti-DDoS solution, Sophos UTM has the features.
Sophos UTM is stable. I haven't seen any claims or issue tickets from our customers regarding stability.
What do I think about the scalability of the solution?
Sophos UTM has different aspects. If you have an HA distribution, high availability, you can scale up.
When you go and purchase Sophos UTM, you have to plan and say what the environment is. This planning has to be done before buying. If you buy a small appliance and after two years, you are 50 or 70 employees there are upgrade options.
It should be between you and Sophos. They can give you a free appliance if you subscribe for three years on subscription, for example.
If you have an existing subscription and you want to have HA, this means another device has to be set as redundant. The only downside is that it has to be the same version and the same model.
In my company, we have around 35 loyal customers. These customers have purchased and are redeeming Sophos UTM with us. Altogether, we are 55 employees. Most of them are at the office. Concurrently around 35 others are on site at other clients. We have around 35 servers.
We have the published Sophos UTM on the main server, help desk, share point, etc. We've got around nine published services, plus 10 VPNs running concurrently for our support engineers to connect and work on our internal infrastructure for the allotment servers.
We have 50 Sophos UTM installations at least that are actively browsing, downloading, and being protected by the web filter and other features there.
It depends on the organization, but for us we only require one person to manage this solution, even working remotely at home.
How are customer service and technical support?
We don't have much need to speak with the vendor because we are educated and experienced with Sophos UTM. We are an integrator company.
For our customers, in the beginning, we give them training. After a week we do expect to have some calls because they are not yet educated or they're not yet used to it.
After that, that's it. They already told us if they are ready or not. Sophos' support is better than others because Sophos also can sell endpoint solutions.
If one of our customers has an issue and Sophos did support and send their team for the investigation it could be conflicting.
For example, one of our customers had an endpoint which is an antivirus and they had an issue. We have teams that were actively taking care of the customer based on our relationship with the client and their Sophos UTM device license.
We have no comment on the Sophos UTM support which we have seen at our customer sites because it was only with a government customer.
The customer told us that the Sophos UTM representative mentioned that they wanted to have the vendor take care of this issue.
Other than that, I have had no negative experiences with Sophos' technical support.
How was the initial setup?
The initial setup of Sophos UTM is straightforward for both versions, the XG & UTM. In addition, they both provide a proper manual.
In the beginning, seven years back, Sophos UTM wasn't straightforward for beginners. You had to be already excellent in security. Now, it is very easy because you install the IP address, you log in, and you do the initial setup by routine.
These days it's much easier than in the past, but not everyone that has a firewall is secured. If you do it properly by choosing the right network, the right topology, and the right firewall rules, Sophos UTM will work.
There are orders for most of the rules. For example, if you put a deny rule below an allow rule, you are not going to have the proper result.
Sophos UTM requires knowledge. It's easy to deploy but also there is a responsibility on the person who is deploying to understand.
You must have the knowledge of security and networking, to make sure that the solution is working properly. Sophos UTM is very easy compared to other vendors somehow.
In our environment, we have defined previously the VLAN rules on our sheets because we had another firewall. In the beginning, we just copied the current rules and then enhanced them slowly so deployment took place quickly.
After fixing the appliance physically on the rack, it took one hour to be up and running and ready based on the rules. If you are a small environment that would take you less than 20 minutes.
It all depends on how many rules you have, how many demands, how many users, and public services. For example: if you have five websites, the main server, and a starter business, you might need more time because you would need to define the rules properly.
It all depends on how complex your environment is. Sophos UTM is easy and straightforward for me and for somebody who is certified on security levels.
What about the implementation team?
We haven't opened a ticket with Sophos for 60 days, but we still have support. All our customers use us as the first level of support, even if they have to chase it.
Sophos UTM comes with a license. We are very aware and updated on Sophos solutions. We have good experience with it.
Although we sell other solutions, we are looking forward to building, selling, and integrating Sophos XG/UTM versus other vendors because of the ease of use.
We are more focused now. Our entire team is certified in Sophos Enterprise, while other vendors would likely still have just one or two members who are certified.
We feel more comfortable using Sophos equipment and solutions.
What was our ROI?
I can't mention anything on ROI because I'm more focused on the technical part. I'm not needed in the financial part. In our company, we have saved bandwidth and lots of network hardware waste.
The Sophos UTM solution did help us because we were depending on a software base from Microsoft. Microsoft is a great company but they are not great for our security. Now they have improved. When you go out and buy something, buy it from the specialists.
For example, if you go for virtualization, VMware is a company that only does virtualization. Go for specialized people. Don't go for people who are doing everything at once.
It's like when you go to a physician or a doctor and you have a problem with certain things, i.e. you have a problem with the bones. Go to the doctor that is specialized in the bones, not a general doctor.
What's my experience with pricing, setup cost, and licensing?
The Sophos UTM license is annual or you have a choice for a two or three-year term.
The Sophos UTM licensing is based on if you have an appliance. There are several layers of subscription you can take:
- Sophos UTM Full Guard includes everything but a few features.
- Sophos UTM Full Guard Plus includes all the most used features, i.e. Wifi, ITF, ITS, web publishing WAF, etc.
There is a huge price list. The prices in the MENA area (the Middle East and North Africa) are completely different than North America.
The products are completely different in the MENA area from the United States. Each region has its own scheme of pricing based on the VAT and the tax refund.
The price might be different for the people who are in the United States and the UK.
After you select the level of subscription, you pay once.
Which other solutions did I evaluate?
We tried and tested Fortigate from Fortinet. We tested several appliances about six years back. Not Palo Alto at that time, only Fortinet.
We evaluated other open-source Linux software but not appliances. We decided to go with Sophos UTM based on several factors related to the tests we did at that time.
Evaluation is very important so that you can see what you are buying and what you are going to face in the future.
What other advice do I have?
My recommendation is that businesses should go for the XG version, not the SG because the XG version of Sophos offers next-generation firewall support and has more improvements.
Sophos XG is the next generation firewall that is not available on the UTM version. The difference is in the features between the two and how you deploy them.
Sophos XG version covers what is in the SG version plus additional bonuses: the dashboard, the heartbeat between the firewall and the input, etc.
I advise you to first evaluate, know your network, know your needs, and plan for the upcoming two or three years before you purchase.
Get in touch with the vendors because these days every vendor wants to sell. They are willing to help the customers and willing to show them what they will get.
Make sure you evaluate properly many platforms. Don't just go with one vendor. Go with two or three vendors. Evaluate and then short-list and choose the best for you.
The rating has to have criteria:
- On performance, I would give Sophos UTM a 10 out of 10 rating.
- On price, it is a long discussion because you can get a discounted price if you are an integrator.
- As a user and a customer, I would give Sophos UTM a 9 out of 10 rating.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
IT Specialist at Arnett Carbis Toothman LLP
Sophos SUM allows us to manage over 50 devices from a central management console
Pros and Cons
- "Sophos SG has provided us with the tools to protect our networks, detect malicious activity, and customize security to our clients' needs."
- "SUM cannot manage app control. Improve app control system as a whole. Extend support for SG until XG has improved significantly."
What is our primary use case?
- Network border protection for clients and internal company
- It is used for small to medium-sized businesses and networks.
How has it helped my organization?
Sophos SG has provided us with the tools to protect our networks, detect malicious activity, and customize security to our clients' needs.
What is most valuable?
- Sophos UTM Manager (SUM): It allows us to manage over 50 Sophos UTM devices from a central management console.
- Creating rules, exceptions, and managing most features from SUM, and pushing to all or a section of devices as needed.
What needs improvement?
- SUM cannot manage app control
- Improve app control system as a whole
- Extend support for SG until XG has improved significantly.
For how long have I used the solution?
Three to five years.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
IT Security Specialist at a tech services company with 11-50 employees
It is a good source for IDS and IPS
Pros and Cons
- "The most valuable feature is the IPS, and it also protects us from malware."
- "The solution could be improved by adding cloud sandboxing."
What is our primary use case?
Our primary use case of this solution is IDS and IPS. We also use it for application availability.
What is most valuable?
The most valuable feature is the IPS. It also protects us from malware.
What needs improvement?
The solution could be improved by adding cloud sandboxing.
For how long have I used the solution?
Less than one year.
What do I think about the stability of the solution?
The stability is OK.
What do I think about the scalability of the solution?
The scalability is not something I have experience with because our organization is pretty lean.
How is customer service and technical support?
I have not used technical support.
How was the initial setup?
It was easy to set up and quite straightforward.
What other advice do I have?
When considering a new solution, I always make sure that there is good technical support. Also, the pricing is an important aspect.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Info Sec Consultant at Size 41 Digital
Allows our client to use cross-region AWS VPCs to connect remote dev offices
Pros and Cons
- "UTM 9 brings along IPSec as well as iPhone and iPad support. This seems small but it’s useful."
- "Nothing out of the ordinary these days, but the fact Sophos has such a big name and good support was a big plus for the client who already had a relationship with Sophos support."
- "We didn’t find any issues but I know there have been some in the last few years."
What is our primary use case?
A client wanted to trial Sophos UTM 9 before deploying it into a production environment because, historically, Sophos has not had the best of reputations in AWS. The client had used Sophos in other environments, hence they wanted to stick to what they know.
How has it helped my organization?
The solution allows the client to use cross-region AWS VPCs to connect remote dev offices.
What is most valuable?
Classic defence in depth, with layered features.
- SPI (stateful packet inspection)
- IPS
- WAF
- VPN capability with built-in load balancer
Nothing out of the ordinary these days, but the fact Sophos has such a big name and good support was a big plus for the client who already had a relationship with Sophos support. Also, auto-scaling of UTM workers using EC2 is a nice and handy feature.
UTM 9 brings along IPSec as well as iPhone and iPad support. This seems small but it’s useful.
Finally, Cold Standby CloudFormation script to one node, with persistent info in S3, is a convenient feature.
What's my experience with pricing, setup cost, and licensing?
We procured this solution via the AWS Marketplace because of BYOL (bring your own licence). That was the driving force behind the choice. In addition, they had test and production environments in AWS already so it was easy to get a sign-off.
What other advice do I have?
We didn’t find any issues but I know there have been some in the last few years. I can’t comment about Sophos on AWS previously but they seem fine now. There were no problems for our client so all I can comment on is the experience they had. I think it’s taken a little while for Sophos to get experience in solving problems with their product in the AWS environment, but they do seem to go the extra mile.
This solution rates an eight out of ten, based on our experience. Support was good. You will always find problems with installations so it does hinge on support.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Manager IT and Security at Health Street
Enables us to fully isolate an infected server or workstation with the click of a button
Pros and Cons
- "The isolation of infected machines is a big feature. Also, the ability to detect external sources that change files on a file server is really big."
- "For the features, how well it works, and how easy it is to use, I would give Sophos a ten out of ten."
- "It does have built-in policies, which enable you to disable USB devices, etc. It would be nice if they had more policies because there are not that many of them."
- "The biggest issue with Sophos is the pricing. It's definitely more expensive."
What is our primary use case?
Threat management for servers is our primary use case. We're not using it on all workstations, just a few. We're primarily using it on servers.
The version we're using is fully in the cloud, not on-prem.
How has it helped my organization?
We don't have to worry about viruses anymore. Before Sophos, we didn't have anti-virus at all because we're a newer company and we're just now starting to get into business-level stuff. When we installed it on a few of the users' machines, we saw that they did have very minor infections - they downloaded something they shouldn't have, something that could have hurt the computer. We were able to say, "Well, we're glad they didn't click on that."
What is most valuable?
The isolation of infected machines is a big feature. Also, the ability to detect external sources that change files on a file server is really big.
The third key feature is something called EDR. It's a type of advanced file analysis. If you aren't sure what a file is you can click on it and it will upload a sample to Sophos and it will respond saying, "That's malicious," or "Not malicious." You can see every individual file and registry key that that file has ever interacted with, and what they did. It will show you every single thing it's done to the machine so you can clean up everything or check everything that it has ever touched. You don't have to worry about, "Oh, did I clean everything up?"
What needs improvement?
It does have built-in policies which enable you to disable USB devices, etc. It would be nice if they had more policies because there are not that many of them.
For how long have I used the solution?
Less than one year.
What do I think about the stability of the solution?
In terms of stability, it's definitely top-notch, a market leader. The ability to do things and the availability of it being online aren't an issue.
What do I think about the scalability of the solution?
It seems very scalable. All you do is install the client, and it pulls it in. You don't have to actually have more Sophos servers running. It all goes back to their central, cloud-based platform, which is nice.
How is customer service and technical support?
I haven't had to use Sophos' technical support.
How was the initial setup?
The initial integration and configuration of Sophos in our AWS environment was incredibly easy. They give you a license key and a file. You download that file on the operating system type that you're trying to install it on. Install it and it's done. There's nothing else at all to do. It gets auto-configured for you.
What was our ROI?
We haven't seen ROI because we just got it two or three months ago. Over time we will.
What's my experience with pricing, setup cost, and licensing?
The biggest issue with Sophos is the pricing. It's definitely more expensive. We looked at Webroot, which is a big alternative, and Sophos was almost three times the price of Webroot. That's a pretty big difference.
We actually went with both Webroot and Sophos. We went with Webroot for most of the client machines. We're only using Sophos for the servers and the really important client machines, like the ones the managers use. That way, we can split our cost up a little bit.
Which other solutions did I evaluate?
We looked at Webroot, primarily. That was pretty much the only one we evaluated that was even close to being a competitor. We did look at a few others, but we didn't even do the trials because Webroot and Sophos offered so much more.
Webroot seemed really nice for Windows, but we have a lot of Macs. Our servers are Windows, and we definitely went with Sophos for the servers because it has a little bit more capability with Webroot.
An example would be that if you have a file server, it will actually detect if a source is changing stuff on the file server. Suppose that a client was connected to them. That client wouldn't even need protection. Sophos is smart enough to understand, "Hey, a client just uploaded this virus." Webroot wouldn't do that. Sophos also lets us do full isolations of the servers or workstations. So if something gets infected, we can isolate that machine with the click of a button, clean it up, and then release it back into the network. That's not something Webroot was capable of handling either. Those were two big things to us because both of those features stop viruses from spreading.
Everyone's going to get infected at some point. We just want to stop the spread as soon as possible.
What other advice do I have?
If you're running a full Windows-based shop you're going to have a lot more options, so make sure you shop around. If you're running a Mac-based shop like we are, Sophos is definitely the way to go. Just make sure you can afford it.
Regarding how well Sophos integrates with other products, so far we haven't integrated it with anything. We have it on the servers and we have it scanning our Amazon accounts, but that's it. The integration with Amazon is cool. Maybe they could work on that because it seems like a newer feature. You can see what's available but not really do anything yet.
For the features, how well it works, and how easy it is to use, I would give Sophos a ten out of ten. Overall, I would give it a nine because it is very costly compared to all competitors.
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
CEO & Co-Founder at Advisor Consulting Group
Application Control should be able to be managed with users; however, we now have a protected, standardized network.
Pros and Cons
- "This is where Sophos vendor outclasses every other vendor."
- "Sophos UTM has many improvements that I would suggest, but the main one is for the Application Control to be managed with users as well, and with timeframes (schedules) for the administrator to allow certain apps outside a specific timeframe, or vice versa."
How has it helped my organization?
Our datacenter cloud services such as email, and web services for internal and external use, had to be protected with different systems and the web services were left really unprotected, since we used a standard IPS/IDS to protect ourselves from web attacks (from the outside) which nowadays are really sophisticated. Also, we had to employ many work hours to have a protected, standardized network. With Sophos EndPoint and Sophos UTM, we simplified and also protected our network at the same time, with less work force.
What is most valuable?
The web filter and the ATP (Advanced Threat Protection) are great and easy to manage, and the integrated WAF (Web Application Firewall) allows the administrator to seamlessly protect HTTP/S services without having to pay thousands of dollars. The just introduced Sandstorm system for protection, is awesome as well.
What needs improvement?
Sophos UTM has many improvements that I would suggest, but the main one is for the Application Control to be managed with users as well, and with timeframes (schedules) for the administrator to allow certain apps outside a specific timeframe, or vice versa.
What do I think about the stability of the solution?
No issues encountered.
What do I think about the scalability of the solution?
The scalability is awesome as when you need the network protection systems to grow immediately, you just activate and license the exact same box, and configure it in cluster mode for Active-Active mode in Cluster/High Availability.
How are customer service and technical support?
This is where Sophos vendor outclasses every other vendor. They have grown so much throughout the last four to five years, but they have grown as well in their capability to attend support cases. We've had some really advanced cases, and we have never been forgotten or left behind.
Which solution did I use previously and why did I switch?
We used a commercial product, Untangle, with our own brand called Rhino Box. Untangle did not invest in the development of features as we expected, such as the adoption of IPSec VPNs (they had it but very limited), and IPv6. This was what made us do research for our SMB/Enterprise market offering. We tried out Sophos UTM (recently purchased as Astaro UTM) and it was really easy to deploy and came with Sophos Support, which is awesome.
How was the initial setup?
The initial setup is straightforward. Sophos brand is well known in the market for being a unique and powerful tool that is simple to deploy and manage. This is what makes it different from any other vendors. The Sophos UTM comes with a deployment "Wizard for Dummies" since it shows the wizard at the initial setup, and in less than three minutes, you can have your box up and running. Also for Policies deployment, you are clicks away to customize your security settings.
What about the implementation team?
We always deploy by ourselves, so that way we can test how the customer will see the initial implementation. Our main advice is to read the manual, and follow the wizards that come with each tool. Also, it is strongly recommended to have a professional firm contracted for the initial setup, and support, as we are, to design, and help with any kind of implementation issues.
What was our ROI?
The ROI is in 12-16 months, since with this kind of tool, we deliver the best of breed protection, and increment the focus of the end user, in being productive.
What's my experience with pricing, setup cost, and licensing?
I recommend you get the three year licenses, since Sophos offers three years for the price of two. I would also recommend that you acquire any Sophos Licensing with Professional Services added, that way, you'll have the best experience possible.
What other advice do I have?
They have supported our business venture since 2010, and will do so for many years. We have closely studied the different product portfolios, and each one of them is carefully developed.
Disclosure: My company has a business relationship with this vendor other than being a customer. We have been a Gold Partner since 2010.
Data Department Manager at BTC Networks
As both a firewall and UTM it's perfect, however, sometimes with setting up the spam filters there is an issue.
Pros and Cons
- "As both a firewall and UTM it's perfect."
How has it helped my organization?
As we are a solution provider and not product oriented, we give the best solution for our customers, with a good price. We are the number one company in the region, BTC, and operate in Egypt, Iraq, Jordan, Lebanon, and Saudi Arabia.
What is most valuable?
As both a firewall and UTM it's perfect.
What do I think about the scalability of the solution?
No issues encountered.
How are customer service and technical support?
Customer Service:
For me, the customer satisfaction, and awareness, is the most important thing. I usually train all my clients on their chosen system.
Technical Support: 10/10.
Which solution did I use previously and why did I switch?
As we are a service provider, we offer various other products to our customers:
- Astaro ASG
- Avaya/Netscreen
- Fortinet
- HP Switches & WiFi
- Juniper SSG
- Juniper SRX 210 & 240
- Juniper WXC
- Sophos next generation SG, including RED, SG, and WiFi
- Telindus Crocus E1Q
How was the initial setup?
For me, the installation and setup is simple. I work hard to do the simulation for the customer, and discuss all the requirements before implementation with the client.
What about the implementation team?
One project I implemented Sophos for was a bank. I had to involve the Sophos team as the client was asking for WAF in transparent mode with HTTPS inspection. They were 10/10.
Which other solutions did I evaluate?
Prior to Sophos, it was mainly Juniper and Fortinet.
What other advice do I have?
Give us 10 minutes of your time, and we will show you the differences. When I do presentations, I give potential clients demo access to the solution(s) I am presenting.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Asst General Manager(C&IT) at NMDC Ltd
It improved bandwidth utilization and provided link load balancing features for internet and intranet lease lines
Pros and Cons
- "It improved bandwidth utilization and provided link load balancing features for internet and intranet lease lines."
- "A nice UTM appliance with a good GUI and reports."
- "Initially, there were issues with the wireless network as wireless access points were disappearing from the dashboard after some time."
- "Initially, there were problems of wireless access points not getting detected and lease lines were getting disconnected after one hour."
What is our primary use case?
We were looking for a solution which provided a single view for both a wired and wireless network. We were previously using the Cyberoam 200ia firewall appliance and wanted an appliance which could support 1500 to 3000 corporate users. The solution also required a wireless access controller scalable to at least a 125 second wave 802.11ac wireless access point. We purchased a Sophos XG 450 appliance with Sophos wireless access points.
How has it helped my organization?
It improved bandwidth utilization and provided link load balancing features for internet and intranet lease lines. It also provided good security for internal users.
What is most valuable?
- A good package overall
- A nice UTM appliance with a good GUI and reports.
- Configuring web access controls in the appliance is a bit typical and requires debarring and listing separately. Once configured, the solution works beautifully.
What needs improvement?
Initially, there were problems of wireless access points not getting detected and lease lines were getting disconnected after one hour. Sophos replaced the appliance, but the issue was not resolved. The matter got escalated to their international support and the issue was identified as a bug where long distance fiber connections are used over single mode fiber. The patch was shipped by Sophos with a promise to fix the issue in the next release.
Now, the appliance is working fine. The issue of wireless access points was due to some compatibility issues with the D-Link switch. I provided the Cisco 2900 series switches to connect to the wireless access points by creating a separate wireless LAN port on the firewall.
For how long have I used the solution?
Less than one year.
What do I think about the stability of the solution?
Initially, there were issues with the wireless network as wireless access points were disappearing from the dashboard after some time. Later issues were resolved by connecting the wireless access points through Cisco switches.
What do I think about the scalability of the solution?
No scalability issues.
How are customer service and technical support?
Support is very good.
Which solution did I use previously and why did I switch?
We used to use Cyberoam 200ia. It required an upgrade due to end of life and the changed requirement of its organisation.
How was the initial setup?
The initial setup was complex as different VLANs had to be created for the business network, wireless network for corporate users, wireless network for guest users, and a separate VLAN for the communications network and the VC. QoS had to be enabled for different types of services. In addition, link load balancing was also configured and tested for internet lease lines and intranet MPLS lease lines.
What about the implementation team?
We implemented through a vendor team, and their expertise level was good.
What was our ROI?
ROI has yet to be calculated.
What's my experience with pricing, setup cost, and licensing?
We purchased the appliance with five years onsite support and licenses.
Which other solutions did I evaluate?
FortiGate 1000D.
What other advice do I have?
In India, Cyberoam, which has been taken over by Sophos, has a vast support network and loyal user base. Migration to Sophos was the logical path. Further, pricing for the upgrade was very competitive as Sophos wanted to retain existing customers.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
IT SM & Security Consultant at a tech services company with 1,001-5,000 employees
Sandstorm protects against crypto viruses in real-time
Pros and Cons
- "Advanced protection (Sophos Sandstorm) - Protects against crypto viruses in real-time."
- "The most valuable features are Web Protection - Protects you against problems originating from the internet, Advanced protection (Sophos Sandstorm) - Protects against crypto viruses in real-time, Email Protection - Really strong anti-spam, and REDs (Remote Ethernet Device) - Connects you from a remote workplace to your source network."
- "There is still room for improvement in wireless protection. I don't mean their WiFi device is bad, but there are still things to improve on, such as WiFi roaming."
How has it helped my organization?
We replace customers' old and expensive devices such as firewalls, anti-spam, etc. with Sophos, as it has all these features. You don't need four boxes if you can have all these features in one box.
What is most valuable?
The most valuable features are:
- Web Protection - Protects you against problems originating from the internet.
- Advanced protection (Sophos Sandstorm) - Protects against crypto viruses in real-time.
- Email Protection - Really strong anti-spam.
- REDs (Remote Ethernet Device) - Connects you from a remote workplace to your source network.
What needs improvement?
There is still room for improvement in wireless protection. I don't mean their WiFi device is bad, but there are still things to improve on, such as WiFi roaming.
For how long have I used the solution?
Three to five years.
What do I think about the stability of the solution?
No issues with stability.
What do I think about the scalability of the solution?
No, everything works perfectly.
How is customer service and technical support?
They have consultants who can help you quickly.
How was the initial setup?
You can use the wizard which will guide you through all the initial settings.
What's my experience with pricing, setup cost, and licensing?
Sometimes more is less, meaning if you want more than three features, take the FullGuard licence.
What other advice do I have?
We do not use this on AWS.
Before implementing the SG appliance, completely prepare the rules for your network; know what and where you want to implement.
Disclosure: My company has a business relationship with this vendor other than being a customer. Gold Partner.
Updated: May 2026
Sophos UTM has offered cloud sandboxing for several years. Sandstorm matured in 2017 and now would be a valuable addition to your company's security.