Sophos UTM vs Untangle

UTM or Unified Threat Management devices are becoming more and more popular as businesses and corporations have realized in the past couple of years that a simple tradition firewall of allows and denies is not adequate any longer.  Hackers and attacks have become more sophisticated and the attack vector has broadened with the ever increasing “connected” state of most individuals these days with mobile and other devices.

I have long been a fan of Untangle as a UTM and now as its branding as NGFW or Next generation firewall which in most senses is just a different way to brand UTM.  However with more companies offering really good free firewalls and UTM’s I have been on a hunt and compare between Untangle and others out there.  Recently I was turned onto the Sophos UTM appliance that is a free download from Sophos for home use.  The home use license includes almost all of the full blown functionality with the limit of 50 IP addresses as well as Sophos Endpoint Protection for up to 10 computers.

I have to say I wasn’t expecting a whole lot as far as being close to Untangle’s free offering, but I was really blown away at the functionality of the Sophos UTM appliance and have since swapped out my Untangle box in favor of the Sophos UTM appliance in my home network.  Let me detail a few of the comparisons and my thoughts between the two firewalls/UTMs.


Both Untangle and Sophos have pretty rock solid installers, both being 64-bit capable and both can run well inside of a VM environment.  The install time for both appliances on my older VMware environment seemed to be on par with one another.  Untangle much like the GUI interface looks more polished in the install environment while the Sophos installer looks like the “blue background” linux installers that we are used to seeing for the most part.

The ISOs for the latest versions of both UTMs are very similar in size with the Sophos ISO for 9.304 being around 100MB larger than the Untangle 11 ISO.


For starters the management differences and similarities between the two – Untangle can be managed from the actual console of your physical appliance or your virtual appliance, while Sophos requires that you have another machine that can connect to the WebUI management interface in order to manage.  This isn’t really that big of a difference since I imagine most admins are managing their UTM devices remotely from a management workstation any way, but it is a difference that is worth mentioning as sometimes it is handy to be able to just open the KVM console and connect to your machine to perform a task if need be.

Overview comparing the systems

Both Untangle and Sophos are what I would call polished interfaces.  However, Untangle definitely stands above on the look of the interface with the rack system design and clearly defined buttons on the rack modules which can activate and deactivate functionality.  The Sophos interface feels more like a webpage that is driven from a menu system.

I would say that both systems have functionality which is buried under non intuitive locations.  However, one of the strengths of the Sophos interface is the Search feature that is located on the top left of the interface.  If you don’t know where a menu that you are looking for is located, you can type in the keyword in the search box and it will pull up the menu for you!  That is a brilliant design IMO.  However, one flaw of this is that it doesn’t find everything.  It won’t find words or other smaller menus that are a sub tab from a menu for instance.  It will only search and filter for the major keywords on the left hand menu from my testing.  I will keep playing with this however and see if there is a way to broaden this feature possibly?


Also, just my initial feel between the two systems, the Sophos UTM just feels like a more secure enterprise system out of the box compared to Untangle.  Untangle really doesn’t block much of anything out of the box, whereas the Sophos UTM basically blocks everything out of the box with the few exceptions that you allow on the initial install wizard.

With that being said, getting things working after an initial install of Sophos is much harder than Untangle.  For the most part, you can just stand up an Untangle box and network traffic continues to flow as long as network values are set correctly.  However, with Sophos, due to the nature of how it blocks everything out of the box, you may find yourself spending quite a bit of time poking holes in the firewall rules or adding other exceptions to allow certain traffic through.

Also in my opinion of comparing the two and how they work, changes made in network settings or other rules in Sophos are much quicker to apply than Untangle.  I have had issues in general since version 10 with making changes to any network settings and applying those changes.  It can take several seconds for changes to commit and then I have had traffic interrupted in the process.

With Sophos, I have not had these issues.  Also in their free versions, you get more with the Sophos UTM than Untangle.  Most of the really good stuff with Untangle is in the pay modules.  That is not the case with Sophos as basically there are no limitations in the key functionality besides the IP address limitation and some branding limitations.

The threat protection you get with the free Sophos UTM is much better than Untangle.  Not only will the Sophos system do dual scan virus scans with either the Sophos or Avira antivirus platforms, but included with the free home license, you get full Sophos Endpoint protection for up to 10 computers.  So essentially you are getting enterprise class virus scan software for your Windows computers for free with this UTM.

Also, I see further features in Sophos that you don’t get with Untangle, such as a web application firewall built in if you are running a webserver(s).  This WAF filters threats such as protocol violations, protocol anomalies, request limits, http policy, bad robots, generic attacks, sql injection attacks, xss attacks, tight security, trojans, and outbound threats.  Sophos WAF acts as a proxy in front of your real webserver to proxy traffic.

In the remote access field, there are hands down way more avenues for remote connectivity with the Sophos UTM than Untangle.  With free Untangle you get OpenVPN and that is it.  The IPSec VPN unfortunately is a pay for feature.  With Sophos you get Remote Access – SSL, PPTP, L2TP over IPsec, IPSec, HTML5 VPN Portal, and Cisco VPN client.  Also, you can download a full featured VPN client from Sophos to load on your Windows client to connect to the UTM.

From my testing, the logging and reporting that is found in the box with Sophos is better than Untangle.  I really like that most of the filters in Sophos, you have a “Live” view log that you can open and watch traffic live as opposed to a refresh interval with Untangle.  Also, the logs aren’t as intuitive as they are in Sophos.  Also, with Sophos a killer feature is the built in notifications where you can have your Sophos UTM email you when you have a failed web login, SSH login, system reboot, service restart, IPS alert, advanced threat management alert, firewall block, etc, and the list goes on.  That is killer.  I love notifications and the more information that can be gathered and proactively generated from the system the better.

Sophos has also made country blocking an easy thing to do.  With Untangle there is no feature that fills this need.  I have looked on Untangle forums and the answer I see given many times, is that it is a bad idea to block certain countries.  However, the bad thing for that type of response is that some companies and their compliance mandates that certain policies are employed which may include blocking certain countries, so it is a nice feature to have in the box when you need to have it.  Sophos has made this extremely easy with a very intuitive interface for blocking certain countries or whole geographic regions.

Final Pros and Cons


UPDATE 2/29/2016 – Untangle now offers a home use license for $5/mo or $50/yr which gives you the Untangle NG Firewall complete package with all the modules available with no limitations.  This may be a game change for some as Sophos currently has no affordable home solution that removes the 50 IP Address limitation.  I will follow with a post on Untangle 12 in the near future.


  • Easy, to install, easy to use, nice streamlined interface
  • VM friendly
  • Can be controlled from the console
  • 64 bit capable
  • Offers free tools and capabilities
  • Just works out of the box without much tweaking


  • Doesn’t block much out of the box
  • Watered down features in the pay version
  • No notifications built in, reporting is so so
  • Remote connectivity is limited in free version
  • No built in Web Application Firewall or country blocking



  • Easy to install, easy to use, interface is menu and web driven
  • GUI has a search feature which is very nice
  • 64 bit capable
  • VM friendly
  • The free tools and capabilities are very powerful and are actually most of everything you get in the pay version
  • Free endpoint protection with virus scan for 10 computers
  • Awesome remote access tools
  • Very powerful firewall


  • Steeper learning curve
  • Things on your network won’t just work after you plug in the Sophos UTM
  • 50 IP limit in the free version
  • No console management

The winner is?

The verdict for the winner of a home UTM device for features, power, and capabilities from my recent review of both products is Sophos by a slight margin.  As always it depends on your use case and features/functionality you need for a particular environment.

Back to top button