Hi,
Since a couple of months we working with you UTM product... and I love it.
I have one missing point in the UTM.
We are a dutch company with a lot of employees who have difficulty reading English reports or can not read them at all.
It should help this users if the blockpage was displayed in there own lanquege.

This can be achieved by providing blockpages multilingual (seems to me to be impossible for you), making them editable (everyone can store their own messages) or creating the option to make a link to a custom page for each block page

Coming from another vendor one of the features I like/had was that I could block categories within YouTube. We are a School District that needs to access YouTube (YouTube for Education has limited content). It would be nice to setup a policy or rule to be able to block these YouTube Categories.

Currently available categories are:
• Film
• Autos
• Music
• Animals
• Sports
• Shortmov
• Travel
• Games
• Videoblog
• People
• Comedy
• Entertainment
• News
• Howto
• Education
• Tech
• Nonprofit
• Movies
• Moviesanimeanimation
• Moviesactionadventure
• Moviesclassics
• Moviescomedy
• Moviesdocumentary
• Moviesdrama
• Moviesfamily
• Moviesforeign
• Movieshorror
• Moviesscififantasy
• Moviesthriller
• Moviesshorts
• Shows
• Trailers

There could be another rule that if its not categorised then it blocks it or select an option to warn or allow.

Also perhaps the ability to change a video category like you can with domains?

https://developers.google.com/youtube/2.0/reference#YouTubeCategoryList

Reason: Google forces more and more websites to HTTPS by punishing HTTP-only sites with a bad search ranking. In such a case proxy SG only sends the auto generated certificate to the user, which results in an unclear and ugly certificate error message by the browser to the user. This can be prevented by creating a signing certificate in the internal PKI, where the proxy SG must send this signing certificate to the user. Creation of the signing certificate is out of your scope, but it will be an internal certificate, valid to the internal organization only. Sending this signing certificate to the user/browser is in your scope. Therefor this request to send the full CA chain to user/browser in case the proxy generates a certificate for a non-existing or forbidden HTTPS-site.

Remark: this request is similar to https://ideas.sophos.com/forums/17359-sg-utm/suggestions/3044210-https-scanning-have-proxy-provide-certificate-cha, but differs in 2 main aspects:
1) in our request we only request for the full CA chain when sending error messages that would otherwise invoke an invalid certificate response by the browser.
2) in our request the signing certificate is generated by an internal PKI, dedicated to the internal users only.

When using - Skip transparent mode destination hosts/nets
with Allow HTTP/S traffic for listed hosts/nets checked, not only hosts which are in Allowed Networks can reach this destination hosts. So if you have a public WLAN which is not in the Allowed Networks Web Filtering, everyone in this Network can reach the destination hosts.

The automatic Rule Allow HTTP/S traffic for listed hosts/nets should only allow the
Hosts in Allowed Networks to solve this security problem.

If you dont want to change this behavior please remove the Allow HTTP/S traffic for listed hosts/nets_ Feature for security reasons.

General firewall design:

You should include the Proxy in the network rules.

The existing design of the sophos firewall is really bad and unflexible and leads to unsecure configurations. I am sure it is much easier to use finished open source software and only create a GUI but this will be the reason why we will change to another firewall manufacturer in the future.

first i have send this to the sophos premium support.
after 18 days i got an answer i should create a feature request.

A report per user or source for the accessed URLs (Full URL) not just the accessed sites.
And Example showing Reason behind this:
Users can abuse the system advising they are using youtube for work related research while they actually streaming music videos or watching comedy stand ups.
And since they have access to youtube, when we pull a report. it will show that the user has access the website but no details about the full URL, that point to the specific video he was watching.
If we go from the web protection report, the information are already there which can be copied and dumped in an excel spreadsheet and pin point it.
However this practice is painful and time consuming.

Which there's a report where you can select the user and export all the Full URL they have accessed.

Best Regards