Easily identify what traffic and IP is going out via each Interface port. I have spent a month with support trying to resolve this and the answer was to enter in into here, which I find crazy that it doesn't exist.
Example in simple terms - identify all traffic that is going out via Interface 5 in one place, not guesses or purchasing another product!!

Logging and Reporting - Web Security

Would love the ability to run reports based off of AD/eDir backend groups. Either by adding this functionality separately or by allowing the addition of backend groups to the ASG's built-in "Departments".

Complete Report for Network Usage and Remote Access
in active passive mode
without holes due to appliance in ***** state

Improve reporting features. I need to have a report that shows machines that have out of date virus definitions. That seems like a standard report that should already be included. Especially since this is the type of information that auditors request.

The UTM weekly executive report breaks down VPN usage by user. After confirming with Sophos support, it appears there is no way to shed light on what those VPN users are doing.

I need a report that tells me what services VPN users are using while connected to the VPN.

Generate an email alert for high CPU and RAM usage

It would be nice to be alerted via email (or other methods) when the CPU usage or CPU usage of the Sophos appliance gets above a certain threshold. We have had issues where our customers suffer from slow internet speeds that are caused by high device utilization. It would be nice to be alerted to this.

Policy Violators’ report does not show all reason for blocked traffic.
For some it leaves blank. For example "connection reset by peer" or connection refused. If this occurs you then have to check the http log. So it would be good to have these included in the report

It would be good to break down the web usage by time bands. This would allow us to see which users where doing what on the web at specific times.
Thanks

As the Interfaces, but more specifically the WAN interface, is monitored for it's availability on the UTM, it would be good if this could be expressed as a CQM style graph indicating any drops in connectivity.

Ideally this would be true CQM that would indicate packet loss on WAN connection etc, but initially just connection state would be good! (Seems a waste of data otherwise)

Very interesting tool for tracking latency over time.

Filter out the internet analytics and services so that web usage reporting in only showing the 'real' websites visited instead of muddying the waters with all the analytics and services information. If if this could be hidden on the export of the report to managers etc...

In the email that is sent notifying of a Portscan include the Ports that were scanned and the Destination IP address that was scanned?

Example of Current E-Mail that is sent.

A portscan was detected. Details about the event:

Time.............: 2015-01-05 20:48:46

Source IP address: 222.208.119.169 169.119.208.222.broad.lz.sc.dynamic.163data.com.cn

--
System Uptime : 0 days 9 hours 58 minutes
System Load : 0.10
System Version : Sophos UTM 9.305-4

Please refer to the manual for detailed instructions.

Index any machine data regardless of format or location--logs, clickstream data, configurations, sensor data, traps and alerts, change events, the output of diagnostic commands, data from APIs and message queues, and even multi-line logs from custom applications. With no predefined schema, data can be indexed from virtually any source, format or location. Then it's available for troubleshooting, security incident investigations, network monitoring, compliance reporting, business analytics and other valuables uses. I'm sure a deal could be worked out with them, you get 500mb/day of indexing for free

The executive report could show the attacks detected and blocked by the WAF.

I would like a report that shows which users have download what file types (e.g. executables, videos etc.). Showing from where they were downloaded would be good to have as well.

Since version 9.2 it easy to have the statistic in the Web filtering log to make some interesting stats on cache.

Cached= to know if the web object was take form disk cache
dnstime=0 the dns resolution was made from cache
cattime=0 the categorization is made form SXL cache
With the name of the UTM -1 or -2 in the log you can know how much the charge is balance between the cluster.

I think this could be a interesting widget stat in the main dasboard.

Thanks you

Could be nice if the SUM is reinvented so that SYSLOG traffic is sent to SUM and the SUM can be connected to iView OR SUM can configure UTM's SYSLOGGING service to point all to Sophos iView appliance.

Currently, Sophos show the total time that a user spent on sites, but will be interesting that shows the hour when user was on sites.