For example, when viewing the traffic report through the web interface, it displays in GB. Any of the export options (CSV, PDF, Email etc) display the units in bytes. That's aweful

It would be nice for administrators to be able to view logs on who released certain emails from the quarantine. You can view who released the email if it is an administrator; but only by contacting support. Incorporating this into the admin UI would be very helpful and save time.

My idea would be to exclude content feeds as counting towards the Total browse time for a user and possibly an option to exclude them from the reporting altogether. They give a false report on how long a user has been on the website and what they are looking at. Also if a user has minimised the browser window and is actually working, the reporting is still counting as if the user is using the website and secondly if we disconnect from the terminal services session the reporting still counts towards the total browse time as well which is misleading.

Users are added in their departments so that we can easily monitor them. However, when we want to access the report through web interface by pointing to their departments, they disappear. On the other hand if I request for all departments, they appear. What might be the problem?

Easily identify what traffic and IP is going out via each Interface port. I have spent a month with support trying to resolve this and the answer was to enter in into here, which I find crazy that it doesn't exist.
Example in simple terms - identify all traffic that is going out via Interface 5 in one place, not guesses or purchasing another product!!

Logging and Reporting - Web Security

Would love the ability to run reports based off of AD/eDir backend groups. Either by adding this functionality separately or by allowing the addition of backend groups to the ASG's built-in "Departments".

Complete Report for Network Usage and Remote Access
in active passive mode
without holes due to appliance in ***** state

Improve reporting features. I need to have a report that shows machines that have out of date virus definitions. That seems like a standard report that should already be included. Especially since this is the type of information that auditors request.

The UTM weekly executive report breaks down VPN usage by user. After confirming with Sophos support, it appears there is no way to shed light on what those VPN users are doing.

I need a report that tells me what services VPN users are using while connected to the VPN.

Generate an email alert for high CPU and RAM usage

It would be nice to be alerted via email (or other methods) when the CPU usage or CPU usage of the Sophos appliance gets above a certain threshold. We have had issues where our customers suffer from slow internet speeds that are caused by high device utilization. It would be nice to be alerted to this.

Policy Violators’ report does not show all reason for blocked traffic.
For some it leaves blank. For example "connection reset by peer" or connection refused. If this occurs you then have to check the http log. So it would be good to have these included in the report

It would be good to break down the web usage by time bands. This would allow us to see which users where doing what on the web at specific times.
Thanks

As the Interfaces, but more specifically the WAN interface, is monitored for it's availability on the UTM, it would be good if this could be expressed as a CQM style graph indicating any drops in connectivity.

Ideally this would be true CQM that would indicate packet loss on WAN connection etc, but initially just connection state would be good! (Seems a waste of data otherwise)

Very interesting tool for tracking latency over time.

Filter out the internet analytics and services so that web usage reporting in only showing the 'real' websites visited instead of muddying the waters with all the analytics and services information. If if this could be hidden on the export of the report to managers etc...

In the email that is sent notifying of a Portscan include the Ports that were scanned and the Destination IP address that was scanned?

Example of Current E-Mail that is sent.

A portscan was detected. Details about the event:

Time.............: 2015-01-05 20:48:46

Source IP address: 222.208.119.169 169.119.208.222.broad.lz.sc.dynamic.163data.com.cn

--
System Uptime : 0 days 9 hours 58 minutes
System Load : 0.10
System Version : Sophos UTM 9.305-4

Please refer to the manual for detailed instructions.

Index any machine data regardless of format or location--logs, clickstream data, configurations, sensor data, traps and alerts, change events, the output of diagnostic commands, data from APIs and message queues, and even multi-line logs from custom applications. With no predefined schema, data can be indexed from virtually any source, format or location. Then it's available for troubleshooting, security incident investigations, network monitoring, compliance reporting, business analytics and other valuables uses. I'm sure a deal could be worked out with them, you get 500mb/day of indexing for free

The executive report could show the attacks detected and blocked by the WAF.