Actually there is only a client isolation between Clients which are not connected to same Sophos AP.
There should be a solution where all clients are isolated, even when they are connected to same AP.
Meanwhile the restriction should be mentioned in the online help of wireless protection.

I hope that Sophos will update their current AP products to WPA3 and not only ship new hardware with a WPA3 certification and firmware. The release of WPA3 is planned for late 2018 and would be a great addition to existing hardware installations.

Reply by Sophos support, currently client isolation will only working between client connecting to the same radio (e.g. they must be all connected to 2.4 Ghz/5 Ghz only).
It would be the best if client isolation also work between client connecting to different radio.(e.g. client can be connected to both 2.4 Ghz or 5Ghz)

I would like to delegate the voucher administration task to someone in 1st-level IT support. This is not possible with the current firmware. The user portal settings are global. It can not be set different "rights" for individual users, so that a particular user sees only the voucher page and may not administer the UTM.

UTM needs to be able to mange the new APX access points (maybe at a reduce functionality) - all the literature says the XG can be nothing able the UTM being able to- this allows a UTM user to upgrade to XG at a later

Please add a posiblity to change the channel width in the Wireless Protection. AP55c uses 80 MHz wide channels by default which is unwanted in an office deployment.

Need to be able to schedule firmware updates of WAPs.
Currently they happen randomly (at least out of any control) and therefore can happen during normal operating hours.

The UTM's wireless logs should show when a client authenticates with the password of the day and not just with the wireless network itself.

It would be nice for the password of the day to be scanned upon generation for inappropriate words/profanities as this can come across/give bad impression for a business. Although this is unlikely to happen it has happened and my Director was not very impressed?

The customer want to use the API to generate voucher password for guest user logon, they want to design the web portal for guest user to apply and get logon password, but we can't found out the syntax on the RESTful API can support this applied.

After spending a great deal of time trying to get this working in my current VLAN environment.

I eventually found an obscure line in the online help file that says: "Synchronize password with PSK of wireless networks (only with Hotspot type Password of the day): Select this option to synchronize the new generated/saved password with wireless PSK for separate zone networks."

This should be supported by the VLAN network in a corporate environment by default.

It should be made possible to use a path in Site Path Routing with more than 63 Characters. Especially for more complex CMS Servers, this limit is reached far too soon.

Log mac addresses that connect using the hotspot feature. Regulations in UK require us to be able to provide evidence whether a certain MAC address has connected to our guest wifi facility in the last 6 months

We have a “Password of the day” Hotspot, where we send the password of the day by email to our teachers. If there would be a possibility to add the password as QR Code, the teachers could project the mail at the beamer and the students could copy the password from there instead of typing it into their Smartphones.

Many customers have non-Sophos APs but would like to use some Wireless Protection feature. Therefore it would be nice if a small choice of Wireless Protection features were available for non-Sophos APs.

What about the implementation of band-steering in Wifi ? That would be very helpful and the other manufacturers (AVM, LANCOM...) still have it.
band-steering:
Band steering is a technology that detects whether or not the wireless client is dual-band capable, and if it is, it will push the client to connect to the less congested 5GHz network. It does this by actively blocking the client’s attempts to associate with the 2.4GHz network. Since both 802.11n and the latest 802.11ac standards support 5GHz band, band steering can ensure that they achieve their maximum performance without being bottlenecked by legacy 802.11b/g clients.

"Terms of use" could not be translated on login-page.
The variables on voucher (limits) could not be translated ("day" "none") in other languages.

You really need a way to restart individual Wireless Access Points without having to reboot the whole gateway. Thanks.