As long as you open a https page via browser you may see that there is an ssl verification error and xg did block traffic.

as tls verification is also implemented in FTPS (Scan FTP for Malware) you wont get any message on fails, you just can imagine that traffic won't pass because of an tls error.

same if https is use by applications e.g. internal software updates

When setting up XG 17.5 for the first time, all unconfigured interfaces are bridged with LAN :-(

VERY annoying, because when you want to disable the bridge, you need to unbind one interface, assign a new ip on the unbinded interface and assign LAN zone to that interface. The you can switch port to the new interface and login to remove the bridge. NOT GOOD.

When bridge is needed, we can easily configure it, when doing it from port 1 ourselves ;)

Please give us the option to automatically send an email alert to the admins, when a user visits a website that has a virus detection. I think this is the best way to get quickly imformed about an security incident. Not maybe a week later via reports.

Ability to edit a service, like changing port numbers on a service, that is in use in multiple business rules. Currently you can't change udp from port 9000 to 9001 and it update in the business rules it applies to. You have to remove the business rules first to edit the service or create a new service. This is a much bigger process. As an Admin I want to click the service, edit change, done. We are not end users, were are admins.

You should enable the option to add a schedule to a rule DNAT

In Cyberoam you had a separate section to create/edit NAT Policies. It looks like the only place is when you are creating the FW Rule itself.
You can not
* rename the NAT Policy
* delete a NAT Policy
It would be good if this was available in a section/tab (rather then hidden with a FW Rule)

Time base restriction on business application rules on XG firewall for external to internal traffic

for Web Protection it would be good to have the option to download / exclude certificates for certificate Validation (Block invalid certificates in General Settings).
the setting like we have in SWA is missing in XG: http://wsa.sophos.com/docs/wsa/webhelp/swa/tasks/ConfigGlobalPolCertValidAddFromWeb.html

When a user clicks on the "Enable Filter" link on the Firewall page, the user should have an option to filter rules by IP address or Host object or Group object. It shouldn't be this difficult to find the rule I'm looking for in the UI.

Nat on a different TAB, like SG version,
It will be great to use and categorize rules by selecting NAT SNAT,DNAT,1:1 NAT.

Encryption of File, needed especially when emailing backups

Currently unable to add an IPv6 address to a VLAN interface when the physical interface doesn't have an IPv6 address.

add the option Surfing Quota in actions in the policies of the web protection as already exists in the UTM

If you enter a description in a firewall rule it can't be deleted. Once you remove the description, save it and reload the page the description re-appears. This is a bug which is still present in 17.1 MR1.

I want to configure the SNMP V3 Services in FW but no option is there..

Very simple, have an option to zero the traffic counter on a firewall rule.

Pls add a possibility to upload custom SPX templates as html files (like in UTM)

Not possible to delete or disable several rules at once.

Any chance of Sophos fixing the Windows Update bug sometime this century? Almost a year old now.

https://community.sophos.com/kb/en-us/127554