for Web Protection it would be good to have the option to download / exclude certificates for certificate Validation (Block invalid certificates in General Settings).
the setting like we have in SWA is missing in XG: http://wsa.sophos.com/docs/wsa/webhelp/swa/tasks/ConfigGlobalPolCertValidAddFromWeb.html

Firewall packet filtering based on wildcard subdomains and reverse DNS resolution.

We would like to allow/deny connections based on a wildcard subdomain (think *.example.com). Only way to do that is to reverse DNS the destination IP and allow/deny based on the wildcard rule?
Although there is the common possibility that the reverse DNS is not the same as the A or CNAME record requested, so I'm not sure how useful that would be.

But, we would really appreciate the ability to filter based on wildcard subdomains.. like *.update.microsoft.com. See:
https://technet.microsoft.com/en-us/library/bb693717.aspx

All Website if use Websoket that time Sophos XG 16.01.2 not working site

Allow me to copy long URLs from the logs. They are truncated and cut off with a bunch of dots. Let me copy them!

Currently with Non-Http based business policy no option to define service/application that a particular port is allowed to communicate to hosted server.For instance if we have 1 to 1 nat defined to host a mail server from wan &I want only SMTP &PING inbound-Xg firewall don't have option.Feature requested is for application parameter definition over present port mapping in a non-http based business rule similar to what we seen in competitions like fortigate which offers flexibilty to define port in virtual ip as well option to specify application in firewall rule

Earlier on SG, we used to have options to check if gateway is available on any interface but on XG it is compulsory to keep gateway on WAN which is quite annoying while having L2 links connecting its numbers of offices where I need IPsec VPN.

It is hard to develop several filter policies with little differences for several groups of users. It would be nice to have ability to inherit, for example, web categories from other web filter policies and for application filters as well.
Or there could be the ability to duplicate policies as it has been mentioned before.
Thank you.

when creating a new policy rule and choosing an IP host or a host group, it would be nice if you could hover of the name of the group and pop up the address(es) of that host or group.

I can't be the only one who sometimes names things poorly and would like to verify the correct address before creating the rule

Give us objects like in the UTM, Why do i have to set a static ip in the dhcp, add a dns record in the dns server and create a ip host object for firewall rules, when i could do it all with one object in the UTM.. This was for me a really really perfect feature and it makes it all a lot easier to administrate since you don't have to do the same over and over again for different parts of the configuration.

In the log viewer, you have to choose the log View what you want to view for System, Web Filter, .. etc.
Because of you can add filter options like an IP address, would be better if you can see all logs related with that filter at the same time.

Under: Policies
Security Policies

Adding a Business application non-HTTP rule you should have the option to use "Objects > Hosts and Services > Services" objects as the Port Forwarding target.

This reduces the rules required and keeps it more unified..

At the moment you need to add multiple rules I.E. A hosted service uses a mixture of single ports, port ranges and both tcp/udp will require multiple rules to achieve something very simple.

It should be allowed to change the name of Physical Interface objects from default PORTx name to custom one.
Also, comment attribute/field should be added for additional description (like it was available in UTM9).

At the moment, automatic firewall rule is not available in any option as it was with UTM9. For example when you setup a new site-to-site or vpn. This is very useful and time saving. Also add inside Policy Section "Automatic Firewall Rules view".
Last, add the chance to create Groups so we are able to group rules together.

IKEv2 and dynamic routing

As Enterprise product, XG should be able to manage multiple ehlo to protect multiple email domain behind it. On UTM9 we have profile mode but multiple ehlo was missing too. Add some sort of profile (including ehlo) for multiple domai for one/multiple public IP, such as WAF does with virtual domain.

Currently we have to create a separated rule to each protocoal TCP/UDP.

Best regards,

Carlos

Add support SNMP via VPN without add static routes. This could be as SSH via VPN, only choose a checkbox allowing or deny the service.
Today it is needed add static route pointing to tunnel name.

Best regards,

Carlos

At the moment understand what's going on is very HARD. Live logs are missing and notepad on every section is missing.
Add live log and allow admins to configure itself coloured live logs (globally or on single windows?). In this way logs have different level of importance and Admins can better understand if they need to worry about or not. For example allows Admins to set red for high-risk/denied traffic/system error, yellow for warning/natted/or whatever and so on.
I really love the live log on Firewall section of UTM9 where reading what's happen is very very easy.