Client certificate based authentication for SSL VPN remote access
Clients should be authenticated based on the client certificate instead of username/password for SSL VPN remote access. The Sophos XG should validate the certificate via a CRL or via OCSP.
This functionality is supported by most other vendors and solutions (e.g. Cisco Anyconnect or OpenVPN).