Forward Error Correction (FEC) is a mechanism to recover lost packets on a link by sending extra “parity” packets for every group (N) of packets.

Forward Error Correction (FEC) is a technology that is well known for its ability to correct bit errors at the
physical layer. However, this technology can also be adapted to operate on packets at the network layer to improve
application performance across WANs that have high-loss characteristics. With packet-level FEC, network equipment
can reconstitute lost packets at the far end of a WAN link, avoiding delays that come with multiple round-trips
retransmissions. This enables WANs to easily recover from packet loss due to a variety of network layer conditions,
such as queue overflows and constrained bandwidth links. With packet-level FEC, enterprises commonly see significant
improvements in application performance — up to a 10-fold performance increase in some WAN environments.

Synchronized Security is great to ensure healthy endpoints are allowed to communicate with network resources but we need this to be available on WAN - LAN rules as well. With the movement around the globe to more companies becoming remote and hosting their services at a central point behind a Firewall we need to ensure the same set of rules or security features apply to known users that are apart of the same Sophos Central instance. Services protected by the XG Firewall need to be able to be restricted to inbound WAN users with an unhealthy endpoint status or no security heartbeat at all - This is a great security enhancement for deploying the XG Firewall in a private or public cloud or hosting a server onsite behind an XG Firewall with multiple remote users making use of it. Please vote for it if you agree!

On the XG device the Host Group for South-Africa is incomplete. I have had occasions where i have to manually add IP ranges from ISP networks to the firewall manually as they are not in this group. I have spoken to Sophos Support and was informed that the device queries the Max-mind database for the IP geo location. Yet every time i go and check Max-mind the IP displays the correct Geo Location but when i enter the command in Sophos "Show country-host......" it says the IP does not belong to any country.

I would like to suggest a feature that Users can submit missing IP ranges from Host Groups into the sophos that can then be evaluated by the Sophos support or GES team if need be and then added to the IP host group in the next firmware update.

As you can imagine it is an absolute pain having to add an IP address to over 25 Sophos devices because it is missing from the Host group. Im sure this problem exists for multiple Sophos users.

We need to be able to create custom WAN groups used for WAN link balancing with the ability to choose what interfaces are members of those groups. We do not want all the WAN links to fall within the same group called "WAN link load balance" by default. If I want to load balance traffic between two sites using site to site VPNs or MPLS networks created on external routers I cannot currently do this as all the gateways belong to the same WAN group and traffic will pass to Internet gateways as well as MPLS gateways setup within the WAN zone when the rule uses the WAN link load balance group as it's gateway. None of the routing protocols such as SW WAN policy based routing allow me to balance the traffic but instead forward it to a specific gateway and only has the ability to use a backup gateway if the primary gateway is down. You can choose WAN link load balance on the policy based routing but this defeats the purpose if there are internet links as members of the same WAN group.

Migration Assistant VM to support UTM 9.7+ configurations. Tested this recently at a customer's site, and the MA only accepts up to 9.605. This set me back by a few months of firewall changes.

Also, I'm sure it's been suggested, but why is the MA not a web-based tool in the partner portal? A local running VM is a bit of overkill just to convert a file. Could even just boot your existing VM in Azure or AWS and have it refresh it's image every 60 minutes or so and give web login access to partners. Partner's log in, upload their configuration, run the migration, download their new config. etc. When they log out, everything gets deleted. This would also make it easier to ensure that partners are always using the latest version of the tool and make it far more accessible from a technology standpoint. We all want to upgrade those SGs, but man, what a chore it is!!!!