Mirror VPN traffic terminated into Sophos XG running 17.5.12 MR-12

SPAN or Port mirroring is not included in XG. From a perspective of networking, this is more likely a Switch topic. Most Port mirroring solutions only mirror everything, not protocol or even application based. 

XG can "see and report" a port mirror. So you can attach a tap port to XG. But you cannot mirror everything. 

BTW: The use case of the customer seems odd to me. Does he want to decrypt this by his own (with wireshark or other solutions?). 

It is a security solution that takes full packet captures and analyzes the data to report on the device details (make/model/category/type), os, activity, threat, risk and every ip connection made.

Always ask such solution how they interact with TLS encrypted traffic. Because most likely they cannot see anything in such mirror traffic anymore.

Always ask such solution how they interact with TLS encrypted traffic. Because most likely they cannot see anything in such mirror traffic anymore.

You can glean from which address the client is using, what mac-address, what is the public address, which service in Azure they are going to, how much traffic is exchanged in each direction, which ciphers are used, which hash.  You get to look at the certificates for their information and validity.  There is a lot of metadata there...you don't need to see the payload.  Now that that information with the other logs you have from the EDR, the servers and any other solutions and you have a clear, auditable view of what is going on in your environment.