My thoughts after using the XG for some months.

Most of those parts are actively worked on. 

But some of those points seems to be not true in a extend to the market. While some features were not integrated, other got added to interact with the market. Not everything was moved over from UTM to SFOS. 

Most of your points are regarding the Web Interface and are correct (Resolution etc.).

But the firewall based system is actually pretty good, if you are into zone based firewalls in general. I can work with a zone based firewall without the need of remembering the IP networks at all. Most of the customers in bigger setups can degree the need of rules and the complexity of rules by a big portion simply by using zones for filter criteria. That needs to use a segmentation concept of course. If you use LAN for everything and no VLANs, then the zone concept is actually redundant. But to actually have user friendly rules, easy to understand, is a big win. Example VLAN for printers. You can say, My internal segment has access to the printer VLAN in one go, select the services, you want. Done. In case of UTM, you would have to maintain your objects of the networks and work with network/interface groups etc. Which blows up bigger setups. 

Linked NAT is generally speaking a migration helper. Simply use the default NAT (aka MASQ from UTM) and NAT for DNAT etc. 

The object handling will get better in the next major release, as far as i know. 

If you find the documentation bad or not understandable, you could create a short Thread in the community and the docs team will pick up the request to change that. Personally i find most of the information i need in the docs quite fast. 

Which features or things do you miss about the SFOS platform and you felt are "being removed" or not updated to the standards? 

One big thing missing in UTM is still IKEv2. It was promised, and on the roadmap, but was silently removed, and the whole uncertainty about whats going to happen with the platform.

I mean what is missing in SFOS. 

I mean what is missing in SFOS. 

What I ment is that it seems Sophos is keeping UTM users in the dark.

Gon't get me wrong, Sophos and XG have a huge potential and a great featureset but it all seems so clumpsy implemented, and that really havn't changed since Sophos brought the first version of XG out.

One thing I really miss is the VPN user / group flexibility from the UTM.

There any user could be a member of any number of groups, and you could add rules to users and groups.

On XG, a user can be member of one group, most likely because the access profile is added to the group, and not the other way round.

This is actually implemented. There are two things to consider: https://docs.sophos.com/nsg/sophos-firewall/18.0/Help/en-us/webhelp/onlinehelp/nsg/sfos/learningContent/AuthenticationActiveDirectoryGroupBehavior.html?hl=backend

https://community.sophos.com/sophos-xg-firewall/f/recommended-reads/125654/backend-group-membership-in-xg-firewall

IPsec does not support backend groups.

But Firewalling, SSLVPN etc. supports backend groups. Only the groups are not shown. But the backend groups are not shown on UTM as well. 

I've seen that one, but it appears to behave very different when suing LDAP instead of AD. Have an support case open about getting LDAP to work, but still no usable answer, except a link to a generic KB about creating local users and groups.

Plenty of services require a AD instead of a LDAP. I do not interact with LDAP´s anymore, as most customers can offer a AD. 

You can dig into this, if you are interested. Check the access_server.log while logging in. Check if all groups are sent and mapped to the user or not. 

Unless there is a way of raising the loglevel there is nothing in the log when authenticating a user (guess logging in to the user portal should be enough).

I can see failed logins, but ones that succeed doesn't log anything. Not even a log single log line with succeeded login for user xxxx or something.

service access_server:debug -ds 

Same command to disable the debug mode. If there is no indication of login, this is odd? 

Finally, got some info form running it in debug mode.

No, LDAP doesn't provide mulit-group support in SFOS, only a single group, which could be fine if it worked.

This states that it should work:

https://support.sophos.com/support/s/article/KB-000035738?language=en_US

but apparently it never tries to resolve the group, only tries to match that attribute value to the SFOF group directly.

So if I have a attribute, as in the KB:

gidNumber: 2000

I would have to have a group named "2000"

I am not familiar enough with LDAP at this point to help you further. Maybe you could create a new thread with the specifics and somebody with LDAP knowledge can jump in. 

Not really related to LDAP, but the internals on the auth mechanism on SFOS