
Best practice or most acceptable practice for firewall rules lan-to-wan

I am migrating from Sophos Web Appliance to Sophos Firewall XG. Naturally, the first thing I did to mimic the functionality of the Sophos Web Appliance was to create rules that covered all the scenarios for the HTTP and HTTPS services. Later I realized that with the XG I could actually have rules to cover all the services and just slap a web content policy on that rule.

How is everyone doing this? Do you have separate HTTPS/HTTP policies and other-traffic policies for your user groups, or do you just have one rule for each one of your groups that covers everything related to that group? Of course, I am only referring to policies from LAN to WAN zones.

It seems that the Sophos Firewall XG is very well documented as to its features and use, but there is not much in the way of best practices and Sophos recommendations.

Thanks for contributing.



  • Delio,

    As a best practice, you should always limit the number of firewall rules as much as possible, so the firewall has fewer rules to check.

    Anyway, on each rule you can apply one filter (web, app, IPS) to users/groups/network objects.

    On XG you have more flexibility: you can decide to require the Captive Portal on the same rule or globally.

    Sophos Web Appliance cannot manage local users if you join the appliance to AD, while XG can manage multiple types of users.

    I would suggest you test the XG in a small environment, gain confidence, and then proceed with a massive deployment.

    Regards

  • There is a big problem with the captive portal. We are not allowed to set the captive portal address, so when users try to access it using the IP they get a security error.

  • Delio,

    This is a known limitation and there is already a thread regarding it.

    Make sure you post there. Please also respect the "rule" of one question per thread in order to help other users.

    Regards
