
Reverse Proxy Admin Portal?

I have an XG running in bridge mode. It is not my edge firewall.  (Cable Modem <> Router/Firewall <> XG in Bridge Mode <> rest of network)

My firewall has a port mapping to direct 443 traffic to the XG Bridge IP address on 443

I successfully reverse published multiple web hosts on the rest of the network this way, using domains, e.g. foo.domain.com for server1 and bar.domain.com for server2, etc. (all HTTPS).

I want to publish the admin portal on 4444 too. I set it up using the same implementation pattern as the other internal servers, but it fails with:

 

Service Unavailable

The server is temporarily unable to service your request due to maintenance downtime or capacity problems. Please try again later.

 

Any suggestions?  



  • Thanks for the suggestion.  I have no plans to replace my edge NAT device (a Ubiquiti USG).  All I wanted to do was reverse publish some internal websites.  The ability to do that with WAF and add the XG's intrusion protection to the system was very attractive.  My journey started here.

    I only put the NGINX up (it's running on my Windows desktop for now) to see if I could make that reverse publish the Sophos interface and the other websites. It does so perfectly, with the one addition of supporting WebSockets, which I actually need for one of the apps.

    That leaves me without the IPS/IDS protection of the XG, which I thought I would compare to the Cujo, my assumption being the XG must be way better.

    So I will stick with nginx but see if I can continue to use the XG as a transparent bridge.

     

    ...2 hours later...

    What's really weird is that with the nginx running on the .88 address, when I put the XG bridge between my USG router and the rest of my network it is now doing some VERY strange things. For example, when I connect to https://servernameX.mydomain.com (note the X changes) the XG seems to do one of three things:

    • Bind to the wrong port, e.g. 443 on the device, even though my NAT port map on my USG says to take all incoming 443 and send it to nginx, and nginx is supposed to remap. This would indicate it is intercepting the traffic and sending it directly to the requested host, ignoring the NAT rule!?  Weird.
    • One site I requested (remember this is all external to my network) went to a different host and port (these were in the business rules, but they are turned off).
    • Presenting the self-signed XG server certificate on one of my internal sites for no reason I can summarize, as I have turned off all HTTP inspection and have no HTTPS inspection AND I have configured a real cert on the XG...

    This weird behaviour is concerning. I don't discount user error, but this is a basic system.... As soon as I take the XG out of being inline it all works flawlessly.. hmm, let me try one more thing: I will delete the disabled business rules and the hosts and web servers I defined for use with them. I wonder if 'off' isn't 'off'...

     

    ..2 hours later still..

    Hmm, even with a factory reset, with all protection turned off save for one ALL firewall rule, the XG seems to be dicking with the inbound HTTP/HTTPS traffic from the NAT router.  I give up.

    I am sure this works brilliantly as a primary / traditional router-firewall but as a transparent-bridging firewall it isn't ready for prime time.
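    The nginx setup the reply above describes (reverse publishing several internal HTTPS hosts by name, with WebSocket support, plus the admin portal on 4444) written out as an added example; this is not the poster's configuration and not anything shipped by Sophos. The hostnames, backend addresses, certificate paths and the admin source range are constructed placeholders, and the fragment belongs inside nginx's http {} context.

```nginx
# Added example, not the poster's configuration. All addresses, hostnames
# and paths below are constructed placeholders.

# Pass a WebSocket upgrade through when the client asks for one,
# otherwise fall back to a normal proxied HTTP/1.1 request.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

# foo.domain.com -> server1 (constructed backend address)
server {
    listen 443 ssl;
    server_name foo.domain.com;
    ssl_certificate     /etc/nginx/certs/foo.domain.com.crt;  # placeholder path
    ssl_certificate_key /etc/nginx/certs/foo.domain.com.key;  # placeholder path

    location / {
        proxy_pass https://192.0.2.10:443;
        proxy_http_version 1.1;
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header Host       $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}

# bar.domain.com -> server2 (constructed backend address)
server {
    listen 443 ssl;
    server_name bar.domain.com;
    ssl_certificate     /etc/nginx/certs/bar.domain.com.crt;  # placeholder path
    ssl_certificate_key /etc/nginx/certs/bar.domain.com.key;  # placeholder path

    location / {
        proxy_pass https://192.0.2.11:443;
        proxy_http_version 1.1;
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header Host       $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}

# XG admin portal, published on 4444 and proxied to the XG bridge
# address (constructed). Only the listed source range may reach it.
server {
    listen 4444 ssl;
    server_name admin.domain.com;
    ssl_certificate     /etc/nginx/certs/admin.domain.com.crt;  # placeholder path
    ssl_certificate_key /etc/nginx/certs/admin.domain.com.key;  # placeholder path

    location / {
        allow 203.0.113.0/24;   # placeholder: the range admins connect from
        deny  all;

        proxy_pass https://192.0.2.1:4444;
        proxy_http_version 1.1;
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header Host       $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

    The map block is what makes the WebSocket app work: without it nginx sends `Connection: close` upstream and the upgrade never completes. The admin server block keeps the published management port behind an allow/deny list so that exposing 4444 through the edge NAT does not expose the portal to every source address; the address list, like everything else here, is a placeholder to be replaced with the real ranges.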

  • As I am a sucker for staying up way past my bedtime, I had one more poke and hope, and found the issue wrt nginx / Sophos.

    I hit this bug https://community.sophos.com/products/xg-firewall/f/web-protection/75282/sophos-xg-breaks-ssl-when-connecting-to-outlook-anywhere/320751#320751 

    Needed to run this command:

    • system application_classification microapp-discovery off