
IP Reputation Checking?

Does Sophos XG do IP source address reputation scanning for all inbound traffic irrespective of port/proto?


I ask because my net is like this: inet NAT router <> Sophos XG in bridge mode <> Cujo in bridge mode <> rest of network

And the Cujo is blocking MANY inbound attempts probing my NAT'd ports based on IP reputation; I would expect the Cujo to see nothing and the XG to block these (given the price differential).

I see in the docs that XG does IP reputation scanning for SMTP/S; not sure if it is for anything else.

This is my inbound rule, in case someone can advise if I forgot to turn something on.


Rule

Accept any service going to "LAN" zone, when in "WAN" zone, and coming from any network, scan for malware then check with Sandstorm and log connections, then apply IPS policies

Source & Schedule
WAN

Source Networks and Devices : Any
During Scheduled Time : All the Time

Destination & Services
LAN

Destination Networks : Any
Services : Any



  • Hi Alex, 

    You are comparing an enterprise-grade solution with personal home protection.

    Bad IP reputation would cause numerous false positives, and this would not mean that your system will be infected. The XG would protect you from real-time threats; this would include malware attacks from a website if it is infected, and also mail communication.

    Our AV will scan the page for any malicious code, and if any is detected it will be blocked. If a threat is detected it will be blocked by our IPS policy. As your traffic would traverse from LAN to WAN, you may need only a LAN to WAN rule; a WAN to LAN rule is only needed if you wish to communicate from the outside zone to the internal network, which is not recommended unless you have an MPLS line configured as a WAN port.

    IP reputation is restricted to SMTP, and websites are not affected by bad reputation on XG. E.g., if a web server is infected, that IP may be blacklisted, but that public address may have a web server which will be blocked by IP reputation even though it is not infected. This is considered a false positive. Another example would arise if an actual threat is detected but the IP address is not blacklisted; this would result in a false negative.

    The RBL would decide if the host address is blacklisted or not. If you check the mxtoolbox website, you would also need to check the reason the host address is blacklisted.

    In XG, you can change the IPS policy and even create your own based on the signatures you wish to allow/deny. You can even have a customized web filter and application control.

    If you wish to have such an option to enable IP reputation, then you may vote for a feature request. We would be happy if you would participate in improving our product as per your requirement.

    http://ideas.sophos.com/forums/17359-sophos-utm/suggestions/7114816-make-rbl-list-update-possible-via-pattern-update-o 
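
The reply above describes the RBL lookup that sits behind tools like mxtoolbox: the address is reversed, queried as a DNS name under the blacklist zone, and the 127.0.0.x answer says why it is listed, so the reason has to be checked rather than just the yes/no. The following is an added example, not code from this thread or from Sophos, that implements that lookup for both IPv4 and IPv6 (IPv6 uses nibble reversal, which goes beyond the IPv4 case the reply discusses). It assumes the Spamhaus ZEN zone and ZEN's published return codes; the resolver is injectable, and the sample answers are constructed so the script runs offline and does not hit a real DNSBL.

```python
import ipaddress
import socket
from typing import Callable, Optional

# Assumed zone for the examples; any DNSBL works the same way, only the
# meaning of the 127.0.0.x answers differs per operator.
DEFAULT_ZONE = "zen.spamhaus.org"

# Spamhaus ZEN return codes as published by Spamhaus. Check the operator's
# documentation before reusing this table for another zone.
ZEN_CODES = {
    "127.0.0.2": "SBL: direct spam source",
    "127.0.0.3": "SBL CSS: snowshoe / low-reputation sender",
    "127.0.0.4": "XBL: exploited or compromised host",
    "127.0.0.5": "XBL: exploited or compromised host",
    "127.0.0.6": "XBL: exploited or compromised host",
    "127.0.0.7": "XBL: exploited or compromised host",
    "127.0.0.9": "SBL: DROP/EDROP hijacked or spammer-controlled netblock",
    "127.0.0.10": "PBL: ISP-maintained dynamic/end-user range (policy, not infection)",
    "127.0.0.11": "PBL: Spamhaus-maintained end-user range (policy, not infection)",
}

Resolver = Callable[[str], Optional[str]]


def system_resolver(name: str) -> Optional[str]:
    """Resolve via the host's DNS; first A record or None on NXDOMAIN. Needs network."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def dnsbl_query_name(ip: str, zone: str = DEFAULT_ZONE) -> str:
    """Build the DNSBL name: reversed octets (IPv4) or reversed nibbles (IPv6) + zone.
    Raises ValueError for anything that is not an IP address."""
    rev = ipaddress.ip_address(ip).reverse_pointer  # e.g. 5.113.0.203.in-addr.arpa
    for suffix in (".in-addr.arpa", ".ip6.arpa"):
        if rev.endswith(suffix):
            rev = rev[: -len(suffix)]
    return f"{rev}.{zone}"


def check_dnsbl(ip: str, zone: str = DEFAULT_ZONE, resolver: Resolver = system_resolver) -> dict:
    """Look up ip in zone and interpret the answer.
    Returns {"query", "answer", "listed", "reason"}; only a 127.0.0.0/8 answer
    outside the 127.255.255.0/24 error range counts as a listing."""
    query = dnsbl_query_name(ip, zone)
    answer = resolver(query)
    result = {"query": query, "answer": answer, "listed": False, "reason": ""}
    if answer is None:
        result["reason"] = "not listed (NXDOMAIN)"
        return result
    try:
        a = ipaddress.IPv4Address(answer)
    except ValueError:
        result["reason"] = f"unexpected non-IPv4 answer {answer!r}; ignored"
        return result
    if a in ipaddress.IPv4Network("127.255.255.0/24"):
        # Spamhaus reports lookup problems (open resolver, query volume) here;
        # never treat these as a listing.
        result["reason"] = f"DNSBL error code {answer}; treat as unknown, not listed"
        return result
    if a not in ipaddress.IPv4Network("127.0.0.0/8"):
        # A public address back usually means a resolver that rewrites NXDOMAIN;
        # that is not a listing either.
        result["reason"] = f"unexpected answer {answer} outside 127.0.0.0/8; ignored"
        return result
    result["listed"] = True
    result["reason"] = ZEN_CODES.get(answer, f"listed with code {answer}")
    return result


# Constructed answers for an offline run, not real query results. 127.0.0.2 is
# the address Spamhaus documents as always listed for testing; 203.0.113.0/24
# is documentation space.
CONSTRUCTED_ANSWERS = {
    "2.0.0.127.zen.spamhaus.org": "127.0.0.2",
    "5.113.0.203.zen.spamhaus.org": None,
    "8.113.0.203.zen.spamhaus.org": "127.0.0.10",
    "9.113.0.203.zen.spamhaus.org": "127.255.255.254",
}


def constructed_resolver(name: str) -> Optional[str]:
    return CONSTRUCTED_ANSWERS.get(name)


if __name__ == "__main__":
    for ip in ("127.0.0.2", "203.0.113.5", "203.0.113.8", "203.0.113.9"):
        r = check_dnsbl(ip, resolver=constructed_resolver)
        print(f"{ip:>12} -> listed={str(r['listed']):5} {r['reason']}")
```

Pass `resolver=system_resolver` (the default) to query the real zone. The reason matters for exactly the false-positive case the reply raises: a PBL code says the range is not supposed to send mail directly, not that the host is infected, and an XBL code is about a compromised host, so a shared public address can be blocked for a service that has nothing to do with the listing.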

  • Thanks Aditya, that's great context and confirms what I was seeing, i.e. nothing wrong with the rules. Also I guess you guys calling it 'XG Home' gave me some over-expectations. Remember I had never used Sophos or any UTM product before that.

    I was only using the Sophos as a tertiary form of protection, mainly for fun and to learn and to do reverse publishing (are you guys gonna support websockets?), and moved it to be secondary as a test; I will just move it back to being tertiary if I keep it.

    Now I need to figure out a) why the XG would have been downloading 2Mbps a second, b) why I don't see the 6GB of RAM and c) how to stop the DNS false positives. If I can figure that out I will keep it; if not I will nix it.

    Thanks for your help

    alex
