To some extent, what Angelo said is true - it is there. But it is not highlighted or made obvious in the UI.
If you have Sophos Endpoint installed onto computers and have them managed by the UTM, then there is only a single lookup. If they are not managed by the UTM then there are multiple lookups. This is controlled in Endpoint Protection, Web Control, Advanced, "Scan traffic on both gateway and endpoint".
Aside from what I've written in the 9.1 and 9.2 beta forums, I don't think there is much publicly documented about SXL. I'm happy to answer any questions you have here. In short - SXL has been around for years in the Endpoint, and we made a bunch of caching improvements and implemented it in the SWA and UTM products.
One thing you may want to note (for lookups and other things) is that 9.2 includes several additional pieces of timing data on every request in http.log. You can look at cattime= to see exactly how long in microseconds the categorization takes, then switch between categorization modes. You can see how long avscantime= is and how it is affected by single scan or dual scan. You can see if dnstime= is showing you have problems there. Note: several of these things take place simultaneously, so you cannot add them together.
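A way to compare the cattime=, avscantime= and dnstime= fields mentioned above across many requests, as an added example that is not part of the original post and not Sophos code. It assumes the fields appear as key="value" pairs on each http.log line; the sample lines are constructed, and the slow_threshold value is an arbitrary illustration.

```python
import re
from statistics import median

# Timing fields named in the post; other keys on the line are ignored.
TIMING_FIELDS = ("cattime", "avscantime", "dnstime")

# Assumption: fields appear as key="value" or key=value pairs on each line.
# Matching the quoted form first keeps "=" inside a URL from being misread.
PAIR_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample lines (not real log output); the layout is an assumption.
SAMPLE_LOG = '''\
2014:03:10-12:00:01 gw httpproxy[4321]: action="pass" url="http://example.com/" cattime="180" avscantime="2400" dnstime="35"
2014:03:10-12:00:02 gw httpproxy[4321]: action="pass" url="http://example.org/a" cattime="95000" avscantime="1900" dnstime="40"
2014:03:10-12:00:03 gw httpproxy[4321]: action="pass" url="http://example.net/" cattime="210" dnstime="41000"
2014:03:10-12:00:04 gw httpproxy[4321]: action="block" url="http://example.com/x" cattime="n/a" avscantime="0" dnstime="30"
'''

def parse_timings(line):
    """Return {field: int} for timing fields that are present and numeric."""
    out = {}
    for key, quoted, bare in PAIR_RE.findall(line):
        value = quoted if quoted else bare
        if key in TIMING_FIELDS and value.isdigit():
            out[key] = int(value)
    return out

def summarize(log_text, slow_threshold=50000):
    """Per-field count, median, max and number of requests above the threshold.

    Fields are reported separately and never summed, because the post notes
    that several of these phases run simultaneously.
    """
    values = {f: [] for f in TIMING_FIELDS}
    for line in log_text.splitlines():
        for field, v in parse_timings(line).items():
            values[field].append(v)
    report = {}
    for field, vs in values.items():
        if vs:
            report[field] = {"n": len(vs), "median": median(vs), "max": max(vs),
                             "slow": sum(v > slow_threshold for v in vs)}
    return report

if __name__ == "__main__":
    for field, stats in summarize(SAMPLE_LOG).items():
        print(field, stats)
```

Running the same summary before and after switching categorization mode or single/dual scan shows the effect on each field's median and maximum.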