Hi!
Heng here.

Actually, onto my workspace we use Sophos XG Firewall for cloud control and massive monitoring, but he has some sorts of cons. that make it "not the best for what we require".
They block traffix system is too much detalist, for example:
I want to block any sort of youtube/facebook connection, if i do, it block the HTTP connection, and HTTPS still useful, and, to block HTTPS, i need to issue a certificate and import it into the users' web browsers, whatever they are using... The problem occurs when you're dealing with roaming users who use laptops and have to move between different sites that have different types of policies applied to them. You have to import all sorts of certificates from each site into their browser. Doing so will most probably conflict with something else that is totally irrelevant and cause a problem.

For you guys, what is the best choice, and why?