I think a helpful KB article would be one that explains how Local Service ACLs work since there’s not much in the documentation and the web UI doesn’t give you any info on what’s actually occurring. For example, User Portal is checked by default on the WAN zone which exposes port 443 to the internet. I only recognized this by doing a port scan from outside my network. This is something that could use explanation beyond just what it’s doing but also how it’s doing it. Is it blocking based on destination ports? How is it blocking when the Sophos XG service is within the same zone/subnet? Etc.
I’ve started a thread on the Sophos XG forum with this same question: 
[locked by: SupportFlo at 12:56 PM (GMT -7) on 2 Oct 2018]
