UTM inside of another VPN Firewall - How do we make this work?

Question

I wish to deploy our UTM inside of our existing ASA. I have many sites connected IPSEC (IKEv2) to our ASA, and all traffic is tunneled from all remote sites to the ASA. I wish for the UTM to perform its security functions (except Site to Site VPN) on all traffic, including the tunneled remote VPN sites and local LAN. Diagrams below. Sophos support tells us that they do not provide deployment assistance, but can help with configuring commands if we know what we want to do. So, I ask you all: how can I scan and protect all traffic from all sites on this spoke and hub setup. 
 Current State: 
 
 Future State:

sachingurung · Accepted Answer

Hi Mark, 
 Deploy Sophos UTM in full transparent mode is all what is required here. Refer the KBA here , for the deployment, it is a piece of cake. 
 Support never helps in a deployment scenario this is done by the sales team or the Sophos partner who sold you the appliance. They can help you in the initial deployment. 
 Thanks