No, I only have Unmanaged switches. I have to allow the ISP router to give DHCP to some internal devices that I cannot set static IP (but I have limited the pool). I only have 2 NIC's as one of the on board NICs is Atheros AR8161 that is not supported. I have connected my WAP to my internal switch. I have setup double NAT (as I cannot change ISP router to Bridge) and it is working okay so far. Only weird thing I have found is that on my PC behind the UTM, I have to disable the Windows Firewall or else I cannot access web. Thanks for your advice.
Double NAT can cause anomalies, but often can work on a home network. The real issues crop up when you try to WAN face something, such as a DVR, Security System/Cameras, Servers, Media Devices, etc. Double NAT will ruin your day. In your case it's probably not a bit deal, but your endpoint firewalls may complain (as you've discovered). As a general rule, try to avoid more than one NAT. Also you can sometimes force Sophos UTM to recognize a non-supported NIC by manually assigning it, which is what I ended up doing.
Thanks - I will give that a go as I would like to have 3 NIC's to put my AP on the 3rd one. Does the wireless protection work for non-Sophos AP's?
I noticed this Sophos thread posted down in the Linux forum: https://www.wilderssecurity.com/threads/sophos-releases-free-av-client-for-linux.375131/ I haven't looked at it yet but the price is right; FREE. LOL!!