RED: Fail open if device fails
Currently all in-line RED deployment options (Standard/Unifed, Standard/Split, Transparent/Split) will fail "closed" when the UTM is unreachable. Ah option to permit the RED to fail "open" when the UTM is unreachable and allow traffic to the internet (as it does during normal operation with split-tunnel traffic) would greatly reduce dependence upon the central location for businesses that heavily use internet hosted applications. We can live without the AV & URL filtering for short periods of time.
Jean-Francois Anctil commented
I totally agree with "-gf-" on that suggestion. I'm working on a little project that could be achieved with a RED deployment but the RED staying in "fail-closed mode" when its losing connection with the ASG is a non-sense to me. I don't understand why nobody raised the flag before. Everybody understand why somebody would force the internet traffic to go through the tunnel but not having an option to use the Internet when the tunnel is down (Internet connection problems or ASG updates) is a big mistake....
I think RED has potential. Keep your good work on that.
Unfortunately the 'split' deployments require a second gateway, driving up costs for deployment at scale. It seems that the simplicity of the RED makes it ideal for large scale, simple, cookie cutter deployments. The scale of such deployments makes loss of internet access to the central UTM very expensive. There's a contradiction between stated purpose and implementation of the REDs.
This may not suit your needs exactly, but please check the Manual/Split deployment setup described here: http://www.sophos.com/en-us/support/knowledgebase/116573.aspx
It will allow a remote network to continue to access the internet if the RED tunnel goes down.