I’m gonna be short do not expect too many answers as this is not directly up to Mikrotik but more to Sophos but might be we have people who use Mikrotik with Sophos as well.
So scenario: Mikrotik router is an edge router / firewall + Sophos XG Firewall between Mikrotik and LAN in a transparent bridge mode.
The specific problem I have is that if I apply an APP filter on Sophos main firewall rule Mikrotik Winbox gets blocked even if I open port 8291.
If I search policy entries I can’t see anything similar to what would be mentioned to block Winbox. So I’m not sure what way Winbox works.
If someone has any experience with this kind of crap let me know. And sorry for disturbing your time. 
Winbox is an app, so it makes sense that it would be blocked by whatever list the Sophos has for apps.
Where are several levels of policy with different app categories in it. The one I’m applying is level 5 considered the most dangerous apps on the net and winbox should not be in it.
I was able to trace it further and the inbox was considered as a P2P category app and is blocked.
Found it.
Winbox app was concidered as:
Application Detail
Name Torrent Clients P2P
Category P2P
Risk Very High
Characteristics Excessive Bandwidth, Loss of productivity, Vulnerabilities, Transfer files, Transfer files
Technology P2P
Dependency None
Applicable on 16.01.0 Build 101 and above
Description Block P2P Torrent Clients (Bittorrent,uTorrent,Deluge,QBittorrent,Thunder7): A Torrent client is any program that implements the Torrent protocol. Ea ch client is capable of preparing, requesting, and transmitting any type of computer file over a network, using the protocol.To share a file or group of files, a peer first creates a small file called a “torrent” (e.g. MyFile.torrent). This file contains metadata about the files to be shared and abo ut the tracker, the computer that coordinates the file distribution. Peers that want to download the file must first obtain a torrent file for it and connect to the specified tracker, which tells them from which other peers to download the pieces of the file.
Need to contact Sophos to see what they can do not to block Winbox, and hope this info might be useful for other guys working with Mikrotik and Sophos.
Any Solution?
I have the same problem.
In Sophos XG 210, Winbock is bloqued in category Torrent Clients P2P
Since it’s a Sophos problem, ask Sophos about it.