Device Configuration : System : Administration : Device Access
Device Access
Device Access lets you limit administrative access to the following device services from the various default zones (LAN, WAN, DMZ, VPN) and custom zones:
Admin Services – HTTP, HTTPS, Telnet, SSH
Authentication Services – Client Authentication, NTLM, Captive Portal, Radius SSO
Network Services – DNS, Ping/Ping6
Other Services – Wireless Protection, SSL VPN, Web Proxy, User Portal, Dynamic Routing
Default ACL
When the device is connected and powered on for the first time, it has a default access configuration.
Admin Services – HTTP (TCP port 80), HTTPS (TCP port 443), Telnet (TCP port 23) and SSH (TCP port 22) services are enabled for administrative functions in the LAN and WiFi zones. HTTP (TCP port 80), HTTPS (TCP port 443), Telnet (TCP port 23) and SSH (TCP port 22) services are enabled for administrative functions in the WAN zone. The HTTP (TCP port 80) service is enabled for administrative functions in the DMZ zone.
Authentication Services – Client Authentication (UDP port 6060), Captive Portal authentication (TCP port 8090) and Radius SSO are enabled for user authentication in the LAN and WiFi zones. User authentication services are not required for any of the administrative functions, but they are required to apply user-based internet surfing, bandwidth and data transfer restrictions.
Network Services – Ping/Ping6 and DNS services are enabled for the LAN, WAN and WiFi zones.
Other Services – The Web Proxy service is enabled for the LAN and WiFi zones. The SSL VPN (TCP port 8443) service is enabled for the LAN, WAN, DMZ and WiFi zones. The User Portal and Dynamic Routing services are enabled for the LAN and WAN zones.
Local Service ACL
Use access control to limit administrative access to the device to specific authenticated/trusted networks only.
Admin Services – Enable/disable access to the device using the following services from the specified zone: HTTP, HTTPS, Telnet and SSH.
Authentication Services – Enable/disable the following services from the specified zone: Client Authentication, Captive Portal, NTLM, Radius SSO.
Network Services – Enable/disable the following services from the specified zone: DNS, Ping/Ping6.
Other Services – Enable/disable the following services from the specified zone: Wireless Protection, SSL VPN, Web Proxy, User Portal and Dynamic Routing.
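The following Python script is an added example, not part of the product or its documentation. It transcribes the default access configuration listed under Default ACL into a zone/service matrix and audits the Admin Services against the guidance above. Treating WAN and DMZ as untrusted, the finding texts and the harden() policy are assumptions of this example.

```python
"""Audit a zone/service access matrix for risky admin-service exposure."""

ADMIN_SERVICES = {"HTTP", "HTTPS", "Telnet", "SSH"}
CLEARTEXT_ADMIN = {"HTTP", "Telnet"}   # no transport encryption
UNTRUSTED_ZONES = {"WAN", "DMZ"}       # assumption made for this example

# Default access configuration as listed in the "Default ACL" section.
DEFAULT_ACL = {
    "LAN": {"HTTP", "HTTPS", "Telnet", "SSH", "Client Authentication",
            "Captive Portal", "Radius SSO", "Ping/Ping6", "DNS",
            "Web Proxy", "SSL VPN", "User Portal", "Dynamic Routing"},
    "WiFi": {"HTTP", "HTTPS", "Telnet", "SSH", "Client Authentication",
             "Captive Portal", "Radius SSO", "Ping/Ping6", "DNS",
             "Web Proxy", "SSL VPN"},
    "WAN": {"HTTP", "HTTPS", "Telnet", "SSH", "Ping/Ping6", "DNS",
            "SSL VPN", "User Portal", "Dynamic Routing"},
    "DMZ": {"HTTP", "SSL VPN"},
}


def audit(acl):
    """Return (zone, service, reason) findings for admin services only."""
    findings = []
    for zone in sorted(acl):
        for svc in sorted(acl[zone] & ADMIN_SERVICES):
            if svc in CLEARTEXT_ADMIN:
                findings.append((zone, svc, "cleartext admin protocol"))
            if zone in UNTRUSTED_ZONES:
                findings.append((zone, svc, "admin service in untrusted zone"))
    return findings


def harden(acl):
    """Copy of acl without cleartext admin services anywhere and without
    any admin service in untrusted zones; other services are untouched."""
    hardened = {}
    for zone, services in acl.items():
        drop = ADMIN_SERVICES if zone in UNTRUSTED_ZONES else CLEARTEXT_ADMIN
        hardened[zone] = services - drop
    return hardened


if __name__ == "__main__":
    for zone, svc, reason in audit(DEFAULT_ACL):
        print(f"{zone:5} {svc:7} {reason}")
    assert audit(harden(DEFAULT_ACL)) == []
```

Where remote administration from an untrusted zone is required, a Local Service ACL Rule restricted to a specific network/host is the narrower alternative to enabling the service for the whole zone.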
Local Service ACL Rule
Use a Local Service ACL Rule to allow access to the device Admin Services from a specified network/host. This section displays a list of all the configured IPv4 and IPv6 Local Service ACL rules. The page provides options to add, update and delete the rules.
Default Admin Password Settings
The device is shipped with one global super admin whose username and password are both "admin". Both consoles, the Admin Console and the CLI, can be accessed with the same credentials. This administrator is always authenticated locally, i.e. by the device itself.
* We recommend that you change the password for this username immediately after deployment.
You can change the default password from this section. The screen elements and their descriptions are given below:
Username
The default admin username is "admin".
Current Password
Enter the current admin password.
New Password
Password - Specify the new admin password.
Confirm Password - Confirm the specified new admin password.
Reset to Default
Click to reset the password to the factory default password.
Public Key Authentication
Use this to configure Public Key Authentication on multiple Sophos XG Firewall devices.
Username
The default admin username is "admin".
Public key authentication for admin
Select this to enable public key authentication for admin.
Authorized keys for admin
Add or remove authorized SSH keys from here.
Devices on which configuration was pushed in the last session
This displays a list of devices on which configuration was pushed in the last session.
Select devices that have the same admin password.
Select this to enable selecting devices with the same admin password. If this is not selected, the password for each device has to be specified separately.
Device
Select device(s) on which public key authentication is to be applied.
Password
Specify the password for the device(s).