Device access

Device access lets you restrict administrator and user access to the firewall's own services, per zone, for the default zones (LAN, WAN, DMZ, VPN, Wi-Fi) and any custom zones you have created.

Local service ACL

The device ships with a default local service ACL (access control list) that applies from the first time it is connected and powered on. The default services and ports are listed below. Click a service's entry for a zone to enable or disable access to that service from that zone.

Admin services:

LAN and Wi-Fi zones: HTTPS (TCP port 4444), Telnet (TCP port 23) and SSH (TCP port 22)

WAN zone: HTTPS (TCP port 443), Telnet (TCP port 23) and SSH (TCP port 22)

Authentication services:

LAN and Wi-Fi zones: Client authentication (UDP port 6060), captive portal authentication (TCP port 8090) and RADIUS SSO.

Network services:

LAN, WAN, and Wi-Fi zones: Ping/Ping6 and DNS

Other services:

LAN and Wi-Fi zones: Wireless protection, web proxy and SMTP relay

LAN, WAN, DMZ and Wi-Fi zones: SSL VPN (TCP port 8443)

LAN and WAN zones: User portal and dynamic routing

LAN, DMZ, VPN and Wi-Fi zones: SNMP

Note User authentication services are required to apply user-based web surfing, bandwidth, and data transfer restrictions. They are not required for administrative access, so leave them off in zones where no users authenticate.
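The list above tells you what should be closed on the WAN side after you turn off WAN access; verifying it from outside is the step a practitioner wants. The following Python script is an added example and is not part of the original page or of the firewall's own tooling. It assumes the factory-default ports listed above (edit the table if you changed them) and uses the documentation address 192.0.2.1 as a placeholder for your WAN IP. Run it from a host beyond the WAN interface; it only completes TCP handshakes and sends no credentials.

```python
import socket
import sys
from typing import Dict, Iterable, List, Optional

# Default service ports taken from the Local service ACL list above.
# Assumption: the unit still uses these defaults; edit this table if you changed them.
DEFAULT_SERVICE_PORTS = {
    "web admin console (HTTPS, LAN/Wi-Fi)": 4444,
    "web admin console (HTTPS, WAN)": 443,
    "SSH (CLI)": 22,
    "Telnet (CLI)": 23,
    "captive portal": 8090,
    "SSL VPN": 8443,
}


def probe_port(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP handshake to host:port completes within timeout.

    A refused connect and a timed-out connect both count as closed, so a
    firewall that silently drops and one that answers with RST both report False.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def probe_ports(host: str, ports: Iterable[int], timeout: float = 2.0) -> Dict[int, bool]:
    """Probe each distinct port once and map port -> reachable."""
    return {port: probe_port(host, port, timeout) for port in set(ports)}


def exposed_services(host: str, services: Optional[Dict[str, int]] = None,
                     allowed: Iterable[str] = (), timeout: float = 2.0) -> List[str]:
    """Names of services that answer on host and are not on the allowed list.

    Run this from outside the WAN interface after turning off WAN access on
    this page; anything it returns is still reachable from the internet.
    """
    services = DEFAULT_SERVICE_PORTS if services is None else services
    allowed = set(allowed)
    reachable = probe_ports(host, services.values(), timeout)
    return sorted(name for name, port in services.items()
                  if reachable[port] and name not in allowed)


if __name__ == "__main__":
    # 192.0.2.1 is a documentation (TEST-NET-1) placeholder; pass your WAN IP instead.
    wan_ip = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.1"
    # SSL VPN is the one service the page allows on WAN by default, so it is whitelisted here.
    for name in exposed_services(wan_ip, allowed={"SSL VPN"}):
        print(f"WARNING: {name} is reachable on {wan_ip}")
```

Services you deliberately expose to WAN (for example SSL VPN, or the web admin console for the source addresses in an exception rule) go in the allowed set; everything else the script reports is an ACL mistake or a shared-port leak worth chasing.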

Best practices

Administrative services and user portal: We do not recommend allowing access to the web admin console (HTTPS), the CLI (SSH), or the user portal from the WAN zone, or reaching them over the SSL VPN port. If you must allow such access, follow the best practices in Table 1 below.

SSL VPN port: By default, all management services use unique ports. SSL VPN is set to TCP port 8443.

Warning If you manually change the default ports, we strongly recommend that you use a unique port for each service. A service that shares a port with another service remains reachable from every zone where that other service is allowed, even after you turn off access to the first service on this page. Example: If you use port 443 for both the user portal and SSL VPN, the user portal stays accessible from the WAN zone even if you turn off WAN access to the user portal on this page.
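The shared-port behaviour in the warning is easy to model and worth checking before you change any port. The following Python audit is an added example, not code from the original page or from the firewall; it assumes a hand-written list of services with their ports and the zones in which each is enabled, and it reproduces the warning's own scenario (user portal and SSL VPN both on 443) beside the corrected configuration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class Service:
    name: str
    port: int                                      # TCP port the service listens on
    zones: Set[str] = field(default_factory=set)   # zones where access is turned on


def effective_exposure(services: List[Service]) -> Dict[str, Set[str]]:
    """Zones from which each service is really reachable.

    Services that share a port share one listener, so each inherits every
    zone in which any service on that port is enabled. That is the situation
    the warning above describes.
    """
    zones_by_port: Dict[int, Set[str]] = {}
    for s in services:
        zones_by_port.setdefault(s.port, set()).update(s.zones)
    return {s.name: set(zones_by_port[s.port]) for s in services}


def audit(services: List[Service]) -> List[str]:
    """Findings: shared ports, and services reachable from zones they are not enabled in."""
    findings: List[str] = []
    names_by_port: Dict[int, List[str]] = {}
    for s in services:
        names_by_port.setdefault(s.port, []).append(s.name)
    for port, names in sorted(names_by_port.items()):
        if len(names) > 1:
            findings.append(f"port {port} is shared by {', '.join(names)}")
    exposure = effective_exposure(services)
    for s in services:
        leaked = exposure[s.name] - s.zones
        if leaked:
            findings.append(
                f"{s.name} is reachable from {sorted(leaked)} although access is off there")
    return findings


# Constructed configurations (assumptions, not exported from a real unit) that
# reproduce the warning's example and its fix.
SHARED_PORT_CONFIG = [
    Service("User portal", 443, {"LAN"}),
    Service("SSL VPN", 443, {"LAN", "WAN", "DMZ", "Wi-Fi"}),
    Service("Web admin console", 4444, {"LAN", "Wi-Fi"}),
]

FIXED_CONFIG = [
    Service("User portal", 443, {"LAN"}),
    Service("SSL VPN", 8443, {"LAN", "WAN", "DMZ", "Wi-Fi"}),   # back on its own port
    Service("Web admin console", 4444, {"LAN", "Wi-Fi"}),
]

if __name__ == "__main__":
    for label, cfg in (("shared", SHARED_PORT_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, audit(cfg) or ["no findings"])
```

The audit reports the port collision and the zones the user portal silently gains (WAN, DMZ and Wi-Fi) in the shared configuration, and nothing once SSL VPN is moved back to 8443; the same model applies to any pair of services you put on one port.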

Table 1. Best practices for access from WAN. For each console, the bullets list the recommended ways to secure access from the WAN zone.

Web admin console

  • Use Sophos Central. For more details, go to Central synchronization.
  • Create a local service ACL exception rule allowing specific source IP addresses to access the console from the WAN zone.
  • Use IPsec VPNs.
  • Use remote access clients.

CLI console

  • Create a local service ACL exception rule allowing specific source IP addresses to access the console from the WAN zone.
  • For additional security, use public-key authentication on Administration > Device access.
  • Use IPsec VPNs.
  • Use remote access clients.

User portal

For secure access from external networks, use VPNs and follow these best practices:

  • Provide only temporary access to download VPN clients or configuration to users who don't have VPN configured.
  • Use IPsec VPNs.
  • Use remote access clients.
  • Sophos Connect remote access client: Enable the user portal to allow automated provisioning of connection policies and re-provisioning after connection updates.
  • Make sure the user portal does not use the SSL VPN port.

Secure access based on user accounts:

  • User accounts stored on XG Firewall: Use multi-factor authentication (MFA) with one-time passwords (Authentication > One-time password).
  • External directory services: Use the MFA options provided by these services.

Local service ACL exception rule

Exception rules allow access to the device's admin services from specified networks or hosts, including from zones where the service is otherwise turned off on this page. All configured rules are listed here.

Note After you upgrade from SFOS v15 to v16:
  • If HTTP was enabled in SFOS v15, all HTTP requests are redirected to HTTPS.
  • HTTP rules in which the action is set to Drop are deleted.

Default admin password settings

The firewall is shipped with a default super administrator with the username and password set to admin. You can access the web admin console and CLI with these credentials. This administrator is authenticated locally by the device.

  • Change the default password as soon as you deploy the device.
  • Click Reset to default to restore the factory default password.

From 17.5 MR15, XG Firewall offers stronger password protection for the default super administrator. To benefit from the protection, you must change the password. This is a one-time change.

Note Store the current password in a secure location before you change it. If you later revert to an earlier firmware version, which still uses the current password, you'll need it to sign in.

Public key authentication

Turn on Public key authentication for admin to allow access to the command line interface (CLI) over SSH using an SSH key pair instead of the password.

Note Only admin and support users can add an SSH sign-in key without authentication. All other users are required to provide a password for authentication before adding an SSH key.

Add the public keys to the Authorized keys list for admin. Generate the key pairs with your SSH client tools (for example, PuTTYgen or ssh-keygen) and add only the public key; the private key stays on the administrator's workstation and should be passphrase-protected.
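A common failure at this step is pasting the wrong thing into Authorized keys: a private key, or the multi-line RFC 4716 block that PuTTYgen writes with "Save public key" rather than the single OpenSSH line that the firewall expects. The following Python helper is an added example, not part of the original page or of the firewall; it normalises either public-key format to one authorized_keys line and refuses private keys, undecodable bodies and mismatched key types. The sample key embedded in it is constructed (a dummy 32-byte ed25519 value), not a real key.

```python
import base64
import struct
import textwrap

SUPPORTED_TYPES = {
    "ssh-ed25519", "ssh-rsa",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
}


def _read_string(blob: bytes, offset: int):
    """Read one RFC 4251 'string' (uint32 length + bytes) from blob at offset."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[offset + 4:end], end


def key_type_from_blob(blob: bytes) -> str:
    """Key type string embedded at the start of every SSH public key blob."""
    name, _ = _read_string(blob, 0)
    return name.decode("ascii")


def to_authorized_keys_line(text: str, comment: str = "") -> str:
    """Normalise a pasted public key into one OpenSSH authorized_keys line.

    Accepts the one-line OpenSSH form ("ssh-ed25519 AAAA... comment") and the
    RFC 4716 block PuTTYgen writes with "Save public key"
    ("---- BEGIN SSH2 PUBLIC KEY ----" ... "---- END SSH2 PUBLIC KEY ----").
    Rejects private keys, undecodable bodies, unsupported key types and a
    declared type that disagrees with the type stored inside the blob.
    """
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    if not lines:
        raise ValueError("empty input")
    if any("PRIVATE KEY" in ln for ln in lines):
        raise ValueError("this is a private key; paste the public key instead")

    declared = None
    if lines[0].startswith("---- BEGIN SSH2 PUBLIC KEY ----"):
        body = []
        for ln in lines[1:]:
            if ln.startswith("---- END SSH2 PUBLIC KEY ----"):
                break
            if ":" in ln:                        # header line such as Comment: "..."
                key, _, value = ln.partition(":")
                if key.strip().lower() == "comment" and not comment:
                    comment = value.strip().strip('"')
                continue
            body.append(ln)                      # base64 body lines (no ':' possible)
        b64 = "".join(body)
    else:
        parts = lines[0].split()
        if len(parts) < 2:
            raise ValueError("expected '<type> <base64> [comment]'")
        declared, b64 = parts[0], parts[1]
        if len(parts) > 2 and not comment:
            comment = " ".join(parts[2:])

    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError as exc:                    # binascii.Error is a ValueError
        raise ValueError(f"key body is not valid base64: {exc}")
    ktype = key_type_from_blob(blob)
    if ktype not in SUPPORTED_TYPES:
        raise ValueError(f"unsupported key type {ktype!r}")
    if declared is not None and declared != ktype:
        raise ValueError(f"declared type {declared} does not match blob type {ktype}")
    if ktype == "ssh-ed25519":
        pub, _ = _read_string(blob, 4 + len(ktype))
        if len(pub) != 32:
            raise ValueError("ed25519 public key must be exactly 32 bytes")

    line = f"{ktype} {base64.b64encode(blob).decode('ascii')}"
    return f"{line} {comment}" if comment else line


# Constructed sample: a syntactically valid ssh-ed25519 blob carrying a dummy
# 32-byte key (not a real key pair), in both formats a client tool may produce.
SAMPLE_BLOB = b"\x00\x00\x00\x0bssh-ed25519" + b"\x00\x00\x00\x20" + bytes(range(32))
SAMPLE_B64 = base64.b64encode(SAMPLE_BLOB).decode("ascii")
SAMPLE_OPENSSH = f"ssh-ed25519 {SAMPLE_B64} admin@example"
SAMPLE_RFC4716 = "\n".join(
    ["---- BEGIN SSH2 PUBLIC KEY ----", 'Comment: "admin@example"']
    + textwrap.wrap(SAMPLE_B64, 64)
    + ["---- END SSH2 PUBLIC KEY ----"]
)

if __name__ == "__main__":
    print(to_authorized_keys_line(SAMPLE_RFC4716))
```

Paste the returned line into Authorized keys; both sample inputs yield the same line. With OpenSSH the one-line form is already what ssh-keygen writes to the .pub file, and you then connect with the matching private key (for example `ssh -i ~/.ssh/xg_admin admin@<firewall-ip>`).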