Admin settings
Admin settings allows you to modify the admin port settings and sign-in parameters. Customize the sign-in parameters to restrict local and remote user access based on time duration.
Hostname
- Hostname
-
Enter a name in the form of a fully qualified domain name (FQDN).
Acceptable range: 0 to 256 characters
Example: security.sophos.com
Note: When the device is deployed for the first time, the serial ID of the device is saved as the hostname.
- Description
- Enter a description.
Admin console and end-user interaction
- Admin console HTTPS port
-
Displays the HTTPS port configured in SFOS.
Default: 4444
- User portal HTTPS port
-
Displays the port number where users can access the user portal.
Default: 443
You can use the same port (for example, 443) for secure connections to the user portal and SSL VPN connections that use TCP.
- Certificate
- Select the certificate to be used by the user portal, captive portal, SPX registration portal, and SPX reply portal.
- When redirecting users to the captive portal or other interactive pages
-
Select an option to use when redirecting users to the captive portal or other interactive pages.
You can use the firewall’s configured hostname, the IP address of the first internal interface, or specify a different hostname. Click Check settings to test your configuration.
Login security
Set sign-in security for administrators.
- Lock admin session after
-
Select to automatically lock the session after the configured time of inactivity (in minutes). This setting applies to the web admin and CLI console, the IPsec connection wizard, the network wizard, and the group import wizard.
Default: 3 minutes
- Log out admin session after
-
Select to automatically sign out the administrator from the web admin console after the configured time of inactivity (in minutes).
Default: 10 minutes
Note: The Log out admin session after value must be greater than the Lock admin session after value.
- Block login
- Select to block sign-in to the web admin console and CLI. Enter the maximum number of failed sign-in attempts and the duration (in seconds) within which the attempts can be made from a single IP address. When the failed attempts exceed that number, the administrator is locked out for the configured number of minutes. Specify the number of minutes for which the administrator will not be allowed to sign in.
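The following is an added example, not SFOS code: a small Python model of how the three Block login values (maximum attempts, duration in seconds, lock time in minutes) interact per source IP, useful for reasoning about a chosen configuration. The class and function names, the sliding-window interpretation of the duration, the handling of successful sign-ins, and the sample events are assumptions made for illustration.

```python
from collections import defaultdict, deque

class BlockLoginPolicy:
    """Added model of the Block login setting; not SFOS code."""

    def __init__(self, max_attempts, window_seconds, lock_minutes):
        self.max_attempts = max_attempts
        self.window = window_seconds
        self.lock_seconds = lock_minutes * 60
        self.failures = defaultdict(deque)  # source IP -> recent failure times
        self.locked_until = {}              # source IP -> lock expiry time

    def attempt(self, ts, ip, success):
        """Classify one sign-in attempt as ok, failed, locked or blocked."""
        if ts < self.locked_until.get(ip, 0):
            return "blocked"  # lock active: valid credentials are refused too
        if success:
            return "ok"       # assumption: a success leaves the counter alone
        recent = self.failures[ip]
        recent.append(ts)
        # Assumption: sliding window; drop failures older than the duration.
        while recent and ts - recent[0] >= self.window:
            recent.popleft()
        if len(recent) > self.max_attempts:  # "exceed the number" on the page
            self.locked_until[ip] = ts + self.lock_seconds
            recent.clear()
            return "locked"
        return "failed"

def replay(events, policy):
    """Run (time, ip, success) events in time order; return the outcomes."""
    return [policy.attempt(ts, ip, ok) for ts, ip, ok in sorted(events)]

# Constructed sample events (seconds, documentation-range IPs), not real logs.
EVENTS = [
    (0, "203.0.113.10", False), (10, "203.0.113.10", False),
    (20, "203.0.113.10", False), (25, "198.51.100.7", False),
    (30, "203.0.113.10", False),  # 4th failure in 60 s exceeds 3
    (40, "203.0.113.10", True),   # correct password during the lock
    (90, "198.51.100.7", False),  # earlier failure has aged out of the window
    (330, "203.0.113.10", True),  # lock from t=30 expires at t=330
]

if __name__ == "__main__":
    policy = BlockLoginPolicy(max_attempts=3, window_seconds=60, lock_minutes=5)
    for event, outcome in zip(sorted(EVENTS), replay(EVENTS, policy)):
        print(event, "->", outcome)
```

Because the lock is keyed on the source IP, a legitimate administrator behind the same address is refused for the lock period as well, which is worth weighing when choosing the lock time.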
CAPTCHA: Administrators signing in to the web admin console, and local and guest users signing in to the user portal from the WAN or VPN zones must enter a CAPTCHA. Local users are registered on XG Firewall and not on an external authentication server, such as an AD server.
The CAPTCHA doesn't show on XG 85, XG 85w devices, and on Cyberoam devices upgraded to XG Firewall.
You can manually turn off the CAPTCHA for VPN zones from the command-line interface. Use the following commands:
console> system captcha_authentication_VPN [disable] [enable] [show] for [webadminconsole] [userportal]
You can manually turn off the CAPTCHA for endpoint devices accessing the web admin or the user portal from the WAN zone. Use the following commands:
console> system captcha_authentication_global [disable] [enable] [show] for [webadminconsole] [userportal]
Using the global command overrides the VPN-specific commands. We recommend leaving the CAPTCHA enabled for the WAN zone, and only changing the setting for VPN users if required.
Administrator password complexity settings
Select to turn on password complexity settings for administrators and enforce the required constraints.
Login disclaimer settings
Select Enable login disclaimer to set messages for authentication, SMTP, administration, and SMS customization, which administrators must agree to before they can sign in to the web admin console and CLI. You can customize and preview messages too.
Sophos Adaptive Learning
Select to send the following application usage and threat data to Sophos: unclassified applications (to improve network visibility and enlarge the application control library), data for IPS alerts, detected viruses (including URLs), spam, and ATP threats, such as threat name, threat URL/IP, source IP, and applications used.
The device sends periodic information to Sophos over HTTPS to improve stability, prioritize feature refinements, and to improve protection effectiveness. No user-specific information or personalized information is collected. The device sends configuration and usage data by default. This includes device information (example: model, hardware version, vendor), firmware version and license information (does not include owner information), features that are in use (status, on/off, count, HA status, central management status), configured objects (example: count of hosts, policies), product errors, and CPU, memory, and disk usage (in percentage).