Device access

You can control access to the management services of XG Firewall from custom and default zones using the local service ACL (Access Control List).

Local services are management services specific to the internal functioning of XG Firewall, such as web admin and CLI consoles, and authentication services. You can allow or block access to local services from Administration > Device access.

  • Select the check boxes to allow access to these services from different zones. For more details about the services, go to Access to local services from zones.
  • To only allow specific hosts and networks to access the services, scroll down to Local service ACL exception rule, and click Add.

Local service ACL: How device access works

The following conditions apply to local services:

  • You can't control traffic to these services using firewall rules. You can only do so from Administration > Device access.
  • For custom zones, you can also allow or block access from Network > Zones.

  • To access a local service that shares a host's subnet, zone, or interface, you must select the zone. For example, to access the DNS service from the LAN zone when XG Firewall is the DNS server, you must select LAN for DNS.
  • The default ports are used to provide access to these services, and the destination IP address is set to XG Firewall.
  • You can change the default ports of some services, such as SSL VPN and user portal, from the corresponding settings pages. If you change the ports, we recommend that you don't use the SSL VPN port for other services. It allows access to the services from zones that you turned off here.

The default settings for the local service access control list are in the following image.


Local ACL default

Best practices

Administrative services and user portal: We do not recommend allowing access to the web admin console (HTTPS), CLI console (SSH), and the user portal from the WAN zone or over the SSL VPN port. If you must give access, we recommend using the best practices listed in the table in this section.

SSL VPN port: By default, all management services use unique ports. SSL VPN is set to TCP port 8443.

Warning If you manually change the default ports, we strongly recommend that you use a unique port for each service. Using a unique port ensures that services are not exposed to the WAN zone even after you turn off access. Example: If you use port 443 for both the user portal and SSL VPN, the user portal will be accessible from the WAN zone even if you turn off WAN access from this page.
Table 1. Best practices for access from WAN

Consoles

Secure access from WAN

Web admin console

  • Use Sophos Central. For more details, go to Central synchronization.

  • Create a local service ACL exception rule allowing specific source IP addresses to access the console from the WAN zone.
  • Use IPsec VPNs.
  • Use remote access clients.

CLI console

  • Create a local service ACL exception rule allowing specific source IP addresses to access the console from the WAN zone.
  • For additional security, use public-key authentication on Administration > Device access.
  • Use IPsec VPNs.
  • Use remote access clients.

User portal

For secure access from external networks, use VPNs and follow these best practices:

  • Provide only temporary access to download VPN clients or configuration to users who don't have VPN configured.
  • Use IPsec VPNs.
  • Use remote access clients.
  • Sophos Connect remote access client: Enable the user portal to allow automated provisioning of connection policies and re-provisioning after connection updates.
  • Make sure the user portal does not use the SSL VPN port.

Secure access based on user accounts:

  • User accounts stored on XG Firewall: Use multi-factor authentication (MFA) with one-time passwords (Authentication > One-time password).
  • External directory services: Use the MFA options provided by these services.

Default admin password settings

The factory configuration of XG Firewall carries a default super administrator with the following credentials:

Username: admin

Password: admin

You can use these to sign in to the web admin console and the CLI. You must change the default password when you configure XG Firewall for the first time.

Public key authentication for admin

You can use these public keys for secure access to the CLI. You can add, edit, or delete SSH keys.

  1. Turn on Enable authentication to allow secure access to the CLI using an SSH key.
  2. To generate a public-private key pair, use SSH tools (example: PuTTYgen).
  3. Go to Administration > Device access, and scroll down to Public key authentication for admin. Add the public key.
  4. Share the private key with the administrator who needs to access the CLI.

    To access the CLI, the administrator must enter the private key in the SSH tool (example: PuTTY).

    You can also use this method to give secure access to Sophos Technical Support for troubleshooting purposes.