Device access

Device access allows you to limit administrative access to certain services from custom and default zones (LAN, WAN, DMZ, VPN, Wi-Fi).

  1. Local service ACL: The device carries a default ACL (access control list) when connected and powered on for the first time. Details of the default services and ports are given below. Turn on or off access to the services from the specified zones.
    Note By default, all services are configured to use unique ports.
    Warning If you manually change the default ports, we strongly recommend that you use a unique port for each service. This ensures that services are not exposed to the WAN zone when they have been disabled. Example: If you use port 443 for both the user portal and SSL VPN, the user portal will be accessible from the WAN zone.
    Table 1. Admin services

    Zone     HTTPS (TCP port 4444)    SSH (TCP port 22)
    LAN      active                   active
    WAN      active                   active
    Wi-Fi    active                   active

    Admin services
    • LAN and Wi-Fi zones: HTTPS (TCP port 4444) and SSH (TCP port 22)
    • WAN zone: HTTPS (TCP port 443) and SSH (TCP port 22)
    Authentication services
    • LAN and Wi-Fi zones: Client authentication (UDP port 6060), captive portal authentication (TCP port 8090), Active Directory SSO, and RADIUS SSO.
    Network services
    • LAN, WAN, and Wi-Fi zones: Ping/Ping6 and DNS
    Other services
    • LAN and Wi-Fi zones: Web proxy and SMTP relay
    • LAN, WAN, DMZ and Wi-Fi zones: SSL VPN (TCP port 8443)
    • LAN and WAN zones: User portal and dynamic routing
    • LAN, DMZ, VPN and Wi-Fi zones: SNMP
    Note User authentication services are required in order to apply user-based internet surfing, bandwidth, and data transfer restrictions. These are not required for administrative functions.
  2. Local service ACL exception rule: You can allow access to the device’s admin services from specified networks/hosts. A list of all the configured rules is displayed.
    Note
    After you upgrade from SFOS v15 to v16:
    • If HTTP was enabled in SFOS v15, all HTTP requests are redirected to HTTPS.
    • HTTP rules in which the action is set to Drop are deleted.
  3. Default admin password settings:
    1. Change the default password as soon as you deploy the device.
      Note The device is shipped with a default super admin with the user name and password set to admin. You can access the web admin console and CLI with these credentials. This administrator is authenticated locally by the device.
    2. Click Reset to default to restore the factory default password.
  4. Public key authentication
    1. Turn on Public key authentication for admin to allow access to the command line interface (CLI) using the SSH key.
      Note Only admin and support users can add an SSH sign-in key without authentication. All other users are required to provide a password for authentication before adding an SSH key.
    2. Add the list of Authorized keys for admin. Generate these SSH keys using SSH client tools (example: PuTTY).
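
The port-sharing warning under Local service ACL can be checked before a change is applied. The following is an added example, not part of the original documentation or any Sophos tool: the service table is constructed sample data, and the rule that a shared port is reachable in every zone where any service on it is turned on is a simplifying assumption taken from the warning's user portal and SSL VPN case.

```python
from collections import defaultdict

# Constructed sample configuration (not exported from a real device).
# name -> (transport, port, zones where the ACL toggle is turned on)
SERVICES = {
    "Admin HTTPS":    ("tcp", 4444, {"LAN", "Wi-Fi"}),
    "SSH":            ("tcp", 22,   {"LAN", "Wi-Fi"}),
    "Captive portal": ("tcp", 8090, {"LAN", "Wi-Fi"}),
    # SSL VPN manually moved from its default 8443 to 443.
    "SSL VPN":        ("tcp", 443,  {"LAN", "WAN", "DMZ", "Wi-Fi"}),
    # User portal also on 443, turned off for every zone except LAN.
    "User portal":    ("tcp", 443,  {"LAN"}),
}


def find_port_exposures(services):
    """Return sorted (service, zone, port, opened_by) tuples.

    A finding means `service` is turned off in `zone`, but another service
    sharing the same transport/port is turned on there, so the port is open
    in that zone anyway (assumed model, see the lead-in).
    """
    by_port = defaultdict(list)
    for name, (proto, port, zones) in services.items():
        by_port[(proto, port)].append((name, set(zones)))

    findings = []
    for (proto, port), group in by_port.items():
        if len(group) < 2:
            continue  # unique port: the ACL toggle alone decides exposure
        for name, zones in group:
            for other, other_zones in group:
                if other == name:
                    continue
                # Zones the other service opens that this one has turned off.
                for zone in other_zones - zones:
                    findings.append((name, zone, f"{proto}/{port}", other))
    return sorted(findings)


def report(services):
    """Format findings as one line per unintended exposure."""
    return [f"{svc} is off in {zone} but reachable on {port} via {by}"
            for svc, zone, port, by in find_port_exposures(services)]


if __name__ == "__main__":
    print("\n".join(report(SERVICES)) or "No shared-port exposure found")
```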