Skip to content
Last update: 2021-10-21

Access to local services from zones

With local service ACL (Access Control List), you control access from custom and default zones to the management services of Sophos Firewall.

The default configuration of the access control list is in the table below. Access to the services is allowed from the zones listed.

Services Zones Description
Admin services
  • LAN
  • Wi-Fi
HTTPS: TCP port 4444
Allows access to the web admin console.
SSH: TCP port 22
Allows access to the command-line console.
Admin services
  • WAN
HTTPS: TCP port 443
SSH: TCP port 22.
Authentication services
  • LAN
  • Wi-Fi
    AD SSO
    RADIUS SSO
    Chromebook SSO
    Captive portal: TCP port 8090
    Client authentication: UDP port 6060
    Allows the authentication of users and clients in the specified zones.
    Network services
    • LAN
    • WAN
    • Wi-Fi
    Ping/Ping6
    Allows ping requests to the WAN IP address of Sophos Firewall.
    Network services
    • LAN
    • Wi-Fi
    DNS
    Allows DNS resolution requests when Sophos Firewall is the DNS server.
    Other services
    • LAN
    • WAN
    • DMZ
    • Wi-Fi
    Wireless protection: Allows access points in these zones to connect to Sophos Firewall.
    Web proxy: Allows direct proxy traffic on port 3128.
    In addition to acting as a transparent proxy, Sophos Firewall acts as a direct proxy by default. It listens to port 3128 for the configured browsers for the destination ports specified in Web > General settings.
    SMTP relay: Allows hosts and networks from these zones to use Sophos Firewall for outbound mail relay.<
    Other services
    • LAN
    • WAN
    • DMZ
    • Wi-Fi
    SSL VPN: TCP port 8443
    To change the port, go to VPN > Show VPN settings.
    We recommend that you don't use this port for other services. Even when you turn off WAN access for other local services, they remain accessible from the WAN zone if they use the SSL VPN port.
    Other services
    • LAN
    User portal: Allows users to access the user portal from this zone.
    If you allow users to access the user portal from the WAN zone, it can compromise security.
    Dynamic routing: Sends and receives dynamic routing updates from the selected zones.
    Other services
    • LAN
    • DMZ
    • VPN
    • Wi-Fi
    SNMP: Select the zone in which the SNMP server is located.
    Back to top