Skip to content

Access to local services from zones

With local service ACL (Access Control List), you control access from custom and default zones to the management services of the firewall.

The default configuration of the access control list is in the table below. Access to the services is allowed from the zones listed.

Services Zones Description
Admin services

LAN

Wi-Fi

HTTPS: TCP port 4444

Allows access to the web admin console.

SSH: TCP port 22

Allows access to the command-line console.

Authentication services None

AD SSO

Allows user authentication through Active Directory single sign-on (SSO) in the specified zones.

LAN

Wi-Fi

Captive portal: TCP port 8090

RADIUS SSO

Client authentication: UDP port 6060

Allows the authentication of users and clients in the specified zones.

None

Chromebook SSO

Allows the authentication of users and clients in the specified zones.

Network services

LAN

WAN

Wi-Fi

Ping/Ping6

Allows ping requests to the WAN IP address of the firewall.

LAN

Wi-Fi

DNS

Allows DNS resolution requests when the firewall is the DNS server.

Other services None

Wireless protection

Allows access points in these zones to connect to the firewall.

LAN

WAN

DMZ

Wi-Fi

SSL VPN: TCP port 8443

Go to Remote Access VPN > SSL VPN > SSL VPN global settings to change the port.

We recommend that you don't use this port for other services. Even when you turn off WAN access for other local services, they remain accessible from the WAN zone if they use the SSL VPN port.

LAN

Wi-Fi

Web proxy

Allows direct proxy traffic on port 3128.

In addition to acting as a transparent proxy, the firewall acts as a direct proxy by default. For direct proxy, the default port is 3128. You can change it on Web > General settings.

LAN

User portal: TCP port 443

Allows users to access the user portal from this zone.

If you allow users to access the user portal from the WAN zone, it can compromise security.

None

Dynamic routing

Sends and receives dynamic routing updates from the selected zones.

LAN

Wi-Fi

SMTP relay

Allows hosts and networks from these zones to use the firewall for outbound mail relay.

LAN

DMZ

VPN

Wi-Fi

SNMP

Select the zone in which the SNMP server is located.