Access to local services from zones
With the local service ACL (access control list), you control access from custom and default zones to the management services of the firewall.
The default configuration of the access control list is in the table below. Access to the services is allowed from the zones listed.
Services | Zones | Description |
---|---|---|
Admin services | LAN, Wi-Fi | HTTPS: TCP port 4444. Allows access to the web admin console. SSH: TCP port 22. Allows access to the command-line console. |
Authentication services | None | AD SSO. Allows user authentication through Active Directory single sign-on (SSO) in the specified zones. |
Authentication services | LAN, Wi-Fi | Captive portal: TCP port 8090. RADIUS SSO. Client authentication: UDP port 6060. Allows the authentication of users and clients in the specified zones. |
Authentication services | None | Chromebook SSO. Allows the authentication of users and clients in the specified zones. |
Network services | LAN, WAN, Wi-Fi | Ping/Ping6. Allows ping requests to the WAN IP address of the firewall. |
Network services | LAN, Wi-Fi | DNS. Allows DNS resolution requests when the firewall is the DNS server. |
Other services | None | Wireless protection. Allows access points in these zones to connect to the firewall. |
Other services | LAN, WAN, DMZ, Wi-Fi | SSL VPN: TCP port 8443. Go to Remote Access VPN > SSL VPN > SSL VPN global settings to change the port. We recommend that you don't use this port for other services. Even when you turn off WAN access for other local services, they remain accessible from the WAN zone if they use the SSL VPN port. |
Other services | LAN, Wi-Fi | Web proxy. Allows direct proxy traffic on port 3128. In addition to acting as a transparent proxy, the firewall acts as a direct proxy by default. For direct proxy, the default port is 3128. You can change it on Web > General settings. |
Other services | LAN | User portal: TCP port 443. Allows users to access the user portal from this zone. If you allow users to access the user portal from the WAN zone, it can compromise security. |
Other services | None | Dynamic routing. Sends and receives dynamic routing updates from the selected zones. |
Other services | LAN, Wi-Fi | SMTP relay. Allows hosts and networks from these zones to use the firewall for outbound mail relay. |
Other services | LAN, DMZ, VPN, Wi-Fi | SNMP. Select the zone in which the SNMP server is located. |
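
The SSL VPN row warns that a service sharing the SSL VPN port stays reachable from WAN even when its own ACL entry excludes WAN. The following is an added example, not Sophos code: a small audit that models that rule and reports management services reachable from WAN. The dictionary layout and the function names `effective_zones` and `audit` are assumptions made for illustration, not a firewall export format or API.

```python
# Added example. The data layout is constructed for illustration only.
SSL_VPN = "SSL VPN"

# Defaults from the table, limited to services it gives a TCP/UDP port for.
# service -> ((protocol, port), zones allowed by the local service ACL)
DEFAULT_ACL = {
    "HTTPS": (("tcp", 4444), {"LAN", "Wi-Fi"}),
    "SSH": (("tcp", 22), {"LAN", "Wi-Fi"}),
    "Captive portal": (("tcp", 8090), {"LAN", "Wi-Fi"}),
    "Client authentication": (("udp", 6060), {"LAN", "Wi-Fi"}),
    "SSL VPN": (("tcp", 8443), {"LAN", "WAN", "DMZ", "Wi-Fi"}),
    "User portal": (("tcp", 443), {"LAN"}),
}


def effective_zones(acl):
    """Zones each service is reachable from, counting zones gained by
    sharing the SSL VPN port (model of the caveat in the SSL VPN row)."""
    vpn_port, vpn_zones = acl[SSL_VPN]
    reach = {}
    for name, (port, zones) in acl.items():
        reach[name] = set(zones)
        if name != SSL_VPN and port == vpn_port:
            # Same listener port: the ACL entry no longer limits access.
            reach[name] |= vpn_zones
    return reach


def audit(acl, untrusted=frozenset({"WAN"})):
    """Return (service, exposed zones, cause) for every service other than
    SSL VPN that is reachable from an untrusted zone."""
    reach = effective_zones(acl)
    findings = []
    for name, (_port, zones) in sorted(acl.items()):
        if name == SSL_VPN:
            continue
        exposed = reach[name] & untrusted
        if exposed:
            cause = "ACL" if zones & untrusted else "shared SSL VPN port"
            findings.append((name, sorted(exposed), cause))
    return findings


if __name__ == "__main__":
    changed = dict(DEFAULT_ACL)
    changed["User portal"] = (("tcp", 8443), {"LAN"})  # constructed misconfiguration
    for finding in audit(changed):
        print(finding)
```

With the defaults the audit returns no findings; moving the user portal to TCP port 8443 produces a WAN finding although its ACL entry still lists only LAN.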