Admin settings

Modify the admin port settings and sign-in parameters. Customize the sign-in parameters to restrict local and remote user access based on time duration.

Hostname

Enter the host details of your Sophos Firewall.

Hostname: Enter a name in the form of a fully qualified domain name (FQDN).

Acceptable range: 0 to 256 characters.

Example: security.sophos.com

When you sign in to the web admin console, the browser tab shows this hostname. If you've signed in to multiple firewalls in the same browser window, you can identify a firewall by the hostname shown in the browser tab.

Note

When the device is deployed for the first time, the serial ID of the device is saved as the hostname.

Description: Enter a description.

Admin console and end-user interaction

Configure port and certificate settings for the web admin console and the user portal.

Ports

Admin console HTTPS port: Port on which Sophos Firewall serves the web admin console over HTTPS.

Default: 4444

User portal HTTPS port: Port number where users can access the user portal.

Default: 4443

Example

User portal port: 4443

User portal link for IP address (10.8.9.54): https://10.8.9.54:4443

User portal link for hostname (myfirewall): https://myfirewall:4443

Warning

If you manually change the default ports, we strongly recommend using a unique port for each service. This ensures that services aren't exposed to the WAN zone when you haven't configured WAN access for them.

You can't use the user portal and web admin console ports for any other service.

VPN portal HTTPS port: Port number where users can access the VPN portal.

Default: 443

Example

VPN portal port: 443

VPN portal link for IP address (10.8.9.54): https://10.8.9.54:443

VPN portal link for hostname (myfirewall): https://myfirewall:443

Users can access the VPN portal only if:

  • They're part of a remote access IPsec or SSL VPN, clientless SSL VPN, L2TP, or PPTP policy.
  • The VPN portal is accessible from the zone users access it from.

    For example, if they're accessing it from the WAN zone, make sure you turn on WAN access for the VPN portal.

    To turn on WAN access for the VPN portal, go to Administration > Device access, and under VPN portal, select WAN.

Restriction

WAF, VPN portal, and SSL VPN can share their ports with some restrictions. See Port sharing among services.
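The following is an added example, not part of the Sophos documentation, that applies the port rules above to a planned configuration before it is committed: the web admin console and user portal ports must not be reused by any other service, any other shared port is only a warning (the page says WAF, VPN portal, and SSL VPN may share ports under restrictions it does not list here), and the portal links are built the same way as the examples above. The service names in the dictionary are assumptions chosen for this example; the defaults 4444, 4443, and 443 come from the page.

```python
import ipaddress

# Services whose ports the page says can't be used by any other service.
EXCLUSIVE_SERVICES = ("admin_console", "user_portal")


def portal_link(host, port):
    """Return the HTTPS link for a portal on the given hostname or IP address.

    Accepts a hostname (e.g. myfirewall) or an IP address literal; IPv6
    literals are bracketed so the URL stays valid.
    """
    try:
        if ipaddress.ip_address(host).version == 6:
            host = f"[{host}]"
    except ValueError:
        pass  # not an IP literal, treat as a hostname
    return f"https://{host}:{port}"


def check_ports(ports):
    """Validate a service -> port mapping (service names are assumed, not Sophos').

    Returns (errors, warnings). An error is a port outside 1-65535 or a port
    shared with the admin console or user portal; a warning is any other
    port shared between two services, which the page only allows with
    restrictions.
    """
    errors, warnings = [], []
    services_by_port = {}
    for service, port in ports.items():
        if not 1 <= port <= 65535:
            errors.append(f"{service}: port {port} is outside 1-65535")
            continue
        services_by_port.setdefault(port, []).append(service)

    for port, services in sorted(services_by_port.items()):
        if len(services) < 2:
            continue
        names = ", ".join(sorted(services))
        if any(s in EXCLUSIVE_SERVICES for s in services):
            errors.append(
                f"port {port} is shared by {names}: the admin console and user "
                f"portal ports can't be used by any other service")
        else:
            warnings.append(
                f"port {port} is shared by {names}: only WAF, VPN portal and "
                f"SSL VPN may share a port, and only with restrictions")
    return errors, warnings


if __name__ == "__main__":
    # Constructed sample configuration using the page's default ports.
    planned = {"admin_console": 4444, "user_portal": 4443, "vpn_portal": 443}
    errs, warns = check_ports(planned)
    print("errors:", errs)
    print("warnings:", warns)
    print(portal_link("10.8.9.54", planned["user_portal"]))
    print(portal_link("myfirewall", planned["vpn_portal"]))
```

Run the check against the intended port map before changing the defaults; a non-empty error list means the change would put the admin console or user portal on a port another service already claims.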

Certificate

Select the certificate to be used by user portal, captive portal, SPX registration portal and SPX reply portal.

Redirect users

When redirecting users to the captive portal or other interactive pages: Select an option to use when redirecting users to the captive portal or other interactive pages.

You can use the firewall’s configured hostname, the IP address of the first internal interface, or specify a different hostname. Click Check settings to test your configuration.

Login security

Set sign-in security for administrators.

Log out admin session after: Select to automatically sign out the administrator from the web admin console after the configured time of inactivity (in minutes).

Default: 10 minutes

Block login: Select to block sign-in for all types of authentication, such as the web admin console, CLI, or VPN. Enter the maximum number of failed sign-in attempts and the duration (in seconds) within which those attempts can be made from a single IP address. When the failed attempts exceed that number, the administrator is locked out for the number of minutes you specify.
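The following is an added example, not Sophos code, that models the Block login rule as stated above: failed sign-in attempts from one IP address are counted in a sliding window of a configured number of seconds, and once they exceed the configured maximum, that IP is locked out for the configured number of minutes. The event format and the sample attempts are constructed for the example; the page does not describe the firewall's internal implementation.

```python
from collections import defaultdict, deque


class LoginBlocker:
    """Sliding-window lockout keyed by source IP address.

    max_attempts:   failed attempts allowed inside the window; one more locks
    window_seconds: the duration within which attempts are counted
    lock_minutes:   how long the source stays locked once triggered
    """

    def __init__(self, max_attempts, window_seconds, lock_minutes):
        self.max_attempts = max_attempts
        self.window = window_seconds
        self.lock_seconds = lock_minutes * 60
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.locked_until = {}              # ip -> time the lock expires

    def is_blocked(self, ip, now):
        """True while the lock for this IP is still in force; clears expired locks."""
        until = self.locked_until.get(ip)
        if until is None:
            return False
        if now < until:
            return True
        del self.locked_until[ip]
        self.failures[ip].clear()
        return False

    def record_failure(self, ip, now):
        """Register a failed sign-in; returns True if the IP is (now) blocked.

        Failed CAPTCHA attempts are not counted here, matching the page's note
        that they don't trigger Block login.
        """
        if self.is_blocked(ip, now):
            return True
        recent = self.failures[ip]
        recent.append(now)
        while recent and now - recent[0] > self.window:
            recent.popleft()  # drop attempts that fell outside the window
        if len(recent) > self.max_attempts:
            self.locked_until[ip] = now + self.lock_seconds
            return True
        return False

    def record_success(self, ip):
        """A successful sign-in resets the failure count for that IP."""
        self.failures.pop(ip, None)


def replay(events, max_attempts=3, window_seconds=60, lock_minutes=5):
    """Replay (timestamp, ip, outcome) events and return the blocked ones.

    outcome is 'fail' or 'ok'. Returns a list of (timestamp, ip) tuples for
    attempts that were rejected because the IP was locked.
    """
    blocker = LoginBlocker(max_attempts, window_seconds, lock_minutes)
    blocked = []
    for ts, ip, outcome in events:
        if blocker.is_blocked(ip, ts):
            blocked.append((ts, ip))
            continue
        if outcome == "fail":
            if blocker.record_failure(ip, ts):
                blocked.append((ts, ip))
        else:
            blocker.record_success(ip)
    return blocked


if __name__ == "__main__":
    # Constructed sample: four failures in 30 s from one address, then a retry
    # during the lock and another after it expires; a second address is unaffected.
    sample = [
        (0, "10.0.0.5", "fail"), (10, "10.0.0.5", "fail"),
        (20, "10.0.0.5", "fail"), (30, "10.0.0.5", "fail"),
        (100, "10.0.0.5", "ok"), (330, "10.0.0.5", "ok"),
        (15, "10.0.0.9", "fail"),
    ]
    print(replay(sample))
```

Note that the lock is keyed by the source IP address, as the setting describes; clients behind a shared NAT address will therefore share one counter, which is worth remembering when choosing the attempt limit.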

CAPTCHA: Administrators signing in to the web admin console, and local and guest users signing in to the user portal from the WAN or VPN zones must enter a CAPTCHA. Local users are registered on Sophos Firewall and not on an external authentication server, such as an AD server.

The CAPTCHA isn't shown on XG 85 and XG 85w devices.

You can manually turn off the CAPTCHA for VPN zones from the command-line interface. Use the following commands:

system captcha_authentication_VPN [disable] [enable] [show]

Note

Failed CAPTCHA attempts aren't currently counted as failed sign-in attempts and don't trigger the Block login setting.

Administrator password complexity settings

Select to turn on password complexity settings for administrators and enforce the required constraints.

Login disclaimer settings

Select Enable login disclaimer to set messages for authentication, SMTP, administration, and SMS customization, which administrators must agree to before they can sign in to the web admin console and CLI. You can customize and preview messages too.

Sophos Adaptive Learning

Select to send the following application usage and threat data to Sophos: unclassified applications (to improve network visibility and enlarge the application control library), data for IPS alerts, detected viruses (including URLs), spam, and ATP threats (threat name, threat URL/IP, source IP, and applications used).

The device sends periodic information to Sophos over HTTPS to improve stability, prioritize feature refinements, and to improve protection effectiveness. No user-specific information or personalized information is collected. The device sends configuration and usage data by default. This includes device information (example: model, hardware version, vendor), firmware version and license information (does not include owner information), features that are in use (status, on/off, count, HA status, central management status), configured objects (example: count of hosts, policies), product errors, and CPU, memory, and disk usage (in percentage).