Best practices

We don't recommend allowing access to the web admin console (HTTPS), CLI console (SSH), and the user portal from the WAN zone or over the SSL VPN port.

Web admin console

You can't allow web admin console access from all WAN sources. If you must give access, follow these best practices:

  • Create a local service ACL exception rule allowing specific source IP addresses to access the console from the WAN zone.

    You can't create the rule if you set the source network to Any or the source IP address to 0.0.0.0 because the firewall doesn't allow access to the web admin console from all WAN sources.

  • Use Sophos Central.
  • Use remote access or site-to-site VPNs.
  • Use remote access clients, such as Sophos Transparent Authentication Suite (STAS).

Note

If you've allowed access in an earlier version, the firewall turns off access if there aren't any successful sign-ins from the WAN zone for 90 consecutive days. This applies to all deployments. Access given to specific WAN IP addresses and networks through a Local service ACL exception rule isn't impacted. These sources will continue to have access even if there are no sign-ins.

CLI console

Create a local service ACL exception rule allowing specific source IP addresses to access the console from the WAN zone.

For additional security, you can do one of the following:

  • Configure public-key authentication on Administration > Device access.
  • Use remote access or site-to-site VPNs.
  • Use remote access clients, such as Sophos Transparent Authentication Suite (STAS).

User portal

For secure access from external networks, use VPNs and follow these best practices:

  • Use remote access or site-to-site VPNs.
  • Use remote access clients, such as Sophos Transparent Authentication Suite (STAS).

For secure access based on user accounts, you can do the following:

  • Use multi-factor authentication (MFA) with one-time passwords for user accounts stored on Sophos Firewall. See Multi-factor authentication (MFA) settings.
  • Use the MFA options provided by External directory services.

Note

The firewall turns off access to the user portal from all WAN sources if there aren't any successful sign-ins from the WAN zone for 90 consecutive days. This applies to all deployments. Access given to specific WAN IP addresses and networks through a Local service ACL exception rule isn't impacted. These sources will continue to have access even if there are no sign-ins.

SSL VPN port

By default, all management services use unique ports. SSL VPN is set to TCP port 8443.

Warning

If you manually change the default ports, we strongly recommend using a unique port for each service. This ensures that services aren't exposed to the WAN zone even after you turn off access. If you use the same port for different services, such as port 443, some services can remain accessible from the WAN zone even if you turn off WAN access from the Device access page.

You can't use the user portal and web admin console ports for any other service.
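As an added example (not Sophos Firewall's own code or configuration export format), the following Python audit encodes two rules from this page: every management service on its own port, and WAN exception rules for the web admin console limited to specific source IP addresses rather than Any or 0.0.0.0. The configuration layout, field names and sample values are assumptions constructed for the example.

```python
from ipaddress import ip_network

# Constructed sample of a device-access configuration. The field names are
# assumptions for this example, not Sophos Firewall's export format.
SAMPLE_CONFIG = {
    "ports": {"web_admin_console": 4444, "user_portal": 443,
              "ssl_vpn": 443},  # constructed collision: SSL VPN moved onto 443
    "wan_acl_exceptions": [
        {"service": "web_admin_console", "sources": ["203.0.113.10/32"]},
        {"service": "web_admin_console", "sources": ["Any"]},
        {"service": "cli_console", "sources": ["0.0.0.0"]},
    ],
}

def shared_ports(ports):
    """Return [(port, [services...])] for every port used by more than one service."""
    by_port = {}
    for service, port in ports.items():
        by_port.setdefault(port, []).append(service)
    return sorted((p, sorted(s)) for p, s in by_port.items() if len(s) > 1)

def is_unrestricted(source):
    """True for 'Any', 0.0.0.0 or a /0 network: the rule is not limited to specific sources."""
    if source == "Any":
        return True
    net = ip_network(source, strict=False)
    return net.prefixlen == 0 or int(net.network_address) == 0

def unrestricted_wan_exceptions(rules):
    """Return (service, source) pairs for WAN exception rules not limited to specific IPs."""
    return [(r["service"], src) for r in rules for src in r["sources"]
            if is_unrestricted(src)]

def audit(config):
    """Collect human-readable findings for the port and ACL rules described on this page."""
    findings = []
    for port, services in shared_ports(config["ports"]):
        findings.append(f"port {port} is shared by {', '.join(services)}; "
                        "services on a shared port can stay reachable from the WAN zone")
    for service, src in unrestricted_wan_exceptions(config["wan_acl_exceptions"]):
        if service == "web_admin_console":
            findings.append(f"{service}: source {src!r} is not accepted for WAN access; "
                            "list specific source IP addresses instead")
        else:
            findings.append(f"{service}: source {src!r} grants WAN access from all sources; "
                            "restrict it to specific source IP addresses")
    return findings

if __name__ == "__main__":
    for line in audit(SAMPLE_CONFIG):
        print(line)
```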