
Admin and user settings

Check and specify the admin port settings and sign-in parameters. Customize the sign-in parameters to restrict local and remote user access based on time duration.


Hostname: Enter a fully qualified domain name (FQDN), such as

Acceptable range: 0 to 256 characters.

When you sign in to the web admin console, the browser tab shows the hostname. If you've signed in to multiple firewalls in the same browser window, you can identify a firewall by its hostname in the browser tab.


When the firewall is deployed for the first time, the serial ID is used as the hostname.

Description: Enter a description.

Admin console and end-user interaction

Configure the port and certificate settings.


Admin console HTTPS port: HTTPS port to access the firewall's web admin console.

Default: 4444

User portal HTTPS port: Port number for users to access the user portal.

Default: 4443


User portal port: 4443

User portal link for IP address (

User portal link for hostname (myfirewall): https://myfirewall:4443


You can't use the user portal and web admin console ports for any other service.

VPN portal HTTPS port: Port number for users to access the VPN portal.

Default: 443


VPN portal port: 443

VPN portal link for IP address (

VPN portal link for hostname (myfirewall): https://myfirewall:443

To allow users to access the VPN portal, do as follows:

  1. Remote access VPN: Select the users or their groups in a remote access IPsec or SSL VPN, clientless SSL VPN, L2TP, or PPTP policy.
  2. Device access: Allow access from the users' zones to the VPN portal. For example, if users must access it from the WAN zone, go to Administration > Device access, and under VPN portal, select WAN.


WAF, VPN portal, and SSL VPN can share their ports with some restrictions. See Port sharing among services.


Select the certificate to use for the following services:

  • Web admin console
  • User portal
  • VPN portal
  • Captive portal
  • SPX registration portal
  • SPX reply portal

The default certificate is locally signed, so browsers show an untrusted certificate error. To remove the error, see Remove untrusted certificate error.

Redirect users

When redirecting users to the captive portal or other interactive pages, use one of the following options:

  • Firewall's configured hostname. You configure this on Admin and user settings under Hostname.
  • IP address of the first internal interface.
  • A different hostname.

Click Check settings to test your configuration.

Security settings

Login security

  1. Select Log out admin session after to automatically sign out administrators from the web admin console after the specified time of inactivity.

    Default: 10 minutes

  2. Select Block login to block sign-ins to all services for users and administrators based on the number of failed sign-in attempts.

    1. To block sign-ins from the user or administrator's source IP address, do as follows:

      1. Enter the number of failed sign-in attempts.
      2. Enter the time within which the attempts are made.
    2. Enter the block duration.

      For failed attempts to sign in to any service, the web admin console, CLI, VPN portal, and user portal won't open from the source IP address.


Administrators signing in to the web admin console, and local and guest users signing in to the user portal from the WAN or VPN zones must enter a CAPTCHA by default.

Local users are registered in the firewall rather than an external authentication server, such as an AD server.

Failed CAPTCHA attempts aren't counted as failed sign-in attempts and don't trigger the Block login setting.
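The following added example (not Sophos code) models how the Block login values interact, so you can test a proposed threshold, time window, and block duration against sign-in failures before applying them. The event format, outcome labels, sliding-window counting, and counter restart after a block are assumptions made for illustration; the firewall's internal behavior may differ.

```python
from collections import defaultdict, deque

# Constructed sample events: (epoch_seconds, source_ip, service, outcome).
# Field names and outcome labels are illustrative, not the firewall's log format.
EVENTS = [
    (0,   "203.0.113.7", "webadmin",   "bad_password"),
    (20,  "203.0.113.7", "userportal", "bad_password"),
    (25,  "203.0.113.7", "webadmin",   "bad_captcha"),   # not counted
    (40,  "203.0.113.7", "vpnportal",  "bad_password"),  # 3rd failure in 60 s
    (50,  "203.0.113.7", "webadmin",   "bad_password"),  # arrives while blocked
    (10,  "198.51.100.9", "webadmin",  "bad_password"),
    (100, "198.51.100.9", "webadmin",  "bad_password"),
    (170, "198.51.100.9", "webadmin",  "bad_password"),  # spread out: no block
]

def blocked_intervals(events, max_attempts, window_s, block_s):
    """Return {source_ip: [(block_start, block_end), ...]}."""
    recent = defaultdict(deque)      # per-IP timestamps of counted failures
    blocked_until = {}               # per-IP end of the current block
    blocks = defaultdict(list)
    for ts, ip, _service, outcome in sorted(events):
        if ts < blocked_until.get(ip, 0):
            continue                 # services don't open from this IP while blocked
        if outcome != "bad_password":
            continue                 # successes and failed CAPTCHAs are not counted
        q = recent[ip]
        q.append(ts)                 # failures on any service share one counter
        while q and ts - q[0] > window_s:
            q.popleft()              # drop failures older than the window
        if len(q) >= max_attempts:
            blocked_until[ip] = ts + block_s
            blocks[ip].append((ts, ts + block_s))
            q.clear()                # assumption: counter restarts after a block
    return dict(blocks)

if __name__ == "__main__":
    # 3 failed attempts within 60 seconds, blocked for 300 seconds
    for ip, spans in blocked_intervals(EVENTS, 3, 60, 300).items():
        print(ip, spans)
```

With these sample events, only the source IP address that fails three sign-ins across services within the window is blocked; the address whose failures are spread out never reaches the threshold.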


CAPTCHA isn't available on XG 85 and XG 85w devices.

To turn off CAPTCHA for VPN zones, enter the following command on the CLI:

system captcha_authentication_VPN disable

Administrator password complexity settings

Select Enable password complexity check to turn on password complexity settings for administrators and specify the settings.

User password complexity settings

Select Enable password complexity check to turn on password complexity settings for users and specify the settings.

Login disclaimer settings

  1. Select Enable login disclaimer to show a disclaimer when administrators try to sign in to the web admin console and CLI.
  2. To customize and preview the message, click the links.

    To sign in, administrators must click I accept after entering their credentials.

Sophos Adaptive Learning

Select to send the following application usage and threat data to Sophos: unclassified applications (to improve network visibility and enlarge the application control library), data for IPS alerts, detected viruses (including URLs), spam, and Active threat response threats, such as threat name, threat URL and IP address, source IP address, and applications used.

The device sends periodic information to Sophos over HTTPS to improve stability, prioritize feature refinements, and improve protection effectiveness. No user-specific or personalized information is collected. The device sends configuration and usage data by default. This includes device information (for example, model, hardware version, vendor), firmware version and license information (does not include owner information), features that are in use (status, on/off, count, HA status, central management status), configured objects (for example, count of hosts, policies), product errors, and CPU, memory, and disk usage (in percentage).
