Best practices
We don't recommend allowing access to the web admin console (HTTPS), CLI console (SSH), and user portal from the WAN zone.
Note
You can't use the user portal and web admin console ports for any other service.
Web admin console
You can't allow web admin console access from all WAN sources. If you must give access, follow these best practices:
- Create a local service ACL exception rule allowing specific source IP addresses to access the console from the WAN zone.
  You can't create the rule if you set the source network to Any or the source IP address to 0.0.0.0 because the firewall doesn't allow access to the web admin console from all WAN sources.
- Use Sophos Central.
- Use remote access or site-to-site VPNs.
- Use remote access clients, such as Sophos Transparent Authentication Suite (STAS).
Note
If you've allowed access in an earlier version, the firewall turns off access if there aren't any successful sign-ins from the WAN zone for 90 consecutive days. This applies to all deployments. Access given to specific WAN IP addresses and networks through a Local service ACL exception rule isn't impacted. These sources will continue to have access even if there are no sign-ins.
CLI console
Create a local service ACL exception rule allowing specific source IP addresses to access the console from the WAN zone.
For additional security, you can do one of the following:
- Configure public-key authentication on Administration > Device access.
- Use remote access or site-to-site VPNs.
- Use remote access clients, such as Sophos Transparent Authentication Suite (STAS).
User portal
For secure access from external networks, use VPNs and follow these best practices:
- Use remote access or site-to-site VPNs.
- Use remote access clients, such as Sophos Transparent Authentication Suite (STAS).
For secure access based on user accounts, you can do the following:
- Use multi-factor authentication (MFA) with one-time passwords for user accounts stored on Sophos Firewall. See Multi-factor authentication (MFA) settings.
- Use the MFA options provided by External directory services.
Note
The firewall turns off access to the user portal from all WAN sources if there aren't any successful sign-ins from the WAN zone for 90 consecutive days. This applies to all deployments. Access given to specific WAN IP addresses and networks through a Local service ACL exception rule isn't impacted. These sources will continue to have access even if there are no sign-ins.
SSL VPN port
By default, all management services use unique ports. SSL VPN is set to TCP port 8443.
Warning
We strongly recommend using a unique port-protocol combination for the services listed on Administration > Device access. When you turn on access to a service from a zone, you turn it on for the service's port-protocol combination. So, other services that share the same port and protocol become accessible from the zone even if you turn off access to them.
Let's suppose you change the SSL VPN's default port to TCP 443, which is the default VPN portal port, and allow SSL VPN access from WAN. The VPN portal then becomes accessible even if you turn off its access from WAN.
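The warning describes access being granted per port-protocol combination rather than per service. The following Python script is an added example, not Sophos code or an official tool: it models that behaviour over a constructed Device access table and reports which services become reachable from a zone only because they share a port and protocol with a service that is turned on there. The SSL VPN default (TCP 8443) and VPN portal default (TCP 443) come from this page; the web admin console port (4444), the zone names LAN and WAN, and the service list itself are assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Service:
    """One entry from Administration > Device access: a management service,
    the port/protocol it listens on, and the zones it is explicitly turned on for."""
    name: str
    port: int
    proto: str           # "TCP" or "UDP"
    zones: frozenset     # zones where access to this service is turned on


def find_collisions(services):
    """Map each port/protocol combination used by more than one service to the
    names of the services sharing it. An empty dict means every service has a
    unique combination, which is what the warning above asks for."""
    by_combo = {}
    for svc in services:
        by_combo.setdefault((svc.port, svc.proto), []).append(svc.name)
    return {combo: names for combo, names in by_combo.items() if len(names) > 1}


def effective_access(services, zone):
    """Model the behaviour the page describes: turning a service on for a zone
    opens its port/protocol combination, so every service on that combination is
    reachable from the zone whether or not it was turned on itself.
    Returns name -> {enabled, reachable, exposed_via}."""
    opened = {}  # (port, proto) -> services explicitly enabled for this zone
    for svc in services:
        if zone in svc.zones:
            opened.setdefault((svc.port, svc.proto), set()).add(svc.name)
    report = {}
    for svc in services:
        openers = opened.get((svc.port, svc.proto), set())
        report[svc.name] = {
            "enabled": zone in svc.zones,
            "reachable": bool(openers),
            # other services whose zone setting is what actually exposes this one
            "exposed_via": sorted(openers - {svc.name}),
        }
    return report


def build_scenario(ssl_vpn_port):
    """Constructed configuration for the example. Apart from the page's 8443
    (SSL VPN default) and 443 (VPN portal default), the values are assumptions."""
    return [
        Service("Web admin console", 4444, "TCP", frozenset({"LAN"})),   # 4444 assumed
        Service("VPN portal", 443, "TCP", frozenset({"LAN"})),           # WAN access turned off
        Service("SSL VPN", ssl_vpn_port, "TCP", frozenset({"LAN", "WAN"})),
    ]


def audit(ssl_vpn_port, zone="WAN"):
    """Run both checks on a scenario and return the services that are reachable
    from the zone without being turned on for it (the unintended exposure)."""
    services = build_scenario(ssl_vpn_port)
    report = effective_access(services, zone)
    return {
        "collisions": find_collisions(services),
        "unintended": {n: r["exposed_via"] for n, r in report.items()
                       if r["reachable"] and not r["enabled"]},
    }


if __name__ == "__main__":
    # Weak setting from the page: SSL VPN moved onto the VPN portal's TCP 443.
    print("SSL VPN on 443:", audit(443))
    # Corrected setting: SSL VPN back on its own port, so nothing leaks through.
    print("SSL VPN on 8443:", audit(8443))
```

With SSL VPN on TCP 443 the audit lists the VPN portal as reachable from WAN via SSL VPN even though its own WAN access is turned off; with SSL VPN back on 8443 both the collision list and the unintended-exposure list are empty. The same check can be run over any export of the Device access table before a port is changed.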