
Access to local services from zones

With local service ACL (Access Control List), you control access from custom and default zones to the management services of the firewall.

The table below shows the default access control list. Access to each service is allowed only from the zones listed; "None" means the service is turned off for all zones.

| Category | Service | Zones | Description |
|---|---|---|---|
| Admin services | HTTPS: TCP port 4444 | LAN, Wi-Fi | Allows access to the web admin console. |
| Admin services | SSH: TCP port 22 | LAN, Wi-Fi | Allows access to the command-line console. |
| Authentication services | AD SSO | None | Allows user authentication through Active Directory single sign-on (SSO) in the specified zones. If you turn off AD SSO for all zones, you can't use Kerberos or NTLM on the firewall. |
| Authentication services | Captive portal: TCP port 8090 | LAN, Wi-Fi | Turning off captive portal stops user notifications from appearing, such as web filtering and zero day notifications. |
| Authentication services | RADIUS SSO | LAN, Wi-Fi | |
| Authentication services | Clients: UDP port 6060 | LAN, Wi-Fi | Allows users in the specified zones to use STAS or synchronized user ID authentication. |
| Authentication services | Chromebook SSO | None | Allows the authentication of users and clients in the specified zones. |
| Network services | Ping/Ping6 | LAN, WAN, Wi-Fi | Allows ping requests to the WAN IP address of the firewall. |
| Network services | DNS | LAN, Wi-Fi | Allows DNS resolution requests when the firewall is the DNS server. |
| VPN services | IPsec | None | Allows IPsec connections in the specified zones. |
| VPN services | SSL VPN: TCP port 8443 | LAN, WAN, DMZ, Wi-Fi | Go to Remote Access VPN > SSL VPN > SSL VPN global settings to change the port. We recommend that you don't use this port for other services. Even when you turn off WAN access for other local services, they remain accessible from the WAN zone if they use the SSL VPN port. |
| VPN services | VPN portal: TCP port 443 | None | Allows users to access the VPN portal in the specified zones. See VPN portal. |
| VPN services | RED | None | Allows access to RED services in the specified zones. |
| Other services | Wireless protection | None | Allows access points in these zones to connect to the firewall. Turn this off if you manage your access points in Sophos Central. |
| Other services | Web proxy | LAN, Wi-Fi | Allows direct proxy traffic on port 3128. In addition to acting as a transparent proxy, the firewall acts as a direct proxy by default. For direct proxy, the default port is 3128. You can change it on Web > General settings. |
| Other services | User portal: TCP port 4443 | LAN | Allows users to access the user portal from this zone. If you allow users to access the user portal from the WAN zone, it can compromise security. |
| Other services | Dynamic routing | None | Sends and receives dynamic routing updates from the selected zones. |
| Other services | SMTP relay | LAN, Wi-Fi | Allows hosts and networks from these zones to use the firewall as the inbound and outbound mail transfer agent. |
| Other services | SNMP | LAN, DMZ, VPN, Wi-Fi | Select the zone in which the SNMP server is located. |
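As an added example (not Sophos code or documentation), the script below encodes the defaults from the table as a baseline and audits an exported ACL against it. It flags services opened to zones beyond the defaults, the admin console, SSH and user portal when they are reachable from WAN (the page cautions about user portal access from WAN), and any service configured on the SSL VPN port, because the page notes such services stay reachable from WAN even when their WAN access is turned off. The service-name keys, the `audit_acl` function and the sample export are all assumptions of this example; how you export the live ACL from the firewall is not covered here.

```python
"""Audit a Sophos Firewall local service ACL against the documented defaults.

Added example, not Sophos code. It assumes the running ACL has already been
exported into a plain dict of service name -> set of zones.
"""

# Default zone assignments as documented in the table above.
DEFAULT_ACL = {
    "HTTPS": {"LAN", "Wi-Fi"},
    "SSH": {"LAN", "Wi-Fi"},
    "AD SSO": set(),
    "Captive portal": {"LAN", "Wi-Fi"},
    "RADIUS SSO": {"LAN", "Wi-Fi"},
    "Clients": {"LAN", "Wi-Fi"},
    "Chromebook SSO": set(),
    "Ping/Ping6": {"LAN", "WAN", "Wi-Fi"},
    "DNS": {"LAN", "Wi-Fi"},
    "IPsec": set(),
    "SSL VPN": {"LAN", "WAN", "DMZ", "Wi-Fi"},
    "VPN portal": set(),
    "RED": set(),
    "Wireless protection": set(),
    "Web proxy": {"LAN", "Wi-Fi"},
    "User portal": {"LAN"},
    "Dynamic routing": set(),
    "SMTP relay": {"LAN", "Wi-Fi"},
    "SNMP": {"LAN", "DMZ", "VPN", "Wi-Fi"},
}

# Default TCP ports listed in the table (services without a listed TCP port are omitted).
DEFAULT_PORTS = {
    "HTTPS": 4444,
    "SSH": 22,
    "Captive portal": 8090,
    "SSL VPN": 8443,
    "VPN portal": 443,
    "Web proxy": 3128,
    "User portal": 4443,
}

# Services whose exposure to WAN deserves a finding: the admin console and
# CLI are management interfaces, and the page warns about the user portal.
WAN_SENSITIVE = {"HTTPS", "SSH", "User portal"}


def audit_acl(current_acl, current_ports=None):
    """Return findings as (severity, service, message), highest severity first.

    current_acl:   service -> set of zones currently allowed on the firewall
    current_ports: service -> TCP port, only for services whose port was changed
    """
    ports = dict(DEFAULT_PORTS)
    ports.update(current_ports or {})
    findings = []

    for service, zones in current_acl.items():
        default = DEFAULT_ACL.get(service)
        if default is None:
            findings.append(("info", service, "not in documented defaults"))
            continue
        widened = zones - default
        if widened:
            findings.append(("warn", service,
                             "allowed from non-default zones: " + ", ".join(sorted(widened))))
        if "WAN" in zones and service in WAN_SENSITIVE:
            findings.append(("high", service, "management or user-facing service reachable from WAN"))

    # A service sharing the SSL VPN port remains reachable from WAN regardless
    # of its own zone setting, so report every such collision.
    ssl_vpn_port = ports["SSL VPN"]
    for service, port in ports.items():
        if service != "SSL VPN" and port == ssl_vpn_port:
            findings.append(("high", service,
                             f"shares port {port} with SSL VPN; WAN restriction is not effective"))

    order = {"high": 0, "warn": 1, "info": 2}
    return sorted(findings, key=lambda f: (order[f[0]], f[1]))


if __name__ == "__main__":
    # Constructed sample export: SSH opened to WAN and user portal moved to 8443.
    sample_acl = {
        "SSH": {"LAN", "Wi-Fi", "WAN"},
        "User portal": {"LAN"},
        "DNS": {"LAN", "Wi-Fi"},
    }
    for severity, service, message in audit_acl(sample_acl, {"User portal": 8443}):
        print(f"[{severity}] {service}: {message}")
```

Services missing from the export are not reported, so feed the checker the complete ACL rather than only the rows you changed; a service that matches the table exactly produces no finding.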