Access to local services from zones
With local service ACL (Access Control List), you control access from custom and default zones to the management services of the firewall.
The default configuration of the access control list is in the table below. Access to the services is allowed from the zones listed.
Services | Zones | Description |
---|---|---|
Admin services | LAN Wi-Fi | HTTPS: TCP port 4444 Allows access to the web admin console. SSH: TCP port 22 Allows access to the command-line console. |
Authentication services | None | AD SSO Allows user authentication through Active Directory single sign-on (SSO) in the specified zones. If you turn off AD SSO for all zones, you can't use Kerberos or NTLM on the firewall. |
LAN Wi-Fi | Captive portal: TCP port 8090 Turning off captive portal stops user notifications from appearing, such as web filtering and zero day notifications. RADIUS SSO Clients: UDP port 6060 Allows users in the specified zones to use STAS or synchronized user ID authentication. | |
None | Chromebook SSO Allows the authentication of users and clients in the specified zones. | |
Network services | LAN WAN Wi-Fi | Ping/Ping6 Allows ping requests to the WAN IP address of the firewall. |
LAN Wi-Fi | DNS Allows DNS resolution requests when the firewall is the DNS server. | |
VPN services | None | IPsec Allows IPsec connections in the specified zones. |
LAN WAN DMZ Wi-Fi | SSL VPN: TCP port 8443 Go to Remote Access VPN > SSL VPN > SSL VPN global settings to change the port. We recommend that you don't use this port for other services. Even when you turn off WAN access for other local services, they remain accessible from the WAN zone if they use the SSL VPN port. | |
None | VPN portal: TCP port 443 Allows users to access the VPN portal in the specified zones. See VPN portal. | |
RED Allows access to RED services in the specified zones. | ||
Other services | None | Wireless protection Allows access points in these zones to connect to the firewall. Turn this off if you manage your access points in Sophos Central. |
LAN Wi-Fi | Web proxy Allows direct proxy traffic on port 3128. In addition to acting as a transparent proxy, the firewall acts as a direct proxy by default. For direct proxy, the default port is 3128. You can change it on Web > General settings. | |
LAN | User portal: TCP port 4443 Allows users to access the user portal from this zone. If you allow users to access the user portal from the WAN zone, it can compromise security. | |
None | Dynamic routing Sends and receives dynamic routing updates from the selected zones. | |
LAN Wi-Fi | SMTP relay Allows hosts and networks from these zones to use the firewall as the inbound and outbound mail transfer agent. | |
LAN DMZ VPN Wi-Fi | SNMP Select the zone in which the SNMP server is located. |