Skip to content
The XG Series hardware appliances will reach end-of-life (EOL) on March 31, 2025. Click here to see the XG to XGS migration documentation.

Page permalink

Always use the following permalink when referencing this page. It will remain unchanged in future help versions.

https://docs.sophos.com/nsg/sophos-firewall/21.0/Help/en-us/webhelp/onlinehelp/index.html?contextId=API-allow-access

Allow API access to administrators

Learn how to create an administrator profile with specific read-write permissions, assign the profile to administrators, and specify access controls, such as IP address restrictions and zone access.

API access is then limited to authorized administrators who sign in from trusted network zones, thereby maintaining system integrity and security.

Add an administrator profile

Create an administrator profile with read-write permission for objects and network.

  1. Go to Profiles > Device access and create an administrator profile with specific rights.

  2. Click Save.

    Administrator profile with read-write permission.

Add an administrator

Create a user and add the administrator profile.

When you add a user with the API administrator profile, you can limit the administrator's rights based on the profile. Alternatively, you can use an existing administrator account.

  1. Go to Authentication > Users and click Add.
  2. Set User type to Administrator.
  3. Select the API administrator profile you created.
  4. To allow access for a specific time, select the Access time.
  5. To allow access only from specific IP addresses, select an option for Login restriction for device access.

  6. Click Save.

    Select an administrator profile.

Allow API access

Turn on API configuration and allow API access from the administrator's IP address.

  1. Go to Backup and firmware > API.
  2. Select API configuration.
  3. For Allowed IP address, enter the IP address from which you'll make the API request and click the add button.

  4. Click Apply.

    Allow API access.

Allow device access

Device access permissions for the web admin console also apply to the API.

Allow access from LAN

You can configure the local service ACL to allow administrator access from the LAN zone for the web admin console and the API as follows:

  1. Go to Administration > Device access.
  2. Under HTTPS, select LAN.
  3. Click Apply.

Allow access from WAN

You can configure the local service ACL exception rule to allow access to the web admin console and API from the WAN zone for specific administrator IP addresses and networks.

Info

This task is optional. You need this only when you want to allow access from WAN for some administrators.

Warning

You can't allow web admin console and API access from all WAN sources under Local service ACL because it poses a security risk.

To add a local service ACL exception rule, do as follows:

  1. Go to Administration > Device access.
  2. Under Local service ACL exception rule, click Add.
  3. Enter a rule name.
  4. For rule position, select Top.

  5. Select an IP version.

    API admin access local service exception rule position and version.

  6. For Source zone, select WAN.

  7. For Source network/host, create and select the administrator's IP host, for example, APIAdminHost.
  8. For Destination host, select Any.
  9. For Services, select HTTPS.
  10. For Action, select Accept.
  11. Click Save.

API admin access local service exception rule settings.