
Admin and user settings

Check and specify the admin port settings and sign-in parameters. Customize the sign-in parameters to restrict local and remote user access based on time duration.

Hostname

Hostname: Enter a fully qualified domain name (FQDN), such as security.sophos.com.

Acceptable range: 0 to 256 characters.

When you sign in to the web admin console, the browser tab shows the hostname. If you've signed in to multiple firewalls in the same browser window, you can identify a firewall by its hostname in the browser tab.

Note

When the firewall is deployed for the first time, the serial ID is used as the hostname.

Description: Enter a description.

Admin console and end-user interaction

Configure the port and certificate settings.

Ports

Admin console HTTPS port: HTTPS port to access the firewall's web admin console.

Default: 4444

User portal HTTPS port: Port number for users to access the user portal.

Default: 4443

Example

User portal port: 4443

User portal link for IP address (10.8.9.54): https://10.8.9.54:4443

User portal link for hostname (myfirewall): https://myfirewall:4443

Warning

You can't use the user portal and web admin console ports for any other service.

Note

VPN portal was introduced in SFOS 20.0. It uses the default port 443, which was previously used by the user portal. When you upgrade or restore a backup from an earlier version to SFOS 20.0 and later, the user portal's port (default 443 or custom port) is automatically assigned to the VPN portal. The user portal is then assigned the new default port 4443. If 4443 isn't available, 65040 is automatically assigned to the user portal. See New VPN portal in SFOS 20.0 and later.

VPN portal HTTPS port: Port number for users to access the VPN portal.

Default: 443

Example

VPN portal port: 443

VPN portal link for IP address (10.8.9.54): https://10.8.9.54:443

VPN portal link for hostname (myfirewall): https://myfirewall:443

To allow users to access the VPN portal, do as follows:

  1. Remote access VPN: Select the users or their groups in a remote access IPsec or SSL VPN, clientless SSL VPN, L2TP, or PPTP policy.
  2. Device access: Allow access from the users' zones to the VPN portal. For example, if users must access it from the WAN zone, go to Administration > Device access, and under VPN portal, select WAN.

Restriction

WAF, VPN portal, and SSL VPN can share their ports with some restrictions. See Port sharing among services.

If the VPN portal and SSL VPN use the same port and protocol, the VPN portal becomes accessible from SSL VPN's access zones. See SSL VPN port.

Certificate

Select the certificate to use for the following services:

  • Web admin console
  • User portal
  • VPN portal
  • Captive portal
  • SPX registration portal
  • SPX reply portal

The default certificate is locally signed, so browsers show an untrusted certificate error. To remove the error, see Remove untrusted certificate error.

Redirect users

When redirecting users to the captive portal or other interactive pages, use one of the following options:

  • Firewall's configured hostname. You configure this on Admin and user settings under Hostname.
  • IP address of the first internal interface.
  • A different hostname.

Click Check settings to test your configuration.

Sign-in security settings

Login security

  1. Select Log out admin session after to automatically sign out administrators from the web admin console after the specified time of inactivity.

    Default: 10 minutes

    If you don't select this option, you're signed out automatically after 30 minutes.

  2. Select Block login to block sign-ins to all services for users and administrators based on the number of failed sign-in attempts.

    1. To block sign-ins from the user or administrator's source IP address, do as follows:

      1. Enter the number of failed sign-in attempts.
      2. Enter the time within which the attempts are made.
    2. Enter the block duration.

      For failed attempts to sign in to any service, the web admin console, CLI, VPN portal, and user portal won't open from the source IP address.

CAPTCHA

Administrators signing in to the web admin console, and local and guest users signing in to the user portal from the WAN or VPN zones must enter a CAPTCHA by default.

Local users are registered in the firewall rather than an external authentication server, such as an AD server.

Failed CAPTCHA attempts aren't counted as failed sign-in attempts and don't trigger the Block login setting.

To turn off CAPTCHA for VPN zones, enter the following command on the CLI:

system captcha_authentication_VPN disable
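
The following is an added illustration of how the Block login rule above and the CAPTCHA rule in this section interact; it is example code written for this page, not Sophos firewall code, and the threshold, window, block duration and sample events are assumed values. It models a per-source-IP lockout that counts failed sign-ins to any service within the configured time, blocks every service from that IP for the block duration, and ignores failed CAPTCHA attempts.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample sign-in events, not taken from a real firewall log:
# (timestamp, source IP, service, outcome). Outcome "captcha-fail" is a
# wrong CAPTCHA, which is not counted as a failed sign-in attempt.
EVENTS = [
    ("2024-05-01 09:00:00", "198.51.100.7", "webadmin", "fail"),
    ("2024-05-01 09:00:20", "198.51.100.7", "userportal", "fail"),
    ("2024-05-01 09:00:40", "198.51.100.7", "cli", "fail"),
    ("2024-05-01 09:01:00", "198.51.100.7", "vpnportal", "success"),
    ("2024-05-01 09:02:00", "10.0.0.5", "webadmin", "fail"),
    ("2024-05-01 09:02:30", "10.0.0.5", "userportal", "captcha-fail"),
    ("2024-05-01 09:03:00", "10.0.0.5", "userportal", "fail"),
    ("2024-05-01 09:32:00", "198.51.100.7", "webadmin", "success"),
]

class BlockLogin:
    # Assumed parameters mirroring the Block login fields: failures, window, block duration.
    def __init__(self, max_failures=3, window=timedelta(minutes=5),
                 block_for=timedelta(minutes=30)):
        self.max_failures, self.window, self.block_for = max_failures, window, block_for
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.blocked_until = {}              # ip -> datetime the block expires

    def check(self, ts, ip, outcome):
        until = self.blocked_until.get(ip)
        if until is not None:
            if ts < until:
                return "blocked"             # applies to every service, success or not
            del self.blocked_until[ip]       # block duration has elapsed
        if outcome == "captcha-fail":
            return "captcha-failed"          # not counted toward the threshold
        if outcome != "fail":
            return "allowed"
        recent = self.failures[ip]
        recent.append(ts)
        while ts - recent[0] > self.window:  # drop failures outside the time window
            recent.popleft()
        if len(recent) >= self.max_failures:
            self.blocked_until[ip] = ts + self.block_for
            recent.clear()
            return "block-start"
        return "failed"

def apply_policy(events, policy=None):
    policy = policy or BlockLogin()
    return [policy.check(datetime.strptime(t, "%Y-%m-%d %H:%M:%S"), ip, out)
            for t, ip, _svc, out in events]
```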

Administrator password complexity settings

Select Enable password complexity check to turn on password complexity settings for administrators and specify the settings.

User password complexity settings

Select Enable password complexity check to turn on password complexity settings for users and specify the settings.

Login disclaimer settings

  1. Select Enable login disclaimer to show a disclaimer when administrators try to sign in to the web admin console and CLI.
  2. To customize and preview the message, click the links.

    To sign in, administrators must click I accept after entering their credentials.

Sophos Adaptive Learning

Select to send the following application usage and threat data to Sophos:

  • Unclassified applications (to improve network visibility and enlarge the application control library).
  • Data for IPS alerts.
  • Detected viruses (including URLs).
  • Spam.
  • Active threat response threats, such as threat name, threat URL and IP address, source IP address, and applications used.

The device sends periodic information to Sophos over HTTPS to improve stability, prioritize feature refinements, and to improve protection effectiveness. No user-specific information or personalized information is collected. The device sends configuration and usage data by default. This includes device information (example: model, hardware version, vendor), firmware version and license information (does not include owner information), features that are in use (status, on/off, count, HA status, central management status), configured objects (example: count of hosts, policies), product errors, and CPU, memory, and disk usage (in percentage).
