This article provides information about Local Service ACL (Access Control List) and how it works on the Sophos XG Firewall. The following sections are covered:
Applies to the following Sophos products and versions: Sophos Firewall
Local Service ACL is located in Administration > Device Access. The device carries a default ACL when connected and powered on for the first time. Details of the default services and ports are given below. Click to enable or disable access to the services from the specified zones and then click Apply.
Note: User authentication services are required in order to apply user-based Internet surfing, bandwidth, and data transfer restrictions. These are not required for administrative functions.
The following is the default configuration of the Local Service ACL.
Local Service ACL allows or denies access to the specified services in a zone.
For example, Ping/Ping6 is disabled for the WAN zone by default. If a user on the internet tries to ping the Sophos XG Firewall's WAN IP, the packets are dropped because the Ping/Ping6 service is disabled for the WAN zone, and the ping fails.
Another example is for Dynamic Routing. By default, Dynamic Routing is disabled for all the zones. Consider the following scenario:
XG1's Local Service ACL configuration
XG2's Local Service ACL configuration
In the Local Service ACL configurations of the firewalls, Dynamic Routing is enabled for the WAN zone of XG1 and Dynamic Routing is disabled for the WAN zone of XG2.
RIP updates are configured to be sent via the WAN zones of both firewalls. Since only XG1 has Dynamic Routing enabled for the WAN zone, only XG1 will accept the RIP updates coming from XG2. The RIP updates that XG1 sends to XG2 will be dropped, since XG2 has Dynamic Routing disabled for the WAN zone.
Therefore, in the routing table, XG1 will show the networks advertised by XG2 but XG2 will not show the networks advertised by XG1.
XG1 routing table
XG2 routing table
Note: There is a known issue in SFOS 17.5 MR10 and MR11 where, if an Any-Any Drop firewall rule is matched, the ACL exception is ignored (NC-58339). A fix is targeted for the next maintenance release; in the meantime, please contact Technical Support to implement a workaround.
Use Local Service ACL Exception Rule to allow access to the device’s admin services from a specified network/host.
Select the IP version.
Click Add new item to select the admin services to which the rule applies.
Select an action.
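The following is an added illustration of the behaviour described above (the per-zone service grid, the one-way RIP exchange between XG1 and XG2, and an exception rule); it is a constructed model, not Sophos code. The zone and service names, the evaluation order (a matching exception rule wins over the zone checkbox), the default service sets and the sample addresses are assumptions of the model.

```python
# Constructed model of a zone-based Local Service ACL with exception rules.
# Added illustration, not SFOS code: zone/service names, evaluation order,
# default service sets and sample addresses are assumptions of this model.
import ipaddress
from dataclasses import dataclass, field

ZONES = ("LAN", "WAN", "DMZ", "VPN")          # assumed zone names


@dataclass
class ExceptionRule:
    """Local Service ACL exception: IP version, source networks, services, action."""
    ip_version: int                 # 4 or 6, as selected in the rule
    networks: tuple                 # source networks/hosts (ip_network objects)
    services: frozenset             # admin services the rule applies to
    action: str                     # "allow" or "deny"


@dataclass
class LocalServiceACL:
    # zone -> set of services enabled for that zone (the checkbox grid)
    enabled: dict = field(default_factory=lambda: {z: set() for z in ZONES})
    exceptions: list = field(default_factory=list)

    def enable(self, zone, service):
        self.enabled[zone].add(service)

    def disable(self, zone, service):
        self.enabled[zone].discard(service)

    def decide(self, zone, src_ip, service):
        """Return "allow" or "drop" for traffic addressed to a local service.

        Assumed evaluation order: a matching exception rule wins; otherwise
        the per-zone checkbox decides.
        """
        ip = ipaddress.ip_address(src_ip)
        for rule in self.exceptions:
            if rule.ip_version != ip.version or service not in rule.services:
                continue
            if any(ip in net for net in rule.networks):
                return "allow" if rule.action == "allow" else "drop"
        return "allow" if service in self.enabled[zone] else "drop"


def default_acl():
    """Constructed approximation of the defaults the article describes:
    Ping disabled for WAN, Dynamic Routing disabled for every zone."""
    acl = LocalServiceACL()
    for svc in ("Ping", "HTTPS", "SSH"):      # assumed LAN-side admin services
        acl.enable("LAN", svc)
    return acl


def rip_exchange(xg1, xg2, xg1_nets, xg2_nets, xg1_wan_ip, xg2_wan_ip):
    """Model one round of RIP updates exchanged over the WAN zone.

    Each firewall only installs the peer's routes if its own Local Service
    ACL accepts Dynamic Routing traffic from the peer's WAN address.
    """
    xg1_table = set(xg1_nets)
    xg2_table = set(xg2_nets)
    if xg1.decide("WAN", xg2_wan_ip, "DynamicRouting") == "allow":
        xg1_table |= set(xg2_nets)        # XG1 learns what XG2 advertises
    if xg2.decide("WAN", xg1_wan_ip, "DynamicRouting") == "allow":
        xg2_table |= set(xg1_nets)        # XG2 learns what XG1 advertises
    return xg1_table, xg2_table


def scenario():
    """Reproduce the article's examples with constructed (documentation-range) addresses."""
    xg1, xg2 = default_acl(), default_acl()
    xg1_wan, xg2_wan = "203.0.113.1", "203.0.113.2"   # constructed WAN addresses

    # 1. Ping from the internet to the WAN IP is dropped by default.
    ping = xg1.decide("WAN", "198.51.100.7", "Ping")

    # 2. Dynamic Routing enabled on XG1's WAN only: XG1 learns XG2's networks,
    #    XG2 drops XG1's updates and learns nothing.
    xg1.enable("WAN", "DynamicRouting")
    t1, t2 = rip_exchange(xg1, xg2, {"10.1.0.0/24"}, {"10.2.0.0/24"}, xg1_wan, xg2_wan)

    # 3. Exception rule: allow HTTPS admin access on WAN from one management network.
    xg1.exceptions.append(ExceptionRule(
        4, (ipaddress.ip_network("198.51.100.0/24"),), frozenset({"HTTPS"}), "allow"))
    https_mgmt = xg1.decide("WAN", "198.51.100.7", "HTTPS")
    https_other = xg1.decide("WAN", "192.0.2.9", "HTTPS")
    return ping, t1, t2, https_mgmt, https_other


if __name__ == "__main__":
    print(scenario())
```

Running `scenario()` shows the three outcomes the article walks through: the WAN ping is dropped, XG1's table gains XG2's network while XG2's does not gain XG1's, and the exception rule opens HTTPS on WAN only for the listed management network while every other WAN source is still dropped.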