Sophos continually investigates product security in order to close any potential risks to our customers. As a result, we have identified a subset of XG Firewalls with local users that require a password reset. Users signing in to the XG Firewall via the LAN or a VPN connection (except clientless VPN) need to take no action. Local and guest users who have not reset their password since 2200 UTC on April 25, 2020 will be blocked from signing in to the User Portal on the WAN until their password is reset (this includes users accessing bookmarks via clientless VPN access). Local user and guest accounts are defined as user accounts created and authenticated on the XG Firewall.
Note: User accounts created and authenticated with directory services like Active Directory (AD) and LDAP are not affected, and no action is required.
For the rare cases where local and guest users are blocked from signing in to the User Portal on the WAN (or via clientless VPN access) even though they have reset their password since 2200 UTC on April 25, 2020, we provide the ability to override this block. We also provide the relevant console commands for administrators to identify locally defined user accounts that require changes and to act on them.
Applies to the following Sophos product(s) and version(s): Sophos XG Firewall versions 17.0, 17.1, 17.5, 18
Determine that you have the latest hotfix by looking at the XG Control Center. "HF052220.1" will be visible on every firewall, regardless of whether further action is required. Additionally, inspect your alert log to determine whether the following highlighted alert is present.
If the alert is not present, no action is required.
For all other cases, you will need to access the XG Firewall console. There are two options to access the console:
Override the User Portal block for local and guest users signing in on the WAN.
console> system localusers userportal_login_WAN [enable | show]
This allows local and guest users to access the User Portal from the WAN zone, regardless of whether they have changed their password. It also removes the Control Center alert.
You have two options:
Option 1: list only the local users whose passwords are unchanged, and set a PIN for those users only.
console> system localusers localuser_list_unchanged_passwords show
console> system localusers set_pin users_unchanged_passwords pin <my4characterpin>
Option 2: list all local users, and set a PIN for every local user.
console> system localusers all_localuser_list show
console> system localusers set_pin all_users pin <my4characterpin>
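The console commands above decide for you which local accounts are still in scope. As an added example (not Sophos code and not part of this article), the script below applies the same rule offline to an account export so an administrator can cross-check the firewall's list before sending notifications: only local and guest accounts count, directory-backed (AD/LDAP) accounts are skipped, and an account is flagged when its last password change is not after 2200 UTC on April 25, 2020. The CSV layout, column names and sample rows are constructed for this example; the XG console's real output format is not shown on this page.

```python
"""Triage which XG Firewall local/guest accounts still need a password reset.

Added example, not Sophos code. Assumes a constructed CSV export with the
columns: username, auth_type, last_password_change (ISO 8601 with UTC offset).
The input format is hypothetical; adapt the reader to your real export.
"""
import csv
import io
from datetime import datetime, timezone

# Cutoff stated in the advisory: 22:00 UTC on 25 April 2020.
CUTOFF = datetime(2020, 4, 25, 22, 0, tzinfo=timezone.utc)

# Only accounts created and authenticated on the firewall itself are in scope.
LOCAL_AUTH_TYPES = {"local", "guest"}

# Constructed sample export (hypothetical format, not real firewall data).
SAMPLE_EXPORT = """\
username,auth_type,last_password_change
alice,local,2020-04-20T09:15:00+00:00
bob,local,2020-04-26T03:00:00+00:00
carol,guest,2020-04-25T23:30:00+02:00
dave,ad,2020-01-01T00:00:00+00:00
erin,local,
"""


def needs_reset(auth_type, last_change):
    """True when the account is local/guest and its password was not changed
    after the cutoff. A missing timestamp is treated as 'never changed'."""
    if auth_type.strip().lower() not in LOCAL_AUTH_TYPES:
        return False  # AD/LDAP accounts are not affected
    if not last_change.strip():
        return True
    changed = datetime.fromisoformat(last_change.strip())
    if changed.tzinfo is None:
        # No offset means the local time is ambiguous; be conservative.
        return True
    # Compare in UTC so offsets such as +02:00 are handled correctly.
    return changed <= CUTOFF


def triage(export_text):
    """Return the sorted usernames that still require a password reset."""
    reader = csv.DictReader(io.StringIO(export_text))
    return sorted(
        row["username"]
        for row in reader
        if needs_reset(row["auth_type"], row["last_password_change"])
    )


if __name__ == "__main__":
    for user in triage(SAMPLE_EXPORT):
        print(f"{user}: blocked from the WAN User Portal until password reset")
```

In the constructed sample, carol's change at 23:30 +02:00 is 21:30 UTC, so she is still flagged; bob changed his password after the cutoff and is not, and dave is skipped because his account is directory-backed.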
Now that you have defined a temporary password for the locally defined users and guest users on the XG Firewall, you will need to contact those users to inform them of the new temporary password and ask them to reset their password.
Here is some sample text you may consider, when contacting your users:
As a security best practice, we have reset the password for your [user/guest] account on the XG Firewall. This is a temporary password change and we recommend you now reset the password for your account to a strong password of your choosing.
The temporary password for your local user account is your existing password + [XXXX]. Please choose a new password as soon as possible by logging into your account on the User Portal and following the instructions in KBA135495 to reset a local user password.