
XG Login with Captcha

I have just connected to an XG Firewall and as well as the user name and password and underneath is a captcha image with a box to type in response.

Haven't seen anything about that?

  • This should also be an option to turn on, best practice or not, for users or admins.  Every time I think about trying XG again, I'm just being given more reasons not to, and stick to UTM.  If captcha goes to UTM, I'm uninstalling it.  There are ways around captcha and while may be a 'best practice', it's certainly not the 'best way to do it' and old tech ways of making someone just feel secure.

    OPNSense 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
    16GB Memory | 500GB SSD HDD | ATT Fiber 1GB
    (Former Sophos UTM Veteran, Former XG Rookie)

  • If I understand your point well, like it was mentioned before, these are CLI commands related to captcha:

    system captcha_authentication_VPN show
    system captcha_authentication_VPN enable
    system captcha_authentication_VPN disable

    They just don't work however.  Except for the "show" option.

    Regards

    Paul Jr

  • Two consecutive screenshots:

    So.  No it does not work.

    Paul Jr

  • Hi  

    Could you please raise a support case and PM me with your case number for further investigation?

    Thanks,


    Florentino
    Director, Global Community & Digital Support

  • Received an answer from support this morning.

    The Captcha added is for security purposes. You would not be able to remove it as of now. It will be visible if the firewall or user portal is accessed from WAN.

    Well. Clearly, the tech there hasn't read this post. None of our firewalls behaves the same, and none is accessed from WAN or User Portal. And yet, one consistently shows Captcha. The screenshot ain't lying.

    Paul Jr

  • FormerMember, in reply to Big_Buck:

    Hi  

    When the firewall is accessed using its public IP address (in your case Port2), the Captcha will appear, and there is no option to disable it as of now on the WAN zone.

    Captcha authentication serves as an extra security defense against scripted automated login attempts. Captcha has been added to the XG Firewall admin and user portals on the WAN and VPN zones.

    Thanks,

  • H_Patel said:


    Captcha authentication serves as an extra security defense against scripted automated login attempts. Captcha has been added to the XG Firewall admin and user portals on the WAN and VPN zones.


    Ban IP after x unsuccessful attempts, allow admin access only from a specified ACL (perhaps with the ability to use a name and not only an IP), adding two-factor auth (OTP, FIDO, DUO, etc.). These are the extra security defenses against scripted automated logins.

    The only achievement of captcha is to annoy the hell out of me every time I try to connect. And being an MSP, this happens a lot of times in a single day.


  • I'm testing version 18, and the captcha is still present on both LAN and WAN. I think that Sophos whitelisted only the traffic coming from the subnet directly attached to the LAN zone and not all traffic incoming from the LAN zone.


    For example: if your Sophos LAN PortA subnet is 192.168.10.0/24, all traffic from that subnet entering PortA won't ask you for a captcha. Instead, if the request comes from a different subnet routed correctly to Sophos LAN PortA, it will present you the captcha form.


  • I just upgraded to 18 as well and had the same issue, but after I set the "Management" IP it stopped happening. Almost like that was the identifier for what interface NOT to put the CAPTCHA on.

    - Nathan Kodak
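The last few posts describe, from observation, when the captcha appears: always on WAN and VPN zone interfaces, on a LAN interface only for sources outside that port's directly attached subnet, and not at all once a "Management" IP is set. The following is an added example (not code from Sophos or from anyone in this thread) that models those reported rules as a policy you can test against, plus the "ban after x unsuccessful attempts" counter from the earlier post as a comparison point. Every interface, subnet, IP and the `management_ip` handling is an assumption constructed for illustration, not the firewall's real implementation.

```python
# Model of the captcha-trigger behaviour as reported in this thread (an
# assumption for illustration, not SFOS's actual logic):
#   - requests arriving on a WAN or VPN zone interface always get a captcha;
#   - on a LAN interface, only sources inside that port's directly attached
#     subnet are exempt, so routed sources still get a captcha;
#   - once a management IP is configured, the interface holding it is treated
#     as exempt for any source (the behaviour reported after setting it).
# Interfaces, subnets and addresses below are constructed sample data.
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, Optional


@dataclass
class Interface:
    name: str
    zone: str            # "LAN", "WAN", "VPN", ...
    subnet: IPv4Network  # subnet directly attached to the port


@dataclass
class PortalPolicy:
    interfaces: Dict[str, Interface]
    management_ip: Optional[IPv4Address] = None  # hypothetical "Management" IP
    captcha_zones: frozenset = frozenset({"WAN", "VPN"})

    def management_interface(self) -> Optional[Interface]:
        """Interface whose attached subnet contains the management IP, if any."""
        if self.management_ip is None:
            return None
        for iface in self.interfaces.values():
            if self.management_ip in iface.subnet:
                return iface
        return None

    def captcha_required(self, src_ip: str, ingress_port: str) -> bool:
        """Decide whether a portal login from src_ip via ingress_port shows a captcha."""
        iface = self.interfaces[ingress_port]
        if iface.zone in self.captcha_zones:
            return True
        mgmt = self.management_interface()
        if mgmt is not None and mgmt.name == iface.name:
            return False
        # LAN zone: exempt only if the source is in the directly attached subnet.
        return ip_address(src_ip) not in iface.subnet


class LoginGuard:
    """Lock a source out after max_failures consecutive failed logins."""

    def __init__(self, max_failures: int = 5) -> None:
        self.max_failures = max_failures
        self.failures: Dict[str, int] = {}
        self.banned: set = set()

    def allowed(self, src_ip: str) -> bool:
        return src_ip not in self.banned

    def record_failure(self, src_ip: str) -> None:
        n = self.failures.get(src_ip, 0) + 1
        self.failures[src_ip] = n
        if n >= self.max_failures:
            self.banned.add(src_ip)

    def record_success(self, src_ip: str) -> None:
        self.failures.pop(src_ip, None)


def build_example_policy(management_ip: Optional[str] = None) -> PortalPolicy:
    """Constructed sample firewall: LAN PortA, WAN Port2, VPN Port3."""
    interfaces = {
        "PortA": Interface("PortA", "LAN", ip_network("192.168.10.0/24")),
        "Port2": Interface("Port2", "WAN", ip_network("203.0.113.0/24")),
        "Port3": Interface("Port3", "VPN", ip_network("10.81.234.0/24")),
    }
    mgmt = ip_address(management_ip) if management_ip else None
    return PortalPolicy(interfaces, mgmt)


if __name__ == "__main__":
    policy = build_example_policy()
    for src, port in [("192.168.10.5", "PortA"), ("10.0.0.5", "PortA"),
                      ("203.0.113.9", "Port2"), ("10.81.234.4", "Port3")]:
        print(f"{src:>14} via {port}: captcha={policy.captcha_required(src, port)}")
    print("with management IP:",
          build_example_policy("192.168.10.1").captcha_required("10.0.0.5", "PortA"))
```

The `LoginGuard` class is there to contrast the two approaches: a lockout threshold acts per source regardless of zone, while the captcha rules above are driven purely by which interface and subnet the request arrives from, which is why a correctly routed LAN subnet still hits the captcha in this model.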