
Use FQDN-Host Object for Device Access ACL

Is there a workaround to use FQDN-Host Objects as a source for an ACL exception rule on Device Access?

I used "DNS Host" Objects back in Sophos SG/UTM to limit WebAdmin access while keeping the flexibility of centrally changing DNS entries.

How do I do this in XG/SFOS? I can select an FQDN-Host Object as the source within (D-)NAT rules, but not in the Device Access ACL?

  • That is currently not possible. I would always recommend using Central for WebAdmin access. For SSH, use a VPN client.


  • Is there anything on the roadmap to change this in (near) future releases?
    It would be great to be able to use definitions such as FQDN-Hosts consistently in nearly every spot where you can select other network objects.

    There's probably no security reason for not allowing fqdn-host objects as you can select a whole country as a source for an exception.

  • What device access do you want to expose to the WAN? If it's Admin Services (HTTPS, SSH) I'd require them to VPN in and allow that access from the VPN. But there are also complications to doing that, and in the end I did start using Sophos Central and I really like it.

    I also converted to running APs from Central as well (rather than from the appliance) and that's working well. I was able to figure out how to do the multiple steps to convert from appliance-run to Central-run wireless, so it's not hard but it's not automatic either. And once you're running multiple things from Central it's more useful.