Nice Bug on XG/XGS with non-standard port for User-Portal Access

Question

Hello,MR 
 I think I found a nice bug on Sophos firewall (XG/XGS) Version 19.0 and 19.0.1 
 As soon as you change the port for "User portal access" from default = 443 to something else, you can access it from any zone, no matter what you checked under "Device access". So disabling "User portal" under "WAN" has no effect. Seems it only checks port 443 and doesn't hinder you from accessing when you use another port. 
 So I tried: 
 
 Then went here: 
 
 And I can still access the user portal from outside. 
 If I switch it back to 443, then disabling "device access" cuts it off, as it should. 
 I would be interested, if anybody can confirm the behaviour I am watching.

LuCar Toni · Accepted Answer

SSLVPN and User Portal can share the same port. So if you have SSLVPN enabled and User Portal on the same port, it will share the same rule 
 . https://docs.sophos.com/nsg/sophos-firewall/19.0/Help/en-us/webhelp/onlinehelp/AdministratorHelp/Administration/DeviceAccess/index.html#local-service-acl-how-device-access-works 
 SSL VPN port: By default, all management services use unique ports. SSL VPN is set to TCP port 8443. 
 
 Warning 
 If you manually change the default ports, we strongly recommend that you use a unique port for each service. Using a unique port ensures that services are not exposed to the WAN zone even after you turn off access. Example: If you use port 443 for both the user portal and SSL VPN, the user portal will be accessible from the WAN zone even if you turn off WAN access from this page.

Prism · Answer

Hello! 
 I've couldn't replicate this issue on my XG, but there's two things that could be causing this: 
 
 Do you have any custom ACL in place that could be causing this? 
 Is SSLVPN using the same port 8443? If It is then this could be te reason why the user portal is also accessible. 
 
 Thanks!

Nice Bug on XG/XGS with non-standard port for User-Portal Access

Top Replies