XGS - V19.0.2 - WAN Side Telnet (23) Open!

Question

Hi Guys, hi Sophos .... 
 
 Why is Telnet on Port 23 on WAN open?

emmosophos · Accepted Answer

Hello Guenter, 
 GES has found that somebody has configured "Appliance Access" to be enabled; this will cause all the ports to accept incoming traffic. 
 console> sys appliance_access show Appliance access enabled. 
 To disable this, you can run 
 console> sys appliance_access disable 
 Regards,

LuCar Toni · Answer

Essentially this is a relic from back in the day. 
 SFOSv17.5 and below supported Telnet for administration. 
 This was removed to be configurable via Device Access. See: https://youtu.be/zkD1kZFssCg?t=36 
 So by using the Appliance Access Switch, it will also open this old Port and 4444/22 etc. 
 So essentially, you will have the same problem for Port23 like 22. This option should only be used in Emergency Situation and is actually outdated in case of Central Management, as Central Management always gives you access to the Firewall. So the use case of this switch (device access) is more likely a relic for absolute edge cases. 
 Lets discuss, why you enabled the switch in the first place?

emmosophos · Answer

Hello, 
 When you run the command via the console to enable it, it warns you about what is going to happen: 
 "This will override the configured Appliance Access and allow access to all the services. All internet traffic will be dropped." 
 The documentation states, " Allows you to override or bypass the configured device access settings and allow access to all the Sophos Firewall services." 
 This setting isn&rsquo;t meant to be left turned on and only used in "emergency" situations when you have let yourself out of the firewall. 
 But I will pass your feedback to PM about having a banner or alert when this setting has been enabled. 
 Regards,

XGS - V19.0.2 - WAN Side Telnet (23) Open!

Top Replies