Firewall role configuration

Question

Hello, I have one question, please. We want to renew our TI SAX security certificate, and the Tisax forwards us a VM scan appliance to run in our network to discover if we have any security issues. Besides this VM appliance, he asks us to give this machine full access to all ports and all subnetworks. Could you please show me what role I should, I create to have this specific requirement? 
 Below Tisax team requirements: 
 - A port forwarding on port 22 (SSH), which leads to the IP of the scanning appliance when accessing from our public IP to your public IP. 
 - Free access to all ports from the scanning appliance to all networks to be scanned

Thank you

Raphael Alganes · Answer

Hello Alpha , 
 Thanks for reaching out to Sophos Community. 
 You may review the Device Access Profiles and their privileges on this doc guide: https://doc.sophos.com/nsg/sophos-firewall/20.0/help/en-us/webhelp/onlinehelp/AdministratorHelp/Profiles/DeviceAccess/index.html 
 Regards,

Raphael Alganes · Answer

Hello Alpha , 
 Thanks for the additional information. I misunderstood your initial question, and I was under the impression that you were asking for role-based administration details. 
 Nonetheless, for the given details, you would need a DNAT rule to the VM provided to Tisax Team, and in Sophos Firewall create a Firewall rule that allows the VM to access any subnet in the network. 
 Regards,