

Remote administration

I'd like to allow remote access to the SSL admin page. I have the XG firewall software running inside a VM in my home lab (acting as my production firewall on my ATT Gigapower. Their gateway is total garbage). I would like to restrict access to that admin page ONLY from connections coming from my place of employment (I am the admin there as well). So I need to enable the admin portal on the WAN connection, but then restrict connections on port 4444 to only allow from the public IP of my office. So that way I can check my logs and make changes at home, from work.

Right now it is wide open and so I can manage it from work, from my phone, from the coffee shop, etc. Obviously not good. What rule do I create to restrict this? Thank you.



This thread was automatically locked due to age.
  • Now I have unchecked the box for System>Administration>Device Access to allow HTTPS access to the Admin services from the WAN zone, yet I'm still able to log in and make config changes...
  • Ok, so I may have figured out something. On the Device access page. I unchecked the WAN HTTPS checkbox, expecting it to block my port 4444 access to the admin page from here at work. It didn't. Then I saw that I had previously created a Local Service ACL exception rule called remoteadmin:

    Source Zone: Any
    Network/Host: (created an item with the static external IP of my work gateway)
    Services: HTTPS (predefined in the list)
    Action: Accept

    Is this the best practice method for allowing remote access to the admin page of the XG appliance from a single remote IP address?
  • Jhawk44,

    the ACL Exception rule is the best way to allow access to the webadmin webpage. Anyway, you should allow access to Webadmin only from certain internal IPs. If you need to access it from external, set up a VPN on XG.

    Luk
  • Jhawk44,
    I have the same "issue" and would like to do the same thing as you: please, could you tell me the complete config? You only defined the "source" zone but you say nothing about the "destination" zone...
    Thank you!
    Olivier
  • Hi Olivier,

    When creating the appliance access bypass rules you only specify the source zone; the destination is always the appliance itself. Depending on your requirements you can simply disable WAN access for all remote administration functionality and then create a bypass rule to enable the desired features from your specific remote IP address. Alternatively you can create a broader (but less secure) bypass that allows access from within your country by using the Country Hosts/Country Host groups.

    Remember it is generally recommended that you remote admin through a VPN session, which layers your security by not making admin directly accessible from the Internet.

    Hope that helps,
    Leon

    Leon Friend

    Sophos Sales Engineer

    Sophos XG Firewall - Certified Architect, Sophos Certified Engineer, Cyberoam CCNSE, Cyberoam CCNSP
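The thread turns on how the zone-level Device Access checkbox and a Local Service ACL exception rule combine: unchecking WAN HTTPS alone did nothing because the `remoteadmin` exception still accepted the office IP, while a checked WAN box leaves port 4444 open to everyone. The following added example is not Sophos code and not from anyone in this thread; it is a deliberately simplified Python model of that decision (exception rules consulted first, then the zone checkbox) so an admin can reason about, and unit-test, the difference between "wide open" and "restricted to one public IP" before touching the GUI. The IP addresses, the `ExceptionRule`/`DeviceAccess` names and the evaluation order are assumptions of the model.

```python
"""Simplified model of XG-style local-service access control (hypothetical).

Two inputs decide whether a connection may reach an admin service on the
appliance itself:
  1. Device Access: per-zone checkboxes granting a service to a whole zone.
  2. Local Service ACL exception rules: source zone(s) + host/network list +
     service(s) + Accept/Drop, consulted before the zone checkbox here.
This is an educational model, not the vendor's implementation.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class ExceptionRule:
    name: str
    services: frozenset          # e.g. frozenset({"HTTPS"})
    source_zones: frozenset      # frozenset({"Any"}) or specific zone names
    hosts: tuple                 # CIDR strings matched against the source IP
    action: str = "Accept"       # "Accept" or "Drop"


@dataclass
class DeviceAccess:
    # zone -> services enabled by the Device Access checkboxes
    zone_services: dict = field(default_factory=dict)
    exceptions: list = field(default_factory=list)

    def allows(self, zone: str, src_ip: str, service: str) -> bool:
        """Return True if src_ip in `zone` may reach `service` on the appliance."""
        ip = ip_address(src_ip)
        # First matching exception rule decides (Accept or Drop).
        for rule in self.exceptions:
            if service not in rule.services:
                continue
            if "Any" not in rule.source_zones and zone not in rule.source_zones:
                continue
            if any(ip in ip_network(net, strict=False) for net in rule.hosts):
                return rule.action == "Accept"
        # Otherwise fall back to the zone-level checkbox.
        return service in self.zone_services.get(zone, frozenset())


def wide_open() -> DeviceAccess:
    """The original situation: WAN HTTPS checkbox ticked, no exception rule."""
    return DeviceAccess(zone_services={
        "LAN": frozenset({"HTTPS", "SSH", "Ping"}),
        "WAN": frozenset({"HTTPS"}),
    })


def restricted(office_ip: str) -> DeviceAccess:
    """WAN HTTPS unticked, plus a 'remoteadmin' exception for one office IP."""
    return DeviceAccess(
        zone_services={"LAN": frozenset({"HTTPS", "SSH", "Ping"})},
        exceptions=[ExceptionRule(
            name="remoteadmin",
            services=frozenset({"HTTPS"}),
            source_zones=frozenset({"Any"}),
            hosts=(f"{office_ip}/32",),
        )],
    )


def internet_exposure(policy: DeviceAccess, probes: list) -> dict:
    """Which probe addresses (constructed samples) can reach HTTPS from WAN."""
    return {ip: policy.allows("WAN", ip, "HTTPS") for ip in probes}


if __name__ == "__main__":
    # Constructed sample addresses from documentation ranges.
    office, phone, cafe = "203.0.113.9", "198.51.100.77", "192.0.2.200"
    probes = [office, phone, cafe]
    print("wide open  :", internet_exposure(wide_open(), probes))
    print("restricted :", internet_exposure(restricted(office), probes))
```

Running it shows the original policy accepting all three sample sources and the restricted one accepting only the office address; SSH from the office is still refused because the exception names HTTPS alone, and LAN access is untouched by the WAN change. Adding a country host group would simply widen the `hosts` tuple to a list of CIDRs, which is why Leon calls it a broader but less secure option.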