Sophos XG Firewall: What to do when the Web Admin is not accessible

Disclaimer: This information is posted as-is and the content should be referenced at your own risk

Hi Community,

Having trouble accessing the Web Admin of your XG Firewall?

Note: The information below is taken from the KB: Sophos XG Firewall: Troubleshooting steps when unable to access the GUI

Check the connectivity to the XG 

  1. Verify that the IP address and port you are using to access the firewall are correct. If they are correct, follow the steps in the Connect to the XG from the CLI section. Otherwise, try to access the device on the correct IP and port.
  2. Verify that the XG is live by pinging the LAN/DMZ/WAN IP of the XG.
  3. Try to access the User Portal
    • https://<LAN_IP_OF_XG>:<Port(default port is 443)>
  4. Try to use another browser.
  5. Try to SSH to the firewall on its LAN interface IP on port 22 using PuTTY. If you can access the firewall, follow the steps in the Check the tcpdump output and logs section.

Connect to the XG from the CLI

  1. Refer to Sophos XG Firewall: How to setup a Serial connection with a console cable
  2. Verify if the appliance access is disabled by running the following command from the console:

    system appliance_access show

  3. If the Appliance access is disabled, we need to enable it with the following command.

    system appliance_access enable

    Note: This will cause a network interruption. It also overrides the configured Appliance Access settings and allows access to all services.

  4. Try to log into the GUI. If it is successful:
    1. Go to Administration > Device access and enable HTTPS on the required zone.

    2. Disable the Appliance access from the CLI using the following command:

      system appliance_access disable

    3. For further analysis, you can run a packet capture while you are trying to access the GUI to find out more about the root cause. Read more in Sophos XG Firewall: How to filter packets using packet capture.

  5. If the GUI is still inaccessible, verify the configured destination port used for HTTPS GUI access using the following command:

    psql -U nobody -d corporate -c "select destinationport from tbllocalservicedetails WHERE localserviceid =2"

  6. Continue to the following sections. 

Check the tcpdump output and logs

  1. Make sure the date and time are set correctly on the firewall. This helps you analyze the tcpdump output accurately.
  2. From the Advanced Shell CLI, run the following command while accessing the GUI:

    tcpdump -nei any port 4444

    Replace 4444 with whichever port you have configured to access the firewall.

  3. Check whether traffic reaches the XG Firewall. If it does not, something outside the XG perimeter is blocking the traffic.
  4. If no packets are dropped while accessing the XG, check the following logs for further analysis:
    • tomcat.log
    • csc.log
    • syslog.log

Note: Use these commands to follow the logs:

tail -f /log/tomcat.log

tail -f /log/csc.log

tail -f /log/syslog.log

Check and restart services

  1. Check the status of services using the following command, which shows the status of all services:

    service -S

  2. Specifically, check the status of the tomcat service (the GUI service) using the following command. After grep you can specify any service name you would like to match:

    service -S | grep -iE 'tomcat|apache'

  3. If the tomcat or apache service shows STOPPED, start it with the corresponding command:

    service tomcat:start -ds nosync

    service apache:start -ds nosync

  4. If the tomcat or apache service shows DEAD, restart it with the corresponding command:

    service tomcat:restart -ds nosync

    service apache:restart -ds nosync 
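
The STOPPED/DEAD decision in steps 3 and 4 can be scripted. The following is an added example, not Sophos code: it reads `service -S` output and prints (without running) the matching command for each GUI service. The function names, the sample output, and the assumed "<name> <STATE>" line layout are assumptions.

```shell
#!/bin/sh
# Added example (not Sophos code). Reads `service -S` output on stdin and prints
# the command this article prescribes for tomcat and apache. It only prints.
# Assumption: each status line is "<name> <STATE>", separated by whitespace.

gui_service_actions() {
    awk '
        BEGIN { want["tomcat"] = 1; want["apache"] = 1 }
        NF < 2 { next }
        {
            name = tolower($1); state = toupper($2)
            if (!(name in want)) next
            seen[name] = 1
            if (state == "STOPPED")
                printf "service %s:start -ds nosync\n", name
            else if (state == "DEAD")
                printf "service %s:restart -ds nosync\n", name
            else if (state != "RUNNING")
                printf "# %s is %s: not covered here, check the logs\n", name, state
        }
        END {
            # A GUI service that is absent from the listing is worth flagging too.
            for (n in want)
                if (!(n in seen))
                    printf "# %s is missing from the service -S output\n", n
        }
    '
}

# Constructed sample output, for demonstration only.
sample_status() {
    cat <<'EOF'
sshd                 RUNNING
tomcat               DEAD
apache               STOPPED
EOF
}

# On the firewall: service -S | gui_service_actions
sample_status | gui_service_actions
```

Review the printed commands before running them, and check tomcat.log if a service returns to DEAD after a restart.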

Reset the web admin console certificate to default device certificate

  1. From the Advanced Shell CLI:
    • Choose option 2. System Configuration
    • Then option 4. Reset Default Web Admin Certificate
  2. Type to the following message:

  3. This should reset the admin certificate to its default which is ApplianceCertificate.

Additional Troubleshooting Suggestions

  • If you are unable to access the Web Admin from a certain zone, first check your Local Service ACLs:
  • Check if your device's Certificate Authority is up to date:
    • Certificates > Certificate Authorities > Default



  • Confirm which web admin certificate is being used:
    • Administration > Admin Console and end-user interaction > Certificate



  • Check if a conflicting DNAT/Business Application rule has been created for the web admin port (Default: 4444)