This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

User Portal disabled across multiple XG firewalls by CLI user

This morning we found many of our XG firewalls had the User Portal disabled on the WAN zone, causing problems for users trying to download the VPN client while working remotely. Anyone else experience this issue? How are you providing users with the ability to download the VPN client when they are not in the office?

This thread was automatically locked due to age.
  • Hi,

    which version of XG are you using?


    V18.0.x - e3-1225v5 6gb ram on 4 port MB with AP55c -20w. 
    2 AP55s and 2 APX120s having a holiday until software update is released.
    If a post solves your question use the 'This helped me' link.
  • The problem is not specific to a firmware revision or model, different firmware versions and models affected simultaneously

  • Hi,

    okay are we talking all v17 or some v18?

    If they are all v17 does the notification at the top the forums apply?


    V18.0.x - e3-1225v5 6gb ram on 4 port MB with AP55c -20w. 
    2 AP55s and 2 APX120s having a holiday until software update is released.
    If a post solves your question use the 'This helped me' link.
  • Same here for > 20 devices with V17.x

  • Hi S248

    As a general best security practice to reduce attack surface wherever possible, Sophos recommends disabling any unused services on the WAN interface.

    Until recently, the user portal was enabled on the WAN interface by default for XG firewall. From v17.5 MR12 and v18 MR1 the default value was changed from enabled to disabled for the brand new installs. For any customer upgrading an existing deployment to these releases (or later), the current settings remained unchanged.

    In a recent hotfix, Sophos performed a one-time update to disable the User Portal on the WAN interface if it was not actively being used by customers. This determination was made on-box.

    If it has been disabled, and you actively need/use it, please enable it and it will remain enabled.

  • We're also starting to see our customer's XGs disable the User Portal for deployments that do use this. Do you know how are Sophos working this out to then apply this change?

  • Hello Parth,

    Sophos should absolutely not be dictating how things should be done by just doing it themselves and pushing out hidden hotfixes or changes which modify the functionality of our Customer firewalls without express notice. A vendor should only make recommendations and best practices on how the firewalls should be configured, if you want to take this route of modifying Customer firewalls without their or the Partners express consent, then you need to be far more up front.

    I have 4 firewalls in the past 24 hours that have had the User Portal disabled, of which two were my own where I use to access my home and cloud servers via the RDP bookmarks and to get my SSL VPN configuration. Another Customer distributes SSL VPN via their User Portal. These are just the first 4 I had access to.

    What was the criteria and why was there not notification in the message center? You cannot take liberties with my Customer firewalls.

    I am now going to have to send out an email to all our Customers asking to double check their User Portal if it needs to be accessible from the WAN and re-enable due to this brazen action by yourselves wherein the criteria is not obvious and was not expressly stated, this was extremely unprofessional from Sophos and the decision makers. Unfortunately, at this time, the only "official" communication is from you.

    I will be raising this as a complaint and adding any of our Customer names who wish to follow this up to it as well.

    If you wish to follow this up privately, please feel free to email me.


  • How was that determination made? What was the criteria? Users were impacted within hours of the change being applied. Making this change in mass across customer firewalls, without any notification at all, is absolutely unacceptable. Instead you've left it up to XG customers to react to end users being affected, and for XG admins to work out what happened on their own. An e-mail in advance would be better. Or send us an advisory with the recommendation rather than just making the changes on our firewalls without warning. 

  • Florentino
    Community Manager, Support & Services

    Support Videos | Product Documentation@SophosSupport | Sign up for SMS Alerts
    If a post solves your question, please use the 'Verify Answer' button.
  • Ok.  But we need far more explanations on what's happening behind the scene to first judge if that was necessary.  But also, and most importantly ascertain risks we face if we ever put Users Portals enabled again.

    The CVE linked posted by Sophos is actually inexistent.

    We can’t work blinded that way.

    Paul Jr