XG Firewall offers SSH access to the CLI. Access it in one of the following ways: go to the web admin console and select Admin Console in the upper-right corner, or use an SSH client such as PuTTY. An administrator can connect to XG Firewall through the HTTPS, telnet, or SSH services. Depending on the administrator sign-in account profile used for access, an administrator can reach a number of administrative interfaces and the web admin console configuration pages.
Check the connectivity to the XG: verify that the IP and port through which you are accessing the firewall are correct. If they are correct, follow the steps in the Connect to the XG from the CLI section; otherwise, try to access the device on the correct IP and port. XG Firewall provides an effective web-based management console and integrates with Sophos Central for cloud management across your entire network and Sophos product portfolio. Sophos Central provides a cloud management platform for all your Sophos products, including XG Firewall, at no extra charge.
- This article provides information about Local Service ACL (Access Control List) and how it works on the Sophos XG Firewall.
Introducing Local Service ACL
- Local Service ACL is located in Administrator > Device Access. The device carries a default ACL when it is connected and powered on for the first time. Details of the default services and ports are shown below. Click to turn access to a service on or off for the designated zone, then click Apply.
| Zone | Service | Port |
| --- | --- | --- |
| | HTTPS | TCP 4444 |
| | Telnet | TCP 23 |
| | SSH | TCP 22 |
| WAN | HTTPS | TCP 443 |
| WAN | Telnet | TCP 23 |
| WAN | SSH | TCP 22 |
| | Client Authentication | UDP 6060 |
| | Captive Portal Authentication | TCP 8090 |
| | SSL VPN | TCP 8443 |
- Note: User authentication services are required in order to apply user-based Internet surfing, bandwidth, and data transfer restrictions. They are not required for administrative functions.
- The above is the default configuration of the Local Service ACL.
- Local Service ACL allows or denies access to the specified services in a zone.
- For example, by default Ping / Ping6 is disabled for the WAN zone. If a user on the internet tries to ping Sophos XG Firewall's WAN IP, the packets are dropped because the Ping / Ping6 service is disabled for the WAN zone, so the ping fails.
- Another example is Dynamic Routing. By default, Dynamic Routing is disabled for all zones. Consider the following scenario.
- The following is a diagram of configuring dynamic RIP routing between two WAN ports of two XG firewall devices, FW1 and FW2.
- First we log into the admin page of FW1 through the LAN port using the link https://172.16.16.16:4444 and click Administrator > Device Access to open the Local Service ACL.
- Check the Dynamic Routing box in the WAN zone and click Apply to enable it for the WAN zone.
- Next we log into the admin page of FW2 through the LAN port using the link https://172.16.17.16:4444 (the LAN address was changed during installation) and click Administrator > Device Access to open the Local Service ACL.
- We see that Dynamic Routing is still not enabled for the WAN zone; we keep this configuration.
- At this point the Local Service ACL configuration of the two firewall devices is: Dynamic Routing turned on for the WAN zone on FW1, and Dynamic Routing turned off for the WAN zone on FW2.
- Next we will configure RIP routing on both FW1 and FW2.
- You can see the instructions here.
- After RIP routing is configured, RIP updates are sent across the WAN zones of both firewalls. Because FW1 has Dynamic Routing enabled for the WAN zone, FW1 will receive RIP updates from FW2. The RIP updates that FW1 sends to FW2 will be dropped because FW2 has Dynamic Routing disabled for the WAN zone.
- Therefore, in the routing table, FW1 will display the networks advertised by FW2 (the 172.16.17.0/24 network), but FW2 will not display the networks advertised by FW1 (the 172.16.16.0/24 network). We click Routing > Information to view the routing table of both devices.
FW1 routing table
- As you can see, the routing table of FW1 contains the 172.16.17.0/24 network, learned from FW2 via RIP.
FW2 routing table
- As you can see, the routing table of FW2 does not receive the 172.16.16.0/24 network from FW1, since we have not enabled Dynamic Routing for the WAN zone on FW2.
Introducing the Local Service ACL Exception Rule
- Use the Local Service ACL Exception Rule to allow or deny access to the device's administrative services from a designated network or server.
- To create this rule, click Administrator > Device Access. Under Local Service ACL Exception Rule, click Add to add the rule.
- For example, here we will create a rule that prohibits users from the 172.16.16.0/24 network in the LAN zone from connecting over SSH to the firewall's LAN interface (Port1).
- We need to fill in the information as shown below.
- Rule Name: Name the rule.
- Rule Position: Select the location for the rule.
- Description: Enter the description for the rule.
- IP Version: Supports both IPv4 and IPv6, in this example choose IPv4.
- Source zone: Select an arbitrary zone, in this example choose LAN Zone.
- Source Network / Host *: Click Add new item to select the source host (a network, IP address, or list) that this rule applies to. Click Create New to create a new source host. In this example, click Add new item > Create New > Network. In the form that appears, enter the name in the Name field (IP LAN here), select Network, and enter the IP address in the IP address box. The IP address in this example is 172.16.16.0 and the Subnet is /24.
- Destination host *: Select # Port1, because this is the LAN port and in this example we will block users from connecting over SSH to the IP address of this port.
- Service *: Click Add new item and select SSH.
- Action: Select Accept to allow or Drop to block; here we select Drop.
- Click Save.
- Then, from a LAN user computer with an IP address in the 172.16.16.0/24 network, open an SSH connection to the firewall's LAN port address 172.16.16.16 using PuTTY; the access is denied.
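The following is an added example, not code from the article or from Sophos. It models the decision logic the article describes for both the default Local Service ACL (the Ping and Dynamic Routing cases) and the exception rule just created, under the assumption that exception rules are checked in position order before the zone's default ACL applies; the default service sets and the host addresses other than 172.16.16.16 are constructed.

```python
# Added example, not from the article or from Sophos. Models a Local Service
# ACL decision: exception rules are evaluated in position order (assumption)
# and, if none matches, the zone's default ACL decides.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed default ACL: admin services on LAN and WAN, authentication on LAN,
# Ping only on LAN, and Dynamic Routing off in every zone (as the article says).
DEFAULT_ACL = {
    "LAN": {"HTTPS", "Telnet", "SSH", "Ping", "Client Authentication"},
    "WAN": {"HTTPS", "Telnet", "SSH"},
}

@dataclass
class ExceptionRule:
    name: str
    position: int
    source_zone: str
    source_network: str    # e.g. "172.16.16.0/24"
    destination_host: str  # address of the firewall interface, e.g. Port1
    services: frozenset
    action: str            # "Accept" or "Drop"

    def matches(self, zone, src_ip, dst_ip, service):
        return (zone == self.source_zone
                and ip_address(src_ip) in ip_network(self.source_network)
                and dst_ip == self.destination_host
                and service in self.services)

def local_service_decision(acl, rules, zone, src_ip, dst_ip, service):
    """Return 'Accept' or 'Drop' for traffic addressed to the firewall itself."""
    for rule in sorted(rules, key=lambda r: r.position):
        if rule.matches(zone, src_ip, dst_ip, service):
            return rule.action
    # No exception rule matched: fall back to the zone's default ACL.
    return "Accept" if service in acl.get(zone, set()) else "Drop"

# Constructed scenarios mirroring the article.
PORT1 = "172.16.16.16"  # FW1 LAN address from the article
BLOCK_LAN_SSH = ExceptionRule("Block LAN SSH", 1, "LAN", "172.16.16.0/24",
                              PORT1, frozenset({"SSH"}), "Drop")
FW1_ACL = {zone: set(svcs) for zone, svcs in DEFAULT_ACL.items()}
FW1_ACL["WAN"].add("Dynamic Routing")  # the box ticked on FW1 only
FW2_ACL = {zone: set(svcs) for zone, svcs in DEFAULT_ACL.items()}

if __name__ == "__main__":
    print("RIP into FW2 WAN:", local_service_decision(
        FW2_ACL, [], "WAN", "198.51.100.1", "198.51.100.2", "Dynamic Routing"))
    print("SSH from LAN to Port1:", local_service_decision(
        DEFAULT_ACL, [BLOCK_LAN_SSH], "LAN", "172.16.16.50", PORT1, "SSH"))
```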
- This article describes the steps to access the command interface of the Sophos XG firewall device with a console cable.
- A console cable with an RJ45 connector on one end and a VGA port on the other.
- Install the PuTTY software on the computer.
- First, attach the RJ45 end of the console cable to the COM port on the Sophos XG firewall device.
- Attach the other (VGA) end to the VGA port on the computer (if the computer does not have a VGA port, use an adapter cable that converts from VGA to USB or HDMI).
- Then right-click This PC and select Manage.
- The Computer Management panel opens. Click Device Manager, then click the ">" icon to the left of Ports (COM & LPT) to expand the list; the name of the connected serial port is shown there.
- Next, open PuTTY. Under Connection type select Serial, in the Serial line box enter the name of the serial port seen above (COM3 in this example), and in the Speed box enter 38400, which is the default value.
- Click Open to connect, enter the firewall's password, and press Enter to log into the command interface of the firewall.