Access to local services from zones
With local service ACL (Access Control List), you control access from custom and default zones to the management services of Sophos Firewall.
The default configuration of the access control list is in the table below. Access to the services is allowed from the zones listed.
|Admin services|| ||HTTPS: TCP port 4444 |
Allows access to the web admin console.
SSH: TCP port 22
Allows access to the command-line console.
|Admin services|| ||HTTPS: TCP port 443 |
SSH: TCP port 22.
|Authentication services|| ||AD SSO |
Captive portal: TCP port 8090
Client authentication: UDP port 6060
Allows the authentication of users and clients in the specified zones.
|Network services|| ||Ping/Ping6 |
Allows ping requests to the WAN IP address of Sophos Firewall.
|Network services|| ||DNS |
Allows DNS resolution requests when Sophos Firewall is the DNS server.
|Other services|| ||Wireless protection: Allows access points in these zones to connect to Sophos Firewall. |
Web proxy: Allows direct proxy traffic on port 3128.
In addition to acting as a transparent proxy, Sophos Firewall acts as a direct proxy by default. It listens to port 3128 for the configured browsers for the destination ports specified in Web > General settings.
SMTP relay: Allows hosts and networks from these zones to use Sophos Firewall for outbound mail relay.<
|Other services|| ||SSL VPN: TCP port 8443 |
To change the port, go to Remote Access VPN > SSL VPN > SSL VPN global settings.
We recommend that you don't use this port for other services. Even when you turn off WAN access for other local services, they remain accessible from the WAN zone if they use the SSL VPN port.
|Other services|| ||User portal: Allows users to access the user portal from this zone. |
If you allow users to access the user portal from the WAN zone, it can compromise security.
|Dynamic routing: Sends and receives dynamic routing updates from the selected zones.|
|Other services|| ||SNMP: Select the zone in which the SNMP server is located.|