Do not use "Any" for SSH and Webadmin access for the WAN Zone
It is recommended to limit exposure of firewall administration services from WAN/untrusted zone. When necessary, leverage on remote VPN or limiting only from selected IP addresses, or use of Sophos Central for firewall administration.
For additional security control, enable RBAC and administrative accounts with 2-factor authentication using built-in RADIUS Server.
When the device is exposed to the internet with service ports, it could be subjected to DoS, brute force attempts, and underlying vulnerability on service ports can be discovered by the attacker.
Exposing SSH and Webadmin access to any IP address could lead to brute force attempts on the Webadmin interface, Denial-of-Service (DoS) attacks from a wide range of IP addresses, and increased attack surface from potential adversaries.