Best practices User, vpn portal
Quote from mpachmann on 5 September 2024, 17:45
https://docs.sophos.com/nsg/sophos-firewall/20.0/Help/en-us/webhelp/onlinehelp/AdministratorHelp/Administration/DeviceAccess/DeviceAccessBestPractices/index.html#web-admin-console
We don't recommend allowing access to the web admin console (HTTPS), CLI console (SSH), and the user portal from the WAN zone or over the SSL VPN port.
Web admin console
You can't allow web admin console access from all WAN sources. If you must give access, follow these best practices:
- Create a local service ACL exception rule allowing specific source IP addresses to access the console from the WAN zone. You can't create the rule if you set the source network to Any or the source IP address to 0.0.0.0 because the firewall doesn't allow access to the web admin console from all WAN sources.
- Use Sophos Central.
- Use remote access or site-to-site VPNs.
- Use remote access clients, such as Sophos Transparent Authentication Suite (STAS).
Note
If you've allowed access in an earlier version, the firewall turns off access if there aren't any successful sign-ins from the WAN zone for 90 consecutive days. This applies to all deployments. Access given to specific WAN IP addresses and networks through a Local service ACL exception rule isn't impacted. These sources will continue to have access even if there are no sign-ins.
CLI console
Create a local service ACL exception rule allowing specific source IP addresses to access the console from the WAN zone.
For additional security, you can do one of the following:
- Configure public-key authentication on Administration > Device access.
- Use remote access or site-to-site VPNs.
- Use remote access clients, such as Sophos Transparent Authentication Suite (STAS).
User portal
For secure access from external networks, use VPNs and follow these best practices:
- Use remote access or site-to-site VPNs.
- Use remote access clients, such as Sophos Transparent Authentication Suite (STAS).
For secure access based on user accounts, you can do the following:
- Use multi-factor authentication (MFA) with one-time passwords for user accounts stored on Sophos Firewall. See Multi-factor authentication (MFA) settings.
- Use the MFA options provided by External directory services.
Note
The firewall turns off access to the user portal from all WAN sources if there aren't any successful sign-ins from the WAN zone for 90 consecutive days. This applies to all deployments. Access given to specific WAN IP addresses and networks through a Local service ACL exception rule isn't impacted. These sources will continue to have access even if there are no sign-ins.
SSL VPN port
By default, all management services use unique ports. SSL VPN is set to TCP port 8443.
Warning
If you manually change the default ports, we strongly recommend using a unique port for each service. This ensures that services aren't exposed to the WAN zone even after you turn off access. If you use the same port for different services, such as port 443, some services can remain accessible from the WAN zone even if you turn off WAN access from the Device access page.
You can't use the user portal and web admin console ports for any other service.
https://community.sophos.com/sophos-xg-firewall/f/discussions/147381/disabling-vpn-portal-breaks-sslvpn-connections
To look into this in more detail:
Sophos Connect, when using the provisioning file, uses a mechanism to update that file. To do this, it reaches out to the VPN Portal first.
If you disable the VPN Portal, the connection is not enabled. If you use only the OVPN file, you do not need the VPN Portal to build up a connection.
If you separate the VPN Portal from the SSLVPN Port, you can also control the access policies.
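As an added example (not from the Sophos docs or the forum post above): a small Python checker for two of the quoted rules, the shared-port warning and the "no WAN access to web admin console, CLI or user portal without a specific-source ACL" rule. The data model (service name, port, zones, ACL sources) and the sample values are assumptions for illustration, not Sophos's configuration format; only the SSL VPN port 8443 comes from the quoted text.

```python
from collections import defaultdict

# Constructed sample configuration (hypothetical data model, not Sophos's
# own format): service -> listening port, zones it is allowed from, and
# the WAN source restriction of any local service ACL exception rule.
# The SSL VPN port is the quoted default (TCP 8443); the rest is made up.
SAMPLE_CONFIG = {
    "web_admin_console": {"port": 4444, "zones": {"LAN", "WAN"}, "wan_sources": ["Any"]},
    "cli_ssh":           {"port": 22,   "zones": {"LAN"},        "wan_sources": []},
    "user_portal":       {"port": 443,  "zones": {"LAN", "WAN"}, "wan_sources": ["203.0.113.10"]},
    "vpn_portal":        {"port": 443,  "zones": {"WAN"},        "wan_sources": ["Any"]},
    "ssl_vpn":           {"port": 8443, "zones": {"WAN"},        "wan_sources": ["Any"]},
}

# Services the quoted text says should not be reachable from the WAN zone
# except through an ACL rule scoped to specific source addresses.
MANAGEMENT_SERVICES = {"web_admin_console", "cli_ssh", "user_portal"}
BROAD_SOURCES = {"Any", "0.0.0.0"}


def check_device_access(config):
    """Return a list of findings; an empty list means no violation found."""
    findings = []

    # Warning block: each service needs its own port. A port shared with
    # another service (e.g. 443) can keep a service reachable from WAN
    # even after WAN access is switched off on the Device access page.
    by_port = defaultdict(list)
    for name, svc in config.items():
        by_port[svc["port"]].append(name)
    for port, names in sorted(by_port.items()):
        if len(names) > 1:
            findings.append(f"port {port} shared by {', '.join(sorted(names))}")

    # Web admin console, CLI and user portal from WAN: only via a local
    # service ACL exception rule naming specific source IPs, never Any
    # or 0.0.0.0 (which the firewall refuses for the admin console).
    for name in sorted(MANAGEMENT_SERVICES & set(config)):
        svc = config[name]
        if "WAN" not in svc["zones"]:
            continue
        if not svc["wan_sources"] or BROAD_SOURCES & set(svc["wan_sources"]):
            findings.append(f"{name} exposed to WAN without a specific-source ACL")
    return findings


if __name__ == "__main__":
    for line in check_device_access(SAMPLE_CONFIG):
        print("FINDING:", line)
```

On the sample, the checker reports the shared port 443 (user portal and VPN portal) and the admin console opened to WAN with source Any; moving the VPN portal to its own port and restricting the console's ACL to a specific address clears both findings.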