Allow nmap scan of public wan address

Hi Sophos User90 

Thank you for reaching out to the Community! 

Did you try to configure Local ACL exception for the list of source IP addresses that needs access to the WAN IP address of the firewall? 

Please check out the following KBA: Sophos XG Firewall: Local Service ACL (Access Control List) and specifically "Local Service ACL Exception Rule."

Thanks,

Hi,

Thankyou for your reply.

That is one thing that I had not considered and could well be the answer!

I will configure this and get the test run again and see if there is any improvement

Many thanks

So using local acl exception does allow access to scan the few services that are available to add in the acl excpetion rule which is good. (HTTPS, VPN, SSL  etc..)

However i guess my question is, is there a way to allow an external ip access to scan every port unfiltered on the xg without being denied like this packet capture shows?

So basically what we would like is for the source ip to have full access to everything unfiltered on the destination ip.

Is such a thing even possible?

Hi Sophos User90 

It is not possible the way you want to scan the XG firewall. If it is for an internal server, you could create a DNAT rule and allow services that you want to scan on the server. 

Thanks,