Please help me understand the XG v18 ACL matrix

Hi everyone,

This is the ACL matrix of Sophos XG v18 firewall system.

Would you please explain to me in more detail the rows and columns of this? I would like to know more in particular about the SSL VPN column:

  1. If I uncheck the SSL VPN box at the WAN row, can I still access the XG system remotely via SSL VPN?
  2. Why is the SSL VPN box at the VPN row disabled? I cannot check it by any means.

Thank you very much in advance.



This thread was automatically locked due to age.
  • The row is the zone from which you want access and the column is the service to which you want access. So answer 1 is NO. The answer to 2 is "why would you want to access the VPN server when you're already on the VPN server and hence in the VPN zone?" Note that this box cannot be checked.

  • Just 2 more questions. Despite having unchecked all services available on the WAN row, why are there still signals from strange foreign IP addresses trying to contact my XG Firewall at different port numbers, which it has denied?

    Also, in the log viewer, how may I view the traffic connections that have been allowed by the firewall system ?

    Thank you in advance.

  • Thank you for your comment. I have just posted 2 more questions regarding the ACL & the Log Viewer functions as well. If you still have time, I welcome you to take a look at it below.

    Thank you again buddy.

  • Hi: The packets will reach the XG because the IP is publicly routable, but the intended destination service is not on or not configured on the XG; because of that, the firewall will drop them with a denied action as invalid traffic. If you do not want the traffic to reach the XG at all, then on the next-hop device (possibly the ISP router on your premises) you may block those destinations, and it will not forward that specific destination traffic to the XG.

    To see allowed traffic/connections, you may apply a filter with the IP and with the allowed condition.

    Example:

    Regards,

    Vishal Ranpariya
    Technical Account Manager | Sophos Technical Support

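The two things asked in this exchange, listing the connections the firewall allowed and seeing which foreign addresses are being denied on which ports, can also be done outside the Log Viewer by parsing an exported log. The script below is an added example and not part of this thread or of any Sophos tool; the log lines are constructed (addresses from documentation ranges, invented rule ids), and the field names (`log_type`, `status`, `src_ip`, `dst_ip`, `dst_port`, `src_zone`, `dst_zone`) are my assumption of the XG key="value" format, so compare them with your own export first.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not real traffic) in the key="value" style that
# Sophos XG writes for firewall events. Field names are assumptions about the
# XG log format; verify them against your own Log Viewer export.
SAMPLE_LOGS = [
    'device="SFW" date=2020-06-01 time=10:00:01 log_type="Firewall" log_subtype="Allowed" '
    'status="Allow" fw_rule_id=2 src_ip="192.168.1.20" dst_ip="93.184.216.34" protocol="TCP" '
    'src_port=51000 dst_port=443 src_zone="LAN" dst_zone="WAN"',
    'device="SFW" date=2020-06-01 time=10:00:02 log_type="Firewall" log_subtype="Denied" '
    'status="Deny" fw_rule_id=0 src_ip="203.0.113.7" dst_ip="198.51.100.10" protocol="TCP" '
    'src_port=40000 dst_port=8443 src_zone="WAN" dst_zone="LAN"',
    'device="SFW" date=2020-06-01 time=10:00:03 log_type="Firewall" log_subtype="Denied" '
    'status="Deny" fw_rule_id=0 src_ip="203.0.113.7" dst_ip="198.51.100.10" protocol="TCP" '
    'src_port=40001 dst_port=22 src_zone="WAN" dst_zone="LAN"',
    'device="SFW" date=2020-06-01 time=10:00:04 log_type="Firewall" log_subtype="Allowed" '
    'status="Allow" fw_rule_id=3 src_ip="192.168.1.21" dst_ip="198.51.100.10" protocol="TCP" '
    'src_port=52000 dst_port=8443 src_zone="LAN" dst_zone="WAN"',
]

# key=value pairs; a value is either double-quoted (may contain spaces) or a bare token
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Turn one key=value log line into a dict of string fields."""
    fields = {}
    for m in KV_RE.finditer(line):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields


def filter_connections(lines, status=None, ip=None):
    """Return parsed firewall events whose status matches ("Allow" or "Deny")
    and, if ip is given, whose source or destination address equals ip.
    This is the scripted twin of the Log Viewer filter described above."""
    out = []
    for line in lines:
        ev = parse_line(line)
        if ev.get("log_type") != "Firewall":
            continue
        if status is not None and ev.get("status") != status:
            continue
        if ip is not None and ip not in (ev.get("src_ip"), ev.get("dst_ip")):
            continue
        out.append(ev)
    return out


def denied_ports_by_source(lines):
    """Group denied events by source IP and list the destination ports each
    source probed: the quickest way to see whether a 'strange foreign IP' is
    sweeping several ports or repeatedly hitting one service."""
    probes = defaultdict(set)
    for ev in filter_connections(lines, status="Deny"):
        probes[ev["src_ip"]].add(int(ev["dst_port"]))
    return {src: sorted(ports) for src, ports in probes.items()}


if __name__ == "__main__":
    for ev in filter_connections(SAMPLE_LOGS, status="Allow"):
        print(f'{ev["time"]} {ev["src_zone"]}->{ev["dst_zone"]} '
              f'{ev["src_ip"]} -> {ev["dst_ip"]}:{ev["dst_port"]} rule {ev["fw_rule_id"]}')
    print(denied_ports_by_source(SAMPLE_LOGS))
```

Running it against a real export means replacing `SAMPLE_LOGS` with the file's lines; the `status="Deny"` grouping is the view that answers the "why are foreign IPs still contacting my XG" question, since a denied entry is the firewall doing its job rather than a gap in the ACL.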

  • If SSLVPN and User Portal are on the same service port (443 or 8443), they will share the service. Therefore the ACL will not block it. The ACL is based on service port. So you can block 443 in this matrix, but it will not block it if SSLVPN is enabled and User Portal is disabled. If you do not want this behavior, a service port change could be an approach.

    SSLVPN cannot be blocked on a virtual zone like VPN. So VPN is everything, IPsec or SSLVPN, that is active. You cannot disable SSLVPN in an SSLVPN tunnel. That would not make sense.

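The shared-port point in that reply is worth checking rather than assuming, because it is what makes question 1 and the earlier "unchecked everything on WAN" remark differ: the box you untick is per service, but the listener the Internet sees is per port. The model below is an added example, not code from this thread or from Sophos; the service names, which services share a port, and the non-443 port numbers are assumptions chosen to reproduce the situation the reply describes.

```python
# Hypothetical model of the zone x service ACL matrix from this thread, with
# the per-service-port enforcement the reply above describes. Service names,
# port sharing and the non-443 ports are assumptions for this example only.

# Local services the XG listens on, keyed to their TCP port. SSL VPN and the
# User Portal are both placed on 443 to reproduce the shared-port case.
SERVICE_PORTS = {
    "SSL VPN": 443,
    "User Portal": 443,
    "HTTPS Admin": 4444,   # assumed port
    "SSH": 22,
}

# Which services are switched on at all (independent of the ACL matrix).
ENABLED = {"SSL VPN": True, "User Portal": True, "HTTPS Admin": True, "SSH": True}

# Rows are zones (where the request comes from), columns are services; True
# means the box is ticked. The VPN row carries no SSL VPN box at all.
ACL = {
    "LAN": {"SSL VPN": True, "User Portal": True, "HTTPS Admin": True, "SSH": True},
    "WAN": {"SSL VPN": True, "User Portal": False, "HTTPS Admin": False, "SSH": False},
    "VPN": {"User Portal": True, "HTTPS Admin": True, "SSH": False},
}


def reachable_ports(zone, acl=ACL, ports=SERVICE_PORTS, enabled=ENABLED):
    """Ports on the XG that a host in `zone` can connect to, following the
    reply's claim that the ACL is enforced per service port: a port is open
    from a zone if at least one enabled service on it is ticked for that zone.
    Returns {port: sorted list of enabled services listening on that port}."""
    open_ports = set()
    for service, allowed in acl.get(zone, {}).items():
        if allowed and enabled.get(service, False):
            open_ports.add(ports[service])
    return {
        p: sorted(s for s, sp in ports.items() if sp == p and enabled.get(s, False))
        for p in open_ports
    }


def shared_port_leaks(zone, acl=ACL, ports=SERVICE_PORTS, enabled=ENABLED):
    """Services unticked for `zone` whose port is nevertheless reachable from
    that zone because another ticked service listens on the same port.
    Each entry is (unticked_service, port, service_that_keeps_it_open)."""
    leaks = []
    open_ports = reachable_ports(zone, acl, ports, enabled)
    for service, allowed in acl.get(zone, {}).items():
        if allowed or not enabled.get(service, False):
            continue
        port = ports[service]
        if port in open_ports:
            keeper = [s for s in open_ports[port] if s != service and acl[zone].get(s)]
            leaks.append((service, port, keeper[0]))
    return leaks


if __name__ == "__main__":
    print("WAN reachable:", reachable_ports("WAN"))
    print("WAN leaks:", shared_port_leaks("WAN"))
    # Question 1: untick SSL VPN on the WAN row and port 443 closes from WAN.
    acl_no_sslvpn = {**ACL, "WAN": {**ACL["WAN"], "SSL VPN": False}}
    print("WAN without SSL VPN:", reachable_ports("WAN", acl=acl_no_sslvpn))
```

With the matrix as configured, `shared_port_leaks("WAN")` reports that the User Portal box is unticked for WAN yet 443 stays reachable because SSL VPN holds it open, which is exactly the case the reply says a service port change would resolve; moving one of the two services to another port makes the leak list empty.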
