Pls help me understanding the XG v18 ACL matrix

Question

Hi everyone, 
 This is the ACL matrix of Sophos XG v18 firewall system. 
 
 Would you please explain to me in more details about the rows and columns of this ? I would like to know more in partiular about the SSL VPN column : 
 
 If I uncheck the SSL VPN box at WAN row, can I still access the XG system remotely via SSL VPN ? 
 Why is the SSL VPN box at VPN row disabled ? I can not check it by any means. 
 
 Thank you very much in advance.

Wayne Folta · Accepted Answer

The row is the zone from which you want access and the column is the service to which you want access. So answer 1 is NO. The answer to 2 is "why would you want to access the VPN server when you're already on the VPN server and hence in the VPN zone?" Note that this box cannot be checked.

Vishal_R · Answer

Hi J Thai : The Packets will reach XG as IP is publicly routable but the intended destination service is not on or not configured ON XG due to that firewall will drop the same with denied action with invalid traffic. If you do not want traffic should not reach to XG then on (next hop device) possible ISP router on your premise - you may block those destination and that will not forward those specific destination traffic on XG To see allow traffic/connection, you may apply the filter with IP and with the allowed conditions. Example:

LuCar Toni · Answer

If SSLVPN and User Portal is on the same Service Port (443 or 8443) it will share the service. Therefore ACL will not block it. ACL is based on service port. So you can block 443 in this matrix, but it will not block it, if SSLVPN is enabled and User Portal is disabled. If you do not want this behavior, service port change could be a approach. 
 SSLVPN cannot be blocked on a virtual zone like VPN. So VPN is everything, IPsec or SSLVPN is active. You cannot disable SSLVPN in a SSLVPN Tunnel. That would not make sense.

Pls help me understanding the XG v18 ACL matrix

Top Replies

Submitted a Tech Support Case lately from the Support Portal?