Unable to enforce local service ACL on Sophos xg v19.0.1 MR-1

Hello there,

The Local ACL doesn't need a Firewall Rule to work; they take precedence. 

For your ACL exception rule, you shouldn't use #; only select ANY, and for Source Zone, select LAN and Services HTTPS.

Ensure you’re also using Sophos Central to access your Device before making any ACL changes. 

Regards,

Hi,

As I mentioned in my post, I have changed Source Zone from ANY to LAN and services are already HTTPS. What do you mean by the below point:

emmosophos said:

Ensure you’re also using Sophos Central to access your Device before making any ACL changes. 

FYI:

• Firewall is not registered on Sophos Central
• This is configured in Active-Passive Cluster. ACL is being configured on Active Device

Hello,

I don't remember you mentioning anything in your post about changing the Source Zone to LAN.

Have you changed the Destination Host?

Accessing your Firewall via Central is the safest way to access from WAN. Since you’re going to be modifying your ACL rules, and you might lock out accidentally, it is good to have a "backdoor".

All changes you made in your Active device will replicate automatically to your Passive device.

Regards,

Hi Emmanuel,

Thanks for sharing info on Sophos Central. I have not opened HTTPS access on WAN zone. Just trying to restrict access on LAN so that only specified IP's can access the Web Admin GUI. I've disabled HTTPS from Device Access on LAN Zone and, In My Local ACL Exception Rule:

• Source Zone: LAN
• Source Network/ Host: IPv4 Host
• Destination Host: Lan Port
• Services: HTTPS
• Action: Accept

Regards,

Hello,

The information for Central was so you have a "backdoor" in case you lost access to your Firewall while configuring the ACL for the LAN.

If the issue persists after the ACL is correct and you have confirmed the Source Network IP is correct too, run the following command from the console of the Sophos Firewall (SSH into the Sophos Firewall and press 4 > 3)

console > show advanced-firewall

And make sure you have nothing under Bypass Stateful Firewall

Additionally, to this make sure the output of the following command is disabled

console> system appliance_access show

If this is enabled, run the following command to diable it

console> system appliance_access disable

Regards,

Hi,

Still rules are not applying. Please check below picture

Regards,

Abdullah

Hi Abdullah,

Apologies for reiterating your query.

You want to turn off all LAN access going to your web Admin GUI except the "Ammar System IP" 

I've replicated your configurations, and this is working on my side. Only the IP address (172.16.16.17 and .100 ) defined on my Source Network/Host* are allowed. 

Once I removed the IP of .100, this one got blocked.

Would it be possible to retry the IPs that aren’t included on your "Ammar System IP" and send a screenshot of the logs

Hi Abdullah,

Apologies for reiterating your query.

You want to turn off all LAN access going to your web Admin GUI except the "Ammar System IP" 

I've replicated your configurations, and this is working on my side. Only the IP address (172.16.16.17 and .100 ) defined on my Source Network/Host* are allowed. 

Once I removed the IP of .100, this one got blocked.

Would it be possible to retry the IPs that aren’t included on your "Ammar System IP" and send a screenshot of the logs

Hi Erick,

Yes, we want to turn off Web Admin for LAN users except Ammar IP. Thanks for reproducing the scenario at your end, I'll again check at my end tomorrow morning and revert back with Logs.

Regards,

Abdullah