Managing Admin Services access, How it works?

Creating an additional VLAN and zone, where I did not give access to Admin services, still allows users from this VLAN to access the https://xglanip:4444 interface (because a policy rule from LAN to the additional zone exists with all services).

This is not safe. See screenshot.

Luk



  • Hello lferrara - I am using Sophos XG Firewall Home Edition Version: 16.01.2.

    I have multiple sub-interfaces, each on different VLANs. Regardless of which VLAN I am using, I am able to access the Sophos Mgt Console via ANY of the VLANs' GW IPs and port 4444.

    So for instance, if I am on a VLAN with a GW of 10.1.100.1, I can access not only the Sophos Mgt Console at 10.1.100.1:4444 but also those of the other VLANs, such as 192.168.100.1:4444 and 10.2.100.1:4444.

    The VLANs are not able to talk to one another, as I do not have any inter-VLAN communication set up. Each respective VLAN is only able to communicate with IPs on its own VLAN (verified with NMAP). The problem is just with hosts accessing the Sophos Mgt Console....

    So I too am in need of blocking access to the Sophos Mgt Console, not only from individual VLANs, but also from hosts' ability to access it in VLANs other than their own.

    One test, for example: I tried creating a FW rule to specifically block Source Zone: LAN, Source IP: (VLAN subnets) to Destination Zone: LAN, Destination IP: 192.168.100.1, Port: 4444, but this did not work and the rule never gets hit.

    Packet captures via the Sophos Mgt Console show that the port 4444 traffic is being allowed via Rule ID 0 (which is the local ACL).

    I have seen other ports, such as the printer port for instance, being dropped by Rule ID 0 (local ACL) for inter-VLAN communication attempts; however, when I have created a rule to allow the printer port, it does work. For some odd reason, even though I create a FW rule to deny port 4444, it is being ignored and Rule ID 0 continues to allow access to the Sophos Mgt Console.

    If anyone comes up with a way to block it, please share.

    Thanks
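As an added example that is not part of this thread or of any Sophos code: the post above describes checking packet captures to see which VLANs can reach the admin console on port 4444, and that such traffic shows up as allowed by Rule ID 0. The script below runs that check over a few constructed, key=value connection records (an assumed format, not the XG capture format), using the three subnets quoted in the post and the assumption that only one of them is meant to have admin access. It flags any allowed port-4444 connection from a non-admin VLAN, and any connection that reaches a gateway IP belonging to a different VLAN than the source.

```python
"""Audit constructed firewall connection records for admin-console exposure.

Added example, not the XG firewall's own tooling. Record format, VLAN plan
and the "admin VLAN" choice are all assumptions made for this example.
"""
from ipaddress import ip_address, ip_network

# Constructed VLAN plan using the subnets mentioned in the post.
# Assumption: each VLAN is a /24 with the firewall's gateway at .1.
VLANS = {
    "vlan100": ip_network("10.1.100.0/24"),
    "vlan200": ip_network("192.168.100.0/24"),
    "vlan300": ip_network("10.2.100.0/24"),
}
# Assumption: only vlan200 is supposed to reach the admin console.
ADMIN_ALLOWED = {"vlan200"}
ADMIN_PORT = 4444  # WebAdmin port mentioned in the thread

# Constructed records. "rule=0" mirrors the thread's observation that the
# local service ACL (Rule ID 0) is what allows the console traffic.
SAMPLE_LOG = """\
src=10.1.100.25 dst=10.1.100.1 dport=4444 rule=0 action=allow
src=10.1.100.25 dst=192.168.100.1 dport=4444 rule=0 action=allow
src=192.168.100.10 dst=192.168.100.1 dport=4444 rule=0 action=allow
src=192.168.100.10 dst=10.2.100.1 dport=4444 rule=0 action=allow
src=10.2.100.7 dst=10.2.100.50 dport=9100 rule=0 action=drop
"""


def parse_lines(text):
    """Turn key=value lines into dicts; dport and rule become ints."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = dict(field.split("=", 1) for field in line.split())
        rec["dport"] = int(rec["dport"])
        rec["rule"] = int(rec["rule"])
        records.append(rec)
    return records


def vlan_of(ip):
    """Return the VLAN name whose subnet contains ip, or None."""
    addr = ip_address(ip)
    for name, net in VLANS.items():
        if addr in net:
            return name
    return None


def audit(records):
    """Return (src, dst, reasons) for every allowed admin-port connection
    that violates the VLAN plan: wrong source VLAN, or a gateway in a
    different VLAN than the source (the cross-VLAN reach the post describes)."""
    findings = []
    for rec in records:
        if rec["dport"] != ADMIN_PORT or rec["action"] != "allow":
            continue
        src_vlan = vlan_of(rec["src"])
        dst_vlan = vlan_of(rec["dst"])
        reasons = []
        if src_vlan is None:
            reasons.append("source outside defined VLANs")
        else:
            if src_vlan not in ADMIN_ALLOWED:
                reasons.append(f"{src_vlan} is not an admin VLAN")
            if dst_vlan != src_vlan:
                reasons.append(f"cross-VLAN reach: {src_vlan} -> {dst_vlan} gateway")
        if reasons:
            findings.append((rec["src"], rec["dst"], reasons))
    return findings


if __name__ == "__main__":
    for src, dst, reasons in audit(parse_lines(SAMPLE_LOG)):
        print(f"{src} -> {dst}:{ADMIN_PORT}  " + "; ".join(reasons))
```

Feeding the script real capture output would need a parser for the XG's own format in place of `parse_lines`; the VLAN table and the allowed set are the only policy it encodes, so the remaining findings are exactly the admin-console reachability the post is trying to eliminate.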

  • Have you tried fiddling around with the "Local Service ACL Exception Rule" section on the device access page?

    You can specify drop rules there, and from my understanding that is what handles Rule ID 0. Let us know if that works.

  • Hi Luk

    I came across this old post of yours and I am sure you found a proper solution, right?

    I tried the suggestion regarding "Local Service ACL Exception Rule" but it didn't help. Would you mind sharing your findings?

    Thanks, Patric