Best Practices for Hardening Webadmin

Hi, 

I am a SOC Analyst who works with a client who has Sophos UTM.  When I'm analyzing their network, I'm seeing two-way traffic (mostly Tor/malicious scanners) hitting TCP 4444 and getting two-way traffic.  Are there any best practices around hardening the ports that are used for administration of the UTM? I'm anxious when I see this.

I'm a newbie, but I found this on the forum from 8 years ago.

"Your need is more sophisticated, and, in fact, you can write a firewall rule that's applied before proxies. The trick is to use the "(Address)" object created by WebAdmin when you define an Interface or an Additional Address.

With, for example, an Additional Address of "Card Auth" on the External interface, use "External [Card Auth] (Address)" as the 'Destination' in the traffic selector portion of the rule. The rule then will apply to the INPUT chain and be processed before the traffic gets to the WAF.

So, you would have a rule like '{group of allowed IPs} -> HTTPS -> External [Card Auth] (Address) : Allow' followed by a similar Drop rule for "Any" traffic arriving"

Thank you in advance for any assistance you can provide. 

Paul Misner



This thread was automatically locked due to age.
  • Hi Paul

    Are you able to tell us what is configured in both the "Allowed Administrators" and the "Allowed Network" sections of:

    Management -> WebAdmin Settings -> General -> WebAdmin Access Configuration

    Thanks
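As an added example that is not part of this thread and not Sophos's own tooling: the script below shows the two ideas the posts above touch on. First, the ordered "Allow from the admin group to WebAdmin, then Drop Any" rule pair from the quoted post, evaluated first-match-wins. Second, the check the reply is driving at: given whatever is configured as the WebAdmin "Allowed Networks", which accepted connections to TCP/4444 in the packet filter log came from somewhere else. The allowed networks, the UTM's external address and the log lines are all constructed here (documentation ranges only); the log lines are modelled loosely on the key="value" style of the UTM packet filter log and are not real captures.

```python
import ipaddress
import re

# Hypothetical networks standing in for what is configured under
# Management -> WebAdmin Settings -> General -> Allowed Networks.
ALLOWED_ADMIN_NETWORKS = [
    ipaddress.ip_network("192.0.2.0/24"),      # example office range
    ipaddress.ip_network("198.51.100.10/32"),  # example jump host
]
WEBADMIN_PORT = 4444  # default WebAdmin port on Sophos UTM

# Ordered rule pair as described in the quoted post: allow the admin group to
# WebAdmin, then drop anything else arriving on that port. First match wins.
ANY = [ipaddress.ip_network("0.0.0.0/0")]
RULES = [
    ("allow", ALLOWED_ADMIN_NETWORKS, WEBADMIN_PORT),
    ("drop", ANY, WEBADMIN_PORT),
]


def evaluate(srcip, dstport, rules=RULES):
    """Return the action of the first matching rule, or None if none match."""
    addr = ipaddress.ip_address(srcip)
    for action, nets, port in rules:
        if dstport == port and any(addr in net for net in nets):
            return action
    return None


# Constructed sample log lines (not real UTM output). 203.0.113.1 plays the
# UTM's external address; 203.0.113.77 and .88 play unknown Internet hosts.
SAMPLE_LOG = """\
2021:03:01-10:15:01 utm ulogd[1234]: id="2001" sub="packetfilter" name="Packet accepted" action="accept" fwrule="1" initf="eth1" srcip="192.0.2.55" dstip="203.0.113.1" proto="6" srcport="51001" dstport="4444" tcpflags="SYN"
2021:03:01-10:15:07 utm ulogd[1234]: id="2001" sub="packetfilter" name="Packet accepted" action="accept" fwrule="1" initf="eth1" srcip="203.0.113.77" dstip="203.0.113.1" proto="6" srcport="40123" dstport="4444" tcpflags="SYN"
2021:03:01-10:15:09 utm ulogd[1234]: id="2001" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcip="203.0.113.88" dstip="203.0.113.1" proto="6" srcport="33333" dstport="4444" tcpflags="SYN"
2021:03:01-10:15:12 utm ulogd[1234]: id="2001" sub="packetfilter" name="Packet accepted" action="accept" fwrule="2" initf="eth1" srcip="203.0.113.77" dstip="203.0.113.1" proto="6" srcport="40124" dstport="443" tcpflags="SYN"
2021:03:01-10:15:15 utm ulogd[1234]: id="2001" sub="packetfilter" name="Packet accepted" action="accept" fwrule="1" initf="eth1" srcip="198.51.100.10" dstip="203.0.113.1" proto="6" srcport="50002" dstport="4444" tcpflags="SYN"
"""

KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line):
    """Return the key="value" fields of one log line as a dict."""
    return dict(KV_RE.findall(line))


def is_allowed_source(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_ADMIN_NETWORKS)


def find_unexpected_webadmin_access(log_text, port=WEBADMIN_PORT):
    """Return (srcip, srcport, fwrule) for every *accepted* TCP connection to
    the WebAdmin port whose source is outside the allowed admin networks.
    Dropped packets are ignored: they are the firewall doing its job."""
    hits = []
    for line in log_text.splitlines():
        f = parse_line(line)
        if f.get("sub") != "packetfilter" or f.get("action") != "accept":
            continue
        if f.get("proto") != "6" or int(f.get("dstport", 0)) != port:
            continue
        if is_allowed_source(f["srcip"]):
            continue
        hits.append((f["srcip"], int(f["srcport"]), f.get("fwrule")))
    return hits


if __name__ == "__main__":
    for ip in ("192.0.2.55", "203.0.113.77"):
        print(ip, "->", evaluate(ip, WEBADMIN_PORT))
    for srcip, srcport, rule in find_unexpected_webadmin_access(SAMPLE_LOG):
        print(f"accepted WebAdmin connection from {srcip}:{srcport} via rule {rule}")
```

Run against the constructed log, only the second line is reported: an accepted connection to 4444 from 203.0.113.77, which is not in the admin networks. The dropped attempt on the third line is not reported, and neither is the HTTPS hit on the fourth, so the output is exactly the list of sessions the original post is worried about. Feeding the real Allowed Networks list and the real packet filter log into the same two functions gives the answer to the reply's question.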
