Create firewall port overrides without compromising overall security

Your Sophos XG Firewall, if installed by TechNosis, will have a baseline configuration derived from the best practices of our managed services business. This baseline is derived from many years of experience balancing the needs for security and usability across a wide variety of customers and situations.


No configuration is perfect and you may have to open additional ports to meet your business needs. You can contact support@technosis.biz and we will make those changes for you, or you can follow these simple instructions to insert new settings into the configuration. Your baseline configuration has a predesignated location for additions, which ensures you can quickly add what you need without fear of compromising the security of the rest of your configuration.


1. Log in to your Sophos XG Webadmin console at https://portal.yourdomain.com:4443 (use your end-user admin account, not the default "admin" user, so that your change audit trail is meaningful).




2. From the main dashboard, check whether your system says "Sophos Firewall manager: us-xxxxxxxxxxx". If it does, then TechNosis is managing your firewall as part of your services. When this is true, we make regular backups of your configuration and you can skip step 3. If Firewall manager is missing or blank, then we are not managing your system and you should make a backup of your configuration before proceeding.




3. To make a backup of your configuration, follow this 6-click flow. Note that you will have to click on Local at two different points in the process. (If you don't make a backup and you make a mistake, it is highly possible that you will lock yourself out and have to reset your firewall to factory default to repair it. This sort of error is a lot more common than it was on the Sophos SG system.)




4. After the backup is done:


  • Click on "Protect>Firewall"
  • Open up the Overrides/Bypass Group
  • Click on the edit ellipses
  • Click on the edit option




5. Verify that you are in the edit screen for "Special Ports" and click on Services > Add New Item.




6. If you are opening a well-known port, you can search for it in the list. In this example we type in "imap" and get a list of 4 known IMAP services. Select the services you want with the check boxes and click "Apply 2 selected items".




7. If the ports you need to open are not standard, you can add them as custom ports:


  • Click "Create new"
  • Click "Services"


8. The add service dialog will appear:


  • Give the service an identifiable name
  • Set the service type
  • Use the blue plus sign to add as many service lines as you need.
  • Your source port will always be 1:65535; your destination can be a single port or a colon-delimited port range.




9. To save your changes to the rule (so far you have only saved your custom service):


  • Scroll to the bottom of the page, leaving all the other settings alone.
  • Click Save at the bottom of the page to save your change to the firewall rule.
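Before typing a custom service into the Overrides/Bypass group (step 8), it helps to sanity-check the definition against the rules above: source port 1:65535, destination a single port or a colon-delimited range, and nothing wider than the business need. The following Python script is an added example written for this article; it is not TechNosis or Sophos code and does not talk to the firewall. The `MAX_RANGE_WIDTH` review threshold and the sample service definitions are constructed for illustration.

```python
"""Added example (not TechNosis or Sophos code): review a custom service
definition before it is entered in the Overrides/Bypass group.

Assumes the formats described in the article: source port 1:65535 and a
destination that is either a single port ("143") or a colon-delimited
range ("8000:8010")."""
from dataclasses import dataclass, field
from typing import List, Tuple

PORT_MIN, PORT_MAX = 1, 65535

# Constructed review threshold (an assumption, not a Sophos setting):
# destination ranges wider than this get flagged for a second look.
MAX_RANGE_WIDTH = 100


def parse_port_spec(spec: str) -> Tuple[int, int]:
    """Parse "143" or "8000:8010" into an inclusive (low, high) tuple.

    Raises ValueError for anything that is not a valid port or range
    (non-numeric text, ports outside 1..65535, or a reversed range)."""
    parts = spec.strip().split(":")
    if len(parts) not in (1, 2) or not all(p.isdigit() for p in parts):
        raise ValueError(f"bad port spec: {spec!r}")
    low, high = int(parts[0]), int(parts[-1])
    if not (PORT_MIN <= low <= high <= PORT_MAX):
        raise ValueError(f"port spec out of range or reversed: {spec!r}")
    return low, high


@dataclass
class ServiceLine:
    protocol: str      # "TCP" or "UDP", as chosen in the service type field
    source: str        # always "1:65535" per the article
    destination: str   # single port or colon-delimited range


@dataclass
class CustomService:
    name: str
    lines: List[ServiceLine] = field(default_factory=list)


def review_service(svc: CustomService) -> List[str]:
    """Return a list of warnings; an empty list means nothing looked odd."""
    warnings: List[str] = []
    if not svc.name.strip():
        warnings.append("service has no identifiable name")
    if not svc.lines:
        warnings.append("service has no service lines")
    for i, line in enumerate(svc.lines, 1):
        if line.protocol.upper() not in ("TCP", "UDP"):
            warnings.append(f"line {i}: unexpected protocol {line.protocol!r}")
        try:
            if parse_port_spec(line.source) != (PORT_MIN, PORT_MAX):
                warnings.append(
                    f"line {i}: source port should be 1:65535, got {line.source!r}")
        except ValueError as err:
            warnings.append(f"line {i}: {err}")
        try:
            low, high = parse_port_spec(line.destination)
            width = high - low + 1
            if width > MAX_RANGE_WIDTH:
                warnings.append(
                    f"line {i}: destination range {line.destination!r} spans "
                    f"{width} ports; confirm every port is needed")
        except ValueError as err:
            warnings.append(f"line {i}: {err}")
    return warnings


if __name__ == "__main__":
    # Constructed sample definitions, not taken from any real configuration.
    tight = CustomService("Mail-IMAP", [ServiceLine("TCP", "1:65535", "143"),
                                        ServiceLine("TCP", "1:65535", "993")])
    sloppy = CustomService("", [ServiceLine("TCP", "1:65535", "1:65535"),
                                ServiceLine("ICMP", "25", "8010:8000")])
    for svc in (tight, sloppy):
        print(svc.name or "<unnamed>", "->", review_service(svc) or "OK")
```

Run it as a script to see a clean definition pass and a sloppy one collect every warning; in practice you would paste the warnings back into your change ticket before adding the service to the rule.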


