Sophos Firewall - Set up support access for Avanet
In this knowledge base article, you will learn step by step how to set up support access for Avanet on your Sophos Firewall. To do this, you create a new user, allow access via HTTPS and SSH (only from the Avanet IP or DNS host) and add a public SSH key if required.
Add user “avanet
- open the “Authentication” menu
Click on Authentication in the left navigation and then on Users.
- create new user
- Click on Add.
- For example, enter avanet under Username.
- Enter Avanet for Full name.
- Set profiles to Administrator so that Avanet has full rights.
- Set a secure password under Password.
- Enter an address such as service@avanet.com under Email.
- save
Click on Save or Add to create the new user.
Create FQDN host for support.avanet.com
- switch to the “Hosts and services” menu
- Click on Hosts and services on the left.
- Select FQDN hosts.
- add FQDN host
- Click on Add.
- Enter a unique name under Name, e.g. support.avanet.com.
- Under FQDN enter support.avanet.com.
- Add a description, e.g. “Avanet support access”.
- Click on Save.
This creates a DNS object that points to the IP address(es) of support.avanet.com.
Set up Local Service ACL Exception Rule
- administration → Device access
Click on Administration in the left-hand navigation and then on Device access.
- add ACL exception rule
- Scroll to Local service ACL exception rule and click on Add.
- Enter a title under Rule name, e.g. Avanet Support.
- Rule position: Make sure that it fits in your order (e.g. “Bottom” so that other rules are not overwritten).
- carry out configuration
- IP version: Select IPv4 (or IPv6 if you need it).
- Source zone: Make sure you select the correct zone (e.g. Any or a specific zone).
- Source Network / Host: Select the FQDN object just created support.avanet.com.
- Destination host: Any or specifically the firewall (depending on your configuration).
- Services: Mark HTTPS and SSH so that Avanet can access the admin interface (HTTPS) and via SSH.
- Action: Set to Accept to allow access.
- save
Click on Save to create the new exception rule.
This allows Avanet to access the firewall administration exclusively via the DNS host support.avanet.com.
Add public SSH key (optional)
If Avanet requires SSH key-based access, you can store the public key either for the default admin or for the new user “avanet”:
- administration → Device access
- Click on Administration and then on Device access.
- public key authentication
- Scroll to Public key authentication for admin (or for the user “avanet”, if available).
- Click on the + symbol or Add to insert the public key.
- Enter the supplied SSH public key (e.g. ssh-rsa AAAAB3NzaC1yc2EAAA…) in the field.
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCyVlHzNIcVvEcEaxcgCj3RjNcJpzXFbjkT0S9e/Mi3LEVXKBUlG6MkL0zuxamcSjmEyNWeHJ/K9uuDwch6nozuQloucOMRIe3IulRrE3kDvUre3/WDdMC5j0/ceGv6ZtkDLI1zyDu4h/mBLemM3TKaq2P232TuL7RQ9LGm4HNutKP+ShAS+aiIEmGd/oWaMUK9bHFe4LNcekCgCs854gDtMANG12S8bgZEo+aLs8inVE/nolagyuZkQHM+fCWg2Efe2XOJrqkhu1BtwFrdlK+hehb5e9hxX7fzWn858kNn6Z5FKiK47X6NlxT8CsYH0dV41YOtQuHhwNCla/IRVEbFEwDoNEZMklaKCt9snFeles2Uy7oyaMXdJkkChDHlpcicph/cqC3g/Ik4Xh9QYDTgCgYjxPBUsBRDmalRcHhm8r3aJG+PHm51N5sCsU5BBkMmOeqGnC42QtF7kFl6lcqcbqJlNZnKgGTRTQhp4lG0NCx1s5riWyZRWq751cEoWPew14fNPcs24eUevCy6+TBzDmFx7s8Utd0ZtDgu7kA7SkNHwzysAmBEtDzS90ExAaRRrQcOAPh485y5L0X0jQ0VbM1ehyS8QZQEmWw9G1qdHftRdYkiyn4fZdRC4sW9SX/IONNFxKbdOo0DKfz/EhHR1/uhFVU6jTXl551lHVmW+w==
- save
Click on Save.
Avanet can then authenticate itself using an SSH key, provided the firewall settings allow SSH access.
FAQ
What happens if the IP address behind support.avanet.com changes?
The firewall uses the FQDN entry (DNS) to determine the IP address. If the IP changes, the firewall automatically uses the new IP after a short DNS update. Make sure the DNS entry is configured correctly.
Do I need to allow additional ports besides HTTPS (443) and SSH (22)?
Usually not for support access. If Avanet needs additional services, you may need to allow further ports or create corresponding ACL exceptions, unless the Sophos Firewall is behind a NAT router.