To prevent exposing your device from WAN, which is the default, get to the GUI or SSH locally and run these commands. Change the addresses as needed.
configure set service gui listen-address 192.168.20.1 set service ssh listen-address 192.168.20.1 commit save exit
This is a good option if you do not want WAN access at all, however what if you are at another location and you do actually need remote access. Alternate option would be to configure in the GUI for WAN_LOCAL for remote access 443,22 for source IP’s as you authorize. That way your remote IP it allowed through but not ones you do not specify. We do this, tested.