Sophos UTM Device

For the latest updates please refer to our Firewall Best Practices guide for the latest IP address ranges and services.

Important:  Make sure device firmware is always up to date.

Enabling WAN Ping Response:

Once logged in to the Sophos go to Network Protection > Firewall. When in the general Firewall settings go to the tab ICMP. Then under "Global ICMP Settings" check the box next to "Allow ICMP on Gateway" then press "Apply".

Setting up the Cytracom Network Definition:

Once logged in to the Sophos go to Definitions & Users > Network Definitions > New Network definition... > Input the following info > Name = "Cytracom" ; Type = Range ; IPv4 From =  209.105.249.194 ; IPv4 To = 209.105.249.252 ; No Advance configuration Necessary. 

Setting up Inbound Traffic Selectors for QOS:

Once logged in to the Sophos go to Interfaces & Routing > Quality of Service (QoS). Once in the QoS Settings go to the Traffic Selectors Tab. Now press New Traffic Selector... > Input the following info > Name = "Cytracom IN" ; Type = Traffic Selector ; Source = "Cytracom" ; Service = Any ; Destination = Any ; Comment = Optional ; No Advanced Configuration Needed on the inbound because it will not retain the DSCP coming back. This is only needed on outbound traffic. Press Save, then find the new rule in the list and click the slider to enable it.

Setting up Outbound Traffic Selectors for QOS:

Once logged in to the Sophos go to Interfaces & Routing > Quality of Service (QoS). Once in the QoS Settings go to the Traffic Selectors Tab. Now press New Traffic Selector... > Input the following info > Name = "Cytracom Out" ; Type = Traffic Selector ; Source = Any ; Service = Any ; Destination = "Cytracom" ; Comment = Optional ; Open the Advanced sections and input the following > TOS/DSCP = DSCP-Bits ; DSCP-Bits = DSCP Value ; DSCP Value = 46 ; Amount of data sent/received = unchecked > Helper = None. Press Save, then find the new rule in the list and click the slider to enable it.  

Setting up the Cytracom bandwidth pool:

Once logged in to the Sophos go to Interfaces & Routing > Quality of Service (QoS). Once in the QoS Settings go to the Bandwidth Pools Tab. Now Press New Bandwidth Pool... > Input the following > Name = "Cytracom Pool" ; Interface = WAN ; Position = Top ; Bandwidth (kbit/s) = {This depends on how many phones there are.  Each phone will need to be multiplied by 70 kb, and then double it because this is for both in and outbound phone traffic concurrently.} ; Traffic Selectors = Check both Cytracom IN and Cytracom Out ; Comment = Optional. Press Save. 

Disabling SIP Helper

Once logged in to the Sophos go to Network Protection > VoIP and make sure that SIP Protocol Support is switched to off.

Increasing UDP Timeout

Using either SSH or putty, terminal into the device and log into the console. Type the following command to show the current configuration:

 If the "ip_conntrack_udp_timeout" and "ip_conntrack_udp_timeout_stream" are not showing as 180 seconds then the following commands will apply this change:

Note: The commands entered above will clear out upon a reboot of the Sophos UTM so you will need to enter these each time a reboot has occurred or create a cron job in the config to re-apply these commands upon start up. This configuration is not directly supported by the firmware so please consult your Sophos support representative in order to get this set up if you are unsure of how to configure the device in this way.

Was this article helpful?
5 out of 7 found this helpful