Cytracom UCaaS: Setting up a Sophos XG firewall

Topic

This article discusses how to set up a Sophos XG firewall for use with Cytracom UCaaS.

Environment

  • Cytracom UCaaS

Description

Follow these steps in order to ensure correct configuration.

Refer to our Firewall Best Practices guide for the latest IP address ranges and services.

Index

  1. Create a Cytracom IP host group and hosts
  2. Enable traffic shaping
  3. Set up the traffic shaping policy
  4. Add rules
  5. Disable SIP-ALG and increase UDP timeout
  6. Enable ICMP or WAN Ping to allow network monitors

Procedure

Create a Cytracom IP host group and hosts

Create the IP host group

1. Navigate to System > Hosts and Services, then click IP Host Group.

UCaaS_Add_Sophos_AddHostGroup.png

Figure 1: Add IP host group (click to enlarge)

2. Select Add a group, then give the group a descriptive name. We recommend "Cytracom Host Group."

When finished, click Save.

Create the hosts

1. Under IP Host, select Add, then configure the first host as follows:

  • Name: Cytracom Voice 1
  • IP Version: IPv4
  • Type: IP Range
  • Address range: 209.105.249.194 - 209.105.249.252
  • IP host group: Cytracom Host Group

When finished, click Save.

2. Use the same configuration options as in step 1, above, to create additional hosts for the following IP address ranges:

  • 184.175.130.161 - 184.175.130.186
  • 205.142.242.20 - 205.142.243.254
  • 3.208.72.128 - 3.208.72.158

When finished, click Save.

UCaaS_AddSophos_AddAHost.png

Figure 2: Add hosts (click to enlarge)
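The host entries above are typed into the Sophos UI as start/end ranges, and a range such as 205.142.242.20 - 205.142.243.254 does not map to a single CIDR block. As an added example (not part of this article or of Cytracom's own tooling), the following Python script converts each listed range into its CIDR blocks and checks whether addresses seen in a firewall log or a phone's SIP registration fall inside the host group. The names "Cytracom Voice 2" through "Cytracom Voice 4" and the sample peer addresses are assumptions constructed for the example; the ranges themselves are the ones listed above and should be checked against the current Firewall Best Practices guide.

```python
import ipaddress

# Address ranges as listed in this article, keyed by the host name given to
# each entry. Only "Cytracom Voice 1" is named in the article; the other
# three names are assumptions for this example.
CYTRACOM_RANGES = [
    ("Cytracom Voice 1", "209.105.249.194", "209.105.249.252"),
    ("Cytracom Voice 2", "184.175.130.161", "184.175.130.186"),
    ("Cytracom Voice 3", "205.142.242.20", "205.142.243.254"),
    ("Cytracom Voice 4", "3.208.72.128", "3.208.72.158"),
]

# Constructed sample of peer addresses an administrator might pull from the
# firewall log or a phone's status page; 198.51.100.7 is documentation space
# and is deliberately outside every Cytracom range.
SAMPLE_PEERS = ["209.105.249.200", "205.142.243.1", "198.51.100.7"]


def range_to_cidrs(first, last):
    """Return the minimal list of CIDR networks covering first..last inclusive."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))


def build_host_group(ranges=CYTRACOM_RANGES):
    """Map each host name to the CIDR blocks equivalent to its range."""
    return {name: range_to_cidrs(first, last) for name, first, last in ranges}


def covering_host(addr, ranges=CYTRACOM_RANGES):
    """Return the name of the host whose range contains addr, or None."""
    ip = ipaddress.ip_address(addr)
    for name, first, last in ranges:
        lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
        # Skip ranges of the other IP version; mixed comparisons raise TypeError.
        if lo.version != ip.version:
            continue
        if lo <= ip <= hi:
            return name
    return None


def uncovered_peers(peers, ranges=CYTRACOM_RANGES):
    """Return the observed peer addresses that no host range covers."""
    return [p for p in peers if covering_host(p, ranges) is None]


if __name__ == "__main__":
    for name, blocks in build_host_group().items():
        print(name, [str(b) for b in blocks])
    for peer in SAMPLE_PEERS:
        print(peer, "->", covering_host(peer))
    print("not covered:", uncovered_peers(SAMPLE_PEERS))
```

Any address that comes back as not covered is either a range missing from the host group or traffic that the outbound rule should not be carrying, so it is worth checking against the Best Practices guide before widening the rule.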

Enable traffic shaping

1. In the Sophos UI's Navigation menu, click System Services, then select Traffic shaping settings.

UcaaS_AddSophos_SystemServicesLink.png

Figure 3: System services in the Navigation Menu (click to enlarge)

2. Configure the traffic shaping settings as follows:

  • Total available WAN bandwidth: Set for the ISP link.
  • Optimize for real-time [VoIP]: Disabled.
  • Enforce guaranteed bandwidth: Enabled.
  • Default policy:
    • Guarantee: 1 (do not guarantee anything for bulk traffic).
    • Limit: Subtract 5% from your total WAN bandwidth and enter the result. This provides a buffer to decrease the likelihood of network saturation on the ISP's side.
    • Priority: 4 (normal).

When finished, click Apply.

UCaaS_AddSophos_TrafficShapingSettings.png

Figure 4: Traffic shaping settings (click to enlarge)

Set up the traffic shaping policy

1. In Traffic shaping settings, click Traffic shaping, then select Add.

2. Configure the traffic shaping policy as follows:

  • Name: "Cytracom Traffic Shaping" (recommended).
  • Policy association: Rules.
  • Rule type: Guarantee.
  • Limit upload/download separately: Enable.
  • Priority: 0 [Real Time - e.g. VoIP] (highest).
  • Guarantee-limit upload: For the guarantee, multiply the number of phones by 100 kbps; set the limit to your total bandwidth.
  • Guarantee-limit download: For the guarantee, multiply the number of phones by 100 kbps; set the limit to your total bandwidth.
  • Bandwidth usage type: Shared.

When finished, click Save.

UCaaS_AddSophos_TrafficShapingPolicy.png

Figure 4: Traffic shaping policy settings (click to enlarge)

Add rules

Add a firewall rule

1. In the Sophos UI's Navigation menu, click Rules and policies.

UcaaS_AddSophos_RulesPoliciesLink.png

Figure 5: Rules and policies in the Navigation menu (click to enlarge)

2. Select New firewall rule from the drop-down menu in the upper right-hand corner of the screen.

UCaaS_AddSophos_NewFirewallRuleMenu.png

Figure 6: New firewall rule (click to enlarge)

3. Configure the new firewall rule as follows:

  • Name: "Cytracom Outbound Rule" (recommended).
  • Rule position: Top.
  • Rule group: Traffic to WAN.
  • Source Zones: Any.
  • Source networks and devices: Any.
  • Destination zones: Any.
  • Destination networks: Any.

UCaaS_AddSophos_OutboundFirewallRule.png

Figure 7: Firewall rule configuration (click to enlarge)

Add a NAT rule

1. In the Rules and Policies window, click the NAT rules tab.

UCaaS_AddSophos_NatRulesTab.png

Figure 8: The NAT rules tab (click to enlarge)

2. Click Create Linked NAT Rule and configure the rule as follows:

  • Rule position: Top.
  • Translated source [SNAT]: MASQ.

Leave all other options in their default state. When finished, scroll down and click Save.

UCaaS_AddSophos_ConfigureNATRule.png

Figure 9: NAT rule configuration (click to enlarge)

3. On the same page, scroll down to Security features and configure the following option:

  • Web Policy: None.

UCaaS_AddSophos_SecurityFeatures.png

Figure 10: Security features (click to enlarge)

4. On the same page, scroll down to Other security features and configure the following option:

  • Shape Traffic: Cytracom Traffic Shaping

UCaaS_AddSophos_OtherSecurityFeatures.png

Figure 11: Other security features (click to enlarge)

When finished, click Save.

Disable SIP-ALG and increase UDP timeout

1. Access the command line interface (CLI) by logging in via Telnet or SSH, or by clicking Admin > Console in the upper right-hand corner of the Admin Console window.

UCaaS_AddSophos_CLILogin.png

Figure 12: The Admin menu (click to enlarge)


2. In the device console, enter the following command to disable the SIP-ALG service:

system system_modules sip unload

Enter the following command to verify that the SIP-ALG service is no longer running, and confirm that the phones no longer report SIP-ALG:

ps | grep sip

3. Enter the following command to show the current UDP timeout time:

show advanced-firewall

4. Enter the following command to set the UDP timeout time to 180 seconds:

set advanced-firewall udp-timeout-stream 1700

5. Enter the following command to disable the backend SIP intrusion service:

set ips sip_preproc disable

Enable ICMP or WAN Ping to allow network monitors

1. In the Sophos UI's Navigation menu, click Administration, then select the Device Access tab.

UCaaS_AddSophos_AdminLink.png

Figure 13: Administration in the Navigation menu (click to enlarge)

2. In the WAN row, check the Ping/Ping6 box.

UCaaS_AddSophos_DeviceAccessTab.png

Figure 14: The Device Access window (click to enlarge)

Your Sophos firewall should now be correctly configured.

Still have questions? Click here to learn how to contact Cytracom Technical Support.
