Topic
This article discusses how to set up a Sophos XG firewall for use with Cytracom UCaaS.
Environment
- Cytracom UCaaS
Description
Follow these steps in order to ensure correct configuration.
Refer to our Firewall Best Practices guide for the latest IP address ranges and services.
Index
- Create a Cytracom IP host group and hosts
- Enable traffic shaping
- Set up the traffic shaping policy
- Add rules
- Disable SIP-ALG and increase UDP timeout
- Enable ICMP or WAN Ping to allow network monitors
Procedure
Create a Cytracom IP host group and hosts
Create the IP host group
1. In System→Hosts and Services, click IP Host Group.
Figure 1: Add IP host group (click to enlarge)
2. Select Add a group, then give the group a descriptive name. We recommend "Cytracom Host Group."
When finished, click Save.
Create the hosts
1. Under IP Host, select Add, then configure the first host as follows:
- Name: Cytracom Voice 1
- IP Version: IPv4
- Type: IP Range
- Address range: 209.105.249.194 - 209.105.249.252
- IP host group: Cytracom Host Group
When finished, click Save.
2. Use the same configuration options as in step 1, above, to create additional hosts for the following IP address ranges:
- 184.175.130.161 - 184.175.130.186
- 205.142.242.20 - 205.142.243.254
- 3.208.72.128 - 3.208.72.158
When finished, click Save.
Figure 2: Add hosts (click to enlarge)
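The four address ranges above, turned into a small defender-side check as an added Python example (this is not code from the Cytracom article or from Sophos). It converts each start/end range into CIDR networks, which some allowlists and tools expect instead of ranges, and flags SIP-port flows whose destination lies outside the ranges, which usually points at a misconfigured phone or an unexpected peer. The sample flows are constructed, and the SIP ports 5060/5061 are an assumption for the check, not values from the article.

```python
import ipaddress

# Cytracom address ranges as listed in this article; the Firewall Best
# Practices guide is the authoritative, current list.
CYTRACOM_RANGES = [
    ("209.105.249.194", "209.105.249.252"),
    ("184.175.130.161", "184.175.130.186"),
    ("205.142.242.20", "205.142.243.254"),
    ("3.208.72.128", "3.208.72.158"),
]

# Standard SIP signalling ports; an assumption for the flow check below,
# not a value taken from the article.
SIP_PORTS = {5060, 5061}


def ranges_to_networks(ranges):
    """Expand each start/end pair into the minimal set of CIDR networks.

    Also validates that every range is well formed (start <= end).
    """
    networks = []
    for start, end in ranges:
        first = ipaddress.ip_address(start)
        last = ipaddress.ip_address(end)
        if last < first:
            raise ValueError(f"range end {end} precedes start {start}")
        networks.extend(ipaddress.summarize_address_range(first, last))
    return networks


CYTRACOM_NETWORKS = ranges_to_networks(CYTRACOM_RANGES)


def is_cytracom_address(addr):
    """True if addr falls inside one of the Cytracom ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in CYTRACOM_NETWORKS)


def unexpected_sip_destinations(flows):
    """Return SIP-port flows whose destination is outside the Cytracom ranges.

    flows: iterable of (src_ip, dst_ip, dst_port) tuples, for example
    extracted from the firewall's connection logs.
    """
    return [
        (src, dst, port)
        for src, dst, port in flows
        if port in SIP_PORTS and not is_cytracom_address(dst)
    ]


# Constructed sample flows (not real traffic): src, dst, dst_port
SAMPLE_FLOWS = [
    ("192.168.10.21", "209.105.249.200", 5060),  # inside the first range
    ("192.168.10.22", "205.142.243.1", 5061),    # inside the third range, which spans two /24s
    ("192.168.10.23", "3.208.72.159", 5060),     # one address past the end of the fourth range
    ("192.168.10.24", "198.51.100.7", 443),      # HTTPS, not SIP, so ignored
]

if __name__ == "__main__":
    for net in CYTRACOM_NETWORKS:
        print(net)
    for src, dst, port in unexpected_sip_destinations(SAMPLE_FLOWS):
        print(f"SIP to non-Cytracom destination: {src} -> {dst}:{port}")
```

Run it as-is to print the CIDR equivalents of the ranges and the single flagged flow; to use it against real data, feed `unexpected_sip_destinations` tuples parsed from your firewall logs and refresh `CYTRACOM_RANGES` from the Firewall Best Practices guide whenever it changes.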
Enable traffic shaping
1. In the Sophos UI's Navigation menu, click System Services, then select Traffic shaping settings.
Figure 3: System services in the Navigation Menu (click to enlarge)
2. Configure the traffic shaping settings as follows:
- Total available WAN bandwidth: Enter the bandwidth of your ISP link.
- Optimize for real-time [VoIP]: Disabled.
- Enforce guaranteed bandwidth: Enabled.
- Default policy:
  - Guarantee: 1 (do not guarantee anything for bulk traffic).
  - Limit: Subtract 5% from your total WAN bandwidth and enter the result. This leaves a buffer that reduces the likelihood of saturating the ISP link.
  - Priority: 4 (normal).
When finished, click Apply.
Figure 4: Traffic shaping settings (click to enlarge)
Set up the traffic shaping policy
1. In Traffic shaping settings, click Traffic shaping, then select Add.
2. Configure the traffic shaping policy as follows:
- Name: "Cytracom Traffic Shaping" (recommended).
- Policy association: Rules.
- Rule type: Guarantee.
- Limit upload/download separately: Enable.
- Priority: 0 [Real Time - e.g. Voip] (highest).
- Guarantee-limit upload: Guarantee the number of phones multiplied by 100 kbps; the limit should be your total WAN bandwidth.
- Guarantee-limit download: Guarantee the number of phones multiplied by 100 kbps; the limit should be your total WAN bandwidth.
- Bandwidth usage type: Shared.
When finished, click Save.
Figure 4: Traffic shaping policy settings (click to enlarge)
Add rules
Add a firewall rule
1. In the Sophos UI's Navigation menu, click Rules and policies.
Figure 5: Rules and policies in the Navigation menu (click to enlarge)
2. Select New firewall rule from the drop-down menu in the upper right-hand corner of the screen.
Figure 6: New firewall rule (click to enlarge)
3. Configure the new firewall rule as follows:
- Name: "Cytracom Outbound Rule" (recommended).
- Rule position: Top.
- Rule group: Traffic to WAN.
- Source Zones: Any.
- Source networks and devices: Any.
- Destination zones: Any.
- Destination networks: Any.
Figure 7: Firewall rule configuration (click to enlarge)
Add a NAT rule
1. In the Rules and Policies window, click the NAT rules tab.
Figure 8: The NAT rules tab (click to enlarge)
2. Click Create Linked NAT Rule and configure the rule as follows:
- Rule position: Top.
- Translated source [SNAT]: MASQ.
Leave all other options in their default state. When finished, scroll down and click Save.
Figure 9: NAT rule configuration (click to enlarge)
3. On the same page, scroll down to Security features and configure the following option:
- Web Policy: None.
Figure 10: Security features (click to enlarge)
4. On the same page, scroll down to Other security features and configure the following option:
- Shape Traffic: Cytracom Traffic Shaping
Figure 11: Other security features (click to enlarge)
When finished, click Save.
Disable SIP-ALG and increase UDP timeout
1. Access the command line interface (CLI) by logging in via Telnet or SSH, or by clicking Admin→Console in the upper right-hand corner of the Admin Console window.
Figure 12: The Admin menu (click to enlarge)
2. In the device console, enter the following command to disable the SIP-ALG service:
system system_modules sip unload
Enter the following command to verify the SIP-ALG service is no longer active, and ensure the phones are no longer showing SIP-ALG:
ps | grep sip
3. Enter the following command to show the current UDP timeout time:
show advanced-firewall
4. Enter the following command to set the UDP timeout time to 180 seconds:
set advanced-firewall udp-timeout-stream 1700
5. Enter the following command to disable the backend SIP intrusion service:
set ips sip_preproc disable
Enable ICMP or WAN Ping to allow network monitors
1. In the Sophos UI's Navigation menu, click Administration, then select the Device Access tab.
Figure 13: Administration in the Navigation menu (click to enlarge)
2. In the WAN row, check the Ping/Ping6 box.
Figure 14: The Device Access window (click to enlarge)
Your Sophos firewall should now be correctly configured.
Still have questions? Click here to learn how to contact Cytracom Technical Support.