For the latest IP address ranges and services, please refer to our Firewall Best Practices guide.
Create a Cytracom IP/Host Group + Hosts
- Go to System -> Hosts and Services
- Under IP Group select Add a group
- Name: Cytracom
- Then click Save at the bottom
- Under IP Host select Add a host
- Name: Cytracom_Register
- IP Version: IPv4
- Type: IP Range
- 209.105.249.194 - 209.105.249.252
- IP host group: Cytracom
- Then click Save at the bottom
- Under IP Host select Add a host
- Name: Cytracom_Failover
- IP Version: IPv4
- Type: IP Range
- 184.175.130.161 - 184.175.130.186
- IP host group: Cytracom
- Then click Save at the bottom
- Under IP Host select Add a host
- Name: Cytracom_BLF
- IP Version: IPv4
- Type: IP Range
- 3.208.72.128 - 3.208.72.158
- IP host group: Cytracom
- Then click Save at the bottom
- Under IP Host select Add a host
- Name: Cytracom_FW
- IP Version: IPv4
- Type: IP
- 52.90.29.99
- IP host group: Cytracom
- Then click Save at the bottom
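The four host entries above can be checked outside the firewall before or after they are entered. The following is an added example, not part of the original guide or of any Cytracom or Sophos tooling: it converts each range to exact CIDR blocks (useful when an upstream device only accepts CIDR), shows how many extra addresses a single rounded-up CIDR would allow, and checks whether a destination address falls inside the group. The function names and the sample destination addresses are assumptions made for the example.

```python
import ipaddress

# Host entries exactly as listed in the steps above: name -> (first, last).
CYTRACOM_HOSTS = {
    "Cytracom_Register": ("209.105.249.194", "209.105.249.252"),
    "Cytracom_Failover": ("184.175.130.161", "184.175.130.186"),
    "Cytracom_BLF": ("3.208.72.128", "3.208.72.158"),
    "Cytracom_FW": ("52.90.29.99", "52.90.29.99"),
}


def to_cidrs(first, last):
    """Minimal list of CIDR blocks that covers first..last and nothing else."""
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    if lo > hi:
        raise ValueError(f"range start {first} is above range end {last}")
    return [str(n) for n in ipaddress.summarize_address_range(lo, hi)]


def rounding_excess(first, last):
    """Smallest single CIDR containing the range, and how many addresses
    outside the range it would also allow."""
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    net = ipaddress.ip_network(f"{lo}/32")
    while hi not in net:
        net = net.supernet()
    return str(net), net.num_addresses - (int(hi) - int(lo) + 1)


def match_host(ip, hosts=CYTRACOM_HOSTS):
    """Name of the host entry whose range contains ip, or None."""
    addr = ipaddress.IPv4Address(ip)
    for name, (first, last) in hosts.items():
        if ipaddress.IPv4Address(first) <= addr <= ipaddress.IPv4Address(last):
            return name
    return None


if __name__ == "__main__":
    for name, (first, last) in CYTRACOM_HOSTS.items():
        print(name, to_cidrs(first, last), rounding_excess(first, last))
    # Constructed destination addresses, e.g. taken from a firewall log export.
    for dst in ("209.105.249.200", "3.208.72.159", "52.90.29.99"):
        print(dst, "->", match_host(dst) or "not in the Cytracom group")
```

Entering the ranges as IP Range hosts, as the steps above do, keeps the allow-list exact; rounding a range up to one CIDR block admits addresses the guide does not list.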
Add a Firewall Rule
- Select User/network rule
Create a Rule Group
- The firewall will most likely give an error unless you already have rule groups established. If you do not, go to the Rule Group drop-down and select "Create New"
- Then a pop-up window should appear to create a new Rule Group
- Group Name: Cytracom
- Group Description: Cytracom VoIP services
- Rule Type: Any
- Source Zone: Any
- Destination Zone: Any
- Select Add when done
Create an Outbound Rule
- VoIP Guarantee for Traffic Shaping Policy
- The guarantee should be at least 90 kbps per device, and the limitation, if set, is recommended to be at least 25% of the available download and upload bandwidth, respectively.
Disable SIP ALG & Increase UDP timeout
- Log in to the CLI using Telnet or SSH. You can also access the CLI from admin > Console in the upper right corner of the Admin Console screen.
- Choose option 4. Device Console.
- Execute the following command(s):
- To disable the SIP ALG service:
- If the phones are still showing SIP ALG, to show whether the service is still active and running:
- To show the current UDP timeout use the command below:
- To set the UDP timeout to the desired time of at least 180 seconds (Sophos recommends 1700), use the command below:
- To disable the backend SIP intrusion service:
Enabling ICMP or WAN ping to allow network monitors
- Scroll down to System in the side menu bar
- Select Administration and then the Device Access tab
- Check the box for Ping/Ping6 in the WAN column