Sophos XG

Refer to our Firewall Best Practices guide for the latest IP address ranges and services.

Create a Cytracom IP/Host Group + Hosts

  1. Go to System -> Hosts and Services
  2. Under IP Group select Add a group
    • Name: Cytracom
    • Then click Save at the bottom

  1. Under IP Host select Add a host
    • Name: Cytracom_Dal
    • IP Version: IPv4
    • Type: IP Range
    • 209.105.249.194 - 209.105.249.252
    • IP host group: Cytracom
    • Then click Save at the bottom
  2. Under IP Host select Add a host
    • Name: Cytracom_Ken
    • IP Version: IPv4
    • Type: IP Range
    • 184.175.130.161 - 184.175.130.186
    • IP host group: Cytracom
    • Then click Save at the bottom
  3. Under IP Host select Add a host
    • Name: Cytracom_AWS
    • IP Version: IPv4
    • Type: IP Range
    • 3.208.72.128 - 3.208.72.158
    • IP host group: Cytracom
    • Then click Save at the bottom
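
The three ranges above do not fall on CIDR boundaries, which matters if the same allowlist has to be mirrored on a device that only accepts CIDR notation or checked against log data. The following is an added example, not code from Cytracom or Sophos: it converts each range to its exact CIDR cover and flags source addresses that fall outside every range. The function names and the sample source addresses are constructed for illustration.

```python
import ipaddress

# Ranges copied from the IP host entries above.
CYTRACOM_RANGES = {
    "Cytracom_Dal": ("209.105.249.194", "209.105.249.252"),
    "Cytracom_Ken": ("184.175.130.161", "184.175.130.186"),
    "Cytracom_AWS": ("3.208.72.128", "3.208.72.158"),
}


def range_to_cidrs(first, last):
    """Smallest list of CIDR blocks that covers first..last exactly."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))


def host_for(ip):
    """Return the IP host name whose range contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    for name, (first, last) in CYTRACOM_RANGES.items():
        if ipaddress.ip_address(first) <= addr <= ipaddress.ip_address(last):
            return name
    return None


def unexpected_sources(sources):
    """Source addresses that are outside every Cytracom range."""
    return [ip for ip in sources if host_for(ip) is None]


# Constructed sample: source IPs as they might appear in a firewall log export.
# Two of them sit one address past the end of a range.
SAMPLE_SOURCES = ["209.105.249.200", "209.105.249.253", "3.208.72.159",
                  "184.175.130.161", "203.0.113.7"]

if __name__ == "__main__":
    for name, (first, last) in CYTRACOM_RANGES.items():
        print(name, [str(net) for net in range_to_cidrs(first, last)])
    print("outside allowlist:", unexpected_sources(SAMPLE_SOURCES))
```

Rounding any of these ranges up to a single enclosing prefix would admit addresses the IP hosts above do not include, so use the exact cover when CIDR notation is required.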

Add a Firewall Rule

  1. Select User/network rule

Create a Rule Group

  1. The firewall will most likely give an error unless you already have rule groups established. If you do not, go to the Rule Group drop-down and select "Create New".

  2. Then a pop-up window should appear to create a new Rule Group
    • Group Name: Cytracom
    • Group Description: Cytracom VoIP services
    • Rule Type: Any
    • Source Zone: Any
    • Destination Zone: Any
  3. Select Add when done

Create an Outbound Rule

outbound_rule.png

outbound_rule_part2.PNG

outbound_rule_part3.PNG

  • VoIP Guarantee for Traffic Shaping Policy
    1. The guarantee should be at least 90 kbps per device and the limitation, if set, is recommended to be at least 25% of available bandwidth download/upload respectively.

voip_guarantee.PNG

Create an Inbound Rule

inbound_rule_part1.PNG

inbound_rule_part2.PNG

inbound_rule_part3.PNG

final.PNG

Disable SIP ALG & Increase UDP timeout

  1. Log in to the CLI using Telnet or SSH. You can also access the CLI from admin > Console in the upper right corner of the Admin Console screen.

  2. Choose option 4. Device Console.
  3. Execute the following command(s):
  • To disable the SIP ALG service:

Screen_Shot_2020-05-18_at_12.20.35_PM.png

  • To check whether the service is still active and running, if the phones are still showing SIP ALG:

Screen_Shot_2020-05-18_at_12.20.11_PM.png

  • To show the current UDP timeout use the command below:

Screen_Shot_2020-05-18_at_12.20.55_PM.png

  • To set the UDP timeout to the desired value of at least 180 seconds (Sophos recommends 1700), use the command below:

Screen_Shot_2020-05-18_at_12.21.28_PM.png

  • To disable the backend SIP intrusion service:

Screen_Shot_2020-05-18_at_12.24.37_PM.png

Enabling ICMP or WAN ping to allow network monitors

  1. Scroll down to System in the side Menu Bar
  2. Select Administration and then the Device Access Tab
  3. Check the Box for Ping/Ping6 on the WAN column
