FlexPBX - Sophos UTM - 9 and Sophos XG Configuration

Known Issues

  1. This appliance is a Linux based firewall. Without a correct configuration, it will cause intermittent SIP registration and call quality issues for VoIP based services.
  2. This appliance has the SIP module (also known as SIP ALG) enabled by default. Follow the steps described below to disable SIP ALG.
  3. This appliance has a UDP timeout of 60 seconds by default. See below for the steps to modify it.

Configuration

    • Log in to the firewall
    • Click on Network Protection > Firewall
    • Add the following two rules. Please note that these are not designed to adversely impact any rules that have already been created for your organization.
      • Click on the button New Rule.
      • From the Group selection list, select New group
        • Name this group: VoiceServicesIn
      • Position: This will be determined by any rules already in place. At this time, there are no known issues with the particular ordering of these rules.
      • Sources:
        • You will need to create address objects that pertain to the FlexPBX VoIP product being used. Please contact Summit to obtain the IPs that need to be whitelisted.
      • Services:
        • You will need to create service objects for IP ports that pertain to the FlexPBX VoIP product being used. Please contact Summit to obtain the necessary Port ranges that need to be added as Service Objects to your firewall.
      • Destination
        • Click on the folder icon at the top of the destination box to load the predefined variables.
          • From the list of pre-defined variables, drag the following option into the destination box:
            • LAN1 (Network)
        • Click Save after completing this rule.

Note: after creating the above rule, the above variables will be saved in the pre-configured list, and the outbound rule will be a drag-and-drop process, so the particular ranges and variables will not be specified again. If you are unsure, refer to the rule parameters above.

Note: Within the Sophos UI search function, search for NTP and it will appear as a preset service. From there you can drag and drop the service object into the active services window. Be sure to then attach this service object to the service group as well. This allows the date and time to synchronize properly on the phones.

    • Create the second rule by clicking on the New Rule button:
    • From the Group selection list, select New group
    • Name this group: VoiceServicesOut
    • Position: again, this will be based on any rules already configured.
      • Sources: Click on the folder and load the pre-configured variables.
        • Drag the option: LAN1 (Network)
      • Services: Click on the folder and load the pre-configured variables.
        • Drag over the address objects for the IPs created earlier.
      • Destination: Click on the folder and load the pre-configured variables.
        • Drag over the service objects for the ports created earlier.
      • Click Save after completing this rule.
    • Within Network Protection top menu, switch from Firewall to NAT
      • This part may or may not be required. If your Sophos appliance is already passing traffic to/from the internet, this step can be skipped.
        • Click on New Masquerading Rule
          • Network:
            • Click on the folder button to load the pre-configured options.
            • Drag the Any option over.
          • Position: 1
          • Interface: WAN
          • Save.
    • This appliance is QoS capable; the QoS settings will have to be evaluated based upon your available ISP bandwidth.
      • The primary recommendation is to set this on the WAN interface.
        1. Interface and Routing > Quality of Service (QoS)
          1. Click Edit for the WAN interface
          2. Set the Downlink and Uplink values using the results of the speedtest linked here.
          3. Check the box for Upload optimizer.
          4. Click Save.
    • The final step is to set the DNS Forwarders
      • Network Services > DNS
        1. Select the Forwarders tab
          1. In the dialog box, click on the green + button
          2. Add two forwarders
            1. Name: Google1
              1. IPv4 Address: 8.8.8.8
              2. Save
            2. Name: Google2
              1. IPv4 Address: 8.8.4.4
              2. Save
        2. Uncheck the box: Use forwarders assigned by ISP

How to disable SIP ALG

SIP ALG (also known as SIP module) can be disabled by following the steps below:

  1. Log in to the command line console (CLI) using Telnet or SSH. You can also access the CLI from admin > Console in the upper right corner.
  2. Choose option 4. Device Console.
  3. Execute the following command: console> system system_modules sip unload
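As an added diagnostic (not part of the original article or Sophos documentation), the following Python script shows what SIP ALG interference looks like on the wire: it compares a REGISTER as the phone sent it with the copy that reached the PBX and reports which address-bearing headers were rewritten in transit. The SIP messages, addresses and the ALG rewrite are all constructed; a real check would use two packet captures, one on each side of the firewall.

```python
"""Added diagnostic, not Sophos code: diff a REGISTER as sent by the phone
against the copy that reached the PBX to spot ALG-style header rewriting."""
import re

# Constructed sample messages, not a real capture. 192.0.2.10 is the phone's
# private address; 198.51.100.7 stands in for the firewall's WAN address.
SENT_BY_PHONE = (
    "REGISTER sip:pbx.example.invalid SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds;rport\r\n"
    "From: <sip:1001@pbx.example.invalid>;tag=49583\r\n"
    "To: <sip:1001@pbx.example.invalid>\r\n"
    "Call-ID: a84b4c76e66710\r\n"
    "Contact: <sip:1001@192.0.2.10:5060>\r\n"
    "Content-Length: 0\r\n\r\n"
)
# The same message after a SIP ALG has swapped in the public address/port.
RECEIVED_AT_PBX = SENT_BY_PHONE.replace("192.0.2.10:5060", "198.51.100.7:1034")

ADDR_HEADERS = ("Via", "Contact")  # headers an ALG typically rewrites


def parse_headers(msg):
    """Return {header-name: [values]} for one SIP message."""
    head = msg.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().title(), []).append(value.strip())
    return headers


def addresses(value):
    """Extract IPv4 host[:port] tokens from a Via or Contact value."""
    return re.findall(r"(?:\d{1,3}\.){3}\d{1,3}(?::\d+)?", value)


def alg_rewrites(sent, received):
    """List (header, sent_addr, received_addr) for addresses changed in transit.
    An empty list means no ALG-style rewriting was observed."""
    s, r = parse_headers(sent), parse_headers(received)
    diffs = []
    for h in ADDR_HEADERS:
        for sv, rv in zip(s.get(h, []), r.get(h, [])):
            sa, ra = addresses(sv), addresses(rv)
            if sa != ra:
                diffs.append((h, sa[0] if sa else None, ra[0] if ra else None))
    return diffs


if __name__ == "__main__":
    for h, a, b in alg_rewrites(SENT_BY_PHONE, RECEIVED_AT_PBX):
        print(f"{h}: {a} -> {b}")
```

An empty result after the module is unloaded confirms the firewall is no longer rewriting SIP headers.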

How to increase UDP timeout

Sophos XG Firewall has a default UDP timeout of 60 seconds, which is usually too low for reliable VoIP communication.

  1. Log in to the command line console (CLI) using Telnet or SSH. You can also access the CLI from admin > Console in the upper right corner.
  2. Choose option 4. Device Console.
  3. To verify the current UDP timeout value, run the following command: show advanced-firewall

  4. To modify the UDP timeout value to 300 seconds, run the following command: set advanced-firewall udp-timeout-stream 300
