Configuring a WatchGuard XTM with 3CX

Introduction

WatchGuard XTM

This document describes how to configure WatchGuard XTM devices for use with 3CX. It is based on Fireware XTM v12.9.2 and later and should apply to any device running that firmware. Please note that we cannot assist you with the configuration of your firewall.

Step 1: Create a Static NAT (SNAT)

First, a Static NAT must be configured so that inbound traffic arriving on the static public IP is forwarded to the private IP of the PBX:

  1. Navigate to Firebox® UI → Firewall → SNAT.
  2. Click the lock icon to unlock the configuration for changes, then click Add.
  3. Enter the name 3CX_SNAT for the SNAT Policy.
  4. Select Static NAT as the type.
  5. Under SNAT MEMBERS, click Add.


WatchGuard XTM Configuration Steps

  6. Select the IP address/interface from the drop-down menu. Use the external IP of the device: this is the address on which inbound 3CX traffic arrives and is translated to the PBX.
  7. Enter the internal/private IP address of 3CX and click OK.


WatchGuard XTM Configuration - Add Member

  8. Click Save. The SNAT Policy is now active.


WatchGuard XTM Configuration - SNAT policy

Step 2: Create Firewall Policy

After setting up the Static NAT, a Firewall Policy must be configured:

  1. Navigate to Firebox® → Firewall → Firewall Policies and click “Add Policy”.


Firewall → Firewall Policies → “Add Policy”

  2. As the “Policy Type” select “Custom” and click “Add”.


Policy type > Custom > Add

  3. Fill in “3CX_Ports” as the Name for the Policy Template.
  4. Use the “Add” button below “PROTOCOLS” to add the list of ports that should be allowed to reach 3CX. Add only the ports your 3CX installation actually requires, since this policy will be opened to Any-External. When all ports have been added, click “Save”.


Add Policy Template

  5. Click ADD POLICY.
  6. Fill in “3CX_Services” as the Policy Name.
  7. Remove the default “From” and “To” objects.
  8. Under the “From” section, click “Add”.
  9. From the drop-down menu select “Any-External” and click “OK”.
  10. Under “To”, click “Add”.
  11. From the Member type drop-down menu select “Static NAT”.
  12. The previously created SNAT will be listed (in this example “3CX_SNAT”). Select it and click “OK”.
  13. The Firewall Policy should look like the screenshot below:
  14. Save the Firewall Policy. The policy is now active.

Step 3: NAT Loopback (Hairpin)

If you do not have an internal DNS server to use for split DNS, you can use NAT loopback (hairpin NAT) so that clients on the internal network can reach the 3CX FQDN even though it resolves to your public IP.

To do this, create another Firewall Policy by following the steps in Step 2: Create Firewall Policy, with the following changes:

  1. In Step 2.2, instead of adding a new custom policy template, select the one already created, named 3CX_Ports.


NAT Loopback (Hairpin)

  2. In Step 2.6, use 3CX_Services_Hairpin as the name.
  3. In Step 2.7, do not remove the “From” object. Keep Any-Trusted and/or add any other internal networks to which the NAT loopback (hairpin) should apply. Do not add Any-External to this policy; inbound traffic from the Internet is already handled by 3CX_Services, and the hairpin policy should only be reachable from your internal networks.

Step 4: Validating Your Setup

  1. Log into your 3CX Management Console → Dashboard → Firewall and run the 3CX Firewall Checker. It validates whether your firewall is correctly configured for use with 3CX. More information is available in the 3CX documentation for the Firewall Checker.
  2. Navigate to Firebox® UI → Firewall → SNAT to confirm that the SNAT Policy exists, so that inbound traffic can reach the 3CX server.


Firebox® UI → Firewall → SNAT

  3. Navigate to Firebox® → Firewall → Firewall Policies to see an overview of your configuration. Click the 3CX policy name (in this example “3CX_Services”, built from the “3CX_Ports” template) to confirm that all of the specific settings are in place.
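The Firewall Checker validates the inbound path from the Internet; it does not tell you whether the Step 3 hairpin policy works for clients inside the network. The following Python script is an added example, not part of the 3CX or WatchGuard documentation, intended to be run from a host on a trusted network after Steps 1 to 3 are complete. It resolves the PBX FQDN, reports whether the internal resolver returns the public IP (the case the hairpin rule exists for) and then attempts a TCP handshake to every forwarded TCP port on that public IP. The FQDN pbx.example.com, the address 203.0.113.10 and the port list are placeholder assumptions; substitute your own values and the ports your 3CX installation actually requires.

```python
"""Check a 3CX port-forward and NAT-loopback (hairpin) setup from an internal host.

UDP ports (SIP over UDP, RTP) have no handshake and are left to the
3CX Firewall Checker; this script probes the TCP ports only.
"""
from __future__ import annotations

import socket
import sys
from dataclasses import dataclass
from typing import Callable

# Constructed placeholder values; replace with your own. 203.0.113.10 is a
# documentation address (TEST-NET-3) and pbx.example.com is a placeholder FQDN.
EXAMPLE_FQDN = "pbx.example.com"
EXAMPLE_PUBLIC_IP = "203.0.113.10"
# Same shape as the PROTOCOLS entries of the 3CX_Ports template. These are the
# commonly used 3CX defaults and are an assumption here: use the exact ports
# your installation requires.
EXAMPLE_PORTS = "5001/tcp,5060/tcp,5060/udp,5061/tcp,5090/tcp,5090/udp,9000-10999/udp"


@dataclass(frozen=True)
class PortRange:
    proto: str  # "tcp" or "udp"
    start: int
    end: int    # inclusive


def parse_ports(spec: str) -> list[PortRange]:
    """Parse "5060/tcp,9000-10999/udp" into PortRange entries, validating each."""
    ranges: list[PortRange] = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        ports, sep, proto = item.partition("/")
        proto = proto.lower()
        if not sep or proto not in ("tcp", "udp"):
            raise ValueError(f"missing or unknown protocol in {item!r}")
        lo, _, hi = ports.partition("-")
        try:
            start, end = int(lo), int(hi or lo)
        except ValueError:
            raise ValueError(f"non-numeric port in {item!r}") from None
        if not 1 <= start <= end <= 65535:
            raise ValueError(f"port range out of order or out of bounds in {item!r}")
        ranges.append(PortRange(proto, start, end))
    return ranges


def resolve_ipv4(fqdn: str) -> set[str]:
    """All IPv4 addresses the local resolver returns for the FQDN."""
    return {info[4][0] for info in socket.getaddrinfo(fqdn, None, socket.AF_INET)}


def needs_hairpin(resolved: set[str], public_ip: str) -> bool:
    """True when internal clients see the public IP, so the Step 3 policy carries
    their traffic. If the resolver returns the private PBX address instead, split
    DNS is in place and the hairpin policy is never exercised."""
    return public_ip in resolved


def tcp_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """Complete a TCP handshake to host:port; any socket error counts as closed."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_tcp_ranges(
    host: str,
    ranges: list[PortRange],
    probe: Callable[[str, int, float], bool] = tcp_open,
    timeout: float = 2.0,
) -> dict[int, bool]:
    """Probe every TCP port in the ranges; returns {port: reachable}.
    `probe` is injectable so the logic can be exercised without a network."""
    results: dict[int, bool] = {}
    for r in ranges:
        if r.proto != "tcp":
            continue
        for port in range(r.start, r.end + 1):
            results[port] = probe(host, port, timeout)
    return results


def closed_ports(results: dict[int, bool]) -> list[int]:
    """Ports that did not answer: the SNAT, the policy template or the hairpin
    rule is not passing that port."""
    return sorted(p for p, ok in results.items() if not ok)


def main(argv: list[str]) -> int:
    fqdn = argv[1] if len(argv) > 1 else EXAMPLE_FQDN
    public_ip = argv[2] if len(argv) > 2 else EXAMPLE_PUBLIC_IP
    spec = argv[3] if len(argv) > 3 else EXAMPLE_PORTS

    resolved = resolve_ipv4(fqdn)
    print(f"{fqdn} resolves to {sorted(resolved)}")
    if needs_hairpin(resolved, public_ip):
        print("resolver returns the public IP: the hairpin policy is in use")
    else:
        print("resolver does not return the public IP: split DNS is in place")

    results = check_tcp_ranges(public_ip, parse_ports(spec))
    for port, ok in sorted(results.items()):
        print(f"  {public_ip}:{port}/tcp {'open' if ok else 'CLOSED'}")
    return 1 if closed_ports(results) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 check_3cx_fw.py pbx.example.com 203.0.113.10 "5001/tcp,5060/tcp,5061/tcp,5090/tcp"` from a workstation on a network listed in the From field of 3CX_Services_Hairpin. A CLOSED port when the resolver returns the public IP points at the hairpin policy or the 3CX_Ports template; a CLOSED port when the resolver returns the private address points at the PBX itself or at a policy between the client network and the PBX, not at the NAT rules.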

Last Updated

This document was last updated on 07 July 2023

https://www.3cx.com/docs/watchguard-xtm-firewall/ 
