Guide on How to Configure a WatchGuard XTM Device for Use With 3CX Phone System


This document describes the configuration of WatchGuard XTM devices for the use with 3CX Phone System. This manual is based on Fireware XTM > v11.3 and should be compatible with any device running this Firmware. This guide is based upon the Fireware XTM Policy Manager, but the instructions should also work on the Web GUI.


In general Watchguard firewalls are know to work correctly and can be used as gateway in front of a 3CX Phone System to connect Voip Provider, direct Remote Extensions (STUN) and 3CX Tunnel connection.

The status of this type of firewall is “Supported”.


Configuration of the firewall will never be carried out by the 3CX Staff at any point and must be made by the System-Administrator of the company. You must understand the risk of opening ports to the World Wide Web. Read for more information and agree with the terms stated. The provided guide is based on the best known effort to configure the device(s). 3CX is not liable for any misguidance may made in this guide.

Configure NAT

Start the WatchGuard System Manager and from there start the Fireware XTM Policy Manager.

1. The screenshot below is from a default installation. In this setup there is no need for an outbound policy for the 3CX Phone System because of the Any/Any rule at the bottom.

2. Create a new policy by pressing the + sign to “Add Policy”.

3. Select “Custom” and press “New…”. A new dialog opens where a set of ports can be assigned to the “New Policy Template”.

4. Add all port needed to connect from the outside to the 3CX Phone System (NAT ports). To determine the ports needed, for the setup which should be archived, check this link “”, as the ports may depend on the version you are using.


5. The custom policy is now ready to use, expand “Custom”, select “3CX Phone System” and then “New..” to create a new rule based on the created port set.

6. In the “New Policy Properties”, tab “Policy” configure the name of the rule: 3CX-Inbound

a. Under From: remove “Any-Trusted” and replace it with “Any-External”.
Note: If all external peer’s IP addresses are static and know, replace “Any-External” with detailed IP addresses/range given by remote clients or VoIP provider to increase the security aspect.
b. Under To: remove “Any-External” and click “Add”. The “Add Address” screen displays and must be used to add a SNAT rule.
c. Give the SNAT-rule a name, for example: SNAT-3CX-Server and an optional description. Leave the type at Static NAT.
d. Click Add to add the SNAT Members.From the drop down choose either External or another external IP if you have multiple configured on your External interface. Set the Internal IP Address to the IP of the 3CX server ( in this example) and OK

e. The SNAT rule is now added to the Add Address screen. Click “OK”.


Run the 3CX Firewall Checker to validate the setup from the 3CX Phone System Management Console “Settings” > “Firewall Checker”. All tested ports must return green / working.

Liked this article?

Get notified of new articles
or share
You might also be interested in:
  1. Craig

    We currently have a 1-to-1 outbound nat in place from our phone server to the public IP. Is this not necessary?
    Also our SNAT is not from Any External but from our Public IP Address to the Private 3cx address.
    Shoild I change it to Any External?

    April 14, 2014 at 3:05 pm
  2. @Craig – We use a WatchGuard XTM-330 running under Fireware 11.6.5. On older versions of XTM we used a 1 to 1 outbound nat. Currently we do not however you can. The more secure way to use SNAT is either setting it to Any External or the external IP from your SIP provider. Regardless of the configuration, 3CX PBX and WatchGuard XTM wok perfect together!

    April 15, 2014 at 2:37 pm