This document describes the configuration of WatchGuard XTM devices for the use with 3CX. This manual is based on Fireware XTM > v11.11 and should be compatible with any device running this Firmware.
Configuration of the firewall will never be carried out by the 3CX Staff at any point and must be made by the System-Administrator of the company. You must understand the risk of opening ports to the World Wide Web. Read https://www.3cx.com/blog/docs/securing-hints/ for more information and agree with the terms stated. The provided guide is based on the best known effort to configure the Firebox®. 3CX is not liable for any misguidance may made in this guide.
The guide must be used as an example and not as guidelines, for step by step configuration, since the UI may vary (based on the model and firmware version) and/or the described steps might need to be adjusted to fit the existing Firebox® configuration.
Step 1: Create a “Static NAT (SNAT)”
First, the Static NAT must be configured in order to forward the incoming traffic from the Static Public IP, to the local IP of the PBX:
- Navigate under Firebox® UI > Firewall > SNAT and click “Add.”
- In this example the name “3CX_SNAT” is given to the SNAT Policy.
- Select Static NAT.
- Under SNAT Members click “Add.”
- Select the “External Static IP” under the drop down menu. In this example the external IP of the device is 192.168.3.5 which should be used to NAT inbound traffic to the 3CX.
- Enter the Internal/Private IP address of 3CX and click “OK” (in this example the internal/private IP of 3CX is 192.168.4.4).
- Click “Save” and the SNAT Policy is now active.
Step 2: Create Firewall Policy
After setting up the static NAT, a Firewall Policy must be configured:
- Navigate under Firebox® > Firewall > Firewall Policies and click “Add Policy.”
- In this example the name “3CX_Services” is given to the Policy Name.
- As a “Policy Type” select “Custom” and click “Add.”
- In this example the name “3CX_Ports” is given to the “Policy Template.”
- Use the “Add” button below the “Protocols” to add a custom list of ports which shall be allowed to connect to the 3CX. All ports and port ranges which needs to be added into this list can be found here: https://www.3cx.com/docs/3cx-phone-system-v14-ports.
Port 5015 must be opened before the installation process IF the remote, web-based installer is used to install the system.
- “Single Port” or “Port Range” can be selected. When all ports are set, click “Save.”
8. Remove the “From” and “To” objects.
9. Under “From” click “Add.”
10. Under the drop down menu select “Any-External” and “OK.”
11. Under “To” click “Add.”
12. Under the drop down menu select “Static NAT.”
13. The SNAT created previously, will be listed (in this example “3CX_SNAT”). Select the SNAT and “OK.”
14. The Firewall policy should look like the screenshot below:
- 1 - “Allow.”
- 2 - Ports used from 3CX Phone System and must be forwarded to the Local/Private IP of the 3CX Phone System.
- 3 - Source* of the incoming packet.
- 4 - Destination of the incoming packet.
Note - Source*
In this example, “Any-External” is used, therefore any host can establish a connection on the public IP Address of the PBX. In case the source of the incoming traffic must be limited you can create a group of allowed IPs to be allowed under “From.”
- Save the Firewall Policy and the policy is now active.