
How to Configure a WatchGuard XTM Device for 3CX

WatchGuard XTM


This document describes the configuration of WatchGuard XTM devices for use with 3CX. This manual is based on Fireware XTM > v11.11 and should be compatible with any device running this firmware.


Configuration of the firewall will never be carried out by 3CX staff at any point and must be made by the system administrator of the company. You must understand the risk of opening ports to the World Wide Web. Read https://www.3cx.com/blog/docs/securing-hints/ for more information and agree with the terms stated. This guide is a best-effort description of how to configure the Firebox®. 3CX is not liable for any misguidance that may be contained in this guide.

Use this guide as an example rather than as step-by-step configuration guidelines: the UI may vary (based on the model and firmware version), and the described steps might need to be adjusted to fit the existing Firebox® configuration.


Step 1: Create a “Static NAT (SNAT)”

First, the Static NAT must be configured in order to forward incoming traffic from the static public IP to the local IP of the PBX:

  1. Navigate under Firebox® UI > Firewall > SNAT and click Add.
  2. In this example the name 3CX_SNAT is given to the SNAT Policy.
  3. Select Static NAT.
  4. Under SNAT Members click Add.
  5. Select the External Static IP under the drop down menu. In this example the external IP of the device is which should be used to NAT inbound traffic to the 3CX.
  6. Enter the Internal/Private IP address of 3CX and click OK (in this example the internal/private IP of 3CX is
  7. Click Save and the SNAT Policy is now active.

Step 2: Create Firewall Policy

After setting up the static NAT, a Firewall Policy must be configured:

  1. Navigate under Firebox® > Firewall > Firewall Policies and click Add Policy.
  2. In this example the name “3CX_Services” is given to the Policy Name.
  3. As a Policy Type select Custom and click Add.
  4. In this example the name “3CX_Ports” is given to the Policy Template.
  5. Use the Add button below the Protocols to add a custom list of ports which shall be allowed to connect to the 3CX. All ports and port ranges that need to be added to this list can be found here: https://www.3cx.com/docs/3cx-phone-system-v14-ports.

Port 5015 must be opened before the installation process if the remote, web-based installer is used to install the system.

  6. Single Port or Port Range can be selected. When all ports are set, click Save.

8. Remove the From and To objects.

9. Under From click Add.

10. Under the drop down menu select Any-External and click OK.

11. Under To click Add.

12. Under the drop down menu select “Static NAT”.

13. The SNAT created previously will be listed (in this example 3CX_SNAT). Select the SNAT and click OK.

14. The Firewall policy should look like the screenshot below:

  • 1 - “Allow”.
  • 2 - Ports used by 3CX Phone System that must be forwarded to the Local/Private IP of the 3CX Phone System.
  • 3 - Source* of the incoming packet.
  • 4 - Destination of the incoming packet.

Note - Source*

In this example, Any-External is used, so any host can establish a connection to the public IP address of the PBX. If the source of the incoming traffic must be limited, you can create a group of allowed IPs and add it under From.

15. Save the Firewall Policy and the policy is now active.
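The following added example (not 3CX or WatchGuard code) is a simplified model of what the finished policy does to an inbound packet, and of how replacing Any-External with a group of allowed IPs under From narrows who can reach the PBX. All IP addresses and the UDP port range are constructed placeholders; only port 5015 and the object names come from this guide, and Any-External is approximated as 0.0.0.0/0.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Snat:
    name: str
    external_ip: ipaddress.IPv4Address  # public IP selected under SNAT Members
    internal_ip: ipaddress.IPv4Address  # private IP of the PBX


@dataclass(frozen=True)
class Policy:
    name: str
    sources: tuple  # networks allowed under "From"
    snat: Snat      # the "To" object (Static NAT)
    ports: tuple    # (protocol, low, high) entries from the policy template


def evaluate(policy, src, dst, proto, port):
    """Return the internal (ip, port) a packet is forwarded to, or None if dropped."""
    if ipaddress.ip_address(dst) != policy.snat.external_ip:
        return None  # not addressed to the NATed public IP
    src_ip = ipaddress.ip_address(src)
    if not any(src_ip in net for net in policy.sources):
        return None  # source is not listed under "From"
    if not any(p == proto and lo <= port <= hi for p, lo, hi in policy.ports):
        return None  # port is not in the policy template
    return (str(policy.snat.internal_ip), port)


# Constructed sample values (documentation address ranges, placeholder UDP range).
SNAT = Snat("3CX_SNAT",
            ipaddress.ip_address("203.0.113.10"),
            ipaddress.ip_address("192.168.1.50"))
PORTS = (("tcp", 5015, 5015), ("udp", 40000, 40010))
ANY_EXTERNAL = (ipaddress.ip_network("0.0.0.0/0"),)        # approximation of Any-External
ALLOWED_GROUP = (ipaddress.ip_network("198.51.100.0/24"),)  # hypothetical allowed-IP group

OPEN_POLICY = Policy("3CX_Services", ANY_EXTERNAL, SNAT, PORTS)
RESTRICTED_POLICY = Policy("3CX_Services", ALLOWED_GROUP, SNAT, PORTS)

if __name__ == "__main__":
    probe = ("192.0.2.7", "203.0.113.10", "tcp", 5015)
    print("Any-External :", evaluate(OPEN_POLICY, *probe))
    print("Allowed group:", evaluate(RESTRICTED_POLICY, *probe))
```
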
