Configuring Sophos XG Firewall for 8x8 Services

Updated: 04/20/2024

Objective

Configuring Sophos XG to work with 8x8 services.

Applies To

  • Sophos XG 85

Procedure

The purpose of this article is to provide a sample configuration. At the time of article creation, this device was in a known working state on the firmware used. 

Keep in mind different firmware versions will interact with hosted VoIP services in different ways. While this device may be fully functional on the tested and/or current firmware version, it is possible newer revisions will cause disruptions in service or make a device fully compliant with the required settings for hosted VoIP services where it was previously not.
  1. Log in to the firewall using any SSH client. In this example, we used Putty.
    2018-12-10_11h06_55.png
  2. Once you are in Device Console mode, enter "show advanced-firewall" to view the current firewall status.
    2018-12-10_11h08_51.png

Load SIP Module

Sophos Firewalls are one of the few devices that require SIP ALG to be enabled as of writing this article. This may change with new firmware versions.
  1. To view the current status of the SIP module, enter "system system_modules show."
    2018-12-10_11h26_38.png
  2. If you see "sip" "unloaded" enter the following command to load SIP.
    • system system_modules sip load
      2018-12-10_11h28_07.png
  3. To make sure the SIP modeule is loaded, run "system system_modules show."

Set UDP Timeout

  1. To show the advanced firewall, run the command "show advanced-firewall."
    2018-12-10_11h29_35.png
  2. Set the UDP timeout by running the command "set advanced-firewall udp-timeout-stream 660."

Turn off Strict Policy

  • Run command "set advanced-firewall strict-policy off" to turn off strict policy.

Add 8x8 Subnets to QoS and Firewall

  1. Navigate to the Firewall.
  2. Enter a rule name and set the rule position to Top.
    2018-12-10_11h33_31.png
  3. Set source zone to LAN.
  4. Set destination zones to WAN.
  5. For subnets, see X Series Technical Requirements.

Additional Information

Known issues with incorrectly configured Sophos:
  • Call Misrouting
  • Call drops
  • Call transfers failing
  • Device connectivity and registration issues 
Sophos devices require the SIP Module to be enabled for SIP traffic to pass correctly on the network. While testing the XG 85, it was discovered that with the SIP Module disabled, the phones would experience issues with: