Configuring a WatchGuard XTM

Introduction

This document describes how to configure WatchGuard XTM devices for use with ECLOUD. This manual is based on Fireware XTM > v11.11 and should be compatible with any device running this firmware. Please note that we cannot assist you in the configuration of your firewall.

Step 1: Create a Static NAT (SNAT)

First, configure the Static NAT so that incoming traffic on the static public IP is forwarded to the local IP of the PBX:

  1. Navigate to Firebox® UI → Firewall → SNAT and click “Add”.
  2. Enter the name “ECLOUD_SNAT” into the SNAT Policy.
  3. Select Static NAT.
  4. Under SNAT Members click “Add”.
  5. Select the “External Static IP” from the drop-down menu. The external IP of the device should be used to NAT inbound traffic to the ECLOUD.
  6. Enter the Internal/Private IP address of ECLOUD and click “OK”.
  7. Click “Save”. The SNAT Policy is now active.

Step 2: Create Firewall Policy

After setting up the static NAT, a Firewall Policy must be configured:

  1. Navigate to Firebox® → Firewall → Firewall Policies and click “Add Policy”.
  2. Fill in “ECLOUD_Services” as the Policy Name.
  3. As a “Policy Type” select “Custom” and click “Add”.
  4. Fill in “ECLOUD_Ports” as the Name for the “Policy Template”.
  5. Use the “Add” button below the “Protocols” to add a custom list of ports that shall be allowed to connect to ECLOUD. All ports and port ranges that need to be added to this list can be found here. When all ports have been added, click “Save”.
  6. Remove the “From” and “To” objects.
  7. Under the “From” section click “Add.”
  8. Under the drop-down menu select “Any-External” and “OK.”
  9. Under “To” click “Add.”
  10. Under the drop-down menu for Member type select “Static NAT”.
  11. The previously created SNAT will be listed (in this example “ECLOUD_SNAT”). Select the SNAT and “OK.”
  12. The Firewall policy should look like the screenshot below:
      • 1 – “Allowed”
      • 2 – Ports used by the ECLOUD Phone System, which must be forwarded to the Local/Private IP of the ECLOUD Phone System.
      • 3 – Source of the incoming packet.
      • 4 – Destination of the incoming packet.
  13. Save the Firewall Policy. The policy is now active.

Step 3: Validating Your Setup

  1. Log into your ECLOUD Management Console → Dashboard → Firewall and run the ECLOUD Firewall Checker. This will validate whether your firewall is correctly configured for use with ECLOUD.
  2. Navigate to Firebox® UI → Firewall → SNAT to confirm you have a SNAT Policy so traffic can reach the ECLOUD server.
  3. Navigate to Firebox® → Firewall → Firewall Policies to see the overview of your configuration. Click on the ECLOUD policy name (i.e. “ECLOUD_Ports”) to confirm all of the specific configurations are in place.
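
Because the policy accepts traffic from “Any-External”, it is worth confirming from a host outside the firewall that the SNAT exposes the policy's ports and nothing else. The script below is an added example, not part of the original guide or of any ECLOUD or WatchGuard tooling. The IP address, the port numbers and the function names are placeholders and assumptions to replace with your own values.

```python
"""Audit which TCP ports a static-NAT'd public IP exposes (added example)."""
import socket


def tcp_port_open(host, port, timeout=2.0):
    """Return True if a full TCP handshake to host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, filtered (timeout) or unreachable
        return False


def audit_exposure(host, should_be_open, should_be_closed, timeout=2.0):
    """Compare observed reachability with what the policy is meant to allow.

    Returns (missing, unexpected):
      missing    - ports in the policy that did not answer
      unexpected - ports outside the policy that answered anyway
    """
    missing = sorted(p for p in should_be_open
                     if not tcp_port_open(host, p, timeout))
    unexpected = sorted(p for p in should_be_closed
                        if tcp_port_open(host, p, timeout))
    return missing, unexpected


if __name__ == "__main__":
    # Constructed placeholders, not values from this guide: use your own
    # external static IP and the TCP ports you entered in "ECLOUD_Ports".
    PUBLIC_IP = "203.0.113.10"           # RFC 5737 documentation address
    POLICY_TCP_PORTS = {10001, 10002}    # placeholder port numbers
    # Ports a PBX-only policy has no reason to forward (assumed sample set).
    NOT_IN_POLICY = {22, 23, 3389, 8080}

    missing, unexpected = audit_exposure(
        PUBLIC_IP, POLICY_TCP_PORTS, NOT_IN_POLICY)
    for port in missing:
        print(f"MISSING    tcp/{port}: in the policy but not reachable")
    for port in unexpected:
        print(f"UNEXPECTED tcp/{port}: reachable but not in the policy")
    if not missing and not unexpected:
        print("TCP exposure matches the policy")
    # UDP ports in the policy cannot be confirmed with a connect test.
```

Run it from a network outside the firewall; a test from the LAN side does not traverse the SNAT and tells you nothing about the policy.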