Skip to main content

 

 
8x8 Support

Configuring a Palo Alto Networks Firewall with Firmware Lower than 8.0

Important-Icon.png The purpose of this article is to provide a sample configuration. At the time of article creation, this device was in a known working state on the firmware used. 

Keep in mind different firmware versions will interact with hosted VoIP services in different ways. While this device may be fully functional on the tested and/or current firmware version, it is possible newer revisions will cause disruptions in service or make a device fully compliant with the required settings for hosted VoIP services where it was previously not.
Important-Icon.png

For Palo Alto firewalls on firmware lower than 8.0. For configuring a Palo Alto Networks Firewall with firmware 8.0 and higher, refer here.

Objective

Configuring a Palo Alto Networks Firewall for 8x8 services.

Note-Icon.png Note: Guidance on Palo Alto Networks firewalls is publicly available within Palo Alto Networks device documentation.

Applies To

  • Palo Alto Networks Firewalls

PA-5060_Left.png

Procedure

Administrative Information

  1. Make sure your firewall is powered on and connected to your network.
  2. Connect the RJ-45 Ethernet cable from the RJ-45 port on your computer to the MGT port on the firewall.
  3. Change the IP address on your computer to an address in the 192.168.1.0/24 range (e.g., 192.168.1.3).
  4. In a browser on a computer on the same network as the Palo Alto Networks firewall, navigate to https://192.168.1.4
  5. Log in (default credentials shown below).
    • Username: admin
    • Password: admin
Note-Icon.png Note: If you are not able to connect to the web interface, consult the quick start guide for your particular device model for additional options.
Important-Icon.png Adding or editing 8x8 subnets is recommended when available. Click here to review the X Series and ZTP documentation.

Configuring 8x8 Voice Services on Palo Alto Networks Firewalls

Disable SIP ALG

  1. Go to Objects > Applications.
  2. Search for and select SIP.
    PAN01.png
  3. In the SIP Application window, under Options, to the right of ALG, click Customize.
    PAN02.png
  4. Check the box to Disable ALG.
    PAN03.png
  5. Click OK, then Close the SIP Application window.

Import the 8x8 Application XML into the PAN System

  1. Right-click this link and select "save link as" to download the file to your computer.
  2. Go to Objects > Applications.
  3. Click Import.
    PANXML.png
  4. Import the downloaded 8x8_Palo_Alto_Networks_XML file.

Add 8x8 Public IP Subnets

  1. Go to ObjectsAddresses.
  2. Click Add.
    PAN05.png
  3. Click here to add the complete list of 8x8 subnets. See the Traffic Shaping and Specific Subnet/Port Configuration.

Create an Address Group for 8x8 Public IP Subnets

  1. Go to Objects > Address Groups.
  2. Add all entries you created in the previous screen. (The Name can be whatever you prefer.)
    PAN06.png

Create an Application Override Rule for UDP

  1. Go to Policies > Application Override.
  2. Click Add.
    PAN07.png
  3. On the General tab, name the rule and add a description.
    PAN08.png
  4. On the Source tab, set Source Address or Source Zone (this is any subnet or zone that will have 8x8 phones or 8x8 8x8 Work Desktop or Mobile running on it).
    PAN09.png
  5. On the Destination tab, set the Destination Address by adding the Destination Address group you created earlier.
  6. Untrust the zone for your network.
    PAN10.png
  7. On the Protocol/Application tab, select UDP.
  8. Copy and paste all of the following UDP ports into the Port field: 5060,5061,5196-5199,5299,5399,5301,5401,5443
  9. For Application, select 8x8 App.
    PAN11.png
  10. Click OK.

Create a Security Rule on PAN System

  1. Go to Policies > Security.
  2. Click Add.
    PAN12.png
  3. On the General tab, name the Security Rule and add a Description as desired.
    PAN13.png
  4. On the Source tab, set Source Address or Source Zone (this is any subnet or zone that will have 8x8 phones or 8x8 8x8 Work Desktop or Mobile running on it).
    PAN14.png
  5. Leave the User tab blank.
  6. On the Destination tab, set the Destination Address by adding the Destination Address group you created earlier.
  7. Untrust the zone for your network.
    PAN15.png
  8. On the Application tab, click + add and add 8x8 App.
    PAN16.png
  9. Leave Service/URL Category tab blank (or as set by default).
  10. On the Actions tab, set Action Setting to Allow.
    PAN18.png
  11. Click OK.
  12. Move the newly created security rule to the top of rule list to avoid rule conflicts.
     
  13. Commit Changes.

Additional Information

The phones require a minimum UDP and TCP time out of 660 seconds or 11 minutes. Depending on the network setup, these settings may need to be modified on the PAN.

  • Was this article helpful?