8x8 Support

Configure a Palo Alto Networks (PAN) Firewall with Firmware 8.0 and Up

Important: The purpose of this article is to provide a sample configuration. At the time of article creation, this device was in a known working state on the firmware used.

Keep in mind that different firmware versions will interact with hosted VoIP services in different ways. While this device may be fully functional on the tested and/or current firmware version, it is possible that newer revisions will cause disruptions in service or make a device fully compliant with the required settings for hosted VoIP services where it was previously not.

This article applies to Palo Alto firewalls on firmware 8.0 and above. For configuring a Palo Alto Networks firewall with firmware lower than 8.0, refer here.

Objective

Configuring a Palo Alto Networks Firewall for 8x8 services.

Note: Guidance on Palo Alto Networks firewalls is publicly available within Palo Alto Networks device documentation.

Applies To

  • Palo Alto Networks Firewalls

Procedure

Administrative Information

  1. Make sure your firewall is powered on and connected to your network.
  2. Connect the RJ-45 Ethernet cable from the RJ-45 port on your computer to the MGT port on the firewall.
  3. If necessary, change the IP address on your computer to an address in the 192.168.1.0/24 range (e.g., 192.168.1.3).
  4. In a browser on a computer on the same network as the Palo Alto Networks firewall, navigate to https://192.168.1.1
  5. Log in (default credentials shown below).
    • Username: admin
    • Password: admin
Note: If you are not able to connect to the web interface, consult the quick start guide for your particular device model for additional options.
Important: Adding/editing 8x8 subnets is recommended when available. Click here to review the X Series and ZTP documentation.

Configuring 8x8 Voice Services on Palo Alto Networks Firewalls

Add 8x8 Public IP Subnets

  1. Go to Objects > Addresses.
  2. Click Add.
  3. Tags can be added only if they have been manually created under the Tags field; otherwise, leave it blank.
  4. Click here to add the complete list of 8x8 subnets.

Create an Address Group for 8x8 Public IP Subnets

  1. Go to Objects > Address Groups.
  2. Add all entries you created in the previous screen. (The Name can be whatever you prefer.)

Create a Security Rule on PAN System

  1. Go to Policies > Security.
  2. Click Add.
  3. On the General tab, name the Security Rule and add a Description as desired.
  4. On the Source tab, set Source Address or Source Zone (this is any subnet or zone that will have 8x8 phones or 8x8 Work Desktop or Mobile running on it).
  5. Leave the User tab blank.
  6. On the Destination tab, set the Destination Address by adding the Destination Address group you created earlier.
  7. Set the Destination Zone to the Untrust (WAN/Internet) zone for your network.
  8. On the Application tab, click + add and add the following applications:
    • 8x8 
    • web-browsing
    • vidyo
    • stun
    • ssl
    • sip-application
    • sip
    • rtp
    • rtp-base
    • rtmpt
    • rtmp
    • rtcp
    • jabber
  9. Set the Service/URL Category to ANY.
  10. On the Actions tab, set Action Setting to Allow.
  11. Click OK.
  12. Move the newly created security rule to the top of the rule list to avoid rule conflicts.

Create an Application Override Rule for UDP

  1. Go to Policies > Application Override.
  2. Click Add.
  3. On the General tab, name the rule and add a description.
  4. On the Source tab, set Source Address or Source Zone (this is any subnet or zone that will have 8x8 phones or 8x8 Work Desktop or Mobile running on it).
  5. On the Destination tab, set the Destination Address by adding the Destination Address group you created earlier.
  6. Set the Destination Zone to the Untrust zone for your network.
  7. On the Protocol/Application tab, select UDP.
  8. Add the following UDP ports into the Port field:
    • 16150
    • 26384
    • 28591-28597
    • 28693
    • 5060
    • 5061
    • 5196-5199
    • 5299
    • 5399
    • 5301
    • 5401
    • 5443

(Please see our X Series Tech Requirements document for more information on port ranges and services.)

  9. For Application, select 8x8 App.
  10. Click OK.
  11. Commit Changes.
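
To check which flows the Application Override rule above would cover, the following added example (not 8x8 or Palo Alto Networks code) parses the Port field value from step 8 and tests constructed flows against the rule's protocol, destination and port scope. The destination group uses RFC 5737 documentation ranges as placeholders, because the actual 8x8 subnet list is linked rather than reproduced in this article, and the matching logic is a simplified model of the rule, not PAN-OS itself.

```python
import ipaddress

# UDP ports from step 8 of the Application Override procedure, as one Port field value.
PORT_FIELD = "16150,26384,28591-28597,28693,5060,5061,5196-5199,5299,5399,5301,5401,5443"

# Placeholder address group (RFC 5737 documentation ranges), NOT the real 8x8 subnets.
ADDRESS_GROUP = ["192.0.2.0/24", "198.51.100.0/24"]

# Constructed sample flows: (protocol, destination IP, destination port).
SAMPLE_FLOWS = [
    ("udp", "192.0.2.10", 5060),     # inside scope
    ("udp", "198.51.100.7", 28595),  # inside scope (within 28591-28597)
    ("udp", "192.0.2.10", 5200),     # port just past 5196-5199
    ("tcp", "192.0.2.10", 5061),     # rule is UDP only
    ("udp", "203.0.113.5", 5060),    # destination not in the address group
]

def parse_port_field(field):
    """Parse a comma-separated port list with ranges into sorted (lo, hi) tuples."""
    ranges = []
    for item in field.split(","):
        lo, _, hi = item.strip().partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"invalid port entry: {item!r}")
        ranges.append((lo, hi))
    ranges.sort()
    # Reject duplicate or overlapping entries, which usually indicate a typo.
    for (a_lo, a_hi), (b_lo, b_hi) in zip(ranges, ranges[1:]):
        if b_lo <= a_hi:
            raise ValueError(f"overlapping entries: {a_lo}-{a_hi} and {b_lo}-{b_hi}")
    return ranges

def override_matches(flow, ranges, group):
    """True if the flow is UDP, destined to the group, and on a listed port."""
    proto, dst_ip, dst_port = flow
    if proto != "udp":
        return False
    addr = ipaddress.ip_address(dst_ip)
    if not any(addr in ipaddress.ip_network(net) for net in group):
        return False
    return any(lo <= dst_port <= hi for lo, hi in ranges)

def outside_scope(flows):
    """Return the flows that the override rule would not match."""
    ranges = parse_port_field(PORT_FIELD)
    return [f for f in flows if not override_matches(f, ranges, ADDRESS_GROUP)]

if __name__ == "__main__":
    for flow in outside_scope(SAMPLE_FLOWS):
        print("not covered by override rule:", flow)
```
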

Additional Information 

The phones require a minimum UDP and TCP timeout of 660 seconds (11 minutes). Depending on the network setup, these settings may need to be modified on the PAN.

Known Issues 

  • Fax services in particular do not work reliably with the higher-resolution codecs.

Additional Configuration

If needed, the 8x8 XML file can be uploaded to your Palo Alto Firewall. Follow the steps below if you would like to import the XML file to the PAN firewall.

  1. Right-click this link and select "save link as" to download the file to your computer.
  2. Go to Objects > Applications.
  3. Click Import.
  4. Import the downloaded 8x8_Palo_Alto_Networks_XML file.