
Required Configuration for SonicWALL

This guide details required configurations for SonicWALL routers. There are four critical settings to check in order to confirm that the SonicWALL is configured for Weave Phones.

  1. The SonicWALL is receiving an internet routable (public) IP address on its WAN interface.

  2. In the VoIP section, Enable Consistent NAT has been enabled.

  3. In the Security Services section, under the Intrusion Prevention tab, the Prevent ALL box for low priority attacks is not enabled.

  4. Ensure that your SonicWall has sufficient resources to perform DPI or disable DPI entirely.

Below are detailed steps to configure the SonicWALL.


Checking for a public IP address on the WAN Interface

  1. On the sidebar, locate and click the tab labeled Network

  2. From the drop down menu, select Interfaces

  3. Verify that the WAN interface is receiving a public IP address. If the IP address begins with 192.168.X.X, 10.X.X.X or 172.16.X.X-172.31.X.X, then the SonicWALL is not receiving a public IP address and you should contact your ISP to put your modem in bridge, DMZ, or PPPoE mode.
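
The address check in step 3, as an added example that is not part of the original guide: a Python sketch that tests a WAN address against the three private ranges listed above, including the 172.x boundary addresses that are easy to misjudge. The function names and sample addresses are constructed for illustration.

```python
import ipaddress

# The three private ranges named in the guide (RFC 1918 blocks).
PRIVATE_BLOCKS = [
    ipaddress.ip_network("10.0.0.0/8"),       # 10.X.X.X
    ipaddress.ip_network("172.16.0.0/12"),    # 172.16.X.X through 172.31.X.X
    ipaddress.ip_network("192.168.0.0/16"),   # 192.168.X.X
]


def private_block(wan_ip):
    """Return the listed private block containing wan_ip, or None.

    Accepts "a.b.c.d" or "a.b.c.d/prefix" (hypothetical input format;
    copy the value shown for the WAN interface).
    """
    addr = ipaddress.ip_interface(wan_ip.strip()).ip
    if addr.version != 4:
        raise ValueError("expected an IPv4 address, got %s" % wan_ip)
    for block in PRIVATE_BLOCKS:
        if addr in block:
            return block
    return None


def check_wan(wan_ip):
    """Summarize the result of step 3 for one WAN address."""
    block = private_block(wan_ip)
    if block is None:
        return "%s: outside the private ranges listed in the guide" % wan_ip
    return ("%s: private (%s); ask the ISP for bridge, DMZ, or PPPoE mode"
            % (wan_ip, block))


# Constructed sample addresses, not taken from any real deployment.
SAMPLES = [
    "192.168.1.2",      # private
    "10.20.30.40/24",   # private, written with a prefix length
    "172.31.255.254",   # last address of the 172.16-172.31 range: private
    "172.32.0.1",       # just past the range: not private
    "172.15.9.9",       # just before the range: not private
    "203.0.113.10",     # documentation address standing in for a public IP
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(check_wan(sample))
```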


Enabling Consistent NAT

  1. On the sidebar, click on the VoIP tab

  2. At the top of the VoIP configuration page, check the box labeled Enable Consistent NAT

  3. Ensure all other boxes on the VoIP page are not checked


Configuring Intrusion Prevention and Deep Packet Inspection

Low priority attack prevention can cause signaling issues if it is enabled. By default, SonicWALL does not enable prevention for low priority attacks. You can verify this setting by doing the following:

  1. On the sidebar, click the Security Services tab

  2. In the drop down menu, select Intrusion Prevention

  3. Make sure the box in the Prevent All column for Low Priority Attacks is unchecked

It is possible to enable the low priority attacks setting if the Weave IP addresses are added to the IPS exclusion list; however, Weave does not recommend using this method as Weave's public IP addresses are subject to change.


Disabling RTSP Transformations and Considering Deep Packet Inspection

  1. Navigate to the Advanced section of the Firewall Settings tab

  2. Under the Dynamic Ports heading, uncheck the box labeled Enable RTSP Transformations

  3. For troubleshooting purposes only: Under the Connections heading, you can check the box labeled Maximum SPI Connections (DPI services disabled)

Accept the settings to apply the changes.

Additional information on deep packet inspection (DPI): 
DPI is related to general firewall functionality on SonicWall devices. This feature requires significant processing power, and when adding Weave or other VoIP phones to your network, you may find that your existing SonicWall device cannot handle the additional load with DPI enabled, which can lead to poor voice quality during calls. If you experience issues - especially with a TZ 100, 105, or SOHO model - we recommend toggling off DPI as a testing measure. If you see improvement, you may need to obtain a higher-end SonicWall device in order to provide sufficient data throughput. Bear in mind that a variety of parameters must be considered when calculating minimum DPI throughput, so there is no "one size fits all" recommendation for a specific model.


Create an Outbound Policy specifically for Weave Traffic

To create an address object for the Weave Communication Servers:

  1. Log in to the web interface of your SonicWall device and expand the Firewall area
  2. Click Address Objects
  3. Click Add and a new window will pop up
  4. Name this object; the name can be anything you choose
  5. The Zone assignment should be WAN
  6. The Type is FQDN
  7. Please reach out to your onboarding contact for the list of IP addresses you need to allow.
  8. Click Add


Create the Firewall Policy

  1. Expand the Firewall menu

  2. Click the Matrix radio button and on the menu that pops up, select the Lan to Wan option - this will speed up the process by auto filling some of the information in the next step

  3. Click the Add button and a new window will pop up

  4. Set the Service to Any

  5. Set the Source to Any

  6. In the Destination field select the address object you created in the previous step

  7. Click on the Advanced tab

  8. Set the TCP Connection Inactivity Timeout (minutes) to 60

  9. Set the UDP Connection Inactivity Timeout (seconds) to 300, click OK on the warning that pops up

  10. Click Add



Verify the Policy has been created

You should now see your Weave outbound policy in the list of Lan → Wan policies. If it is not at the top of the list, move it to the top by dragging and dropping it.


Most of the time an outbound policy is not required and the Weave Phones will work with the default policy allowing traffic out. The purpose for adding this specific rule is to ensure that traffic is flowing to/from the Weave servers, and also to facilitate the setup of Bandwidth management if that is required. Go to SonicWall Bandwidth Management (BWM) to see steps on how to enable Bandwidth Management (BWM) for Weave traffic.
