Required Configuration for WatchGuard Fireware Web UI

Note: We have had frequent issues with the WatchGuard OS. This device is not one of our recommended network firewalls.

Make sure that the WatchGuard firewall has the latest firmware version applied to it. Some older firmware versions cannot add FQDN aliases, and without that ability we are unable to optimize the device for Weave traffic.

Please be sure to use the WatchGuard sizing tool (available here) when installing Weave for an office. We have seen many cases where the firewall is not sized correctly and causes call quality issues and dropped calls.

Fireware Web UI Instructions

1. Add alias

  • In the Fireware Web UI, click on Firewall > Aliases in the left-hand menu
  • Click the Add button

2. Add alias continued

  • Enter Weave IPs in the Name box

  • Click the Add button in the Alias Members section

3. Select FQDN in the Member type dropdown box, enter allow.us1.weavephone.net in the box below, then click OK

4. Confirm that the Alias Members section now contains the FQDN (allow.us1.weavephone.net), then click the Save button

5. Add policy

  • In the Fireware Web UI, click on Firewall > Firewall Policies in the left-hand menu

  • Click the Add Policy button

6. Select Weave Packet Filter

  • In the Select a policy type section, select Any in the Packet Filter dropdown

  • Change the text in the Policy Name box at the top of the page from Any to Weave Traffic

  • Click the Add Policy button at the bottom of the page

7. Modify From and To fields

  • Enter Traffic to Weave in the Name box at the top of the page

  • Modify the From section to only show the value Any using the ADD/REMOVE buttons below the FROM section

  • Modify the TO section to only show the value Weave IPs using the ADD/REMOVE buttons below the TO section

  • Click the Save button at the bottom of the page

8. Click the Add Policy button again

9. Modify From and To fields - continued

  • Enter Traffic from Weave in the Name box at the top of the page

  • Modify the From section to only show the value Weave IPs using the ADD/REMOVE buttons below the FROM section

  • Modify the TO section to only show the value Any using the ADD/REMOVE buttons below the TO section

  • Click the Save button at the bottom of the page

10. Sequence policy order

  • Check the checkbox next to the Traffic to Weave policy, then click the MOVE UP button at the bottom of the page until the Traffic to Weave policy is in position #1 at the top of the list. Uncheck the checkbox next to the Traffic to Weave policy

  • Check the checkbox next to the Traffic from Weave policy, then click the MOVE UP button at the bottom of the page until the Traffic from Weave policy is in position #2 on the list. Uncheck the checkbox next to the Traffic from Weave policy

  • Click the Save Policy Order button near the bottom of the page

***Important Note: If the button at the bottom of the screen says "Disable Policy Auto-Order Mode", you must first click this button to enable manual ordering.

11. Configure Dangerous Activities settings

  • In the Fireware Web UI, click on Firewall > Default Packet Handling in the left-hand menu

  • Uncheck the checkbox labeled Block Port Space Probes or Block Port Scan (whichever label your device shows)

  • Uncheck the checkbox labeled Block Address Space Probes or Block IP Scan (whichever label your device shows)

  • Click the Save button at the bottom of the page

12. Configure Global Networking settings

  • In the Fireware Web UI, click on System > Global Settings in the left-hand menu

  • Uncheck ALL SIX checkboxes in the ICMP Error Handling section

  • Uncheck the checkbox labeled Enable TCP SYN packet and connection state verification under the TCP Settings section

  • Select No Adjustment in the section labeled TCP maximum segment size control

  • Click the Save button at the bottom of the page

13. Reboot the system

  • In the Fireware Web UI, click on Dashboard > Front Panel in the left-hand menu

  • Click the Reboot button on the right side of the page
