Required Configuration for WatchGuard System Manager (WSM) Firewalls

Note: We have had frequent issues with the Watchguard OS. This device is not one of our recommended network firewalls. 

Make sure that the WatchGuard firewall has the latest firmware version applied to it. Some older firmware versions do not have the ability to add FQDN aliases; without that ability, we are unable to optimize the device for Weave traffic.

Please be sure to use the WatchGuard sizing tool (available here) when installing Weave for an office. We have seen many cases where the firewall is not sized correctly, which causes call quality issues and dropped calls.

WatchGuard System Manager (WSM) Instructions

1. In the WSM, click on Tools > Policy Manager from the menu at the top

2. In the newly opened Policy Manager, click Setup > Aliases

3. Add aliases

  • Click the Add button on the right of the Aliases box

  • Click the Add button to the right of the Alias Members box

  • Select FQDN in the Choose Type drop-down box

  • Enter allow.us1.weavephone.net in the Value field

  • Press OK three times to return to the main Policy Manager Window

4. Add policy properties

  • Click the plus icon (+) in the tool bar at the top of the Policy Manager

  • Click the plus symbol (+) next to Packet Filters in the Add Policy window in order to expand the packet filter options

  • Select the Any option from the packet filter list

  • Click the Add button at the bottom of the Add Policies window

  • Change the text in the Name box from Any to Traffic to Weave in the New Policy Properties window

  • Modify the From section to only show the value Any using the ADD/EDIT/REMOVE buttons below the FROM section

  • Modify the TO section to only show the value Weave IPs using the ADD/EDIT/REMOVE buttons below the TO section

  • Click the OK button at the bottom of the New Policy Properties window

5. Add policies continued:

  • Again, select the Any option from the packet filter list

  • Again, click the Add button at the bottom of the Add Policies window

  • Change the text in the Name box from Any to Traffic from Weave in the New Policy Properties window

  • Modify the From section to only show the value Weave IPs using the ADD/EDIT/REMOVE buttons below the FROM section

  • Modify the TO section to only show the value Any using the ADD/EDIT/REMOVE buttons below the TO section

  • Click the OK button at the bottom of the New Policy Properties window

  • Click the Close button at the bottom of the Add Policies window

Note: "Any" and "Weave IPs" are reversed from the "Traffic to Weave" rule

6. In the Policy Manager, click View > Auto-Order Mode

7. Click Yes when prompted

8. Sequence To and From policies

  • Click and drag the Traffic to Weave policy to the top of the list
  • Click and drag the Traffic from Weave policy to #2 on the list

9. In the Policy Manager, click Setup > Default Threat Protection > Default Packet Handling

10. Verify Default Packet Handling settings

  • Uncheck the checkbox labeled either Block Port Space Probes or Block Port Scan

  • Uncheck the checkbox labeled either Block Address Space Probes or Block IP Scan

  • Click the OK button on the top right of the window

11. In Policy Manager, click Setup > Global Settings

12. Verify Networking Settings

  • Uncheck ALL SIX checkboxes in the ICMP Error Handling section

  • Uncheck the checkbox labeled Enable TCP SYN packet and connection state verification under the TCP Settings section

  • Select No Adjustment in the section labeled TCP maximum segment size control

  • Click the OK button at the bottom of the page

13. Save to Firebox

  • In Policy Manager, click File > Save > To Firebox

  • Enter your password and click OK when prompted (note: you may also be prompted to save the config to a file)

14. Close out of the Policy Manager using the X in the upper right-hand corner and return to the WSM window

15. In WSM, click Tools > Firebox System Manager

16. In the newly opened Firebox System Manager (FSM), click File > Reboot
