Configuration for WatchGuard System Manager (WSM) Firewalls
Note: We have had frequent issues with the WatchGuard OS. This device is not one of our recommended network firewalls.
Recommended Configuration Changes
- Add an explicit alias and firewall rule set (TO & FROM) for Weave with the IP Addresses or FQDN that we will provide during onboarding. Allow Any traffic from Weave IPs to ensure proper bidirectional communication.
- We highly recommend moving the Weave Firewall policy you created to the top of your Sequence policy order.
- Set up Traffic Shaping/QoS (we use DSCP 26 (SIP) & 46 (Real-Time Media)) to prioritize voice traffic
- Configure Default Packet Handling settings and uncheck the following configurations
  - Block Port Space Probes or Block Port Scan
  - Block Address Space Probes or Block IP Scan
- Configure Global Networking settings
  - System > Global Settings > Uncheck all SIX checkboxes in the ICMP Error Handling section
  - Uncheck the checkboxes labeled Enable TCP SYN packet and connection state verification
  - Select No Adjustment for TCP Max segment size control
- Finish setup with a File > Reboot to restart network devices with newly added settings/configurations
-
Configuration for Sophos Firewalls
Weave phones work well with Sophos firewalls. This guide details the necessary changes for Sophos firewalls. Verify each of the settings below to confirm that the Sophos is configured correctly.
Recommended Configuration Changes
- Disable SIP ALG
- Create a New Network Definition and Explicit Firewall rule with our Weave FQDN/IP Addresses that will be provided during onboarding
- Go to Advanced Threat Protection and select our Weave IPs so that traffic can pass bidirectionally without issue
- Set up Traffic Shaping/QoS (we use DSCP 26 (SIP) & 46 (Real-Time Media)) to prioritize voice traffic
-
Configuration for WatchGuard Fireware Web UI
Note: We have had frequent issues with the WatchGuard OS. This device is not one of our recommended network firewalls.
Recommended Configuration Changes
- Add an explicit alias and firewall rule set (TO & FROM) for Weave with the IP Addresses or FQDN that we will provide during onboarding. Allow Any traffic from Weave IPs to ensure proper bidirectional communication.
- We highly recommend moving the Weave Firewall policy you created to the top of your Sequence policy order.
- Set up Traffic Shaping/QoS (we use DSCP 26 (SIP) & 46 (Real-Time Media)) to prioritize voice traffic
- Configure Dangerous Activities settings and uncheck the following configurations
  - Block Port Space Probes or Block Port Scan
  - Block Address Space Probes or Block IP Scan
- Configure Global Networking settings
  - System > Global Settings > Uncheck all SIX checkboxes in the ICMP Error Handling section
  - Uncheck the checkboxes labeled Enable TCP SYN packet and connection state verification
  - Select No Adjustment for TCP Max segment size control
-
Configuration for D-Link DIR Series
Weave phones work well with D-Link DIR series routers as long as the following configuration options are set.
Recommended Configuration Changes
- Ensure the latest firmware update is installed
- In the NAT Endpoint Filtering section, change the following:
  - Change UDP Endpoint Filtering to Endpoint Independent
  - Change TCP Endpoint Filtering to Endpoint Independent
- In the Application Level Gateway (ALG) Configuration section, change the following:
  - Uncheck the checkbox labeled SIP
  - Uncheck the checkbox labeled RTSP
-
Configuration for Netgear ProSafe Routers
Weave phones work well with Netgear ProSafe Routers. Follow the guide below to configure the Netgear to allow Weave traffic to flow correctly.
Traffic Shaping/QoS for VoIP
Go to Advanced > QoS Engine. This will bring up your QoS settings (bandwidth management). Here is the information you need to configure it:
Weave's FQDN: allow.us1.weavephone.net/
If the router doesn't support FQDN, you will need to add all of these Weave IP Addresses to your router/firewall (A list).
If you'd like to create rule sets based on specific ports, here are the ones we use:
Signaling
- 443 (TCP) - Weave Software and Phone Configuration/Provisioning
- 5060/5061 (TCP/UDP) - SIP
- 5222 (TCP/UDP) - SIP Signaling
- 7000 (UDP/TCP) - SIP Signaling
RTP Ports
- 16384-40000 (UDP) - Real Time Voice
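If you build port-specific rules, the check below compares a rule set against the ports listed above and reports both missing ports and rules that open more than the list requires. It is an added example, not Weave tooling or any vendor's export format; the rule dictionaries and the sample rule set are constructed for illustration.

```python
# Ports from the list above: (protocol, first port, last port, purpose).
REQUIRED = [
    ("tcp", 443, 443, "Weave software and phone provisioning"),
    ("tcp", 5060, 5061, "SIP"),
    ("udp", 5060, 5061, "SIP"),
    ("tcp", 5222, 5222, "SIP signaling"),
    ("udp", 5222, 5222, "SIP signaling"),
    ("tcp", 7000, 7000, "SIP signaling"),
    ("udp", 7000, 7000, "SIP signaling"),
    ("udp", 16384, 40000, "Real-time voice (RTP)"),
]

# Constructed rule set in a hypothetical export format, with deliberate mistakes.
SAMPLE_RULES = [
    {"action": "allow", "proto": "tcp", "lo": 443, "hi": 443},
    {"action": "allow", "proto": "tcp", "lo": 5060, "hi": 5061},
    {"action": "allow", "proto": "udp", "lo": 5060, "hi": 5061},
    {"action": "allow", "proto": "tcp", "lo": 5222, "hi": 5222},
    {"action": "allow", "proto": "udp", "lo": 7000, "hi": 7000},
    {"action": "allow", "proto": "udp", "lo": 10000, "hi": 20000},
    {"action": "allow", "proto": "udp", "lo": 30000, "hi": 40000},
]

def uncovered(required, rules):
    """Return the required port ranges that no allow rule permits."""
    gaps = []
    for proto, lo, hi, purpose in required:
        spans = sorted((r["lo"], r["hi"]) for r in rules
                       if r["action"] == "allow" and r["proto"] == proto)
        cursor = lo  # lowest required port not yet known to be allowed
        for s_lo, s_hi in spans:
            if s_hi < cursor:
                continue  # span ends before the part still unchecked
            if s_lo > hi:
                break  # sorted, so later spans start past the range too
            if s_lo > cursor:
                gaps.append((proto, cursor, s_lo - 1, purpose))
            cursor = s_hi + 1
        if cursor <= hi:
            gaps.append((proto, cursor, hi, purpose))
    return gaps

def excess(required, rules):
    """Return allow rules that open ports outside the required list."""
    needed = [{"action": "allow", "proto": p, "lo": a, "hi": b} for p, a, b, _ in required]
    return [r for r in rules if r["action"] == "allow"
            and uncovered([(r["proto"], r["lo"], r["hi"], "")], needed)]

if __name__ == "__main__":
    print(uncovered(REQUIRED, SAMPLE_RULES), excess(REQUIRED, SAMPLE_RULES))
```

The check covers ports and protocols only; restricting the destination to Weave's FQDN or IP addresses is a separate condition on each rule.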
Recommended Configuration Changes
- Ensure SIP ALG is disabled (Netgear Portal > Advanced > WAN Setup)
-
Configuration for SonicWALL
This guide details the configuration for SonicWALL routers.
Recommended Configuration Changes
- Verify that WAN Interface is receiving a public IP Address
- In the VoIP Section > Settings > General Settings > Check the box for Enable Consistent NAT
- Ensure the SonicWall has enough resources to perform Deep Packet Inspection if you are going to use it, or disable DPI for voice traffic
- Disable SIP ALG
- In the Security Service Section > Intrusion Prevention tab > uncheck the Prevent ALL checkbox for low priority attacks (known to cause voice quality issues)
- You will need to build an Outbound firewall rule for Weave Traffic using our FQDN that will be provided during onboarding