This guide details the required configurations for SonicWALL routers.
There are four critical settings to check in order to confirm that the SonicWALL is configured for Weave Phones.
The SonicWALL is receiving an internet routable (public) IP address on its WAN interface.
In the VoIP section, "Enable Consistent NAT" has been ENABLED.
In the Security Services section, under the Intrusion Prevention tab, the "Prevent ALL" box for low priority attacks is NOT enabled.
Ensure that your SonicWall has sufficient resources to perform DPI, or disable DPI entirely.
Below are detailed steps to configure the SonicWALL.
1. Checking for a public IP address on the WAN Interface
On the sidebar, locate and click the tab labeled Network
From the drop down menu, select Interfaces
Verify that the WAN interface is receiving a public IP address. If the IP address begins with "192.168.X.X" or "10.X.X.X", or falls within "172.16.X.X-172.31.X.X", then the SonicWALL is not receiving a public IP address and you should contact your ISP to put your modem in bridge, DMZ, or PPPoE mode.
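The check in step 1, written out as an added example (not Weave's or SonicWALL's own code): a Python function that classifies the address shown on the WAN interface. It goes slightly beyond the guide by also flagging carrier-grade NAT space (100.64.0.0/10) and other non-routable ranges, which are assumptions here rather than ranges the guide lists; the function name and the sample addresses are constructed.

```python
import ipaddress

# The three private ranges named in step 1 (RFC 1918).
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumption beyond the guide: carrier-grade NAT shared space (RFC 6598).
# An ISP handing out these addresses is still NATing the firewall upstream.
CGNAT = ipaddress.ip_network("100.64.0.0/10")


def classify_wan_ip(text):
    """Return 'public', 'private', 'cgnat', 'other-non-routable' or 'invalid'."""
    try:
        ip = ipaddress.IPv4Address(text.strip())
    except ipaddress.AddressValueError:
        return "invalid"
    if any(ip in net for net in RFC1918):
        return "private"
    if ip in CGNAT:
        return "cgnat"
    # Loopback, link-local (169.254.x.x, typically a failed DHCP lease),
    # documentation ranges and similar are not routable either.
    if not ip.is_global:
        return "other-non-routable"
    return "public"


if __name__ == "__main__":
    # Constructed sample values, as they might be read off the Interfaces page.
    samples = ["192.168.1.1", "10.20.30.40", "172.15.255.255", "172.16.0.1",
               "172.31.255.255", "172.32.0.1", "100.64.0.1", "169.254.10.20",
               "8.8.8.8", "192.168.1"]
    for s in samples:
        print(f"{s:<16} {classify_wan_ip(s)}")
```

Anything other than "public" means the WAN interface sits behind another NAT device, which is the condition step 1 asks you to resolve with your ISP.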
2. Enabling Consistent NAT
On the sidebar, click on the VoIP tab
At the top of the VoIP configuration page, check the box labeled "Enable Consistent NAT"
Ensure all other boxes on the VoIP page are NOT CHECKED
3. Configuring Intrusion Prevention and Deep Packet Inspection
Low priority attack prevention can cause signaling issues if it is enabled. By default, SonicWALL does not enable prevention for low priority attacks. You can verify this setting by doing the following:
On the sidebar, click the Security Services tab
In the drop down menu, select "Intrusion Prevention"
Make sure the box in the "Prevent All" column for "Low Priority Attacks" is UNCHECKED
It is possible to enable the low priority attacks setting if the Weave IP addresses are added to the IPS exclusion list; however, Weave does not recommend using this method as Weave's public IP addresses are subject to change.
4. Disabling RTSP Transformations and Considering Deep Packet Inspection
Navigate to the Advanced section of the Firewall Settings tab
Under the Dynamic Ports heading, uncheck the box labeled "Enable RTSP Transformations"
For troubleshooting purposes only*: Under the Connections heading, you can check the box labeled "Maximum SPI Connections" (DPI services disabled).
Accept the settings to apply the changes
*Additional information on deep packet inspection (DPI):
DPI is related to general firewall functionality on SonicWall devices. This feature requires significant processing power, and when adding Weave or other VoIP phones to your network, you may find that your existing SonicWall device cannot handle the additional load with DPI enabled, which can lead to poor voice quality during calls. If you experience issues, especially with a TZ 100, 105, or SOHO model, we recommend toggling off DPI as a testing measure. If you see improvement, you may need to obtain a higher-end SonicWall device in order to provide sufficient data throughput. Bear in mind that a variety of parameters must be considered when calculating minimum DPI throughput, so there is no "one size fits all" recommendation for a specific model.
Create an Outbound Policy specifically for Weave Traffic
Create an address object for the Weave Communication Servers
Log in to the web interface of your SonicWall device and expand the "Firewall" area
Click "Address Objects"
Click "Add". A new window will pop up.
Name this object. This can be anything you choose.
The Zone assignment should be WAN
The Type is FQDN
The FQDN Hostname is whitelist.getweave.io
Create the Firewall Policy
Expand the 'Firewall' menu
Click the 'Matrix' radio button, and on the menu that pops up, select the Lan to Wan option. This will speed up the process by auto-filling some of the information in the next step.
Click the 'Add' button. A new window will pop up.
Set the 'Service' to 'Any'
Set the 'Source' to 'Any'
In the 'Destination' field select the address object you created in the previous step.
Click on the 'Advanced' tab
Set the 'TCP Connection Inactivity Timeout (minutes)' to 60
Set the 'UDP Connection Inactivity Timeout (seconds)' to 300, then click 'OK' on the warning that pops up.
Verify the Policy has been created
You should now see your Weave outbound policy in the list of Lan → Wan policies. If it is not at the top of the list, move it to the top by dragging and dropping it.
Most of the time, an outbound policy is not required and the Weave Phones will work with the default policy allowing traffic out. The purpose of adding this specific rule is to ensure that traffic is flowing to/from the Weave servers, and also to facilitate the setup of Bandwidth Management if that is required. You can see steps on how to enable Bandwidth Management (BWM) for Weave traffic by clicking here.