This guide details required configurations for SonicWALL routers
There are four critical settings to check in order to confirm that the SonicWALL is configured for Weave Phones.
- The SonicWALL is receiving an internet routable (public) IP address on its WAN interface.
- In the VoIP section, "Enable Consistent NAT" has been ENABLED
- In the Security Services section, under the Intrusion Prevention tab, the "Prevent ALL" box for low priority attacks is NOT enabled.
- Ensure that your SonicWall has sufficient resources to perform DPI or disable DPI entirely
Below are detailed steps to configure the SonicWALL.
1. Checking for a public IP address on the WAN Interface
- On the sidebar, locate and click the tab labeled Network
- From the drop down menu, select Interfaces
- Verify that the WAN interface is receiving a public IP address. If the IP address begins with "192.168.X.X", "10.X.X.X" or "172.16.X.X-172.31.X.X", then the SonicWALL is not receiving a public IP address (the upstream modem is still performing NAT) and you should contact your ISP to put your modem in bridge, DMZ, or PPPoE mode.
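An added helper for the check in step 1 (this is example code, not part of the original guide or a SonicWALL tool): given the address shown on the WAN interface, it reports whether that address falls in one of the private ranges listed above. It goes slightly beyond the guide by also flagging carrier-grade NAT (100.64.0.0/10) and link-local (169.254.0.0/16) addresses, which likewise mean the firewall is not holding an internet-routable address.

```python
import ipaddress

# Ranges the guide says indicate the SonicWALL is NOT receiving a public
# WAN address (RFC 1918), plus two ranges added beyond the guide that are
# also not internet-routable and commonly show up on a WAN interface.
NON_PUBLIC_RANGES = {
    "192.168.0.0/16": "RFC 1918 private (192.168.X.X)",
    "10.0.0.0/8": "RFC 1918 private (10.X.X.X)",
    "172.16.0.0/12": "RFC 1918 private (172.16.X.X-172.31.X.X)",
    # Added beyond the guide:
    "100.64.0.0/10": "carrier-grade NAT (RFC 6598); ISP is NATing upstream",
    "169.254.0.0/16": "link-local (APIPA); WAN got no DHCP lease from the modem",
}


def classify_wan_address(addr: str) -> tuple[bool, str]:
    """Return (is_public, reason) for the IPv4 address shown on the WAN interface."""
    try:
        ip = ipaddress.IPv4Address(addr)
    except ipaddress.AddressValueError:
        return False, f"{addr!r} is not a valid IPv4 address"
    for cidr, label in NON_PUBLIC_RANGES.items():
        if ip in ipaddress.IPv4Network(cidr):
            return False, (f"{addr} is in {cidr}: {label}. Ask the ISP to put the "
                           f"modem in bridge, DMZ, or PPPoE mode.")
    return True, f"{addr} is outside all private/non-routable ranges (public)"


if __name__ == "__main__":
    # Constructed sample addresses, as they might appear on the Interfaces page.
    for sample in ("192.168.1.2", "172.31.4.9", "172.32.0.1",
                   "100.77.1.5", "169.254.10.10", "198.51.100.20"):
        is_public, reason = classify_wan_address(sample)
        print(("PASS" if is_public else "FAIL"), reason)
```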
2. Enabling Consistent NAT
- On the sidebar, click on the VoIP tab
- At the top of the VoIP configuration page, check the box labeled "Enable Consistent NAT"
- Ensure all other boxes on the VoIP page are NOT CHECKED
3. Configuring Intrusion Prevention and Deep Packet Inspection
Low priority attack prevention can cause signaling issues if it is enabled. By default, SonicWALL does not enable prevention for low priority attacks. You can verify this setting by doing the following:
- On the sidebar, click the Security Services tab
- In the drop down menu, select "Intrusion Prevention"
- Make sure the box in the "Prevent All" column for "Low Priority Attacks" is UNCHECKED
It is possible to enable the low priority attacks setting if the Weave IP addresses are added to the IPS exclusion list; however, Weave does not recommend using this method as Weave's public IP addresses are subject to change.
4. Disabling RTSP Transformations and Considering Deep Packet Inspection
- Navigate to the Advanced section of the Firewall Settings tab
- Under the Dynamic Ports heading, uncheck the box labeled "Enable RTSP Transformations"
- Under the Connections heading, check the box labeled "Maximum SPI Connections" (DPI services disabled)*
- Accept the settings to apply the changes
*Additional information on deep packet inspection (DPI): DPI always adds latency to data delivery and in some cases causes a severe bottleneck, resulting in poor voice quality during phone calls. DPI requires significant processing power that lower-end SonicWALLs may not provide. If DPI must be performed, you may need to obtain a higher-end TZ series SonicWALL in order to provide sufficient throughput. Bear in mind that a variety of parameters must be considered when calculating minimum DPI throughput, so there is no "one size fits all" recommendation (though we can say that the 100 series will almost always be insufficient).
Create an Outbound Policy specifically for Weave Traffic
Create an address object for the Weave Communication Servers
- Log in to the web interface of your SonicWall device and expand the "Firewall" area
- Click "Address Objects"
- Click "Add". A new window will pop up.
- Name this object. This can be anything you choose.
- The Zone assignment should be WAN
- The Type is FQDN
- The FQDN Hostname is whitelist.getweave.io
- Click 'Add'
Create the Firewall Policy
- Expand the 'Firewall' menu
- Click the 'Matrix' radio button, and on the menu that pops up, select the LAN to WAN option. This will speed up the process by auto-filling some of the information in the next step.
- Click the 'Add' button. A new window will pop up.
- Set the 'Service' to 'Any'
- Set the 'Source' to 'Any'
- In the 'Destination' field select the address object you created in the previous step.
- Click on the 'Advanced' tab
- Set the 'TCP Connection Inactivity Timeout (minutes)' to 60
- Set the 'UDP Connection Inactivity Timeout (seconds)' to 300, and click 'OK' on the warning that pops up.
- Click 'Add'
Verify the Policy has been created
- You should now see your Weave outbound policy in the list of LAN → WAN policies. If it is not at the top of the list, move it to the top by dragging and dropping it.
Most of the time an outbound policy is not required and the Weave Phones will work with the default policy allowing traffic out. The purpose of adding this specific rule is to ensure that traffic is flowing to/from the Weave servers, and also to facilitate the setup of Bandwidth Management if that is required. Steps to enable Bandwidth Management (BWM) for Weave traffic are covered in a separate guide.