Below are the steps to configure your WatchGuard network appliance for Weave phones and service.

*Note - We have had frequent issues with the WatchGuard OS. This device is not one of our recommended network firewalls.

Make sure that the WatchGuard firewall has the latest firmware version applied to it. Some older firmware versions do not have the ability to add FQDN aliases, and without that ability we are unable to optimize the device for Weave traffic.

Fireware Web UI Instructions

WatchGuard System Manager (WSM) Instructions


1.

  • In the Fireware Web UI, click on Firewall >> Aliases in the left-hand menu, then click the Add button

 

 

 

 

 

 

 

 

 

 


2.

  • Enter "Weave IPs" in the Name box
  • Click the Add button in the Alias Members section

 

 

 

 

 

 

 

   

3.  

  • Select FQDN in the Member type dropdown box, enter whitelist.getweave.io in the box below (as shown), and click OK

 

 

 

 

4.  

  • Confirm that the Alias Members section now contains the FQDN (whitelist.getweave.io) and click the Save button

 

 

 

 

 

 

 

 

5.  

  • In the Fireware Web UI, click on Firewall >> Firewall Policies in the left-hand menu, then click the Add Policy button

 

 

 

 

 

6.  

  • In the Select a policy type section, select "Any" in the Packet Filter dropdown
  • Change the text in the Policy Name box at the top of the page from "Any" to "Weave Traffic"
  • Click the Add Policy button at the bottom of the page

 

 

 

 

7.  

  • Enter "Traffic to Weave" in the Name box at the top of the page
  • Modify the From section to only show the value "Any" using the ADD/REMOVE buttons below the FROM section
  • Modify the TO section to only show the value "Weave IPs" using the ADD/REMOVE buttons below the TO section
  • Click the Save button at the bottom of the page

 

 

 

 

 

 

8.

  • Click the Add Policy button again

9.

  • Enter "Traffic from Weave" in the Name box at the top of the page
  • Modify the From section to only show the value "Weave IPs" using the ADD/REMOVE buttons below the FROM section
  • Modify the TO section to only show the value "Any" using the ADD/REMOVE buttons below the TO section
  • Click the Save button at the bottom of the page

 

 

 

 

 

 

***Important Note: If the button at the bottom of the screen says "Disable Policy Auto-Order Mode", you must first click this button to enable manual ordering.

10.

  • Check the checkbox next to the Traffic to Weave policy and then click the MOVE UP button at the bottom of the page until the Traffic to Weave is in position #1 at the top of the list. Uncheck the checkbox next to the Traffic to Weave policy
  • Check the checkbox next to the Traffic from Weave policy and then click the MOVE UP button at the bottom of the page until the Traffic from Weave is in position #2 on the list. Uncheck the checkbox next to the Traffic from Weave policy
  • Click the Save Policy Order button near the bottom of the page

   

11.

  • In the Fireware Web UI, click on Firewall >> Default Packet Handling in the left-hand menu
  • Uncheck the checkbox labeled either Block Port Space Probes or Block Port Scan
  • Uncheck the checkbox labeled either Block Address Space Probes or Block IP Scan
  • Click the Save button at the bottom of the page

 

 

 

 

 

 

 

   

12.

  • In the Fireware Web UI, click on System >> Global Settings in the left-hand menu
  • Uncheck ALL SIX checkboxes in the ICMP Error Handling section
  • Uncheck the checkboxes labeled Enable TCP SYN packet and connection state verification under the TCP Settings section
  • Select No Adjustment in the section labeled TCP maximum segment size control
  • Click the Save button at the bottom of the page

 

 

13.

  • In the Fireware Web UI, click on Dashboard >> Front Panel in the left-hand menu
  • Click the Reboot button on the right side of the page

 

 

 

 


1.  

  • In the WSM, click on Tools >> Policy Manager from the menu at the top

 

 

 

 

 

 

 

 

2.  

  • In the newly opened Policy Manager, click Setup >> Aliases

 

 

 

 

 

   

   

3.  

  • Click the Add button on the right of the Aliases box
  • Click the Add button to the right of the Alias Members box
  • Select FQDN in the Choose Type drop down box
  • Enter whitelist.getweave.io in the Value field
  • Press OK three times to return to the main Policy Manager Window

 

 

 

 

4.

  • Click the plus icon (+) in the tool bar at the top of the Policy Manager
  • Click the plus symbol (+) next to Packet Filters in the Add Policy window in order to expand the packet filter options
  • Select the Any option from the packet filter list
  • Click the Add button at the bottom of the Add Policies window
  • Change the text in the Name box from "Any" to "Traffic to Weave" in the New Policy Properties window
  • Modify the From section to only show the value "Any" using the ADD/EDIT/REMOVE buttons below the FROM section
  • Modify the TO section to only show the value "Weave IPs" using the ADD/EDIT/REMOVE buttons below the TO section
  • Click the OK button at the bottom of the New Policy Properties window

 

Note: In the next step, "Any" and "Weave IPs" are reversed from the "Traffic to Weave" rule.

5.

  • Again, select the Any option from the packet filter list
  • Again, click the Add button at the bottom of the Add Policies window
  • Change the text in the Name box from "Any" to "Traffic from Weave" in the New Policy Properties window
  • Modify the From section to only show the value "Weave IPs" using the ADD/EDIT/REMOVE buttons below the FROM section
  • Modify the TO section to only show the value "Any" using the ADD/EDIT/REMOVE buttons below the TO section
  • Click the OK button at the bottom of the New Policy Properties window
  • Click the Close button at the bottom of the Add Policies window

6.

  • In the Policy Manager, click View >> Auto-Order Mode

 

 

 

 

 

 

 

7.

  • Click Yes when prompted

 

 

 

 

 

 

8.

  • Click and drag the Traffic to Weave policy to the top of the list
  • Click and drag the Traffic from Weave policy to #2 on the list

 

 

 

9.

  • In the Policy Manager, click Setup >> Default Threat Protection >> Default Packet Handling

 

 

 

 

 

 

 

   

10.

  • Uncheck the checkbox labeled either Block Port Space Probes or Block Port Scan
  • Uncheck the checkbox labeled either Block Address Space Probes or Block IP Scan
  • Click the OK button on the top right of the window

 

 

 

 

 

 

11.

  • In Policy Manager, click Setup >> Global Settings

 

 

 

 

 

 

 

 

12.

  • Uncheck ALL SIX checkboxes in the ICMP Error Handling section
  • Uncheck the checkboxes labeled Enable TCP SYN packet and connection state verification under the TCP Settings section
  • Select No Adjustment in the section labeled TCP maximum segment size control
  • Click the OK button at the bottom of the page

    

 

 

 

 

13.

  • In Policy Manager, click File >> Save >> To Firebox
  • Enter your password and click OK when prompted (note: you may also be prompted to save the config to a file)

 

 

 

 

  

14.

  • Close out of the Policy Manager using the X in the upper right-hand corner and return to the WSM window

15.

  • In WSM, click Tools >> Firebox System Manager

 

 

 

 

 

 

 

 

16.

  • In the newly opened Firebox System Manager (FSM), click File >> Reboot
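
As an added check (not part of the original instructions, nor code from Weave or WatchGuard), the Python below audits what the "Weave IPs" alias actually covers: both procedures put Any-protocol policies for that alias at the top of the policy list, so whatever `whitelist.getweave.io` resolves to is what those policies match. `audit_alias`, `INTERNAL_NETS`, the recorded baseline and the sample addresses are assumptions made for this example.

```python
import ipaddress
import socket

ALIAS_FQDN = "whitelist.getweave.io"  # the FQDN member of the "Weave IPs" alias

# Ranges that should never appear behind a vendor FQDN. Assumption: extend
# this list with your own LAN and DMZ subnets.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "fc00::/7", "::1/128", "fe80::/10",
)]


def resolve(fqdn):
    """Return the sorted, de-duplicated addresses the FQDN resolves to now."""
    infos = socket.getaddrinfo(fqdn, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0].split("%")[0] for info in infos})


def audit_alias(current, baseline):
    """Diff the current resolution against a recorded baseline.

    Both arguments are iterables of address strings. Returns the addresses
    that appeared, disappeared, and any that fall inside INTERNAL_NETS.
    """
    cur = {ipaddress.ip_address(a) for a in current}
    base = {ipaddress.ip_address(a) for a in baseline}
    internal = [a for a in cur if any(a in net for net in INTERNAL_NETS)]
    return {
        "added": sorted(str(a) for a in cur - base),
        "removed": sorted(str(a) for a in base - cur),
        "internal": sorted(str(a) for a in internal),
    }


if __name__ == "__main__":
    # Constructed sample data (documentation ranges, not Weave's addresses).
    # On a live network use: current = resolve(ALIAS_FQDN)
    baseline = ["198.51.100.10", "198.51.100.11"]
    current = ["198.51.100.10", "203.0.113.7", "192.168.1.20"]
    report = audit_alias(current, baseline)
    for kind, addrs in report.items():
        print(f"{kind:9}: {', '.join(addrs) or '-'}")
    if report["added"] or report["internal"]:
        print("Review before trusting: both Weave policies match these hosts.")
```

Run it from a host that uses the same DNS servers as the firewall, since the appliance performs its own lookups for the alias and another resolver may return different answers.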