Configure WatchGuard Firewall for Verizon VoIP Phone Provisioning

draft · telecom voipwatchguardfirewallyealinkverizon

Generated by docuprocessor (prompt article/v3) · 2026-04-22 15:08

Source thread

thread_id: spaces/AAAA05BdS6s/threads/1o5gXkl4tVU · 6 msgs · first 2025-01-17 · participants: Tech ATech BTech CTech D

Tech A 2025-01-17 15:24

@all Hey guys, for Ocean parkway oms, there is a verizon guy on site, putting some new phones these are yealink phones. the office currently has phones through them, but is dial up, these new ones are voip, they are providing the service as well. but apparently is not working / provisioning when they put them on the network for the office (which runs of a WG firewall) they are saying they usually have these issues with firewalls and it works fine usually if they plug it into their router instead. does anyone knows if WG somehow would block or not allow a voip phone from working at all?

Tech A 2025-01-17 15:25

currently there is just an ONT at the basement that runs a wire to the WG at the office, what they can do they say is just to leave the phones ready outside of the office network for us to make them work, but we will have to go onsite for that

Tech B 2025-01-17 15:28

Maybe we have to create a rule for that range of IPs? https://support.yealink.com/en/portal/knowledge/show?id=64995b636a27da76bd07181b&title=SIP%20Port%20and%20TLS%20Port

Tech C 2025-01-17 15:48

WGs (as well as any decent firewall) are not VoIP friendly and have to be configured.

Tech A 2025-01-17 15:51

yeah, like we do with weave, or mango right? I asked if there was anything we could configure/whitelist but he had no idea, his only idea was to bypass the wg, but that wasn't an option

Tech D 2025-01-17 15:59

https://businessdigitalvoice.verizon.com/start-here-firewall-requirements/#2 based on this article, it mentions to 2 ip address to whitelist for NY. so maybe you can use weave guide to allow that traffic in and out for those ips and then uncheck the rest of the stuff we usually do "Add an explicit alias and firewall rule set (TO & FROM) for Weave with the IP Addresses or FQDN that we will provide during onboarding. Allow Any traffic from Weave IPs to ensure proper bidirectional communication We highly recommend moving the Weave Firewall policy you created to the top of your Sequence policy order. Configure Dangerous Activities settings and uncheck the following configurations Block Port Space Probes or Block Port Scan Block Address Space Probes or Block IP Scan Configure Global Networking settings System > Global Settings > Uncheck all SIX checkboxes in the ICMP Error Handling section Uncheck the checkboxes labeled Enable TCP SYN Packed and connection state verification Select No Adjustment for TCP Max segment size control"

---
title: "Configure WatchGuard Firewall for Verizon VoIP Phone Provisioning"
category: telecom
tags: ["voip", "watchguard", "firewall", "yealink", "verizon"]
source_thread_id: "spaces/AAAA05BdS6s/threads/1o5gXkl4tVU"
source_space: "spaces/AAAA05BdS6s"
generated_at: "2026-04-22T15:08:30"
participants: ["Tech A", "Tech B", "Tech C", "Tech D"]
---

# Configure WatchGuard Firewall for Verizon VoIP Phone Provisioning

## Problem
Yealink VoIP phones provided by Verizon failed to provision when connected to the office network running through a WatchGuard firewall. The Verizon technician reported that the phones work when plugged directly into their router but not when connected through the office's WatchGuard firewall. The technician indicated this is a common issue with firewalls and suggested bypassing the WatchGuard entirely, which was not acceptable.

## Resolution
1. Create firewall rules for the Verizon Business Digital Voice IP addresses specific to your region (for NY locations, use the IPs listed in Verizon's firewall requirements documentation)
2. Add explicit alias and firewall rule sets (TO & FROM) for the Verizon VoIP service with the provided IP addresses
3. Allow any traffic from the Verizon IPs to ensure proper bidirectional communication
4. Move the VoIP firewall policy to the top of your sequence policy order
5. Configure Dangerous Activities settings and uncheck:
   - Block Port Space Probes or Block Port Scan
   - Block Address Space Probes or Block IP Scan
6. Configure Global Networking settings under System > Global Settings:
   - Uncheck all six checkboxes in the ICMP Error Handling section
   - Uncheck "Enable TCP SYN Packed and connection state verification"
   - Select "No Adjustment" for TCP Max segment size control

Follow the same configuration approach used for Weave VoIP systems, adapting the IP ranges and settings for Verizon's requirements.

## References
- Source discussion: `spaces/AAAA05BdS6s/threads/1o5gXkl4tVU`
- Yealink SIP Port documentation: https://support.yealink.com/en/portal/knowledge/show?id=64995b636a27da76bd07181b&title=SIP%20Port%20and%20TLS%20Port
- Verizon Business Digital Voice firewall requirements: https://businessdigitalvoice.verizon.com/start-here-firewall-requirements/#2

Generated article

draft