How to Configure a WatchGuard Firewall for VoIP
Configuring a WatchGuard firewall for VoIP trips up even experienced MSPs because the Firebox handles SIP traffic differently than almost every other enterprise firewall. The SIP-ALG is not enabled by default — it is an opt-in proxy policy — and the right approach for most cloud VoIP deployments is a clean packet filter, not an ALG at all. This guide walks through each step: baseline verification, VLAN segmentation, firewall policy construction, 1-to-1 NAT for proper RTP handling, QoS configuration for both locally-managed and cloud-managed Fireboxes, and a symptom-based troubleshooting runbook. If you are deploying or supporting hosted VoIP behind a WatchGuard Firebox, this is the configuration baseline that keeps calls stable across every client site.
