Watchguard Firewall SIP configuration

Watchguard SIP and VoIP setup
Step 1: Create a “Static NAT (SNAT)”

First, the Static NAT must be configured in order to forward the incoming traffic from the Static Public IP to the local IP of the PBX:

  1. Navigate under Firebox® UI > Firewall > SNAT and click “Add”
  2. In this example the name “VOICEHOST_SNAT” is given to the SNAT Policy.
  3. Select Static NAT.
  4. Under SNAT Members click “Add”
  5. Select the “External Static IP” under the drop down menu. In this example the external IP of the device is which should be used to NAT inbound traffic to the PBX.
  6. Enter the Internal/Private IP address of the PBX and click “OK” (in this example the internal/private IP of PBX is
  7. Click “Save” and the SNAT Policy is now active.
Step 2: Create Firewall Policy

After setting up the static NAT, a Firewall Policy must be configured:

  1. Navigate under Firebox® > Firewall > Firewall Policies and click “Add Policy”
  2. In this example the name “VOICEHOST_Services” is given to the Policy Name.
  3. As a “Policy Type” select “Custom” and click “Add”.
  4. In this example the name “VOICEHOST_Ports” is given to the “Policy Template”
  5. Use the “Add” button below “Protocols” to add a custom list of ports which shall be allowed to connect to the PBX. (All ports and port ranges which need to be added to this list can be found here:
  6. “Single Port” or “Port Range” can be selected. When all ports are set, click “Save”
  7. Remove the “From” and “To” objects.
  8. Under “From” click “Add”
  9. Under the drop down menu select “Any External” and “OK”
  10. Under “To” click “Add”
  11. Under the drop down menu select “Static NAT”
  12. The SNAT created previously will be listed (in this example “VOICEHOST_SNAT”). Select the SNAT and click “OK”
  13. The Firewall policy should look like the screenshot below:

In this example, “Any External” is used, so any host can establish a connection to the allowed ports on the public IP address of the PBX. If the source of the incoming traffic must be limited, create a group of allowed IPs and add it under “From” in place of “Any External”.
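
One way to sanity-check the list of allowed source IPs before entering it under “From” (an added example, not part of the original guide or of any Watchguard tooling). The sample addresses are constructed documentation ranges, the function names are hypothetical, and the /24 minimum prefix is an assumption to adjust to your own policy; IPv4 only.

```python
import ipaddress

# RFC 1918 ranges cannot be legitimate sources arriving on the External interface.
RFC1918 = [ipaddress.IPv4Network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MIN_PREFIX = 24  # assumption: anything broader than a /24 gets manual review

# Constructed sample input (documentation ranges), as it might arrive in a request.
SAMPLE_ENTRIES = [
    "203.0.113.0/25", "203.0.113.128/25",  # two halves of one carrier range
    "198.51.100.7",                        # single remote office
    "0.0.0.0/0",                           # equivalent to "Any External"
    "192.168.1.0/24",                      # internal range pasted by mistake
    "198.51.100.7/24",                     # host bits set: ambiguous intent
]

def build_from_group(entries):
    """Return (collapsed allow-list, [(entry, reason)] for rejected entries)."""
    accepted, rejected = [], []
    for raw in entries:
        try:
            net = ipaddress.IPv4Network(raw.strip(), strict=True)
        except ValueError as exc:
            rejected.append((raw, f"invalid: {exc}"))
            continue
        if net.prefixlen < MIN_PREFIX:
            rejected.append((raw, f"broader than /{MIN_PREFIX}"))
        elif any(net.overlaps(p) for p in RFC1918):
            rejected.append((raw, "private (RFC 1918) range"))
        else:
            accepted.append(net)
    # Merge adjacent/duplicate networks so the group stays short and reviewable.
    return list(ipaddress.collapse_addresses(accepted)), rejected

def source_allowed(group, src):
    """True if src would match a member of the "From" group."""
    addr = ipaddress.IPv4Address(src)
    return any(addr in net for net in group)

if __name__ == "__main__":
    group, rejected = build_from_group(SAMPLE_ENTRIES)
    for net in group:
        print("allow ", net)
    for raw, reason in rejected:
        print("reject", raw, "->", reason)
```

The accepted networks are what would be entered as members of the “From” group; rejected entries go back to whoever requested them.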


Get in touch

VoiceHost Limited
Norfolk Tower
Surrey Street

UK Freephone 0800 2 545454

International +44 1603904090

support [at]
