VoIP News OnSIP News Developer News

Quick Overview of the Watchguard Fireware XTM 2 (v 11.4.1)

by Eric Phipps

The OnSIP NOC team tests the Watchguard Fireware XTM 2 gateway device for compatibility with our service.

Published: July 13, 2011

One of the jobs of the Junction Networks NOC is to test equipment to ascertain if a device will function properly with our service or not. We run through a lot of phones which are mostly successful and a lot of Gateway devices with SIP ALGs which are less successful.

The New York team puts a hurting on our gateway devices. We have expanded from 4 to 13 people in our office with SIP phones, laptops, tablets, ATAs, cell phones, development environments, and even a fully functional phone lab with new end points and routing needs added weekly.

If a device is rated for twenty users, it typically doesn't mean twenty of us.

We put a hurt on gateway devices, but we are the perfect testing environment because we can spot issues with devices and communicate them to our client base as soon as we spot them. Hardware related advice can be found in our knowledgebase.

Our current gateway is the Juniper SSG5, which aside from the non-functional SIP ALG has been a fine device, but we've frankly outgrown it, so we have been looking for additional routers or firewalls to test in its place.

The most recent test has been the Watchguard Fireware XTM 2 (software version 11.4.1). We selected it because more of our users have been going with Watchguard.

The Watchguard XTM 2 is a small branch office firewall appliance giving full service protection and packet inspection in a very easy to use GUI environment. It's designed for small or branch offices offering a suite of proprietary routing and security options.

The XTM 2 was really quite easy to get set up and running, even with our complex clutch of various networks, and has what is probably the best looking monitoring interface we've yet seen.

Unfortunately, the SIP ALG is non-functional due to an acknowledged bug in how it transforms SIP invites.

When the SIP ALG is turned on, the invitation packets find their contact field stripped if the contact field mentions a domain.

The OnSIP domain contact addresses mention gateway information which originates from our Proxies and a typical call looks like this:

Contact: < sip:gw@gw0.pstn.jnctn.net;gr=gw0.pstn >

Due to the bug in the XTM SIP ALG, the contact field comes through like this:

Contact: < >

This is a known and outstanding issue with the SIP ALG for Watchguard who are currently tracking it here.

Information about the Contact header can be found in sections, 20.10 of RFC3261, where it states:

"While an FQDN is preferred, many end systems do not have registered domain names, so IP addresses are permitted."

At this time, we cannot recommend the Watchguard XTM series SIP ALG for use with Junction Networks. As the SIP ALG is disabled by default, it should be fine for use as is.

Though this admittedly crucial functionality was missing, the device was well designed enough that we look forward to the bug being fixed so that we may test the XTM in the future.

The Junction Networks NOC is always on the look out for the next gateway/routing device to test. As we can't know everything, we'd love to see what you, the users have or would like for us to look at. Please feel free to leave suggestions below.