1. Home
  2. WhatsApp Business Integration for vTiger
  3. WhatsApp Business API – Network & Firewall Configuration Guidelines
Searching...

WhatsApp Business API – Network & Firewall Configuration Guidelines

For Customers Using On-Premise Servers or FirewallsWhen using the WhatsApp Business API (WABA) behind a firewall, or when CRM
systems are hosted on-premise, it is important to configure network rules according to Meta’s official
requirements. Meta uses dynamic CDN networks and does not provide a fixed IP list, so the firewall must be
configured in a way that allows WhatsApp services to work reliably.
This document provides simplified guidance for IT teams and network
administrators.
1. Why Firewall Rules Are Needed

The WhatsApp Business API must connect to Meta’s systems to:

  • Send & receive messages
  • Upload and download media (images, files, voice notes)
  • Access the Graph API
  • Retrieve webhook events

If your server blocks Meta CDN or Graph API calls, the WhatsApp features will not work.2. Meta Uses Dynamic IP Addresses2. Meta
Uses Dynamic IP Addresses

  • lookaside.fbsbx.com
  • *.cdn.whatsapp.net
  • media-*.cdn.whatsapp.net
  • graph.facebook.com
  • graph.whatsapp.com

Because IPs change frequently, whitelisting static IPs is NOT recommended unless your firewall cannot use
FQDN-based rules.
3. Recommended Approach (Option A – Preferred)Allow by FQDN
(Hostname-Based Whitelisting)If your firewall supports FQDN rules (Palo Alto, FortiGate, Sophos, Cisco ASA
etc.), allow the following hostnames:
Required Hostnames

  • *.cdn.whatsapp.net
  • g.whatsapp.net
  • graph.facebook.com
  • graph.whatsapp.com/li>
  • media-*.cdn.whatsapp.net
  • media-*.fna.whatsapp.net
  • mmg.whatsapp.net
  • pps.whatsapp.net
  • static.whatsapp.net
  • v.whatsapp.net
  • lookaside.fbsbx.com

Ports Required
443 (HTTPS)
This is the least maintenance and fully compatible method.
4. Alternative Approach (Option B – IP Whitelisting)If your firewall cannot whitelist hostnames, you may need to whitelist Meta’s IP ranges, but note:

  • These IPs change often
  • You must refresh them regularly (daily/weekly recommended)
  • This method is more complex and less reliable

Examples of Meta/Facebook IPs (subject to change):

  • 3.33.221.48/32
  • 3.33.252.61/32
  • 15.197.206.217/32
  • 15.197.210.208/32
  • 31.13.64.60/31
  • 31.13.65.49/32
  • 31.13.65.50/32
  • (and many more)

Important: These IPs are not stable. You must automatically refresh DNS using scripts like:
dig +short lookaside.fbsbx.com
dig +short graph.facebook.com
This should update your firewall’s IP allowlist.
5. Option C – Use a Proxy (If strict firewall rules exist)You can host a
public proxy or intermediate server that:

  • Receives uploads from your CRM
  • Sends them to WhatsApp/Meta
  • Avoids exposing your internal server to Meta’s fetch requests

This is useful when:

  • Your CRM is completely blocked from external internet
  • Your security policies restrict inbound connections
  • You don’t want Meta CDN hitting your internal origin server

6. Meta’s Official Network Requirements

Your server must have uninterrupted access to Meta’s required hostnames to ensure smooth WhatsApp Business API
operations.
This access is required for:

  • Message Delivery
  • Media Sending & Receiving (Images, PDFs, Voice, Videos)
  • Template Message Submission
  • Webhook Events
  • API Authentication & Token Validation


Any network interruption, firewall block, or DNS resolution failure can directly impact WhatsApp message flow and
delivery.

7. Summary (Simple Guidance for Customers)

  • If possible, configure FQDN whitelisting
    → Easiest method and fully aligned with Meta’s recommended design.
  • If your firewall can only whitelist IPs
    → Add Meta IPs and schedule daily DNS refresh to avoid service disruption.
  • If your environment is highly restricted
    → Use a proxy server for controlled and secure external communication.

8. Recommended by CRMTiger

For all CRM On-Premises customers or firewall-restricted servers, CRMTiger strongly recommends:
Use FQDN Whitelist (Option A) – Best Practice
By following this approach, you can avoid issues such as:

  • Media files not downloading
  • API calls failing
  • Template message rejections
  • Message delivery delays
  • Webhook events not being received

9. Conclusion

Meta uses large, dynamic, global CDN networks. Due to this architecture, static IP-based firewall rules are
unreliable.
To ensure your WhatsApp Business API works without interruption, your network must be configured according to the
guidelines above.
If your IT team needs assistance, CRMTiger can help with:

  • Firewall rule setup
  • Endpoint testing
  • Network troubleshooting
  • WhatsApp Business API configuration

 

Updated on December 31, 2025

Was this article helpful?

Yes No

Related Articles