Solved

identifying open ports

Posted on 2010-09-23
Last Modified: 2012-05-10
I'm not a user of sonicwall devices, but have to learn. So, be gentle with me.
I have a Moneris (credit card machine) terminal behind a sonicwall. Suddenly it stopped working?
Nobody knows how or even has access to the sonicwall. So, Moneris support says it's a firewall issue?
Naturally nobody knows how anything suddenly changed after years. Regardless, I have one simple task
I don't know how to do.

Disable the firewall. It sounds like I need to move a rule up the priority that allows ALL traffic in and out.
What I'm looking for are details on how to accomplish that to either rule out, or validate, that the sonicwall is blocking
ports 443 and/or 8031.

If anyone can direct this novice I'd be thankful. Generally, I'm not familiar with the security type language and have
trouble understanding without a good "hello world" example.

Regards,
C
Question by:iMonkey69
8 Comments
 
LVL 82

Expert Comment

by:Dave Baldwin
ID: 33751671
Is anything working?  If nothing behind the Sonic Wall is working, connect ahead of it to make sure you have a connection to work with.
0
 
LVL 9

Expert Comment

by:x3man
ID: 33752054
If you have physical access to the firewall can you try circumventing it temporarily to prove that the problem lies with the firewall? I.e. Remove the connection to the firewall and connect the terminal "directly" to the network.
0
 
LVL 33

Expert Comment

by:digitap
ID: 33754103
I'm in agreement with x3man. Before making any changes to the sonicwall, best bet is to bypass the sonicwall, put the CC machine directly on the internet and test. If it fails, then you know it's the CC machine. If it passes, then you know it's the sonicwall. The ports you mentioned, 443/8031, do these ports need to be allowed through the sonicwall to the CC machine? Also, do you have an Exchange server internally? If so, then port 443 will already be mapped to it through the sonicwall. Perhaps you have more than one public IP address?
0
 
LVL 15

Accepted Solution

by:ZabagaR (earned 500 total points)
ID: 33765243
Aside from taking the sonicwall off and testing directly to the device in question you can also:

obtain the external wan IP of your network and run a telnet command to port 443 and 8031 from the outside. You can do http://whatismyip.com from internet explorer from any machine on your network. Then go to a command prompt and type telnet x.x.x.x 443 and see if you get blocked or your screen refreshes/responds (meaning open connection). Preferably run that telnet command from a PC outside of your network.

If the sonicwall is blocking do this:

On the sonicwall add 2 services (there's a "service" tab). Call one moneris and assign it tcp 443. Call another moneris2 and assign it tcp 8031. Now you can either run the public server wizard twice OR add 2 WAN to LAN rules. If you run the public server wizard you just tell the sonicwall to allow service 'moneris' to forward to the lan address of your moneris device. Then you'd repeat with the moneris2 service. OR to do this manually, you'd go to firewall settings and make 2 new rules. WAN to LAN, allow all incoming traffic on 443 and pass it to IP of the moneris device. Then repeat for port 8031 (moneris2).

I use sonicwall A LOT.  You didn't say which model you have which can make the solution vary a little.
0
 

Author Comment

by:iMonkey69
ID: 33772686
Thanks for all this. There were a couple things I was thinking may work, but haven't tried yet. From my understanding, depending on the ScreenOS being run you can move the priority of the Access rules. So, effectively I should be able to open an ANY/ANY access rule and elevate it to the top priority and that "should" be a valid sort of simulation to removing the firewall. At least I theorize that? Other than that I WILL replace it with a temp firewall to test. I'll also do the Telnet thing, although I don't know if port 8031 has a responder to accept the connection. Which was why I wanted to know if there was any way to easily identify "open" ports. Seems like the easiest way is ALL open, test, back to original config, test. Then at least I'm down to a firewall issue.

Having said all that, I'm looking at two separate sonicwalls and one has an easy way to adjust priority; the other, I still don't know how to?

YES, it's time to sit down with one of these;-)  

I'm going to roll with ZabagaR's educational remarks.  I can do all that as you've tipped me off with this Wizard thingy.  I don't have access, but will get the model later I hope.

Thanks for all the input.  Really;-)

Regards,
C
0
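The telnet test from ZabagaR's answer and the "no responder on 8031" caveat from the author's reply, as an added example that is not from the thread: a small Python checker that tells a refused connection (host reachable, nothing listening) from one that times out (traffic being dropped, which is what a firewall block looks like from outside). The WAN address in the main block is a placeholder, not a value from the thread.

```python
import socket
from contextlib import closing

# Added example, not code from the thread. It runs the telnet-style check from
# the accepted answer against one port and separates the outcomes: the port
# answers ("open"), the host answers with a refusal ("closed", i.e. reachable
# but nothing listening, like a terminal with no responder on 8031), or nothing
# comes back before the timeout ("filtered", a firewall silently dropping it).

def classify_port(host: str, port: int, timeout: float = 3.0) -> str:
    """Return 'open', 'closed', 'filtered' or 'unreachable' for host:port."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "closed"       # RST came back: host up, no listener
        except socket.timeout:
            return "filtered"     # no SYN/ACK and no RST: dropped on the path
        except OSError:
            return "unreachable"  # routing or DNS failure, not a firewall verdict


def check_moneris_ports(wan_ip: str) -> dict:
    """Check the two ports named in the thread from outside the network."""
    return {port: classify_port(wan_ip, port) for port in (443, 8031)}


def start_local_listener():
    """Bind a throwaway listener on 127.0.0.1 so the 'open' case can be seen offline."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


def find_closed_local_port() -> int:
    """Pick a loopback port nothing listens on (bind to grab it, then release it)."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as tmp:
        tmp.bind(("127.0.0.1", 0))
        return tmp.getsockname()[1]


if __name__ == "__main__":
    # 203.0.113.10 is a placeholder; use the WAN IP from whatismyip.com and run
    # this from a PC outside the network, as the accepted answer advises.
    for port, state in check_moneris_ports("203.0.113.10").items():
        print(f"tcp/{port}: {state}")
```

A "filtered" result on 8031 points at the firewall; a "closed" result means the traffic reached a host and the terminal side is the one to look at.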
 
LVL 33

Expert Comment

by:digitap
ID: 33773030
I never recommend disabling the firewall capabilities of any firewall and you do so at your own risk. It's one thing to take a firewall down and expose a single host, but quite another to modify the existing firewall and expose your entire network.

Further, we're not talking about JUST the firewall access rules. Firewalls also perform network address translation (NAT), which can be the largest headache. It's easy to simply open the firewall for specific traffic, it's another to try and map the public to the private. The Public Server Wizard alluded to by ZabagaR would create all the address objects, firewall rules and NAT policies. However, as I pointed out, port 443 is a common port for SSL and may already be used so you'll need to watch out for that.

Can you provide feedback to my questions here, http:#a33754103?
0
 
LVL 15

Expert Comment

by:ZabagaR
ID: 33780221
Yes, port 443 is already a remote management port for the sonicwall. If you are already allowed to https to the sonicwall from the outside/WAN then you'd probably want to change that management port to something else. There's a section under the administration tab where you tell the sonicwall if you want to allow management by HTTP and HTTPS, and you can also change the default ports right there too.
0
 

Author Closing Comment

by:iMonkey69
ID: 33891385
I think the question was answered enough, but I think my wording didn't give enough to get the exact response I needed.  Regardless, I took their tips and used them to figure the rest of the pieces out.
0
