Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium


identifying open ports

Posted on 2010-09-23
Medium Priority
Last Modified: 2012-05-10
I'm not a user of sonicwall devices, but have to learn. So, be gentle with me.
I have a moneris(credit card machine) terminal behind a sonicwall.  Suddenly it stopped working?  
Nobody knows how or even has access to the sonicwall.  So, moneris support says its a firewall issue?
Naturally nobody knows how anything suddenly changed after years. Regardsless, I have one simple task
I don't know how to do.  

Disable the firewall.  It sounds like I need to move a rule up the prioity that allows ALL traffic in and out.
What I'm looking for are details on how to accomplish that to either rule out, or validate that the sonicwall is blocking
ports 443 and or 8031.

If anyone can direct this novice I'd be thankfull.  Generally, I'm not familiar with the security type language and have
troubles understanding without a good "hello world" example.

Question by:iMonkey69
  • 2
  • 2
  • 2
  • +2
LVL 84

Expert Comment

by:Dave Baldwin
ID: 33751671
Is anything working?  If nothing behind the Sonic Wall is working, connect ahead of it to make sure you have a connection to work with.

Expert Comment

ID: 33752054
If you have physical access to the firewall can you try circumventing it temporarily to prove that the problem lies with the firewall? I.e. Remove the connection to the firewall and connect the terminal "directly" to the network.
LVL 33

Expert Comment

ID: 33754103
I'm in agreeance with x3man.  before making any changes to the sonicwall, best bet is to bypass the sonicwall, put the CC machine directly on the internet and test.  if it fails, then you know it's the CC machine.  if it passes, then you know it's the sonicwall.the ports you mentioned, 443/8031, do via these ports need to be allowed through the sonicwall to the CC machine?  Also, do you have an Exchange server internally?  if so, then port 443 will already be mapped to it through the sonicwall.  perhaps you have more than one public IP address?
Who's Defending Your Organization from Threats?

Protecting against advanced threats requires an IT dream team – a well-oiled machine of people and solutions working together to defend your organization. Download our resource kit today to learn more about the tools you need to build you IT Dream Team!

LVL 15

Accepted Solution

ZabagaR earned 1500 total points
ID: 33765243
Aside from taking the sonicwall off and testing directly to the device in question you can also:

obtain the external wan IP of your network and run a telnet command to port 443 and 8031 from the outside. You can do http://whatismyip.com from internet explorer from any machine on your network. Then go to a command prompt and type telnet x.x.x.x 443 and see if you get blocked or your screen refreshes/responds (meaning open connection). Preferably run that telnet command from a PC outside of your network.

If the sonicwall is blocking do this:

On the sonicwall add 2 services (there's a "service" tab). Call one moneris and assign it tcp 443. Call another moneris2 and assign it tcp 8031. Now you can either run the public server wizard twice OR add 2 WAN to LAN rules. If you run the public server wizard you just tell the sonicwall to allow service 'moneris' to forward to the lan address of your moneris device. Then you'd repeat with the moneris2 service. OR to do this manually, you'd go to firewall settings and make 2 new rules. WAN to LAN, allow all incoming traffic on 443 and pass it to IP of the moneris device. Then repeat for port 8031 (moneris2).

I use sonicwall A LOT.  You didn't say which model you have which can make the solution vary a little.

Author Comment

ID: 33772686
Thanks for all this. There were a couple things I was thinking may work, but haven't tried yet.  From my understanding, depending on the ScreeOS being run you can move the priority of the Access rules. So, effectively I should be able to open an ANY/ANY access rule and elevate it to the top priority and that "should" be a valid sort of simulation to removing the firewall.  At least I theorize that?  Other than that I WILL replace it with a temp firewall to test.  I'll also do the Telnet thing, although I don't know if port 8031 has a responder to accept the connection.  Which was why I wanted to know if there was any way to easily identify "open" ports.  Seems like the easiest way is ALL open, test, back to original config, test.  Then at least I'm down to a firewall issue.

Having said all that, I'm looking at two separate Sonicwall's and one has an easy way to adjust priority, the other, I still don't know how to?  

YES, it's time to sit down with one of these;-)  

I'm going to roll with ZabagaR's educational remarks.  I can do all that as you've tipped me off with this Wizard thingy.  I don't have access, but will get the model later I hope.

Thanks for all the input.  Really;-)

LVL 33

Expert Comment

ID: 33773030
I never recommend disabling the firewall capabilities of any firewall and you do so at your own risk.  It's one thing to take a firewall down and expose a singe host, but quite another to modify the existing firewall and expose your entire network.

Further, we're not talking about JUST the firewall access rules.  Firewall's also perform network address translation (NAT), which can be the largest headache.  It's easy to simply open the firewall for specific traffic, it's another to try and map the public to the private.  The Public Server Wizard eluded to by ZabagaR would create all the address object, firewall rules and nat policies.  However, as I pointed out, port 443 is a common port for SSL and may already be used so you'll need to watch out for that.

Can you provide feedback to my questions here, http:#a33754103?
LVL 15

Expert Comment

ID: 33780221
Yes, port 443 is already a remote management port for the sonicwall. If you are already allowed to https to the sonicwall from the outside/wan then you'd probably want to change that management port to something else. There's a section from the administration tab where you tell the sonicwall if you want to allow management by HHTP and HTTPS then you can also change the default ports right there too.

Author Closing Comment

ID: 33891385
I think the question was answered enough, but I think my wording didn't give enough to get the exact response I needed.  Regardless, I took their tips and used them to figure the rest of the pieces out.

Featured Post

Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Occasionally, we encounter connectivity issues that appear to be isolated to cable internet service.  The issues we typically encountered were reset errors within Internet Explorer when accessing web sites or continually dropped or failing VPN conne…
How to fix a SonicWall Gateway Anti-Virus firewall blocking automatic updates to apps like Windows, Adobe, Symantec, etc.
Despite its rising prevalence in the business world, "the cloud" is still misunderstood. Some companies still believe common misconceptions about lack of security in cloud solutions and many misuses of cloud storage options still occur every day. …
When cloud platforms entered the scene, users and companies jumped on board to take advantage of the many benefits, like the ability to work and connect with company information from various locations. What many didn't foresee was the increased risk…
Suggested Courses
Course of the Month14 days, 20 hours left to enroll

578 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question