identifying open ports

Posted on 2010-09-23
Last Modified: 2012-05-10
I'm not a user of SonicWall devices, but have to learn. So, be gentle with me.
I have a Moneris (credit card machine) terminal behind a SonicWall. Suddenly it stopped working?
Nobody knows how, or even has access to the SonicWall. So, Moneris support says it's a firewall issue?
Naturally nobody knows how anything suddenly changed after years. Regardless, I have one simple task
I don't know how to do.

Disable the firewall. It sounds like I need to move a rule up the priority that allows ALL traffic in and out.
What I'm looking for are details on how to accomplish that, to either rule out or validate that the SonicWall is blocking
ports 443 and/or 8031.

If anyone can direct this novice I'd be thankful. Generally, I'm not familiar with the security-type language and have
trouble understanding without a good "hello world" example.

Question by:iMonkey69
LVL 83

Expert Comment

by:Dave Baldwin
ID: 33751671
Is anything working?  If nothing behind the Sonic Wall is working, connect ahead of it to make sure you have a connection to work with.

Expert Comment

ID: 33752054
If you have physical access to the firewall can you try circumventing it temporarily to prove that the problem lies with the firewall? I.e. Remove the connection to the firewall and connect the terminal "directly" to the network.
LVL 33

Expert Comment

ID: 33754103
I'm in agreement with x3man. Before making any changes to the SonicWall, the best bet is to bypass the SonicWall, put the CC machine directly on the internet and test. If it fails, then you know it's the CC machine. If it passes, then you know it's the SonicWall.

The ports you mentioned, 443/8031: do these ports need to be allowed through the SonicWall to the CC machine? Also, do you have an Exchange server internally? If so, then port 443 will already be mapped to it through the SonicWall. Perhaps you have more than one public IP address?

LVL 15

Accepted Solution

ZabagaR earned 500 total points
ID: 33765243
Aside from taking the SonicWall off and testing directly to the device in question, you can also:

Obtain the external WAN IP of your network and run a telnet command to ports 443 and 8031 from the outside. You can do this from Internet Explorer on any machine on your network. Then go to a command prompt and type telnet x.x.x.x 443 and see if you get blocked or your screen refreshes/responds (meaning an open connection). Preferably run that telnet command from a PC outside of your network.

If the sonicwall is blocking do this:

On the SonicWall add 2 services (there's a "service" tab). Call one moneris and assign it TCP 443. Call another moneris2 and assign it TCP 8031. Now you can either run the Public Server Wizard twice OR add 2 WAN to LAN rules. If you run the Public Server Wizard you just tell the SonicWall to allow service 'moneris' to forward to the LAN address of your Moneris device. Then you'd repeat with the moneris2 service. OR, to do this manually, you'd go to firewall settings and make 2 new rules: WAN to LAN, allow all incoming traffic on 443 and pass it to the IP of the Moneris device. Then repeat for port 8031 (moneris2).

I use SonicWall A LOT. You didn't say which model you have, which can make the solution vary a little.
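The manual telnet test above gives three different behaviours that are easy to misread: the screen goes blank (the connection was accepted), an immediate "could not open connection" (the target answered with a reset), or a long hang (nothing answered at all). The script below is an added example, not code from the thread or from any of its posters, that makes the same TCP connect attempt from the outside and labels the three outcomes explicitly; the host, ports and timeout on the command line are whatever you pass in. A "filtered" result (silent drop) is what a blocking firewall rule normally looks like, while "closed" means something at that address answered, so the packet was not simply dropped. Note that this only checks inbound reachability of the public IP, which is what the answer proposes; run the same script from a PC behind the firewall against the remote endpoint to check the outbound direction.

```python
#!/usr/bin/env python3
"""Probe TCP ports the way a manual `telnet host port` test does, but
report the result as open / closed / filtered / unreachable instead of
leaving the reader to interpret a blank screen or a hang."""
import socket
import sys


def check_tcp_port(host, port, timeout=3.0):
    """Attempt one full TCP connect to host:port and classify the result.

    open        - handshake completed: a listener (or the NAT target behind
                  the firewall) accepted the connection
    closed      - RST received: the address is reachable but nothing is
                  listening, or the firewall is rejecting rather than dropping
    filtered    - no answer before the timeout: typical of a firewall rule
                  that silently drops the packet
    unreachable - local error before any packet got far (no route, bad name)
    """
    try:
        addrinfo = socket.getaddrinfo(host, port, socket.AF_UNSPEC,
                                      socket.SOCK_STREAM)
    except socket.gaierror:
        return "unreachable"
    family, socktype, proto, _, sockaddr = addrinfo[0]
    s = socket.socket(family, socktype, proto)
    s.settimeout(timeout)
    try:
        s.connect(sockaddr)
        return "open"
    except socket.timeout:          # must precede OSError: it is a subclass
        return "filtered"
    except ConnectionRefusedError:  # also an OSError subclass
        return "closed"
    except OSError:
        return "unreachable"
    finally:
        s.close()


def check_ports(host, ports, timeout=3.0):
    """Probe several ports on one host; returns {port: result}."""
    return {p: check_tcp_port(host, p, timeout) for p in ports}


def start_local_listener():
    """Open a listening socket on an ephemeral loopback port so the checker
    can be exercised offline. Returns (socket, port); close the socket to
    turn the port into a 'closed' one. Demonstration helper only."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    # Usage: portcheck.py <public-ip-or-name> <port> [<port> ...]
    # e.g.   portcheck.py x.x.x.x 443 8031   (x.x.x.x is your WAN address)
    if len(sys.argv) < 3:
        sys.exit("usage: portcheck.py HOST PORT [PORT ...]")
    target = sys.argv[1]
    results = check_ports(target, [int(p) for p in sys.argv[2:]])
    for port, state in results.items():
        print("%s:%d %s" % (target, port, state))
```

Because the asker worried that port 8031 might have "no responder", the distinction matters: if the firewall forwards 8031 to the terminal but the terminal is not listening, the terminal's own reset produces "closed", whereas a drop rule on the firewall produces "filtered". Only "filtered" points at the firewall; "closed" says the traffic got an answer from something.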

Author Comment

ID: 33772686
Thanks for all this. There were a couple of things I was thinking may work, but haven't tried yet. From my understanding, depending on the ScreenOS being run, you can move the priority of the access rules. So, effectively I should be able to open an ANY/ANY access rule and elevate it to the top priority and that "should" be a valid sort of simulation of removing the firewall. At least I theorize that? Other than that, I WILL replace it with a temp firewall to test. I'll also do the telnet thing, although I don't know if port 8031 has a responder to accept the connection. Which was why I wanted to know if there was any way to easily identify "open" ports. Seems like the easiest way is ALL open, test, back to original config, test. Then at least I'm down to a firewall issue.

Having said all that, I'm looking at two separate SonicWalls, and one has an easy way to adjust priority; the other, I still don't know how to.

YES, it's time to sit down with one of these;-)  

I'm going to roll with ZabagaR's educational remarks. I can do all that, as you've tipped me off with this Wizard thingy. I don't have access, but will get the model later I hope.

Thanks for all the input.  Really;-)

LVL 33

Expert Comment

ID: 33773030
I never recommend disabling the firewall capabilities of any firewall, and you do so at your own risk. It's one thing to take a firewall down and expose a single host, but quite another to modify the existing firewall and expose your entire network.

Further, we're not talking about JUST the firewall access rules. Firewalls also perform network address translation (NAT), which can be the largest headache. It's easy to simply open the firewall for specific traffic; it's another thing to try and map the public to the private. The Public Server Wizard alluded to by ZabagaR would create all the address objects, firewall rules and NAT policies. However, as I pointed out, port 443 is a common port for SSL and may already be used, so you'll need to watch out for that.

Can you provide feedback to my questions here, http:#a33754103?
LVL 15

Expert Comment

ID: 33780221
Yes, port 443 is already a remote management port for the SonicWall. If you are already allowed to HTTPS to the SonicWall from the outside/WAN, then you'd probably want to change that management port to something else. There's a section under the administration tab where you tell the SonicWall if you want to allow management by HTTP and HTTPS, and you can also change the default ports right there too.

Author Closing Comment

ID: 33891385
I think the question was answered enough, but I think my wording didn't give enough to get the exact response I needed. Regardless, I took their tips and used them to figure the rest of the pieces out.
