identifying open ports

I'm not a user of sonicwall devices, but have to learn. So, be gentle with me.
I have a Moneris (credit card machine) terminal behind a sonicwall. Suddenly it stopped working?
Nobody knows how or even has access to the sonicwall. So, Moneris support says it's a firewall issue?
Naturally nobody knows how anything suddenly changed after years. Regardless, I have one simple task I don't know how to do.

Disable the firewall. It sounds like I need to move a rule up the priority that allows ALL traffic in and out.
What I'm looking for are details on how to accomplish that to either rule out, or validate that the sonicwall is blocking ports 443 and/or 8031.

If anyone can direct this novice I'd be thankful. Generally, I'm not familiar with the security type language and have troubles understanding without a good "hello world" example.

Regards,
C
Asked by iMonkey69

ZabagaR commented:
Aside from taking the sonicwall off and testing directly to the device in question you can also:

obtain the external wan IP of your network and run a telnet command to port 443 and 8031 from the outside. You can do http://whatismyip.com from internet explorer from any machine on your network. Then go to a command prompt and type telnet x.x.x.x 443 and see if you get blocked or your screen refreshes/responds (meaning open connection). Preferably run that telnet command from a PC outside of your network.

If the sonicwall is blocking do this:

On the sonicwall add 2 services (there's a "service" tab). Call one moneris and assign it tcp 443. Call another moneris2 and assign it tcp 8031. Now you can either run the public server wizard twice OR add 2 WAN to LAN rules. If you run the public server wizard you just tell the sonicwall to allow service 'moneris' to forward to the lan address of your moneris device. Then you'd repeat with the moneris2 service. OR to do this manually, you'd go to firewall settings and make 2 new rules. WAN to LAN, allow all incoming traffic on 443 and pass it to IP of the moneris device. Then repeat for port 8031 (moneris2).

I use sonicwall A LOT.  You didn't say which model you have which can make the solution vary a little.
Dave Baldwin commented:
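A scripted version of the telnet check above, added here as an example rather than anything from the thread: a plain TCP connect test that distinguishes "open" from "closed" (connection refused, so the host is reachable and nothing is listening) and "filtered" (timeout, the usual signature of a firewall dropping the SYN), which a telnet session does not make obvious. The terminal address is a constructed placeholder; the two ports are the ones from the question.

```python
import socket
from typing import Dict, Iterable

# Constructed placeholder for the Moneris terminal's LAN address (documentation
# range, not a real device). The ports are the two named in the question.
TERMINAL_HOST = "192.0.2.10"
TERMINAL_PORTS = (443, 8031)


def classify_port(host: str, port: int, timeout: float = 3.0) -> str:
    """TCP connect test for one port.

    'open'     - three-way handshake completed, something is listening
    'closed'   - RST / connection refused: reachable, but nothing listening
    'filtered' - no answer before the timeout: typical of a firewall drop
    Any other socket error is reported as 'error:<reason>'.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "filtered"
    except OSError as exc:
        return f"error:{exc.strerror or exc}"


def scan(host: str, ports: Iterable[int], timeout: float = 3.0) -> Dict[int, str]:
    """Classify every port in 'ports' on 'host'."""
    return {p: classify_port(host, p, timeout) for p in ports}


def local_listener():
    """Loopback listener on an ephemeral port, so the check can be exercised
    without touching any real device. Returns (server_socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    srv, port = local_listener()
    print(port, classify_port("127.0.0.1", port))   # open
    srv.close()
    print(port, classify_port("127.0.0.1", port))   # closed
    # Run the same scan once from inside the LAN and once from outside against
    # the public WAN address: 'open' inside but 'filtered' outside points at the
    # SonicWall or its NAT; 'closed' from both sides points at the terminal.
    print(scan(TERMINAL_HOST, TERMINAL_PORTS))
```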
Is anything working?  If nothing behind the Sonic Wall is working, connect ahead of it to make sure you have a connection to work with.
x3man commented:
If you have physical access to the firewall can you try circumventing it temporarily to prove that the problem lies with the firewall? I.e. Remove the connection to the firewall and connect the terminal "directly" to the network.
digitap commented:
I'm in agreement with x3man. Before making any changes to the sonicwall, best bet is to bypass the sonicwall, put the CC machine directly on the internet and test. If it fails, then you know it's the CC machine. If it passes, then you know it's the sonicwall. The ports you mentioned, 443/8031, do these ports need to be allowed through the sonicwall to the CC machine? Also, do you have an Exchange server internally? If so, then port 443 will already be mapped to it through the sonicwall. Perhaps you have more than one public IP address?

iMonkey69 (author) commented:
Thanks for all this. There were a couple things I was thinking may work, but haven't tried yet.  From my understanding, depending on the ScreeOS being run you can move the priority of the Access rules. So, effectively I should be able to open an ANY/ANY access rule and elevate it to the top priority and that "should" be a valid sort of simulation to removing the firewall.  At least I theorize that?  Other than that I WILL replace it with a temp firewall to test.  I'll also do the Telnet thing, although I don't know if port 8031 has a responder to accept the connection.  Which was why I wanted to know if there was any way to easily identify "open" ports.  Seems like the easiest way is ALL open, test, back to original config, test.  Then at least I'm down to a firewall issue.

Having said all that, I'm looking at two separate Sonicwalls and one has an easy way to adjust priority, the other, I still don't know how to?

YES, it's time to sit down with one of these;-)  

I'm going to roll with ZabagaR's educational remarks.  I can do all that as you've tipped me off with this Wizard thingy.  I don't have access, but will get the model later I hope.

Thanks for all the input.  Really;-)

Regards,
C
digitap commented:
I never recommend disabling the firewall capabilities of any firewall and you do so at your own risk. It's one thing to take a firewall down and expose a single host, but quite another to modify the existing firewall and expose your entire network.

Further, we're not talking about JUST the firewall access rules. Firewalls also perform network address translation (NAT), which can be the largest headache. It's easy to simply open the firewall for specific traffic, it's another to try and map the public to the private. The Public Server Wizard alluded to by ZabagaR would create all the address objects, firewall rules and NAT policies. However, as I pointed out, port 443 is a common port for SSL and may already be used so you'll need to watch out for that.

Can you provide feedback to my questions here, http:#a33754103?
ZabagaR commented:
Yes, port 443 is already a remote management port for the sonicwall. If you are already allowed to https to the sonicwall from the outside/wan then you'd probably want to change that management port to something else. There's a section from the administration tab where you tell the sonicwall if you want to allow management by HTTP and HTTPS, and you can also change the default ports right there too.
iMonkey69 (author) commented:
I think the question was answered enough, but I think my wording didn't give enough to get the exact response I needed.  Regardless, I took their tips and used them to figure the rest of the pieces out.