

Hardware Firewalls





Hardware-based firewalls provide more sophisticated protection for inbound and outbound traffic than the simple Windows software firewall or the basic NAT firewalls found in routers. These devices implement techniques such as stateful packet inspection, deep packet inspection, and content filtering; and may include built-in antivirus and anti-malware protection.


I have an ASA 5506 with software version 9.5(2)10
I need to allow some new ports through. I have configured the following NAT policy and Access List:

access-list Outside_Access_In extended permit udp any object PAT-RemoteVoice eq 50794
access-group Outside_Access_In in interface outside

object network PAT-RemoteVoice
 nat (inside,Outside) static interface service tcp 50794 50794

I can't seem to connect on port 50794 however.
Any assistance would be appreciated.
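As an added example (not the poster's configuration and not Cisco's tooling), the script below parses the access-list and object NAT lines quoted in the post and reports where the protocol or port the ACL permits does not agree with the service the object's nat statement translates. It assumes post-8.3 NAT semantics, which apply to the poster's 9.5(2)10: an inbound ACL is matched against the real (untranslated) address and port, so the ACL port is compared with the first, real port of the `service` clause. The second object (`WEB-SRV`) and its two lines are constructed for contrast; only the subset of ASA syntax shown is parsed.

```python
import re

# Constructed input: the two statements quoted in the post, plus a second
# object (WEB-SRV, constructed here) whose ACL and NAT agree, for contrast.
SAMPLE_CONFIG = """\
access-list Outside_Access_In extended permit udp any object PAT-RemoteVoice eq 50794
access-group Outside_Access_In in interface outside

object network PAT-RemoteVoice
 nat (inside,Outside) static interface service tcp 50794 50794

object network WEB-SRV
 nat (inside,Outside) static interface service tcp 8443 443
access-list Outside_Access_In extended permit tcp any object WEB-SRV eq 8443
"""

# Only the subset of ASA syntax used above is recognised.
ACL_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+extended\s+permit\s+(?P<proto>tcp|udp)\s+"
    r"\S+\s+object\s+(?P<obj>\S+)\s+eq\s+(?P<port>\d+)\s*$")
OBJ_RE = re.compile(r"^object\s+network\s+(?P<obj>\S+)\s*$")
NAT_RE = re.compile(
    r"^\s+nat\s+\((?P<real_if>[^,]+),(?P<mapped_if>[^)]+)\)\s+static\s+interface\s+"
    r"service\s+(?P<proto>tcp|udp)\s+(?P<real_port>\d+)\s+(?P<mapped_port>\d+)\s*$")


def parse_asa(config):
    """Return (acl_entries, nat_by_object) for the subset of syntax above."""
    acls, nats, current = [], {}, None
    for line in config.splitlines():
        if not line.strip():
            continue
        if line[0].isspace():              # sub-command of the current object
            m = NAT_RE.match(line)
            if m and current:
                nats[current] = {k: (int(v) if v.isdigit() else v)
                                 for k, v in m.groupdict().items()}
            continue
        current = None                     # any top-level line ends the object block
        m = OBJ_RE.match(line)
        if m:
            current = m.group("obj")
            continue
        m = ACL_RE.match(line)
        if m:
            d = m.groupdict()
            d["port"] = int(d["port"])
            acls.append(d)
    return acls, nats


def audit(config):
    """Report ACL entries whose protocol/port disagree with the object's NAT service.

    Post-8.3 ASA matches inbound ACLs on the real port, i.e. the first port of
    'service <proto> <real> <mapped>', so that is what the ACL port is checked against.
    """
    acls, nats = parse_asa(config)
    findings = []
    for a in acls:
        n = nats.get(a["obj"])
        if n is None:
            findings.append(f"{a['name']}: object {a['obj']} has no nat statement")
        elif a["proto"] != n["proto"]:
            findings.append(
                f"{a['name']}: permits {a['proto']}/{a['port']} to {a['obj']}, "
                f"but its nat statement translates {n['proto']}/{n['real_port']}")
        elif a["port"] != n["real_port"]:
            findings.append(
                f"{a['name']}: permits {a['proto']}/{a['port']} to {a['obj']}, "
                f"but the real port in its nat statement is {n['real_port']}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run against the quoted lines it reports exactly one finding, for `PAT-RemoteVoice`: the ACL permits udp/50794 while the nat statement translates tcp/50794. Whichever protocol the remote voice application actually uses, both statements have to name it.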

I have a setup with 2 Checkpoint gateways (appliances) in a cluster and a virtual management. I have tried the below both with R77.30 and after upgrading to R80.10 with the same result.

I want to enable the https inspection blade. I have licenses and everything. My computers trust an internal PKI root CA certificate and I have issued an issuing certificate to the gateways without any issues.

When I activate the https blade, everything around https on the clients starts to behave strangely. It is very confusing. The moment I turn the blade off again everything works like a charm.

I am fully aware that https inspection takes a lot of fine tuning, but I haven't come to that stage yet. Right now, even when I have created an https decryption policy that bypasses *everything*, the clients have issues.

In an earlier stage I created a decryption policy only to decrypt traffic from one test-client but the users started to scream instantly. And now I am at a stage where the configuration looks like no https should ever be touched but enabling the blade still breaks user traffic.

As I said above, this is tried both on R77.30 and R80.10.

One thing I have noticed is that the trusted root cert list seems a bit old. The newest trusted root cert was issued in 2010! However, the dialogue below the cert list where an automatic update of certs should take place is empty. No new trusted root certificates ever show up.

At one place in the gui there is a dialogue with three …
In WatchGuard XTM SMTP Proxy definitions, it implies you can set up a rule for "masquerading".  However, how do you set up the replacement string?   For instance, if I want person@contoso.com to be redirected to person@contoso.org, it is easy enough to match the string and replace it.  But, if I want everyone @contoso.com to be redirected to their same name @contoso.org, how do you set up the replacement string?  You can use a wildcard on the string match but what syntax do they use for the replacement string to attach the portion before @contoso.com.   Seems that this should be a simple process for creating masquerading.
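What the replacement string looks like in WatchGuard's own syntax is for their documentation to say. As an added example, not WatchGuard's syntax and not the poster's configuration, the script below shows the rewrite the question describes: any local part at contoso.com goes to the same local part at contoso.org. A glob-style `*` in the pattern stands for one address component and the same `*` in the replacement reuses whatever it matched; rules are tried in order, anchored to the whole address and matched case-insensitively, and the same rewrite is applied to a header value that carries a display name. The rule table is constructed for the example.

```python
import re
from email.utils import formataddr, parseaddr

# Constructed rule table in the spirit of the question. '*' in the pattern
# matches one address component (no '@'); the same '*' in the replacement
# reuses what it matched. Rules are tried in order; the first match wins.
RULES = [
    ("sales@contoso.com", "team-sales@contoso.org"),   # specific mailbox first
    ("*@contoso.com", "*@contoso.org"),                # everyone else, same local part
]


def compile_rule(pattern, replacement):
    """Glob-style address pattern -> (anchored case-insensitive regex, expand template)."""
    if replacement.count("*") > pattern.count("*"):
        raise ValueError("replacement uses more '*' than the pattern provides")
    # Anchor both ends so 'person@contoso.com.attacker.example' does not match.
    regex = re.compile(
        "^" + "([^@]+)".join(re.escape(p) for p in pattern.split("*")) + "$",
        re.IGNORECASE)
    pieces = replacement.split("*")
    # Each '*' in the replacement becomes a back-reference \1, \2, ... in order.
    template = "".join(
        piece.replace("\\", "\\\\") + ("\\%d" % (i + 1) if i < len(pieces) - 1 else "")
        for i, piece in enumerate(pieces))
    return regex, template


COMPILED = [compile_rule(p, r) for p, r in RULES]


def masquerade(address, rules=COMPILED):
    """Return (rewritten_address, rule_index), or (address, None) when no rule matches."""
    for i, (regex, template) in enumerate(rules):
        m = regex.match(address)
        if m:
            return m.expand(template), i
    return address, None


def rewrite_header(value, rules=COMPILED):
    """Apply masquerade() to the address inside a 'Name <addr>' header value."""
    name, addr = parseaddr(value)
    new_addr, idx = masquerade(addr, rules)
    return value if idx is None else formataddr((name, new_addr))


if __name__ == "__main__":
    for sample in ("person@contoso.com", "Sales@Contoso.COM", "person@fabrikam.com"):
        print(sample, "->", masquerade(sample))
    print(rewrite_header("Jane Doe <jane@contoso.com>"))
```

The two points worth carrying over to whatever syntax the appliance uses are the ordering (a specific mailbox rule must precede the wildcard rule or it never fires) and the anchoring (an unanchored match on `@contoso.com` also matches look-alike domains that merely start with it).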
When I look at Splunk, where I send my Cisco ACS 5.4 syslog output, I see a record of actions I've done on ACS. But I'm not seeing the TACACS records when I log into various network devices. I can see the TACACS records if I go to the Monitoring and Reports section of ACS. How can I view them in syslog?
Dear Experts, we need to set up a site-to-site VPN connection between a Cisco 3925 router and a Sophos XG210 firewall. Does anyone have experience with this? Can you suggest how to do it, and some reference links?
It should satisfy the following conditions:
1. Capable of 75 Mbps bandwidth
2. Up to 25 users
3. Its VPN client must flawlessly work on all client machines including Linux and all modern Windows versions.
4. Costs less than $500

Currently we use a Sonicwall TZ170; its maximum bandwidth is just 25 Mbps.

I have a Comcast business gateway, IP Block is:

ip: xx.xxx.177.232
gw: xx.xxx.176.1

If I set the gw to bridge mode, will I just have to basically set the WAN IP of the SW to xx.xxx.176.1 and it should work?
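Whether the .176.1 gateway is reachable from a firewall holding .177.232 depends on the subnet mask Comcast assigned to the block, which the post does not show. As an added example (not part of the post), the script below computes the longest mask under which the two addresses still share a network and the static WAN settings that follow from it, using the post's own assignment of .177.232 as the address and .176.1 as the next hop. The first two octets are masked in the post, so `10.20.` is substituted as a constructed stand-in; the last two octets are the post's. The real mask must come from Comcast and may be shorter than the computed one, but it cannot be longer.

```python
import ipaddress

# Constructed stand-ins for the masked addresses in the post: "xx.xxx." is
# replaced with 10.20. so the arithmetic can run; the last two octets are the post's.
HOST_IP = "10.20.177.232"
GATEWAY_IP = "10.20.176.1"


def longest_shared_prefix(a, b):
    """Longest prefix length that still puts both addresses in one network."""
    x, y = ipaddress.ip_address(a), ipaddress.ip_address(b)
    # The addresses agree on every bit above the highest differing bit.
    return x.max_prefixlen - (int(x) ^ int(y)).bit_length()


def gateway_on_link(host, gateway, prefixlen):
    """True if the gateway falls inside the host's subnet for this prefix length."""
    net = ipaddress.ip_network(f"{host}/{prefixlen}", strict=False)
    return ipaddress.ip_address(gateway) in net


def wan_settings(host, gateway, prefixlen=None):
    """Static WAN settings a firewall needs once the ISP gateway is bridged.

    With no prefix length given, the longest mask that keeps the gateway on-link
    is used; a mask longer than that (e.g. /24 here) leaves the gateway unreachable.
    """
    if prefixlen is None:
        prefixlen = longest_shared_prefix(host, gateway)
    net = ipaddress.ip_network(f"{host}/{prefixlen}", strict=False)
    return {
        "wan_ip": host,
        "prefixlen": prefixlen,
        "netmask": str(net.netmask),
        "network": str(net),
        "gateway": gateway,
        "gateway_on_link": gateway_on_link(host, gateway, prefixlen),
    }


if __name__ == "__main__":
    print(wan_settings(HOST_IP, GATEWAY_IP))       # longest workable mask: /23
    print(wan_settings(HOST_IP, GATEWAY_IP, 24))   # a /24 strands the gateway
```

For these octets the answer is /23 (255.255.254.0): the third octets 176 and 177 differ only in their lowest bit, so a /24 on .177.232 would put .176.1 outside the firewall's subnet and the default route would never come up.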
We were trying to set up an SSL VPN on a TZ215 SonicWall, which we have done before for other customers, but we keep getting "Server is not reachable" on this one. We set up HTTPS on user login on the SonicWall; turned on WAN on SSL-VPN, using port 4433; used ten IPs not used on the network; used default DNS settings; added two users, assigned to SSL VPN and Local Subnets. We are using the latest version of NetExtender. We checked the server IP by doing a WhatIsMyIP and then used that with :4433 and LocalDomain, but keep getting "the server is not reachable". We have rechecked the settings and are not sure what else to look at.
I have installed a new RV340W router and have no problem connecting outside routers with VPNs except for one router. It is an FVS318v3 and it will establish Phase 1 but says Phase 2 is idle and won't connect or transmit any data. Any help is appreciated. Thank you.

Set-up issues

I will preface this by saying I had a UTM120 for three years with the UTM9 OS, and right now I'm thinking, boy, I miss those days. I was told that my appliance was nearing end-of-life, so to renew licensing I went with the XG115. I had configured UTM9 on my own and generated help desk cases if issues arose. This appliance is quite a bit different. The firmware is XG115 (SFOS 17.0.0 GA), so it is on the latest firmware.

What I am trying to resolve right now is that any type of web surfing is extremely painful. I have an on-premises Exchange server, so port 443 is being forwarded to it, but I also have the default network rule that WAN to LAN all ports and all services are open. I have a similar network rule that WAN to LAN port 443 is open, thinking that for other workstations that initiate SSL traffic it will find its way back to the device that initiated the traffic. Let's face it, most web sites are https. I am constantly being warned that the certificate cannot be verified and I have to click to still access the site or create an exception for the site, depending on the browser. I cannot log in using an account to any web site. On some sites I can't even create the exception in Firefox. I can't use the StartPage search engine. Amazon looks like crap: no pictures and just a bunch of links.

A little bit on the network. The Uverse gateway goes to a Cisco ASA appliance that I consider my perimeter (and why not have another layer of defense!). The XG is in bridge mode. For a …
Hi All

I have a couple of clients with SonicWALL TZ 300 routers, and am considering having them purchase SonicWALL's Capture Advanced Threat Protection because it seems like a damn good idea! As I understand it, it's a cloud-based sandbox system.

Would appreciate hearing everyone's thoughts, concerns or experiences with the product or similar products.

Thank you!

I have not been able to verify that logs are being received on the CentOS 7 server using rsyslog.

The firewall has UDP 514 open and listening; the same is set on the Cisco ASA.

I cannot see why it is not working. I do sh logging and it shows how many TX are being sent via the trigger, but I cannot find them on the rsyslog server.
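As an added example that is not part of the post, the script below shows what the ASA is putting on the wire and gives a way to split the problem in two. It builds an RFC 3164-style syslog datagram with the ASA's default facility (local4, number 20), decodes the `<PRI>` prefix back into facility and severity, and proves the UDP send/receive path on the loopback before anything is aimed at the collector; `send_to_collector()` then fires the same datagram at the real server so it can be watched arriving with tcpdump. The hostname and the 302013 connection-build message text are constructed samples in the ASA's message format, not captures.

```python
import re
import socket
from datetime import datetime

# The ASA defaults its syslog facility to local4 (20). The hostname and the
# message below are constructed samples in the ASA's format, not captured output.
ASA_FACILITY = 20
SAMPLE_HOST = "asa-edge"
SAMPLE_MSG = ("%ASA-6-302013: Built outbound TCP connection 12345 for "
              "outside:203.0.113.10/443 (203.0.113.10/443) to "
              "inside:192.0.2.25/51234 (198.51.100.2/51234)")

PRI_RE = re.compile(rb"^<(\d{1,3})>")


def build_datagram(facility, severity, hostname, message):
    """Encode an RFC 3164-style syslog line: <PRI>TIMESTAMP HOST MESSAGE, PRI = facility*8 + severity."""
    pri = facility * 8 + severity
    stamp = datetime.now().strftime("%b %d %H:%M:%S")
    return f"<{pri}>{stamp} {hostname} {message}".encode()


def parse_pri(datagram):
    """Return (facility, severity) from the <PRI> prefix, or None if it is malformed."""
    m = PRI_RE.match(datagram)
    if not m:
        return None
    pri = int(m.group(1))
    return pri // 8, pri % 8


def loopback_roundtrip(datagram):
    """Send the datagram to a throw-away UDP listener on 127.0.0.1 and return what arrived.

    This proves the encoding and the socket path without rsyslog in the loop.
    """
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    rx.bind(("127.0.0.1", 0))              # kernel picks a free port
    rx.settimeout(2.0)
    tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        tx.sendto(datagram, rx.getsockname())
        data, _ = rx.recvfrom(65535)
    finally:
        tx.close()
        rx.close()
    return data


def send_to_collector(datagram, host, port=514):
    """Fire one datagram at the real collector; watch for it there with tcpdump."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(datagram, (host, port))


if __name__ == "__main__":
    d = build_datagram(ASA_FACILITY, 6, SAMPLE_HOST, SAMPLE_MSG)
    print(d.decode(), "->", parse_pri(d))
    print("loopback ok:", loopback_roundtrip(d) == d)
    # send_to_collector(d, "192.0.2.50")   # constructed collector address
```

On the CentOS 7 side the things to confirm are, in order: rsyslog is actually listening (`module(load="imudp")` and `input(type="imudp" port="514")` in rsyslog.conf, or the legacy `$ModLoad imudp` / `$UDPServerRun 514`, then `ss -lun` should show :514), firewalld passes it (`firewall-cmd --add-port=514/udp --permanent` and reload), and the datagrams reach the box at all (`tcpdump -ni any udp port 514`). A local4.info message such as the sample lands in /var/log/messages under the stock `*.info;mail.none;authpriv.none;cron.none` rule. On the ASA, `logging host inside <collector>` and `logging trap informational` are the two settings that have to agree with the severity of the messages you expect to see.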
Given all the posts here and elsewhere this seems to be a common problem.
I have a TZ215 running SonicOS 5.9.  I'm able to get connected with NetExtender, but cannot gain access to the LAN subnet.

Have an IP pool set up for addresses which are on the same subnet as the primary subnet (X0). These addresses are specifically for VPN users and are not otherwise used (no conflicts). Tried pinging from both sides with no response (VPN client to LAN subnet and Office LAN subnet to the address assigned to the VPN client).

Here are some of the settings:
SSL VPN -- Client Settings -- Client Route tab - is set to Lan Primary Subnet.
Users -- Local Groups -- SSLVPN Services -- VPN Access -- is set to Lan Primary Subnet.
Firewall -- Access Rules -- SSLVPN --> LAN is enabled for any service (Checked from LAN --> SSLVPN and that is setup correctly as well).
Users are setup with proper SSLVPN Services group.

Have set up newer units without much effort, but they have different configuration parameters.

Would appreciate any help!
How to fix a SonicWall Gateway Anti-Virus firewall blocking automatic updates to apps like Windows, Adobe, Symantec, etc.

We've just found out our 2011 SBS Server has been sending out spam emails by the thousands. I've checked that there is no open relay in Exchange 2010 (and there isn't) and turned off all PCs on the network, but the spam emails keep coming, so I'm pretty sure they are coming from the server. I have virus scanned the server and it seems clean. I've found that the spam emails are all coming from the same external IP address.

The network is protected by a WatchGuard XTM25 firewall. My question is, can someone please talk a newcomer to WatchGuards through how to set up a way of blocking these emails coming in from that IP address on port 25?

Many thanks

I'd like to test connectivity between a host in my DMZ and a host on my inside network using the packet tracer function. However, although I can specify the source interface, I don't see any way to specify the destination interface. Running the trace defaults to using the outside interface as the destination. Can a destination interface be specified?
Dear All

I installed a FortiGate 60E and it's blocking all the videos and audio. It's also blocking all the social media sites.
Do you know a tool to block RDP attacks which does not need Control Panel/Windows Firewall to be activated?

What are the differences between Sophos XG and Sophos UTM? Do we have an iso file of Sophos XG? Many thanks!
Hi Guys,

I had to switch our two WAN Interfaces on SonicWALL, (Thus X1 & X2)

1.  I switched the public IP configuration under Interface Settings
2.  and changed all the NAT policies, switching X1 & X2 for all rules

My questions,

a.  Is there any other rule(s) that need to be changed to switch primary internet access for LAN users between X1 & X2?

b.  I've noticed that some NAT rules refer to an "address object" rather than the interface (X1/X2) directly.  
These I did not change as the object's public address was still correct.  Is there a difference in referring to the interface (X1/X2) directly, or using an object instead?  
In my case, where I had to switch X1 & X2 ... the rules with objects made things a bit easier as it stayed the same.  Is this the only difference using an object or referencing to the interface directly?
In the example below the Juniper firewall has heard from two WAN routers of a default route via OSPF.
It seems basically happenstance that is the preferred default route. What could I do on the Juniper to make always and purposely be chosen over the .62?

myjuniper> show route          *[OSPF/150] 1w6d 16:05:01, metric 26, tag 0
                      to via reth0.0
                    > to via reth0.0
I have 2 buildings each with their own ISP.  They both have ASA 5506Xs.  The switches are L2 only and there is no router on site.  Both buildings are connected via Fiber and each building is on a separate VLAN.  

Currently there is a VPN tunnel between the 2 LANs. I have been asked to attempt to use the ASA to route between the VLANs. There are great instructions for this in another post and I have the ASA routing traffic between the VLANs (same-security inter and intra interface and the NAT exempt statements).

The problem is that the ASA seems to be blocking replies where it was not aware of the request. For instance an Echo request is allowed through ASA 1 ( from to sends the reply to its default gateway (ASA 2 []), which is unaware of the echo request and therefore seems to be blocking the echo reply.

My question is first if my assumption is correct as to the cause for the traffic being blocked and second, how to exempt the traffic between VLANS from SPI or otherwise solve this problem.
Goal: Allow a user to connect to his desktop computer with RDP  ONLY after connecting vpn.

Environment: OPNsense/pfSense firewall
53, 25, 80, 443 allowed through the firewall.
Currently can successfully RDP with or without VPN using port forwarding; I suspect traffic is hitting the FW on the public interface/public static and not the desired private IP range allocated to the VPN connection.

The user successfully connects to the VPN and receives an IP, but can't access local resources.
The client-side VPN registers an IP address and the FW sees the connection; it just doesn't seem to allow traffic from the VPN to the local network.

The IP range assigned to VPN connections is 10.*; the local IP range is 192.*.

I have a PIX 5515 running 8.2 software that will not allow me to access websites that use non-standard SSL ports (4443 in this case). Is there some sort of configuration workaround I could implement that would allow me to access sites like these?
