Hardware Firewalls

Hardware-based firewalls provide more sophisticated protection for inbound and outbound traffic than the simple Windows software firewall or the basic NAT firewalls found in routers. These devices implement techniques such as stateful packet inspection, deep packet inspection, and content filtering; and may include built-in antivirus and anti-malware protection.

I have a Cisco ASA 5512-X which I use as my router with Cisco switches and APs. I configured one of the interfaces for our Guest Wi-Fi, and it was working. However, I recently got new APs and switches from Ubiquiti, and now that Guest Wi-Fi does not work. I want to know if it is just a configuration issue or if there is a flat-out incompatibility between the two vendors?

Our regulator recommended turning on NetFlow; I guess this was obtained from CIS Critical Security Controls V6.1 for effective cyber defense, item 12.9:
 Deploy NetFlow collection and analysis to DMZ network flows to detect anomalous activity

However, my network colleague's understanding is that NetFlow can only be turned on for Layer 3 interfaces.

Is this true, or can L2 Cisco switches also enable NetFlow? If so, can you share a link on how this is done?

One pair of routers belongs to the Telco (not ours), which is beyond our jurisdiction, so we're leaving this out.
However, can the Gaia firewall enable a NetFlow equivalent (aka Source Data, Flow Cache)?
The links below seem to indicate so, or did I read it wrongly?
Seems like Gaia has it:
  https://www.cpug.org/forums/showthread.php/21480-Checkpoint-and-Netflow-collector :

“can configure Gaia OS as an Exporter of NetFlow records for all the traffic that is accelerated by SecureXL (SecureXL must be enabled for NetFlow to operate properly) …”

To enable SecureXL:
[Expert@HostName]# fwaccel on

The Juniper firewall has JFlow, but we plan to tech-refresh our Gaia to Fortinet: does Forti have an equivalent of NetFlow?
I have a WatchGuard XCS appliance. I upgraded to the latest version of 10.2 from 10.0. After the upgrade my login credentials don't work. I am doing this remotely through the web UI.
I get prompted, but it will not accept my credentials. Support is no longer available for this EOL product. Any thoughts?
Being a network administrator, among other things, I'm often asked by users to open ports in a firewall.
Usually the users don't know much about what they're asking for, so they can't answer any questions; they just forward what their technical people have provided.

Here is a typical example for a VOIP system:

The full network information for the VoIP system is:
Port Range (Audio): 35000-65000 UDP
Port Range (SIP): 5060 UDP, 5061 TLS
Port Range (Configuration Servers): 1024-65536 TCP source port, TCP Destination ports: 80, 443, 1443, 2443, 6716,
Port Range (Presence Servers): TCP Destination ports: 5222 and 5280.
I guess that's all well and good if you understand the context, but that's where I'm not the expert.

I can set up firewall rules but, being conservative, I don't want to open incoming ports just willy-nilly in order to assure that the requestor gets what he/she wants.
If I ask them "Are these incoming ports or outgoing ports?" they have no idea.
In some cases, I'm sure that some are outgoing...
What I'm used to, for the most part, is that all outgoing will be allowed and all incoming will be blocked unless initiated by outgoing traffic.
Given this limited view, I would want to set up to allow incoming traffic to certain ports and leave things at that.
But, which ones?

I know this is likely a naive question.
So, in my context of understanding, how would you interpret the specification above?
And, in the details, I've never set …

I have a Cisco SG200 switch and a SonicWall TZ400. I need to isolate 9 networks from each other. Each network has its own DHCP.

Here's my config:

[Screenshot: Sonicwall interfaces]
[Screenshot: Sonicwall DHCP]
I've read and followed the instructions on setting up VLANs on the SG200, but maybe I'm missing something, or maybe I'm missing that magical matching combination of correct settings and a router/switch reboot at the right time. I've checked with SonicWall and they say that I have everything configured right on the TZ400. They say that my SG200 is not properly tagging the traffic going to the SonicWall, so the SonicWall is not seeing the tag and the traffic is not going to the proper VLAN. Here's a screenshot of my Port VLAN Membership:

[Screenshot: SG200 port VLAN membership]
I've spent hours trying to get this figured out, and it feels like I've hit a wall now. Any help is greatly appreciated!

I am trying to build a cluster with two NGFW 4110s. Is there any document that can help me do that?

I am using a PA-3020.
We have ISP1, which is our main corporate internet.
We have ISP2, which is also our active Guest network.

I'm trying to configure the ISP1 virtual router with Path Monitoring so that if it fails pinging a group of IPs it fails over to the ISP2 virtual router.

Well, I have configured Path Monitoring and can trigger it accordingly by monitoring a dead IP.
However, I cannot get to the internet after this kicks in.

From the Monitor tab I check my test laptop: the From Zone is still the same, and the To Zone has changed. But everything says "aged-out" in the "Session End Reason" column.
Any ideas if there is another issue I need to check?
In Palo Alto Networks LAN-to-LAN tunnels I have seen some tunnels configured with Proxy IDs and some without. The ones with Proxy IDs appear to equate to the concept of the "encryption domain" in the Cisco IOS or ASA IPsec tunneling configuration. But how does phase 2 of IPsec negotiate on tunnels which have no Proxy IDs configured?
I have a firewall that blocks some IPs from accessing the Internet, and that works fine. When a user comes in from the VPN they are able to access any devices except the devices that are being blocked from Internet access. I would like help troubleshooting or creating a policy that will keep the network devices from accessing the internet, but when a user logs into the VPN they are able to access the devices.
I inherited a client that had a loose security environment, and that turned into a ransomware attack. Things have been weird ever since. One of the weird situations is us finding ports 443 and 80 open and forwarded to our jump box. We deleted those ports, or so we thought, because they popped up again. We chalked it up to maybe not applying the setting, so maybe it didn't get saved. However, the client reported internet issues that felt like someone did a loopback in the network. Then I looked at the router and found these ports open again with a loopback comment. We changed the password of the router last time. We are really at a loss as to why we are being haunted by this issue. Any thoughts? Two-factor authentication does not come out for SonicWall until later in the year. We are setting up LDAP tomorrow and VLAN segmentation on the 20th for some additional protection, but we are still unclear how this individual is lurking.

Please, I am not an expert and I need help. I am planning to buy a core switch and I have questions. Can the Cisco C6807-XL be stacked? Do I need to buy only the stack power and data cables, or do I have to buy a module to achieve stacking? If so, what module do I need to buy?

These are the specifications that I have for the core switch:

C6807-XL      Catalyst 6807-XL 7-slot chassis, 10RU
CON-SNT-C6807XLC      SNTC-8X5XNBD Catalyst 6807-XL 7-s
C6800-OTHER      Catalyst 6800 Other PIN; For Tracking Only
C6807-XL-FAN      Catalyst  6807-XL Chassis Fan Tray
C6800-XL-CVR      Catalyst 6807-XL line card slot cover
C6800-PS-CVR      Catalyst 6800 power supply blank cover
VS-S2T-10G      Cat 6500 Sup 2T with 2 x 10GbE and 3 x 1GbE with MSFC5 PFC4
VS-F6K-PFC4      Cat 6k 80G Sys Daughter Board Sup2T PFC4
MEM-C6K-INTFL1GB      Internal 1G Compact Flash
MEM-SUP2T-2GB      Catalyst 6500 2GB memory for Sup2T and Sup2TXL
VS-SUP2T-10G      Catalyst 6500 Supervisor Engine 2T Baseboard
C6800-48P-TX-XL      C6k 48-port 10/100/1000 GE Mod: fabric enabled, RJ-45 DFC4XL
C6800-48P-TX-XL      C6k 48-port 10/100/1000 GE Mod: fabric enabled, RJ-45 DFC4XL
C6800-48P-SFP-XL      C6k 48-port 1GE Mod:fabric-enabled with DFC4XL
GLC-SX-MMD      1000BASE-SX SFP transceiver module, MMF, 850nm, DOM
C6800-48P-SFP-XL      C6k 48-port 1GE Mod:fabric-enabled with DFC4XL
VS-S2T-10G      Cat 6500 Sup 2T with 2 x 10GbE and 3 x 1GbE with MSFC5 PFC4
VS-F6K-PFC4      Cat 6k 80G Sys …
What is the difference between stateful inspection and deep packet inspection?

Thanks!!!
How can I tell in the GUI or CLI if there is something connected to the WAN2 port of a FortiGate 60D?
Howdy folks,

I have a question in regards to the ASA 5505. I totally understand the concept of higher to lower security levels, but I noticed something interesting while I was doing something at work today. Traffic from my inside could see my web server located in my DMZ via its local IP address. For example, source local IP (MyPC) was able to establish a TCP session towards my Apache server addressed to  I thought once you've created security levels none of the interfaces should communicate unless you have an access rule such as NAT or an ACCESS-LIST in place. Please let me know if I'm wrong.

Also, I have no routing nor access-list, just a basic simple configuration; I just noticed it after I mistakenly typed an IP address.

DMZ 50

Thank you!
I have a FortiGate 60D. Link monitoring is enabled on WAN1. It is supposed to fail over to WAN2.

Internet circuits all failed on our load balancer (WAN1). The FortiGate did not fail over to WAN2. The firewall did not try to use WAN2 because it still had a link to WAN1 and didn't realize the upstream connections were offline. Any ideas how to troubleshoot?
I'm looking to figure out how/why our Palo Alto (PA-3020) didn't fail over from one ISP to the other ISP modem when the first ISP had an outage.
Internet was basically just out until the ISP that failed came back online.
Is anyone familiar with a PA-3020? It was set up to allegedly have ISP failover.
I can see configured ports on the interfaces where the ISP 1 modem is connected and the ISP 2 modem is connected.
Are there known logs I can check to see what (if anything) occurred during the known hours ISP1 went out?
I honestly don't even know where failover is configured (I think I do based on documentation, but I still have my doubts).
I am looking to purchase a firewall / anti-malware router. It's for my small business of currently about 30 people, but it will grow up to 100 units within the next 1-2 years.

The problem is we had a ransomware attack a couple of days back, and it's made us more aware.

The other thing to take note of is: we don't have in-house IT professionals, so we hire professionals from all over the world to work on our servers; they sometimes use RDP or TeamViewer to log in.

We use VMware, specifically Proxmox, so we are considering using Nakivo for backup also.

Our ISP guy recommended we use a Mikrotik RB/1100AHX2 Routerboard with RouterOS Level 6, but he thinks we are small for it, and I think there's something better already.

I want to invest for the next 5 years. I want to buy something that will take us to the next level, yet keep us functional.

I don't know if we can also use it to block certain sites, manage bandwidth for users in the office, anything that'll generally keep security really up above board. Thank you.
I have a SonicWall firewall. There are a lot of access rules, such as RDP and HTTP being forwarded to internal servers. I need to shut down all of them for now. What is the easiest way? I just need outgoing traffic to work for now, and VPN to work.
I'm looking for someone to help set up a new WatchGuard T15 and a BOVPN to an existing XTM25. I know enough to be dangerous (maybe even that much).

I'd envision having the person on the phone / remoted into my PC, which would be on the LAN side of the T15, and I'd have a TeamViewer connection to a PC on the LAN side of the XTM25 to set up the VPN (you are probably saying there are better ways to do the setup, but that's an indication of what I do and don't know).

Recently we bought a new Fortinet 100D firewall to secure our company network. Our network is now a flat network, and we would like to implement VLANs also.

We have one Cisco 3750 switch, which we have already configured. The firewall LAN port is connected directly to a switch port and is working without any issue.

1. If we create the subinterfaces 10 (Management), 20 (Server), 30 (Users), 40 (Wifi) and 200 (Voice), what do I need to configure for the switch port connected to the firewall?
*All the traffic must be visible in our firewall.

2. Our DHCP server is running inside Hyper-V, and the switch port I configured uses LACP with switchport mode access to allow VLAN 1 only. Do I need to configure a trunk and native VLAN? If a native VLAN is required, which VLAN should I configure?

3. How do I migrate all my servers to VLAN 10 without downtime?

4. What is the purpose of management VLANs? I put it there just from researching online; many people design it this way.

5. How do I configure the switch ports which users connect to? Now all the users are connecting their PCs via Cisco IP Phones.
Can Fortinet firewalls (50D) be set up to monitor an IPsec VPN connection and switch to another if one is down?
Dear All, I am having an issue getting all of my branch site-to-site connected ASAs to be able to utilise the main site RADIUS server for 2FA. All of these branch sites have been connected and operational for hundreds of days, and everything still works fine, with the exception of this issue. The issue I have is trying to get the AAA server of to work at any of the branch site ASAs. Now every server/PC on each of the branch sites is able to ping and even web browse to the RADIUS server, but none of the ASAs themselves can communicate. I naively assume this is something to do with it treating this as data coming from the outside interface?

When I initiate the AAA test, this is the error from the log file: Routing failed to locate next hop for UDP from identity: to inside:
[Image: Basic topology]
I have just recently set up a new ISPConfig mail server for a small company. The mail server resides within the internal network managed by a SonicWall. I have opened the appropriate ports and allowed traffic through, so the mail server is functioning fine. The Roundcube interface works fine for the employees to log in and check their mail, but some of the clients would like to have Outlook or Mozilla Thunderbird function outside of the network, so I believe access through the firewall needs to be established on the SonicWall to accommodate this, with appropriate settings placed in their device's Thunderbird or Outlook installation to reflect this.
Can I have a Draytek Vigor 2860 behind another firewall?
The reason I am asking is that the company is going to upgrade the firewall to a SonicWall next-gen firewall, but the existing firewall (the Draytek) manages the wireless access points, so I want to keep it on the network if possible, but just for that task rather than for its 'firewall abilities'.
Can this be done?

Dear Wizards, we are using a Cisco Meraki MS425-16 as core switch; can we use an MX84 as firewall?

Since the MX84 has a 1 Gb/s fiber connection and the MS425 has a 10 Gb/s fiber connection, I'm not sure if they are compatible?

Can you confirm, please? How can we achieve the speed of 1 Gb/s fiber in those devices? Many thanks!
