Hardware Firewalls





Hardware-based firewalls provide more sophisticated protection for inbound and outbound traffic than the simple Windows software firewall or the basic NAT firewalls found in routers. These devices implement techniques such as stateful packet inspection, deep packet inspection, and content filtering; and may include built-in antivirus and anti-malware protection.

Share tech news, updates, or what's on your mind.

Sign up to Post

We've just installed a new next-gen firewall and I need some assistance getting some communication between two of the interfaces.
It's a Watchguard T35 and we have our WAN on Eth0, LAN1 on Eth1, and LAN2 on Eth2.
Our WAN has a static IP, but we have /27 block of public IP's routed (at the ISP level) to our WAN for use by public facing servers.

I have that part of it working OK.  Servers connected to the LAN2 all have their static IP assignment and IP checks on the internet show the correct IPs.  This interface in the Watchguard is set as "Optional".

LAN1, is our private LAN and is set as "Trust".  Internet traffic and NAT/port forwarding is all working OK, but I cannot seem to get access to LAN2 from LAN1 devices.

I've created a firewall policy with "ANY" for the packet filtering and have set both and 203.xx.xx.0/27 in both the To and From boxes.  The rule is set to allow and enabled.
But I cannot browse (using the IP or UNC name) or access any of the LAN2 resources from LAN1.  Nor can LAN2 access any of the LAN1 resources.

I'm new to Watchguard and thought I might ask here for any things I may have overlooked before lodging a support ticket with Watchguard support.
Become a CompTIA Certified Healthcare IT Tech
LVL 12
Become a CompTIA Certified Healthcare IT Tech

This course will help prep you to earn the CompTIA Healthcare IT Technician certification showing that you have the knowledge and skills needed to succeed in installing, managing, and troubleshooting IT systems in medical and clinical settings.

Dear Experts,

I have a set of fortigate firewall policies which I need to duplicate on a cisco router.

I have done most of the point A to point B.

The issue I have now is the NAT and there is an IP Pool, is there a guide on how I can translate the rules from firewall to cisco router?

Any help is appreciated.
Hi guys

As part of the last question I asked about firewall rules, I am looking at our firewall right now and monitoring the traffic. I'm looking at the traffic between VPN connections from our stores to a main server. These stores are all using the same application to communicate with the server. However, I'm looking at the server and it is receiving connections from our various stores, but every single store is communicating via a different port. So one store will be coming through port 4274. The other one will send it via port 4288. My point is, are applications specifically written in this way to prevent security breaches from happening by constantly randomising their port sequences so that they can't be 'guessed' by a malicious attacker?

And if that is the case, surely going back to the answers being given previously, this does warrant the ability for the 'ANY' ports to be open from site A to site B via VPN.

Thank you
Hi Experts

I am looking for a router capable of delivering a DHCP range of  /19 or above, with DSL and ethernet WAN ports |(VDSL) for large applications.  On-board wifi is not required.  L7 firewall an advantage
Can you advise?  Many thanks in advance
Hi guys

I'm trying to lock down our VPN tunnels and firewall rules between sites. The one thing I am seeing in some places are that there are 'any' ports set up which is not explicit.

So one place that always creates problems is the Active Directory systems. We have PC's in remote locations that talk to remote AD servers.

In order for the systems to not get affected, I need to be absolute in every single port I set up as I will be killing the 'any' port.

This MS article covers ports domains and trusts: https://support.microsoft.com/en-gb/help/179442/how-to-configure-a-firewall-for-domains-and-trusts

But then for RPC, it has ports 1024-65535/TCP!!

Do you have a setup on your firewalls in the same way as MS has described? And what about the RPC port? Not over-exposed?!
Cisco ASA 5510 and Cisco 2921
Currently we have a Cisco 2921 ISR that we connect directly to the internet we have a 16 block of IPs routed to internal servers and use anyconnect to VPN into the office and have a office to office vpn with a remote office. We use ACL's to manage all the traffic. This is then connected to a 6509 and we have 4 vLans.
The throughput on the 2921 seems really slow for our remote users.

Im looking into a ASA 5510 to replace the 2921. Is this a good Idea or do I run them in line? Im looking for better performance on the VPN side. The 2921 is slow.
Or do I look at something else all together?
Vendor website sent an email regarding upcoming data center changes.  The email says " IT department will need to open port 443 to enable https to our new sites"

We use a fortigate 60d.  HTTPs seems to be already enabled for all sites, although I don't see any policy for this.    At this point I am not going to add this for our vendors new site.  

In any case, for my understanding Is there a place in the firewall where https is enabled for all by default?
i have a Cisco ASA 5520 and 500MB internet/bandwidth line, the problem is the throughput on the FW is low and it throttles the bandwidth. Execs don't want me to upgrade now so i was wondering is there some kind of add on i can use  

ASA 5520
1: ASA5520, 512 MB RAM, CPU Pentium 4 Celeron 2000 MHz
2: Up to 2048MB RAM
3: Intel Celeron M Processor 450 2.0GHz
4: Cavium Nitrox Lite CN1010
Fortigate 200D in HA cluster

i have a problem (user "accidentaly started wizard" to change gateway)....

and fortinet stoped routing as expected, as it seems nothing has changed.
static routes are the same as before, route lookup hits the right route, traffic seems to hit the right policy.

Monitoring the traffic it says       "Accept: session timeout" for everything

i can ping port to internal network from CLI, i can ping something on Internet (WAN) from CLI

but nothing gets thru from external(WAN) to internal network (PORT1) or viceversa
I have a server, with a combined apache website and sql gaming server on same server.  I have the domain being routed to a different nameserver/proxy with ddos protection, and made a seperate subdomain there that goes directly to the game server because it is game traffic and cannot use the services.  Everything works fine, but I want to block the incoming subdomain from accessing anything but the game server port on the destination server.  

Question: On the game server firewall, how can I only allow the incoming subdomain traffic to use a specific port, and block all other ports?  I don't want it to impact the website traffic using the domain name and ports 80/443
Amazon Web Services
LVL 12
Amazon Web Services

Are you thinking about creating an Amazon Web Services account for your business? Not sure where to start? In this course you’ll get an overview of the history of AWS and take a tour of their user interface.


I have an issue with a Cisco Anyconnect VPN setup.

ASA 9.8(1) and Anyconnect 3.1.14018

I am using Anyconnect V3 because I have that software and v4 requires a license. I hope this combination is compatible.

I ran the Anyconnect VPN wizard on the ASA and I installed a DigiCert certificate. All went without errors. The end result is I can connect but I can't access anything on the inside LAN.

Any ideas what could be wrong?

I've not done more than 20 minutes googling so far, been so busy, I am going to revisit this issue tomorrow morning.

Thanks in advance.

Alasdair Barclay
ASA 5525-X with ASA5525 VPN Premium license.  

When I log on via console I am not able to do basic functions like name an interface or assign an IP address.  Example from interface management 0/0:

host# conf t
host(config)# int management 0/0
host(config-if)# ?

Interface configuration commands:
  channel-group    Etherchannel/port bundling configuration
  default                 Set a command to its defaults
  description          Interface specific description
  duplex                  Configure duplex operation
  exit                       Exit from interface configuration mode
  flowcontrol         Configure flowcontrol operation
  help                      Interactive help for interface subcommands
  lacp                      LACP interface subcommands
  no                        Negate a command or set its defaults
  shutdown          Shutdown the selected interface
  speed                 Configure speed operation

Same options on all interfaces.

It feels like the thing is in transparent mode, but there is no firewall command in config mode.

Code version: 9.8(1)
Hi All,

I need some assistance setting up the below. I've got 3 "subnets" to set up internally. All must be able to reach the internet through the suppliers router.

The networks are 2x /26 and 1x /27. VLANS 601 & 603 are desktop pc's. VLAN 602 will be Cisco phones. 601 and 603 do not need any seperation, they're just to cover the seperate DHCP ranges. DHCP will be provided by an external source (hopefully) through a VPN setup on the ASA Firewall. I'm looking to setup outside interface, inside interface and access for all vlans.

Is anyone able to provide a sample config on how I could get this working?

Network Overview

After following steps to reset the Enable password on an ASA 5505, the firewall is now stuck in "ciscoasa" mode and won't allow changes to be written.

I did switch back to conf reg 0x00000041 and this shows in ROMMON when I boot in ROMMON mode. However I must have made some error during the process.

The Enable password is now blank after every reload and the configuration is wiped after every reload.

Is there any way I can recover this firewall and make it usable again?
Cisco ASA 5505 and I need to upgrade to latest IOS.  I upgraded it to 8.4(6) as several documents say is the interim step for anything later.  But I cannot find docs that reference the 5505 going further.  I see a lot of 5506-x references.  I see that htere is also a 8.4(7) as the latest in the 8.x series, but seem to remember putting 5505's at 9.1 and 9.2 in years past, but am not sure.  Can anyone tell me the latest version of IOS to put a 3 year old ASA 5505 at?
we use a sonicwall nsa 4500 at my company.  I recently purchased a sonicwall 4500 so I can learn more about it.  However, the firmware is not updated, am I able to download the correct, most updated firmware from my company and use it for my personal use with no issues?
Here's a weird one...

I have to install a Cisco 5506 ASA at a location that had a Cisco 5505 ASA.  The old 5505 will be moved to a branch site.  Both ASA's will be accepting remote access VPN connections and a site-to-site VPN between the ASA's.

Since I'm doing all this remotely, I had the new 5506 shipped to me.  I took a spare 5505 that I had and connected everything to a 3750 switch that I configured to act as the internet.  I got both ASA's configured so that I could establish remote access VPN sessions from "the outside" and access devices on the inside.  The site-to-site VPN came up fine as well.  

I boxed up the 5506 and shipped it to the main office where the existing 5505 was removed and the 5506 was installed in it's place.  Worked perfectly.

The 5505 was then given the new config that I created in the lab environment.  It was then installed in the branch site.  The 5505 came up fine, inside users have internet access, site-to-site VPN works fine and remote access VPN sessions can be established.  But... remote access VPN users can't access any inside devices.  And I can't establish an SSH session to the ASA.

I compared the running 5505 config with the one that works in the lab.  They are identical.  I then setup my spare 5505 on the lab environment with the exact same config.  I can establish a remote access VPN connection, access inside devices and get an SSH session to the ASA working.

The question is: why is it not working on the live site …
No one inside the office has internet access.

I'm working with a Cisco 1900 series router,  Cisco 5520 ASA(firewall) and Dell Powerconnect 6224 switches.

Service has been confirmed up to the router.  The line out of the router goes into the Cisco 5520 ASA (firewall).  The line out the firewall goes into one of the Powerconnect Switches which are stacked (configured as master/slave (unit 1 & 2).

I can ping and connect to the switch from the Domain Controller but when I ping the Cisco 5520 (firewall) the reply I get is "Destination Host is Unreachable".  I get the same reply from workstations.

When the problem began one of the PC 6224 switches would not come on so the cables plugged into it were moved to the other switch.  Shortly after the switch that wasn't working came back on.  The cables were then randomly moved back into the switch.  I'm not sure if certain cables were designated for certain ports.

How can I get things working again.

Any help would be greatly appreciated.

Thanks in advance
Is it possible to configure the SSL VPN on Sonicwall such that all traffic will route through Sonicwall, except the networking printing, where it should go to the client's network printing ?

Currently, a remote VPN client can't print to his network printer if "Tunnel all mode" is on. It can only work if the setting is off.

Can I setup a routing table in SSL VPN to tell Sonicwall how to route a client's network subnet back to the client ?

Challenges in Government Cyber Security
Challenges in Government Cyber Security

Has cyber security been a challenge in your government organization? Are you looking to improve your government's network security? Learn more about how to improve your government organization's security by viewing our on-demand webinar!

I need to factory default a Calyptix AE800.  I took over this network from an IT company who will not share the login information.  I can't find any information on line, and there is no reset button on it.  Anyone who can help would be appreciated!  Thanks!
Where can I find the "Product Part Number" for an EOL'ed Cisco ASA 5520?  We would like to purchase a replacement, and according to Cisco's site, there are different recommended models of Cisco ASA 5525 that may be suitable replacements but I would like to get the recommended replacement for what we have in use now.

I had attempted to look at the various stickers on the device itself, and went through the old Java based IDSM and running config, I am unable to locate the exact product part number.

Also, will the saved configuration file from the Cisco ASA 5520 be compatible with a Cisco ASA 5525?

Please let me know if you require the firmware version to answer any of the above questions
Can't ftp & sftp to external ftp server, want to check which parts block the port connection. How can I simply check it? How can I check it at router, internal firewall, internal proxy?
I need to create a hairpin (or U-turn) on an ASA running code 9.9.2.


I have a public web server on an internal network which needs to be reachable from the inside by its public address.  IP addresses are made up here, but it describes the situation:

Internal DMZ:
Internal user network:;;
External network:
PAT pool: -

Web server internal IP:
1:1 NAT:
ACL:  Allow ports 80 and 443 to

My internal users need to be able to reach the web server on, not on

How do I configure NAT to allow connects from the inside user network (192.168.[1-3].0/24) to
I looking for any free firewall software appliance. (Like the old version of sophos. The new version of Sophos provide only 30 days software appliance)
I don't know if there is any firewall which provide a software appliance free and without time restriction.
ASA Firewall vs Router Zone based Firewall

I would like to know what is the difference between ASA firewall and Zone based firewall configured on the router.
I mean if I have a router that support zone based firewall, then I do not need to have ASA firewall ?


Hardware Firewalls





Hardware-based firewalls provide more sophisticated protection for inbound and outbound traffic than the simple Windows software firewall or the basic NAT firewalls found in routers. These devices implement techniques such as stateful packet inspection, deep packet inspection, and content filtering; and may include built-in antivirus and anti-malware protection.