Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17


Hardware Firewalls





Hardware-based firewalls provide more sophisticated protection for inbound and outbound traffic than the simple Windows software firewall or the basic NAT firewalls found in routers. These devices implement techniques such as stateful packet inspection, deep packet inspection, and content filtering; and may include built-in antivirus and anti-malware protection.

Share tech news, updates, or what's on your mind.

Sign up to Post

We have a couple of servers that requires "outgoing" access to PlayStore & Appstore
from our Development as well as Production environmt.

As Appstore is a Class A subnet while Playstore is rather large as well (I don't know yet
what are its subnet ranges), what are the best ways to secure this?  Are the following
reasonable ways ?

I heard permitting too wide a range is risky.  Why?  Can appstore/playstore's IP addrs
range get spoofed or those 2 stores can get compromised or what's the reason?

1. Production has to go thru our proxy as our proxy resolves the URLs of appstore &

2. As our Development does not have its own proxy & has no connectivity to our
   Production proxy, permit only about ten Class C ranges for Development/testing
   purpose.  Ten Class C means 2540 IP addrs

3. Any other best practices to secure this?

4. Would placing these app servers behind WAF help?
Looking for the Wi-Fi vendor that's right for you?
Looking for the Wi-Fi vendor that's right for you?

We know how difficult it can be to evaluate Wi-Fi vendors, so we created this helpful Wi-Fi Buyer's Guide to help you find the Wi-Fi vendor that's right for your business! Download the guide and get started on our checklist today!

I have 3 x different subnets allocated to my old firewall that I'm replacing with a FortiGate 200E.  Each subnet has its own gateway..  I only have port forwards from the last two subnets.. The first subnet's gateway is the default route..  Due to this will I have to use ARP Proxy?  Can someone lead me in the right direction to get this setup?
Hi Experts,

I am having a enormous amount of intrusion attempts on our cloud web and sql servers.  It's a different IP address all the time.  I am currently researching this further but not having much luck on how to close up the vunerability or stop it.

Any ideas how I can stop this?  My mailbox is flooded with these notifications and it's increasing.

We use Symantec Endpoint Security, A firewall, and the windows firewall

Thank you,

Setting up a site to site vpn with a partner.  We have overlapping networks so we need to setup NAT.  The partner does not want to pass private IP's over the VPN stating that it is best practice to not use private IP's.  Is this best practice?  We have created several vpn's and all have passed private IP's.  The problem we have is our end is on the AWS network and they do not allow NATing in their VPN connections.  Is passing private IP's really a bad thing?  We are limited on our end by AWS but if the partner wants to connect and pass public IP address what are our options?  Traffic will only be initiated one way....from partner to AWS network.  The partner needs to connect to a load balancing device at using port 6500.  If I can't NAT my IP subnet and the partner needs to NAT to a private IP, what are the options?
Can "any" be used in a security policy on junipers as in the to-zone in the line below? Entering a ? after to-zone shows the available zones but not keyword "any". I see some "to-zone any" in the idp section e.g "set security idp idp-policy Recommended rulebase-ips rule 2 match to-zone any". Does it work the same for security policies? Thank you.

set security policies from-zone foo-untrust to-zone any policy passgo match source-address friendly-1
I'm in the process of setting up SSO for users so we can control our internet access. We only want domain users to access internet and none domain users such (visitors) need to be blocked.

I have read a couple of articles but am still a little unsure which method to use, so here I am asking experts for guidance. I would also appreciate if someone can write step-by-step setup guide or an article that I can follow with some screen prints?

Please also point out any "gotcha"

This article says that "Event Log Monitor” has to be installed on all domain controllers, but later its talks about pushing out SSO client to machines which is also used for authentication, so am a bit confused if this is needed or not? Please clarify

and then this video also talks about "Exchange Monitor" for authentication.. do I need all of these options or will one suffice?

much appreciated!

Can I apply security profile (IPS, SSL) to tunnel mode connection simlar to those applied to interface connection ?

When should I use interface and tunnel mode respectively ? How can I simply convert a tunnel mode to interface mode on Fortigate 100D ?

I have a Smoothwall firewall running the latest edition of software, Kenilworth.  Students have been discovered using an https proxy bypass site to get around the firewall.  How do you determine the port the bypass site is using so you can block traffic to disable it?  The specific site is
I have a Cisco ASA 5506 going into a new location with a main internet connection and a secondary, failover internet connection. I'd like to do two or three ICMP checks to make sure the main internet connection is down (say one of your ICMP targets goes down for unrelated reasons) before failing over to the secondary.

I think I've found it with this forum post:

The answer part being the following:
 I’ve tried all of these options any haven’t gotten any of them to work.  But here is what I came up with that does seem to work really well.  You can ping two, four, or even more Internet hosts and only when all of them fail does the ASA failover to the backup ISP:

route outside <primary gateway> 1 track 100

route outside <primary gateway> 1 track 100

route outside <primary gateway> 2 track 101

route outside-failover <backup gateway> 254

track 100 rtr 100 reachability

track 101 rtr 101 reachability

sla monitor 100

  type echo protocol ipIcmpEcho interface outside

  num-packets 3

  frequency 10

sla monitor 101

  type echo protocol ipIcmpEcho interface outside

  num-packets 3

  frequency 9

sla monitor schedule 100 life forever start-time now

sla monitor schedule 101 life forever start-time now

   This way both (OpenDNS) and 

Open in new window

I am having an issue with my Sonicwall creating a NAT and using RDWeb.

  • Successfully created a NAT on Sonicwall for RDWeb and RDGateway
  • We are using a self-signed cert as we are purely in a proof of concept for some applications we have
  • I can successfully connect to RDWeb
  • We get a cert cannot cert error message but that is normal as it is self-signed
  • We now try to launch  the first published test app, calculator but then this cert error appears.
  • The cert is now trying to use a Sonicwall cert which it should not be.

I have posted some screenshots below.

Anyone run in to this?  We have been in contact with Sonicwall and they are suggesting a firmware upgrade but before I go that route I just wanted to double check to see if anyone else has seen this before.

  • This is the self-signed cert error
This is the self-signed cert error
  • Error when trying to launch published app
Error when trying to launch published app
  • This is the cert that should be appearing.  Please note this self-signed cert has been installed on the remote and local test computers.
Correct Cert
  • Sonicwall NAT Rule.  We are using port 444 as Sonicwall says we cannot use port 443.  It has been changed on the RDGW server.
Sonicwall NAT Rule
New feature and membership benefit!
LVL 10
New feature and membership benefit!

New feature! Upgrade and increase expert visibility of your issues with Priority Questions.


We use an RDP session through a VPN tunnel to connect to our hosted software out of state.

We constantly experience latency through all of our VPN tunnels.  I can run a constant ping from our hosted provider back to our environment to get a small picture how bad the response times of the pings are.

The ping times will be consistent for a little while hovering at 55ms - 67ms and then we will see "request timed out" multiple times and then ping times will rise.  It seems like the ping times fluctuate a lot  (I assume they would as the signal is traveling through multiple possible connections).

When ping times are at 55ms or less everything seems fine.  However, when it goes up from their end users report latency.

We are not hard lined to our ISP as everything is wireless.  Our internet pipe should be sufficient at all locations as we have spoken with our ISP and we do not hit the high water mark on our bandwidth - only rare spikes the main site.  

We are not hitting the high water mark on bandwidth usage at any of our other sites.  Is there a good piece of Enterprise level software that one could use to help get a clearer picture of where the issue occurs?

What kind of architectural questions should we be presenting to our ISP?   To our hosted provider?

1.  Is your VPN Server over-utilized?
I hope your the right person,  Here is an outline of my problem,  I have configured a Cisco 5510 ASA and would like to tighten the rulebase to make the firewall more secure.

Please can you help
I have a Cisco 5510 ASA and would like to tighten up the firewall rules.
I have a user that is abusing their privileges and would like to block services internally. A user wished to have the Dish Network application installed on their laptop to use while traveling. There has been reports that the use was using the application in the office while on the network. I wish to block services to this application while on the internal network. I currently have Palo Alto firewalls on the network. How do i block this service from my internal network?
Does anyone know how to lock down a local businesses free wifi connection from being able to do file-sharing? Thought there might be a software product or router setup technique to do it... thank  you!!
In this article, WatchGuard's Director of Security Strategy and Research Teri Radichel, takes a look at insider threats, the risk they can pose to your organization, and the best ways to defend against them.
I know very little about watchguards (or really most complex firewalls).  I have 2 watchguards in location A and location B.  looking at the policies on the main office's watchguard, I have 16 rules.  wonder which are needed?  

This is an XTM21 (old unit, right?)

it takes a few seconds to go from screen to screen / get the list of firewall policies, etc. 'retrieving data' on screen for 9 seconds... there's 16 policies in the list.  Is that a long time for pages to load?

a) do you just replace watchguards after x years because they are old?
b) do you reboot them on a schedule? How often? every week? month? year?

This watchguard is set up for:Exchange on the SBS server on the LAN, General surfing from inside the office, VPN to the other location and phones being able to connect to the exchange server from outside.

How many rules should those take?

Looking at the policies, I think this is what are set up. I inherited this network so may be unneeded / defaults that came with the box?
FTP OUTboundSMTP ( to Any external)
GeneralProxy (From HTTP-proxy to ANY  Trusted)
SMTPtoMailSrv (From ANY to 75.127.x.x->
HTTPtoMAILSrv (From ANY to 75.127.x.x->
POP3toMailsrv (From ANY to 75.127.x.x->
IMAPtoMailsrv (From ANY to 75.127.x.x->
HTTPStoMailsrv (From ANY to 75.127.x.x->
RDPtoMAILsrv (From ANY to 75.127.x.x->
Voicecom mail system (From ANY to 75.127.x.x->
Watchguard …
if a users has a VPN connection on my ASA device then potentially he can use those credentials to connect on any computer.  Whilst i can restrict the connection to certain IP addresses and ranges, can I restrict the connection to an individual computer NAT'd behind that public IP address or range.

The risk comes in that i may not  know the patch or AV state of a computer that connects to my internal network.
I have a Fortiwifi 90d and I'm wondering what command need to be enter to do a check-disc or something?
On Demand Webinar - Networking for the Cloud Era
LVL 10
On Demand Webinar - Networking for the Cloud Era

This webinar discusses:
-Common barriers companies experience when moving to the cloud
-How SD-WAN changes the way we look at networks
-Best practices customers should employ moving forward with cloud migration
-What happens behind the scenes of SteelConnect’s one-click button


I am trying to use the built in Wifi on a FortiWifi 60E. SSID is broadcasting and the user can connect but they have no Internet access.

I am pretty sure the Policy is correct, I am guessing there is something I may need to do in the CLI.

I have ticket open with Fortinet and they seem to think the setup is also good and they want me to collect debug logs which I cannot do until the users are in the office.

Has anyone come accross a similar problem?
Hi guys

So we have a slight issue. We are unable to get to two particular websites on HTTPS. Their Australian and New Zealand domains are what we can't get to from our internal network. We can get to the HTTP sites, just not their HTTPS.

However, if we use our guest-wifi we can get to the HTTPS. If we use our mobile phones we can get to it.

Our firewall is permitting the traffic out. So I took a snapshot and we get to a HTTP BAD REQUEST and at the bottom it says something about 'nginx', which proves we are hitting some sort of proxy/web server at their end. I assume they have some sort of load balancers or web proxy causing an issue?

Thanks for helping
I am new to PA firewalls and wonder what's other's opinions compare to Ciscos please.  I heard they are user-friendly but security guys hate them.  They can be very pricey as well.
Thanks in advance!

I have just configured a LAN > WAN  Static Route within a  Sonicwall TZ300 running firmware utilizing dual WAN connections pointing a specific Private IP Address to the X1 WAN Interface.

the issue is:
While I am able to run Windows Updates, a remote backup service (MozyPro), a remote log in service (Log Me In Rescue) on the Server with the static Private IP Address stipulated in the Route I am unable to browse the internet on this same Server.
I am able to PING,,,etc when the route is active but I cannot browse.
DNS configured on  this Server included in the Static Route is the LAN Gateway IP and

IF I disable the Static Route = all is good (the Server CAN browse the internet) but it is using the U0 Interface without the Static Route in place.

Config is as follows:
* Dual WAN:
"Basic" Failover / Load Balanced Enabled
Default LB Group Ordering:  1st= UO, 2nd= X1 probing turned off for both connections and both "always active".
By default this causes all LAN connected devices to point to and utilize the U0 WAN interface which is working with out a hitch.
* Static Route:
Single Server 2008 Private Static IP  configured for "Any" Destination, "HTTP" Service ("ANY" in this field did not allow any WAN connection), X1 Default Gateway and X1 Interface with a Metric of 10.

The inability to browse the web on this particular Server is not really an issue except when we need to browse to a software …
I am troubleshooting a connection issue for two sites connected over ipsec l2l tunnel. It's occasional. TCP traffic conversation ages out. Is there a way to see when the tunnel went down or up in the previous 24 hours?
I already have an Transparent FW up and running with 7 BVIs. Everything is working fine. I also have several core and external switches which I access via TACAS+. All cisco devices other than the Transparent FW can be authenticated with TACAS+ from our jump server. However, now I need to add the Transparent FW to TACAS+.

Cisco docs only show config examples of setting up TACAS+ using either the inside or outside access. But the thing is, we are not using the data plane. We are using a completely different management segment to access our Cisco devices.

Logically, the config should be set as follows;

aaa-server GROUP-TACACS protocol tacacs+
max-failed-attempts 3
reactivation-mode depletion deadtime 10
accounting-mode simultaneous

aaa-server GROUP-TACACS mgmt host (ip address)

key 7 (Private key)
server-port Tacas+ 49

ssh console TACACS+ LOCAL
aaa authentication enable console TACACS+ LOCAL

aaa authorization command TACACS+ LOCAL

aaa accounting command privilege 1 TACACS+
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+

Question:  I replaced (inside) with our "mgmt" nameif segment. Do you think this will work?
aaa-server GROUP-TACACS mgmt host (ip address)

Hardware Firewalls





Hardware-based firewalls provide more sophisticated protection for inbound and outbound traffic than the simple Windows software firewall or the basic NAT firewalls found in routers. These devices implement techniques such as stateful packet inspection, deep packet inspection, and content filtering; and may include built-in antivirus and anti-malware protection.