Hardware Firewalls





Hardware-based firewalls provide more sophisticated protection for inbound and outbound traffic than the simple Windows software firewall or the basic NAT firewalls found in routers. These devices implement techniques such as stateful packet inspection, deep packet inspection, and content filtering; and may include built-in antivirus and anti-malware protection.


We have a Sonicwall that we are trying to set a 1 to 1 NAT WAN > LAN for a specific device for FTPS access.

From what I can tell the configuration appears to be correct; it's probably something really straightforward that one of you wizards can pick up on.

I've attached a screenshot of both the NAT policy and Firewall Policy.

Oddly, there is nothing in the Sonicwall logs to indicate the traffic is hitting the Sonicwall.

Any ideas guys?

Windows firewall ports (990) have been opened on the server in question.

External port scan on the public IP shows port 990 closed still.

I'm not familiar with F5 at all.  We use BIG-IP 4200.

If I need to know which internal IP an external IP is NATed to, how can I check that in the interface?

Hi All

I have a firewall problem that I believe is switch related.  My Sonicwall is alerting on IP Spoof Dropped but all the IPs are from my network into my BOVPN link.  I think the spoof is that the firewall is seeing many IPs coming from the connecting network on the Dell 3024 switch.  It seems I am unable to turn the connection from switch to Firewall into a trunk, I thought having a list of IPs from the local network as Tunnels would solve this but it hasn't.   Can anyone give me any pointers on how to resolve this problem?


It's about the network: we are using an SD-WAN VeloCloud switch for all our satellite offices. We are connected through MPLS technologies. We have one centralized SW firewall controlling all traffic in coordination with the VeloCloud switch. DHCP, VPN, everything is enabled on the VeloCloud switch. My perception is that one HQ firewall is sufficient to protect all our offices, or suggest to me if we need a firewall for all our offices?


Administrative Comment by: Andrew Leniart

Hi abcd ab01,

What you made here is a "Post" which is just a way of sharing information and discussing things with the EE community.

To get expert help with your question, please use the big blue Ask a Question button at the top of your browser.

I hope that's helpful.

Regards, Andrew
EE Topic Advisor

I want to use an SSL certificate for SSL VPN or web management access to my Fortigate 200D (version 5.6.3).
An SSL domain certificate bought from a trusted CA appears to have been correctly uploaded to my Fortinet firewall but is not shown in menus such as VPN/SSL-VPN Settings or System/Settings/Administration Settings (Web UI). If I use the command line, it's the same problem. Certificates are in the VPN list:
show vpn certificate local
get vpn certificate local details
But I cannot select my domain certificate (for example, with "config vpn ssl settings" and "set servercert ....").

How did I proceed?
After generating and sending the CSR to the CA, I got instructions to create two .csr files. I uploaded the first (for the domain) as a local certificate (status changed from pending to OK) and also uploaded the intermediate certificate of the CA. They are both in the certificate list. That looks fine, status is OK. But they are not in the menus when I want to select the domain certificate.
I've followed the official documentation
Other source
NB: sslsupportdesk is not my CA (Mine is a well known one).

The only thing is that the documentation does not mention the password for the private key (certainly a bit too old). I have tried with a 4096-bit …
Hi guys

We have an application on our work premises that people externally use VPN to access. The port has been set to 'ANY'. However, if I wanted to lock this port down, I have some issues as there is no documentation on what the ports are. When I look at the firewall logs, I can see that the source port always changes but the destination port stays the same. What does this mean if the source port changes but the destination port is the same? I assume the destination port is the port on the application on our side and therefore we can lock the VPN ports down to this destination port?

Thanks for helping
Can you configure a SonicWall TZ300 via the Console port?   I want to configure it for a friend before I take it to their business.  I exported their settings from the TZ180 but when I try to import them it states "file corrupt".

I printed out all of the setting so I could input them.

Their settings are very basic.  In fact they are using the default
I need to configure a basic zone based firewall rule on a Cisco 4331 to block most common attacks from the internet.

The Problem:
I'm having some issues with latency and slow uploads after having attempted to configure a zone based firewall rule on a Cisco 4331 Router.  

Further Details
A customer has a 100/100Mbps Fibre link and when directly plugged into a laptop, it comes very close to those speeds. When going through the Cisco router (without a firewall rule), it is around 90Mbps down and 30Mbps up with a latency of around 30ms (so something is already not quite right on the Cisco in regards to the uploads). With the zone firewall rule configured in the config below, it is still around 80-90Mbps down, but the upload is significantly further degraded to now only 4Mbps, with a latency of close to 200ms!

Also to point out, the ISP requires shaping which is why there is a shaping rule configured below as well:  
shape average 100000000 98000000 0

I'm very new to configuring Cisco routers, so I need some help as to where the problem might be?

Thank you.

Here is part of my Config:

class-map type inspect match-any internet-traffic-class
 match protocol http
 match protocol https
 match protocol dns
 match protocol icmp
class-map match-any CCP-Transactional-1
class-map match-any CCP-Voice-1
class-map match-any CCP-Routing-1


I was told we are joining a new company who has the same IP scheme as our present company.  How do we resolve this issue with the least amount of time?  Can you provide some documentation as to the process, maybe videos from YouTube or somewhere?  I believe they are in a data center environment and was told they are the same IPs, but somehow we need to connect them together with the same IP scheme?

I wanted to know, within Palo Alto, how to connect a secondary address for fault tolerance regarding our ISP provider.  I'm new to PA and need this info quickly...not sure if I'm stating the question properly...

I basically need to make sure our PA devices have a second way to communicate to the outside world, just in case our primary ISP goes down.

Can you also provide some documentation and maybe any videos as to the process.
Hi everyone. I have a series of devices on an old IP range which I need to communicate with our new network range. These are connected through a Cisco ASA 5516 firewall. The devices will eventually be moved to the new range, but they can't as of yet. So I have been asked if I can set up a NAT for this range of devices. So two questions:
Does it make sense to use a NAT, or is there a better way?
Is there a way to set this up as a range? The IP addresses are a continuous block. Otherwise do I have to make an individual NAT rule for each device?
A currently known issue with pfSense 2.4.4 when installing or updating.

I have a pfSense router at my location and there has been some malicious activity coming from a device on my network.  Our ISP has notified us that they think that it's a problem with port 23 and if I block it that should fix the problem.  I've blocked port 23 outbound and inbound on all of the interfaces.  The complaint to our ISP gave a reference to BitNinja to check on the malicious requests sent from our network.  Here's a copy of the last request:

    "PORT HIT": "98.#.#.#:21349->185.#.#.164:8899",
    "MESSAGES": "Array
                [01:36:54] => REMOTE HI_SRDK_DEV_GetHddInfo MCTP/1.0

I see that on 11/2/18, the malicious activity was on port 23.  Now, today I see that it's going on port 5680.  And the latest request was 8899.  

I don't know what device is doing this.  I've scanned the network and don't see any unknown devices on the network.  Here's something strange that happened.  There was a car in our parking lot with dark tinted windows and ghetto rims.  He was always gone when I came by the office.  I was talking to someone in the office and they said that that strange car was back.  I asked if they saw the driver.  She said that he was sitting in the back seat.  I remoted onto a computer in the office and scanned the network.  An IP address showed up that shouldn't be there.  I pinged it but it didn't respond.  …
I am doing my first sbs 2011 Standard to office 365 hosted exchange migration.

I am using MigrationWiz and 4 of 5 mailboxes failed. One talked of actively refusing the connection.

It reminded me - there's a WatchGuard firewall at the SBS 2011 location.  I remember once someone else having a problem with too much data going to / from one place that the WatchGuard shut it off - there's a setting to limit the amount of data to / from one external location that was on by default.

Anyone know where that is?  Could that be why they are failing the migration?

Can you tell me where to look to disable that if it's on, and maybe where to look to see if that feature was activated in the last 48 hours?

How do I get the default gateway to show as the first hop in tracert using a Dell SonicWall TZ400? Route print confirmed the default gateway is the first hop on the host I'm testing from.

I've read multiple articles stating "Login to DELL SONICWALL --> Firewall Settings -->Advanced there enable check against Decrement IP TTL for forwarded traffic under Detection Prevention and test"

When I enable the setting below, the first hop shows "1   *    *    *    Request timed out"; unchecked, it doesn't show the default gateway: the 2nd hop is shown as the first and tracert starts this way, skipping the default gateway.

Have a smaller client that has been using a Cyberoam CR15ing for quite a while with a Google Fiber connection and a LAN of about 15 endpoints. They recently moved, but the ISP is still Google Fiber. They had to leave the GF box, but we configured the new one identical to the original. So the only difference should be the public / external IP of the GF box - which is set with the CR15ing as the "DMZ" (all traffic passed through to this device). This is a bridge-mode setting for the GF box, but the Cyberoam still gets an internal IP on its WAN side. Not sure any of this matters, as the exact same config worked for years at the previous location with same ISP, same hardware, etc.

At the new location, the internet connection and outbound traffic seem fine, but the inbound is not working right. Some traffic is getting through, but it seems selective. The FTP virtual host / port-forward is not allowing an external connection, but I cannot figure out why.

The firewall logs are not showing anything hitting port 21.

Also, we keep getting a flood of Local ACL denied events in the firewall log.

See screens below. Please advise if you have any ideas.

I am trying to verify some AWS prerequisites for Server Migration.  Could someone help me with the following three prerequisites listed below, specifically:

a) verify if the following prerequisite connections are allowed
b) if they are blocked, how to open the requested ports in the fortigate

1)  DNS—Allow the connector ( to initiate connections to port 53 for name resolution.

 2)  HTTPS on WinRM port 5986 on your SCVMM or standalone Hyper-V host

 3)  Inbound HTTPS on port 443 of the connector ( —Allow the connector to receive secure web connections on port 443 from Hyper-V hosts containing the VMs you intend to migrate.
Our time clocks communicate with several IP addresses and I need our Cisco PIX 501 firewall to allow inbound/outbound (two way) traffic to and from this list: - - - - - -

All for HTTP (80), HTTPS (443), SMTP (25) ports
Attached is our PIX 501 config file.  It is not clear to me if the access-list acl_out properties are set up correctly and if I need to add additional lines for fixup protocol.

Also, does the Windows DNS Server Firewall setting need to be modified or added to?

We use Mitel 5212 IP Phones. We are trying to get them to work on a custom VLAN setup on a WatchGuard M500 firewall. We have created the custom VLAN and the IP scope, which works fine. I have mimicked the DHCP options from our Windows-based DHCP server, however this didn't work. On the Windows-based DHCP server the options are:

128 Mitel TFTP xxxx.xxxx.xxxx.xxxx
129 Mitel RTC xxxx.xxxx.xxxx.xxxx
130 Mitel IP Phone Identifier MITEL IP PHONE
132 VLAN for Mitel IP Phone 0x3
133 priority for Mitel IP Phone 0x6

On the firewall DHCP scope options (All custom):
Code   Name                          Type   Value
128    Mitel TFTP                    IP     xxxxxx
129    Mitel RTC                     IP     xxxxxx
130    Mitel IP Phone Identifier     Text   MITEL IP PHONE
132    VLAN for Mitel IP Phone       Hex    3
133    Priority for Mitel IP Phone   Hex    6

When the phone eventually boots it gets a crazy VLAN id. Any clues as to what I am missing, or a how-to guide on getting the IP phones to work?

Need education on a 5 WAN IP block (same subnet) and the MPOE running up a fiber connection to the office suite.    We walked into this situation illustrated below.  There is one circuit coming into the suite.   The internet service installed a 200 megabit fiber connection at the MPOE.  A couple of businesses want their own separate public WAN IPs running off of this one circuit.   There are currently a couple of TP-Link routers that we would like to replace.   What device (switch?  what kind of switch?  Any problems using one switch over another one?) do we use between the biscuit (one ethernet port) and the multiple WANs on the Sonicwall? Here's what we summed up as the ultimate game plan below...

Use a Sonicwall Tz 500(a model with at least x8 interfaces) and configure 2 additional interfaces as WAN ports - this would then give us 3. Each of these we can configure with their own static IP accordingly. Next we would configure a LAN interface for each company. Then we would use Policy Based Routing to move traffic from example: LAN 1 "Company A" to WAN 2. Sonicwall also provides QoS I believe which will support VOIP traffic through the routing.

I have a server 2012 running hyper-v with guests.  It has two nics.  I also have two networks with 2 routers each with static IPs.

I want to use one nic for the guests and the other nic for the host OS.  I don't want the networks to see each other. Reason being, one network (hyper-v guests) will be public facing (website and game servers) while the other network (host) will be used for personal purposes in my home network.  

How can I do this?

Note: I know how to assign a guest to a specific NIC, but my concern is the host server being on both networks.  I know that the OS will default to the first NIC it loads, but since the second NIC still gets an IP, my worry is security from that second network, even if it is not actively using it.
Trying to get a simple port redirection working on an ASA 5506 (9.9.2):

1.  Only one IP on outside interface, so all internal hosts are using PAT for external connections.
2.  Need HostA ( to have requests to outside interface on port 80 forwarded to it.

Diagram shows what I mean.  Requests TO should be forwarded to  No other traffic needs to be handled inbound.  Outbound everything should continue to use the interface IP, which I have configured as:

nat (inside,outside) source dynamic any interface

I'm having trouble getting it to do the outbound translation.  I did a network object for the host and added the NAT argument in there:

object network host-10-0-0-10
      nat (inside,outside) static interface service tcp 80 80

Then I added an access list entry:

access-list outside_access_in line 1 extended permit tcp any object host-10-0-0-10 eq 80

I can see doing a show xlate that the hosts are making outbound connections on random ports, but I don't see an entry for on port 80 like I thought I should.

So the simple question is how do I get requests to to forward to
Hello - what (if any) are the options for shaping traffic on an X-series firewall?  I have a customer with a Gig handoff Internet circuit, currently provisioned at 150 Mbps. This is terminated on an old ISR, which is shaping the traffic via the "bandwidth 150000" command to prevent carrier policing. We need to move this connection off of the ISR onto an ASA 5525-X.

From what I've found so far, it appears there's no way to handle traffic shaping on the X-series firewalls. (I haven't looked into the new FTD appliances yet, so would be interested in feedback on those as well.) The 5525 is currently running 9.2 code, and the 9.2 configuration guide (https://www.cisco.com/c/en/us/td/docs/security/asa/asa92/configuration/firewall/asa-firewall-cli/conns-qos.html) indicates that traffic shaping is only supported on the 5505 (not the "multi-core models such as 5500-X"). I haven't checked newer release notes.

Is there a way to perform the same shaping function on an ASA 5525, with either the existing or newer code? If not, how are other customers handling sub-rated circuits to prevent policing and the potential resulting connection drops? Again, if the newer FTD appliances (2100's) can provide for this, that'd be helpful to know.

Thank you
Hello Experts,

I want to generate a utilization report for the ASA outside interface; I do not see any tools for this except for Cisco Prime Infrastructure. Can we generate an egress report?
