Hardware Firewalls

Hardware-based firewalls provide more sophisticated protection for inbound and outbound traffic than the simple Windows software firewall or the basic NAT firewalls found in routers. These devices implement techniques such as stateful packet inspection, deep packet inspection, and content filtering; and may include built-in antivirus and anti-malware protection.

FORTINET Firewall 60c.

Fritzbox--->Fortinet60c(port1 local)--->switch-->My laptop

I would like to configure VPN on a FORTIGATE Firewall 60c. Can someone help me please?

I have a problem setting up a NAT Virtual Server on a Zyxel ZyWALL 110. I must be doing something stupid, but I've stared at this for so long I just can't see it.

I'm simply trying to redirect Wan1 > Internal IP as shown in the attached.
Inherited SonicWall TZ100
Need to add an external IP address for remote access to internal cameras, each with its own separate internal IP address.
We have the external block ready; need help setting up the external IP on the firewall.
I run Untangle as an NGFW and have the OpenVPN component on it. I also set up a client on it for my iPhone 7 and have OpenVPN on that as well.
Downloaded the files from UT's OpenVPN to my laptop. How do I get the files from there to the iPhone and configured?


How do I set up a user so they can connect using SSH to a firewall? I can do it, but I don't know how to assign that person permissions. The firewall is a Cisco ASA 5525.
Hi all, can someone show me where I can confirm for sure how many concurrent licenses a Cyberoam CR25iNG (10.6.6 MR-2) firewall can hold? I found the licensing page and it doesn't tell me squat. If I click on System, then Maintenance and Licensing, it gives me the model CR25iNG (C06615145344-9YTFZU). If I click Synchronize it syncs, but it does not show how many licenses there are. If I add a user to the VPN it lets me, but it doesn't tell me what the concurrent limit is. Any help is appreciated.
Dear Experts
We are implementing Exchange Server 2019 Enterprise on-premises, with a Barracuda email security appliance in the DMZ for security.
Please help with which ports need to be opened at the firewall, as well as between the email security appliance and the email servers. Please help with the following:
1.      From firewall to Barracuda email security appliance, and from email security appliance to firewall
2.      From Barracuda email security on-premises appliance to on-premises email server
3.      From on-premises email server to Barracuda email security appliance
4.      From email server to internet
Please help on the above, thanks in advance.
Can any EErs help with which SonicOS is available on the SOHO 250? I've used the TZ 300 and 350 models and have a client that could use the SOHO 250. I need it to configure ports, NAT, device IPs, and firewall rules. I've not been able to get this question answered by Dell and have not called SonicWall yet.

Is the SonicOS the same on the SOHO 250 and TZ 350? If so, I can use the SOHO 250 for my client on a smaller budget. If not, I'll have to upgrade to the TZ series.
If I wanted to just add a PAN firewall to a DMVPN spoke site with an ISR, would it be fine for the ISR to sit NATted behind the firewall?

{INTERNET}-----[public IP]{PAN}[private IP]------[private IP]{ISR DMVPN}{private site IPs}-----{switch}

Currently the ISR has the public IP at its outside interface. The idea would be to give the public IP to the PAN and NAT to a new private IP on the outside of the DMVPN router. Would DMVPN work in that scenario?

Or would I be better off to configure the PAN as a virtual wire and retain the public IP address at the router?
FortiOS v6.2.3 - I'm setting the log to "all" but I can't see any logs in the "forward traffic log" (screenshots attached: Screenshot_1.png, Screenshot_2.png). What am I missing? Is there another option I need to enable?
I'm behind a SonicWall TZ400 and I need to upload a document to an external FTP server, ftps://ftp.xxx.xx:990 (IP), but I get an error that I'm unable to connect to the server. I think the firewall might be blocking access. What is the best way to open up access to this site?


I am looking for help regarding settings on my NetScreen SSG5 firewall. Two days ago I updated my internet from a legacy Time Warner plan to a new plan from Spectrum. This involved swapping out my modem. The old Time Warner product was a combination modem/wifi router, while with Spectrum I was given two devices: a modem and a separate wifi router. I have two networks in my home: one is for personal use and for our streaming TVs, the other is a work network I use for my home office and my wife's PC. When I made the switch, the personal use network worked fine, but nothing sitting behind the SSG5 could connect to the internet. Attempting to ping anything public, including Google, resulted in timed-out errors. I suspect that either a port needs to be opened in the new wifi router or an IP setting(s) needs to be changed on the SSG5.

I called Spectrum tech support and logged into the SSG5 and looked at all of the settings.  It was correctly sensing the new public IP address.  There was a problem with respect to the DNS settings.  The IP address listed as the primary DNS address was actually the secondary address and the one listed for the secondary was incorrect.  I changed these to the correct values but the problem still remains.

I realize you probably need more info than this to figure the problem out.  Please let me know what you need.

One idea I had was to unplug the SSG5 for a minute and replug it in, to sort of reboot it. I have not done any …
My client is a property management firm that manages two condo buildings that offer free wifi to the tenants, about two hundred per building.  

The client's ISP, Cox Communications, has sent notices that Cox has received complaints about illegal downloading and distributing of copyrighted materials.  I assume one or more people living in these buildings are running peer-to-peer file sharing clients, like BitTorrent.  What is the best on-premise solution to satisfy Cox that we're doing all we can to prevent this use of our Internet connection?
We have 2 Fortigate 101 units configured as HA Active-Passive. Both devices' port 1 are connected to one of our internal switches, but recently our switch became faulty and we are planning to buy 2 units and stack the switches together to have redundancy.

Please advise: to achieve this, do I need to configure two-port aggregation and configure POL on the switch port? (Fortigate HA)
I need help to establish a VPN connection from my home Linux box (Debian 10) to office's SonicWall TZ300 using strongswan ipsec.
Here are my config files:

/etc/ipsec.conf

conn GroupVPN

# aggressive=yes disabled by default when auth by PSK. It's enabled by setting
# charon.i_dont_care_about_security_and_use_aggressive_mode_psk=yes in strongswan.conf
# see https://wiki.strongswan.org/projects/strongswan/wiki/FAQ#Aggressive-Mode
# see https://wiki.strongswan.org/projects/strongswan/wiki/IKEv1CipherSuites

#include /var/lib/strongswan/ipsec.conf.inc

/etc/ipsec.secrets

#include /var/lib/strongswan/ipsec.secrets.inc

@GroupVPN @<UniqueFirewallIdentifier> : PSK <SharedSecret>
<MyUserName> : XAUTH "<MyUserPassword>"

# ipsec statusall
Status of IKE charon daemon (weakSwan 5.7.2, Linux 4.19.75+, armv6l):
  uptime: 2 seconds, since Jan 28 19:02:33 2020
  malloc: sbrk 811008, mmap 0, used 468032, free 342976
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
  loaded plugins: charon test-vectors ldap pkcs11 tpm aes rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac hmac ctr ccm gcm curl attr kernel-netlink resolve socket-default connmark farp stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc xauth-generic xauth-eap xauth-pam tnc-tnccs dhcp lookip error-notify certexpire led addrblock unity counters
Listening IP addresses:
    GroupVPN:  %any...<SW_IPaddress>  IKEv1 Aggressive
    GroupVPN:   local:  [GroupVPN] uses pre-shared key authentication
    GroupVPN:   local:  [GroupVPN] uses XAuth authentication: any with XAuth identity '<MyUserName>'
    GroupVPN:   remote: [<UniqueFirewallIdentifier>] uses pre-shared key authentication
    GroupVPN:   child: === TUNNEL
Security Associations (0 up, 0 connecting):


Screenshots attached: GroupVPN policy, Advanced VPN, Advanced Settings.

From SonicWall log (most recent at the top):


We are currently using a Fortigate 100F with firmware v6.2.2 build 6083.  We recently upgraded from an older 200B that is end-of-life soon. To geo-block countries in the past, we had added an Address object named "Country Block - Countryname" and set a type of geography to it.  We then added this address to an Address Group named Country Block that is contained in the existing IPV4 policy that blocks incoming traffic from the outside-zone.

With the latest build of 6.2.2, is there a more efficient way of doing this?  Also and perhaps more importantly, we are considering blocking everything but US sources and I am curious what the recommended course of action is to do this efficiently.  We don't have public-facing servers and I am just looking to harden intrusion prevention.  I realize this isn't a silver bullet but anything I can do to lessen exposure to risk is desired.
I know an ex-colleague had a way at the command line (script or whatever) to automate adding IPs to block malicious IPs on a Nokia CheckPoint; that was years ago.

My current network colleague says it's very tedious to add IPs, as he has to create an object, then go into another screen to add it to a group, and we often get 100-700 IPs from threat intel (from a cyber regulator). Is there a way to automate mass-blocking them on a CheckPoint Security Gateway 12600? Isn't there a way to get to the SG12600's Unix command prompt and write a script to automate it?

For sure with Linux iptables we can do it easily with a shell script.

Heard Palo Alto has an interface to add IPs en masse, but my network guy says CheckPoint (and possibly Fortigate) don't.
I have a GoDaddy Standard UCC/SAN SSL Certificate:
mail.mydomain.com - Exchange certificate
gp.mydomain.com - Palo Alto GlobalProtect VPN certificate

My certificate expired on 26/12/19, so I renewed the cert and installed it on the Exchange server, all fine.
But how do I install the new certificate on my PA-820 GlobalProtect VPN without renewing or creating a new CSR?

I have been contacted by our Wells Fargo bank rep and they told us a URL has changed and we are to add it to our firewall rules for continued access. I have a SonicWall appliance, so the first question I have is where can I find the model number? The interface recently changed and I used to be able to find it quickly. Second question: how do I add this URL to the firewall so it does not get blocked?
I am a long time Sonicwall user/admin.

Does anyone else utilize bandwidth control on a Sonicwall with firmware 6.5 or greater?

I have been using it for years quite extensively but about 6 months ago I had to disable it completely due to a very odd issue. Sonicwall documentation on it only talks about how to create and such, not best practices or gotchas. I am not looking for howtos, I am looking for best practices and such for overall usage and performance.

Specifically, we are using an HA pair of NSA2600 with multiple WAN interfaces (for redundancy).
Our network team raised concern that, with the number of IP addresses to block (currently we create a group and add in IP addresses) coming from the cyber regulator, it may hog/slow down our CheckPoint 12600.

What's the rule of thumb for the max number of rules for a 12600? We estimated the number of IPs to block to reach 5000 per year.

There's currently 1 rule, ie "Deny Threat_intel_list All for all ports/protocols". So with only 1 rule, will adding IPs to the "Threat_intel_list" cause slowness, or will increasing the number of IPs in the list increase the latency (make it slower) as well?

Q3: *** this question is crucial ***
We plan to break down that single rule into multiple rules, ie 1 rule per IP from Threat Intel to block, so that we can assess if there are hits and subsequently assess whether to remove rules that don't have hits after, say, 6 months, so as to reduce the number of rules and the load on the firewall. Is this a good practice in terms of making the firewall faster? In terms of cybersecurity, we were advised by one vendor that this is a safe practice, as IOCs that are 'dormant' ought to be removed, just like AV vendors remove signatures for viruses that have not been seen in the wild for quite a while, to reduce the size/length of the AV signature file/DB.

To do a firewall rules review (ie remove rules, permit or block rules: permit as it means the endpoint device may have been decommissioned, and block if the IOC is not active), we reckon we review if there are hits. Heard …
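Added example, written for the two CheckPoint blocklist questions above (mass-adding threat-intel IPs, and the follow-up about rule count and retiring dormant IOCs); it is not code from any of the posters. It does three things a practitioner wants before a regulator feed touches the firewall: validates and CIDR-collapses the raw list so duplicates, garbage, RFC 1918 ranges and an accidental /0 never become deny objects; emits Check Point Management API commands (mgmt_cli, which exists on R80 and later management servers; the exact argument names used here are my assumption from the API reference and must be checked against your release); and works out which entries have had no hits for a set period from a per-object add/last-hit record you would export from your own logs. The feed and the hit dates are constructed for the example.

```python
"""Threat-intel blocklist helper: normalise a raw IP feed, emit the
firewall object/group commands, and find dormant entries to retire.

Added example, not code from any poster. mgmt_cli argument names are an
assumption based on the Check Point Management API (R80+); verify them.
"""
import ipaddress
from datetime import date, timedelta

# Reject anything wider than this: a /0 or /7 in a feed is almost certainly
# a mistake, and pushing it as a deny object would black-hole the site.
MIN_PREFIXLEN = {4: 8, 6: 32}


def parse_feed(text):
    """Parse one IP or CIDR per line ('#' starts a comment).

    Returns (nets, rejected). nets is de-duplicated and CIDR-collapsed
    (a host already covered by a listed network is dropped); rejected holds
    the raw lines that were unparsable, too wide, or not globally routable
    (RFC 1918, loopback, documentation ranges, ...).
    """
    v4, v6, rejected = [], [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            rejected.append(line)
            continue
        if net.prefixlen < MIN_PREFIXLEN[net.version] or not net.is_global:
            rejected.append(line)
            continue
        (v4 if net.version == 4 else v6).append(net)
    nets = list(ipaddress.collapse_addresses(v4))
    nets += list(ipaddress.collapse_addresses(v6))
    return nets, rejected


def object_name(net):
    """Deterministic name per entry, so re-running the feed re-uses objects
    instead of creating duplicates. Colons (IPv6) are replaced."""
    if net.prefixlen == net.max_prefixlen:
        return f"TI-{net.network_address}".replace(":", "_")
    return f"TI-{net.network_address}-{net.prefixlen}".replace(":", "_")


def mgmt_cli_commands(nets, group="Threat_intel_list", session="id.txt"):
    """Build mgmt_cli lines: one host/network object per entry, one
    'set group' call adding all of them, then publish. Assumes a session
    file written by 'mgmt_cli login ... > id.txt'. (Syntax assumed.)"""
    cmds = []
    for net in nets:
        name = object_name(net)
        if net.prefixlen == net.max_prefixlen:
            cmds.append(f'mgmt_cli add host name "{name}" '
                        f'ip-address "{net.network_address}" -s {session}')
        else:
            cmds.append(f'mgmt_cli add network name "{name}" '
                        f'subnet "{net.network_address}" '
                        f'mask-length {net.prefixlen} -s {session}')
    if nets:
        members = " ".join(f'members.add.{i} "{object_name(n)}"'
                           for i, n in enumerate(nets, 1))
        cmds.append(f'mgmt_cli set group name "{group}" {members} -s {session}')
    cmds.append(f"mgmt_cli publish -s {session}")
    return cmds


def dormant_entries(entries, today, max_idle_days=180):
    """entries: {object_name: (date_added, date_of_last_hit or None)}.
    Return names with no hit within max_idle_days. Entries that never hit
    are aged from their add date, so fresh entries are not pruned at once."""
    cutoff = today - timedelta(days=max_idle_days)
    return sorted(name for name, (added, last_hit) in entries.items()
                  if (last_hit or added) < cutoff)


# Constructed sample feed (not a real threat-intel list).
SAMPLE_FEED = """\
1.2.3.4
1.2.3.4          # duplicate
1.2.3.0/24       # already covers the host above
5.6.7.8
10.0.0.5         # RFC 1918: rejected
0.0.0.0/0        # too wide: rejected
not-an-ip        # garbage: rejected
"""

if __name__ == "__main__":
    nets, rejected = parse_feed(SAMPLE_FEED)
    print("objects:", [str(n) for n in nets])
    print("rejected:", rejected)
    print("\n".join(mgmt_cli_commands(nets)))
    hits = {"TI-1.2.3.0-24": (date(2019, 12, 1), date(2020, 6, 20)),
            "TI-5.6.7.8": (date(2019, 12, 1), None)}   # constructed
    print("dormant:", dormant_entries(hits, date(2020, 7, 1)))
```

The script keeps the single deny rule in front of one group and ages entries per object rather than creating one rule per IP, which is what the Q3 approach would do to the rule base; the per-object last-hit data is something you export from your logs, the script only decides what to retire. Review the rejected list by hand rather than discarding it: a private range or a /0 in a regulator feed is worth a question back to the sender.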
Network access/routing issue. The configuration that is in place worked perfectly fine until the broadband ISP switched out their cable modem. See attached diagram for clarification.
The issue at hand is that before the cable modem gateway was replaced, any workstation on the local LAN (192.168.1.x) was able to access the DVR/NVR camera system using its address of  However, now that address is pingable from the 192.168.1.x network, but no other network access works (ie. the NVR software can't connect to it). The NVR system is still accessible from offsite by using the public static IP of the ISP gateway, which has port forwarding to the NVR device. In an ideal world, I would have had the camera system installed behind the network firewall so all devices were on the same IP network. So I am looking for some input on what might be going on here. Why would the old ISP gateway allow the communication but the new gateway appears not to? Is there something that we should communicate to the ISP to change in their gateway to fix this issue?

Any insight is appreciated.
I am looking for a solid, reliable VPN or terminal service solution.  Here is the scenario.  A web development company has access to several remote sites/servers located in customer data centers.  Those remote sites have the main office of the web developers building outgoing IP address white-listed so that they can access the servers that they need to.  The web development company has several employees that telecommute from all over the country.  Therefore, for these telecommuters to access those customer sites/servers, they need to be logging in from the main office and be seen as the white-listed IP address.  

What I am looking for is a good, reliable solution that will allow those users to do just that.  Currently we use FortiClient VPN since we have a FortiGate firewall, but it is flaky, unreliable and simply not working for what we need it to do.  So I am looking for a better VPN solution.  I've also entertained the idea of putting up a computer specifically for people to access at the main office, and then access the remote sites but I'm afraid that remotely connecting to a customer server, from a PC that the employee is already remoted into from their geographic location might be "over-remoting." :-)

Thanks in advance!
We are setting up a remote office with a FIOS internet connection.  Remote office users will connect to the main office using VPN.  Do you think I will need a firewall appliance at the remote office location?  I'm not sure it is necessary since users work from home and connect to the office using VPN and they do not have firewalls at home.  

I am trying to send SonicWall capture logs to an FTP server but it fails. I have attached a pcap file of the failure (failed-ftp.pcapng).
