Hardware Firewalls

Hardware-based firewalls provide more sophisticated protection for inbound and outbound traffic than the simple Windows software firewall or the basic NAT firewalls found in routers. These devices implement techniques such as stateful packet inspection, deep packet inspection, and content filtering; and may include built-in antivirus and anti-malware protection.

We currently have a SonicWall NSA 2600. We also have a Small Business Server 2011 running Exchange 2010. The SonicWall has NAT and firewall rules configured to pass mail to the server. That is working fine.

I have activated a 30-day trial of SonicWall's Anti-Spam Service. During the initial configuration I received the following pop-up error: "Mail Server Auto-Detect Failed. The system detects there are one or more NAT and/or Rule policies that use a service group of a service port range that includes SMTP and non-SMTP service ports. The system could not enable the Anti-Spam service using the current configuration."

The user guide for enabling Anti-Spam lists a step where you identify the mail server. I am assuming I need to delete the current NAT and firewall rules forwarding mail to the server and let the Anti-Spam setup configure them again. Am I correct?

Any help is appreciated.

I have a Windows SBS 2011 server hosting an application which gives access (with username and password) via http port 8086. I have a Vigor 2960 Dual-Wan Security Firewall which currently port redirects 8080 to the server.
How can I restrict access to the URL to certain people (field engineers) who use laptops, smartphones to access the site?
I have a SonicWall NSA 2650 and I have an NVR with PoE ports on the back that have an internal DHCP server controlling them on a 10.0.0.x subnet. I want to access those ports from my laptop when connected via the Global VPN Client. The SonicWall has X1 and X2 as WAN, X0 as LAN on 10.10.30.x, and I have plugged one of the NVR ports into X3 on the SonicWall. I need help configuring the SonicWall so that I can navigate to the 10.0.0.x subnet.
A customer has recently had new phones installed that connect to a cloud based PBX.  They have a Draytek 2860 router.

They have sent me a document with the required entries in yellow (attached).

I presume they are asking that the firewall be opened up for those specific ports to the hostnames/ip addresses provided.

Can someone explain how I do this on the Draytek router?
Hi All

This is not a question as such; I'm looking for information and ideas on how I can pass VLANs across an IPsec VPN tunnel.

I've got 16 VLANs hosted at one site located a few hundred kilometers away from my secondary site, and I want to be able to push the VLANs from the main site to the secondary site and then be able to distribute them via a switch at the remote site.

The sites currently will be connected via either Sonicwalls or WatchGuard UTM Appliances

Any help or suggestions on this would be greatly appreciated
We can't seem to use ASDM to change the inside interface on two new Cisco ASA 5506-X devices.

We have experience with ASDM from before the bridged group config was added in v9.8. However, on these new devices, we can't seem to change the default config from the default subnet to the one we want to use them on. Using step 4/12 in the startup wizard, the Edit button when selecting GigabitEthernet1/2 does nothing. If I try to change the BVI1 bridged group IP, ASDM will either return an ERROR when applying or hang.

I have even dabbled with the command line to try to do this but always get an error.

I have spent two days trying to get either of these devices working properly, to no avail. I need help; the Cisco forums are rubbish IMHO and there seem to be very few 9.8+ links on how to do this. I am not sure where this is going wrong.
Hello Experts

I want some help with object naming on a Cisco ASA. What method do you use for better management?
For example, I have the requirement below; what would be the efficient way to do it?

Mask  Proto  Host              Ports
/24   TCP    10.10000.136.33   20,21,1234,5660,5900,9044,9903,443
/24   TCP                      20,21,22,80,5660,9055,443
/24   TCP                      80,3389,5900,443
/24   TCP                      3389,5631,443
/24   TCP                      22,443,8080
/24   TCP                      22,5800,5900,443
/24   TCP                      20,21,22,23,5660,9055,443
/24   TCP                      22,5800,5900,443,8000
/24   TCP                      443
/24   TCP                      22,5900,443
/24   TCP                      20,21,443

Appreciating any help and suggestions
Using a Cisco ASA 5555 with the AnyConnect SSL client and split-tunneling enabled, how do I force an inside tunneled route to a FQDN so that the AnyConnect client tunnels through the ASA and presents the egress IP of the ASA to the destination? I've read conflicting results when adding a FQDN to an ACL as a secured route. It would be easier if the host had a single static IP address, but it's behind an AWS load balancer so the IPs change. Am I even making sense? On a scale of 1-10 representing my knowledge of ASAs (where 1 = WTF is an ASA, 10 = I configure ASAs in my sleep) I'd say I'm at about a 4.
Two firewalls in series, SonicWall on the WAN side and ASUS behind the SonicWall.
I have the above setup where the SonicWall provides a LAN address of 192.168.168.XXX to an ASUS firewall, which provides my actual devices (PCs etc.) with a 10.0.0.XXX LAN.
All works just the way I need and want it to; please do not offer any config changes.
QUESTION: Since the 10.xxxxx LAN is essentially a translated 192.xxxxx address, can anyone tell me how to configure my SonicWall Packet Capture screen to see the translated PC IPs?
Note: I only see 192.168.x.x in a Global Packet Capture and suspect that it may be that the ASUS knows that it is translating to  but I am not yet convinced.
We have a request to control wireless clients user-based (not IP-based) using Fortinet. Below is the scenario.
We have an IMC RADIUS server. IMC is integrated with AD. I configured IMC in Fortinet for authentication.
I can see all wired users' info logged in Fortinet but not wireless users.

How can I achieve this?


Old SonicWall box, site works fine.
New SonicWall box, site returns error.
"No connection could be made because the target machine actively refused it. xxx.xxx.xxx.210:60004"
Put Old SonicWall back, site works fine.

I've compared firewall settings several times, but there is an age difference, so the old and new do not exactly match.
The log does not flag anything.
Packet monitor log attached (filtered for port 60004). It looks like 60004 is moving, but I'm not a Packet Monitor professional.
aaa.aaa.aaa.208 = External site
xxx.xxx.xxx.210 = SonicWall box
zzz.zzz.zzz.103 = Internal server
How Can I make secure connection (https) with Windows 10 to a router/firewall to not have an error " Code: INET_E_RESOURCE_NOT_FOUND" ?

It all started when I tried to install the SonicWall TZ series SSLVPN or GVC client for Windows 10 computers. I then noticed I can only use http://<ip> to connect to the SonicWall TZ series and not HTTPS. If I cannot connect to https://<ip> to reach the SonicWall TZ, then I would not be able to install the SSLVPN client either.

I even downloaded the SSLVPN client with Windows 7 and took it to install on Windows 10; I got up to the login prompt but then it fails and does not connect.

To summarize my question: Windows 10 browsers (any of them: Edge, IE, Chrome, etc.) seem not to connect securely (port 443) to a device that has an expired certificate.
I tried GVC version GVCSetup64_4.9.4.0306_EN.exe that someone recommended for Windows 10, and after I typed the user name and password it failed authentication too, and the log file showed this entry: (An incoming ISAKMP packet from <IP> was ignored.)

Can anyone suggest a work around please?
Currently we have TMG as the web proxy and Websense as web filtering.
We are going to replace TMG with a Bluecoat SG Appliance.

Hence I need to know which design is considered best in terms of security and efficiency.

We have 1500 users.

Any help would be appreciated.
Hi Experts,

We have inherited a Cisco 891F router/firewall on which we need to allow a certain group of inbound IPs over SMTP (port 25) into our mail server. The router is currently configured to allow the existing spam filter service from a certain IP range through an object group, and this is currently functional.

object-group network Spam-Filtering
 description Spam-Filtering

The object-group is defined later in the config under the following command for allowing traffic through to the WAN IP address.

permit tcp object-group Spam-Filtering host 71.xx.xx.179 eq smtp

Trying to use the existing configured object group, I've tried adding the following command (in config mode), followed by each IP address that needed to be added to the group. I ran the 'show run' command to confirm the host addresses had been added to the object-group.

object-group network Spam-Filtering

However, traffic was still not coming through from our spam filter provider. Eventually, I ended up trying to allow all inbound IPs to pass through with the following command, but was still unable to get traffic to come through to our mail server. I attempted to use 'telnet 71.xx.xx.179 25' to test but would not get a response externally.

permit tcp any host 71.xx.xx.179 eq smtp

Are there any steps or commands I may be applying incorrectly to allow the external IPs to pass through the router?    …
Sonicwall TZ215 Global VPN Client issue.  Have a current issue with just one user on a Windows 10 computer.  No problem making the connection, I am able to ping the Windows server however, cannot access shared resources using the hostname and/or IP.    It had worked just a week ago and nothing else has been loaded since then.

Shutdown AV and firewall, and reinstalled the VPN client.   Can login using the user's credentials on my computer and access shared resources just fine.
Don't see anything in Event Viewer or the VPN client logs. The SonicWall is currently running Enhanced OS version   Have about a half dozen users who connect every day without any problems.

Wonder if it could be a problem with the user's home network (maybe Comcast).  Going to ask if she can hotspot her phone and try it.
Any troubleshooting thoughts would be appreciated.
Hello Everyone,

I have a SonicWALL NSA 3500 that I am trying to configure to open port 8000 for a Network Video Recorder (Hikvision). I want to port forward. I created an object for port 8000 and then one for the internal IP address that the recorder is going to use. I then went through the Public Server Wizard and entered the internal IP, and the wizard went ahead and added our WAN address and created the inside, outside and loopback parameters. For all intents and purposes this should have opened port 8000 once I went through the wizard.

Issue is when I try accessing from outside (or even inside my LAN network) using our WAN IP and then adding the 8000 suffix (x.x.x.x:8000) it's not reachable.  I believe I should receive at least a SonicWALL test page, correct?  Even if the device is not plugged into the switch yet I should still get something from the SonicWALL I believe.

Can anyone tell me if there is anything else I can do to make sure that port is open?  Web tests still say the port is closed.

Any help would be most appreciated!

I set up a Barracuda firewall and IPsec VPN for iOS clients to connect via the VPN. When connected to IPsec, we did all of the normal tests with DNS, HTTP, HTTPS. The Barracuda shows all traffic passing through it. I don't know what to do. We have a packet dump from the Barracuda that shows the traffic passing back to the iOS device, so the website should load, but it's not.
We need to re-image a 5506 from Firepower Threat Defense to ASA IOS.

In ROMMON, how can I ensure that I have a stable connection between the ASA and the TFTP server to avoid packet loss?

Somehow I mistakenly ordered a "Firepower" edition of the Cisco ASA 5506X. This version has no apparent command-line access and I can't figure out how to set up SSH, ASDM, nor IPSec VPN. I'm stuck in a bare-bones HTTPS interface.

Also I don't see any VPN option.

Does this unit support the features I need? Can I zap it and install normal IOS 9.7? Or do I have to ship it back to the vendor?
I have 1109 MikroTik > FortiGate 240D > HTTP websites.
The HTTPS websites are domainA.com and DomainB.com.
The 1009 routes all 443 to the FortiGate WAN port.
The FortiGate should have the domainA.com and DomainB.com SSL certificates on it, and the HTTP website will be identified through the host header.
Can I do it?
I have a Cisco ASA 5506 at a remote site connecting back to my home office firewall (ASA 5520) via EZ VPN site-to-site VPN. The tunnel is up, I can ssh into the 5506 fine, it can ping back across the tunnel to machines at my home office, however, I cannot ping the device plugged into the remote firewall from my home office. The remote firewall can ping into the device plugged into it fine.

I've double checked, the device has the correct gateway settings. I've attached a PC to the remote firewall with a different IP and I cannot ping that from home office either so it's not just the device. The packet tracer commands I've run show this should be allowed. What is blocking that device attached to my remote firewall from talking to my home network?

Configs and trace results below-

Home office config:
access-list <SITE B>_split extended permit ip object-group Internal_Networks object <SITE B>-remote_network 

group-policy <SITE B> internal
group-policy <SITE B> attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value <SITE B>_split
 nem enable

tunnel-group <SITE B> type remote-access
tunnel-group <SITE B> general-attributes
 default-group-policy <SITE B>
tunnel-group <SITE B> ipsec-attributes
 ikev1 pre-shared-key owezvpnP@55

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set TRANS_ESP_3DES_SHA

crypto map VPN 65535 ipsec-isakmp dynamic vpn_dyn_map
crypto map VPN interface outside

crypto ikev1 enable outside

NVR Config Cisco ASA 5505
9.24 (25), latest interim IOS

I need to configure port forwarding on an NVR device (inside to outside modem) for the following ports:

80, 443, 554, 8080

Inside network
Inside Interface

Outside Network
Outside Interface
Modem is
Dear Expert,

I will shut down my Checkpoint Firewall R77 and Hitachi SAN (model: HUS130). Could you please provide a startup and shutdown procedure manual for the Checkpoint and the Hitachi SAN? In addition, please share your experience with the shutdown/startup process. Thanks.
Hello Everyone,

We are thinking about upgrading our Cisco 802.11n WiFi access point to a Ubiquiti UniFi UAP-AC-HD access point. We bought a test unit; it is very easy to set up, with all-in-one central management through the robust UniFi controller. We have 100M up/down internet from TWC. During our LAN speed test we are getting about 80 Mb/s up and 90 down, which is normal. When we test on the new Ubiquiti wireless access point, we are getting a download speed of 32-34 Mbps and upload getting to 90 Mbps on the 5 GHz band. On the 2.4 GHz band we are getting about 16 Mbps down and 80-90 Mbps up. An example of our current network configuration is attached. We have contacted Ubiquiti and support doesn't seem to know what went wrong; we are still waiting for their engineer to reply. All switches are at full duplex speed. We suspect the firewall is filtering traffic by design, and if so, we would like to know if there is a way to fix this.

Any help in unraveling this issue would be greatly appreciated.
