Hardware Firewalls

24K Solutions, 20K Contributors

Hardware-based firewalls provide more sophisticated protection for inbound and outbound traffic than the simple Windows software firewall or the basic NAT firewalls found in routers. These devices implement techniques such as stateful packet inspection, deep packet inspection, and content filtering; and may include built-in antivirus and anti-malware protection.


Our network team raised a concern that with the number of IP addresses to block
(currently we create a group & add in IP addresses) coming from the cyber regulator,
it may hog/slow down our CheckPoint 12600.

Q1:
What's the rule of thumb for the max number of rules for a 12600?  We estimated the
number of IPs to block to reach 5000 per year.

Q2:
There's currently 1 rule, i.e. "Deny Threat_intel_list All for all ports/protocols":
So with only 1 rule, does adding IPs to the "Threat_intel_list" cause slowness, i.e.
will adding to the # of IPs in the list increase the latency (make it slower) as well?

Q3: *** this question is crucial ***
We plan to break down that single rule into multiple rules, i.e. 1 rule for 1 IP from
Threat Intel to block, so that we can assess if there are hits & subsequently
assess whether to remove rules that don't have hits after, say, 6 months, so
as to reduce the # of rules & load on the firewall: is this a good practice in
terms of making the firewall faster?  In terms of cybersecurity, we were advised
by one vendor that this is a safe practice, as IOCs that are 'dormant' ought to be
removed, just like AV vendors remove signatures for viruses that have not
been seen in the wild for quite a while to reduce the size/length of the AV
signature file/DB.

Q4:
To do a firewall rules review (i.e. remove rules, permit or block rules: permit as
it means the endpoint device may have been decomm'ed & block if the IOC
is not active), we reckon we review if there are hits.  Heard …

Hi All,

We are trying to help an external company who wish to publish their Juniper Firewall for remote management. We can ping the external address quite happily, however we cannot connect to the web ui over http. On the untrusted interface under management services / other services, ping and web ui are ticked. If we untick the ping we can see that external pings do drop off, so this works. I have confirmed with the ISP that there is nothing their end that would block the connection.

Any suggestions?

Thanks for your help.
Paul
I am looking for a solid, reliable VPN or terminal service solution.  Here is the scenario.  A web development company has access to several remote sites/servers located in customer data centers.  Those remote sites have the main office of the web developers building outgoing IP address white-listed so that they can access the servers that they need to.  The web development company has several employees that telecommute from all over the country.  Therefore, for these telecommuters to access those customer sites/servers, they need to be logging in from the main office and be seen as the white-listed IP address.  

What I am looking for is a good, reliable solution that will allow those users to do just that.  Currently we use FortiClient VPN since we have a FortiGate firewall, but it is flaky, unreliable and simply not working for what we need it to do.  So I am looking for a better VPN solution.  I've also entertained the idea of putting up a computer specifically for people to access at the main office, and then access the remote sites but I'm afraid that remotely connecting to a customer server, from a PC that the employee is already remoted into from their geographic location might be "over-remoting." :-)

Thanks in advance!
I'm using ASA5585-SSP-10 as a remote access concentrator. I have one client who is getting the message "Connection attempt has timed out. Please verify internet connectivity".

It doesn't even give him the opportunity to enter credentials for logging in. The logs look like this:

Dec 03 2019 09:46:13: %ASA-6-725001: Starting SSL handshake with client outside:68.67.156.199/13788 to 58.59.192.200/443 for TLS session
Dec 03 2019 09:46:13: %ASA-7-725008: SSL client outside:68.67.156.199/13788 to 58.59.192.200/443 proposes the following 65 cipher(s)
Dec 03 2019 09:46:13: %ASA-7-725012: Device chooses cipher ECDHE-RSA-AES256-GCM-SHA384 for the SSL session with client outside:68.67.156.199/13788 to 58.59.192.200/443
Dec 03 2019 09:46:13: %ASA-6-725016: Device selects trust-point ASDM_TrustPoint6 for client outside:68.67.156.199/13788 to 58.59.192.200/443
Dec 03 2019 09:46:13: %ASA-6-725002: Device completed SSL handshake with client outside:68.67.156.199/13788 to 58.59.192.200/443 for TLSv1.2 session
Dec 03 2019 09:46:44: %ASA-6-725007: SSL session with client outside:68.67.156.199/13788 to 58.59.192.200/443 terminated
Dec 03 2019 09:46:44: %ASA-7-609002: Teardown local-host outside:68.67.156.199 duration 0:00:30
Dec 03 2019 09:47:48: %ASA-7-609001: Built local-host outside:68.67.156.199

It should move on to authentication but it just fails. A good next log entry would look like:

Dec 04 2019 12:02:41: %ASA-7-734003: DAP: User usertmuser, Addr 22.166.67.84: Session …
I purchased an EdgeRouter X so that I can take advantage of a 200 MEG connection. When I plug directly into the cable modem I get about 175. When I plug the router in, I get about 10 mbps down and 13 up. This router is brand new, replacing an old Netgear AC1200.

I did upgrade to the latest firmware with no change.

ubnt@ubnt# show
 firewall {
     all-ping enable
     broadcast-ping disable
     ipv6-receive-redirects disable
     ipv6-src-route disable
     ip-src-route disable
     log-martians enable
     name WAN_IN {
         default-action drop
         description "WAN to internal"
         rule 10 {
             action accept
             description "Allow established/related"
             state {
                 established enable
                 related enable
             }
         }
         rule 20 {
             action drop
             description "Drop invalid state"
             state {
                 invalid enable
             }
         }
     }
     name WAN_LOCAL {
         default-action drop
         description "WAN to router"
         rule 10 {
             action accept
             description "Allow established/related"
             state {
                 established enable
                 related enable
             }
         }
         rule 20 {
             action drop
             description "Drop invalid state"
             state {
                 invalid enable
             }
         }
     }
 }
Using a Cisco ASA 5545-X firewall, can it provide VPN function for around 60 users?  If so, how do I configure it? Besides, what other corporate, best and common VPN solution (with 2nd factor authentication) would you recommend?
Hi,

We are looking for a wired firewall solution for our office.

High robustness is the most important requirement for our firewall solution.

There are features such as multiple VPN connections which are nice but not as important.

What would you recommend as a very good firewall solution for office with following requirements:

- Highly Robust solution
- For small office (less than 10 PCs)
- Secure remote connections to office PCs
- Secure Office 365 network connectivity
- Support our network internet speeds: last test got 37.7mb/s download, 38.4mb/s upload, 17ms latency

Thanks,
Robbie
Dear Experts,

Previously, with the FortiClient, I was able to SSL VPN to my office network.

Now when I try to connect, after keying in the FortiToken, it says permission denied (-455).
I have a new Cisco Firepower Manager ASA - I'm not too familiar with the functions.  There's a GUI.  I'm trying to add an IP to an existing Source Object but I can't find out how.  I didn't set this up, a contractor did, and now of course it's left to me to figure out how it works.  See attached (CFP.png).  I want to add to the group in the box.
I am trying to modify security policies in a device group. When I try to do so I want to select a zone which was defined in a template with which these devices are associated. However nothing appears in the drop-down box. Even more surprising, if I try to add an address or address group, if I click Add and select the drop-down utility, it is likewise empty. The PAN-OS is 8.09. Has anyone seen this behavior? How to fix?

I am putting in a SonicWall TZ350 on a domain where the Domain Controller runs the DNS and DHCP.   I want the TZ350 wireless to offer 50 IPs outside the scope of the domain controller.  The scope of the DC is 192.168.2.100 to 192.168.2.200.   I want the SonicWall to have a scope of 192.168.2.50 to 192.168.2.99.   I thought I found the place to put this scope in, but when I test the wireless devices I still get a 172.16.xx.xxx.   I want the hard-wired computers to see the wireless devices, but they are coming up with the two separate IP groups.   Can anyone guide me with this?
I would like to convert config from a Juniper SSG5 to a Juniper SRX110.  Anyone able to assist?
Hi,

We have some VoIP software called Unified Communications (UC). It suddenly stopped working for authentication back to the service provider (but it only doesn't work when on our LAN going via the ASA 9.0(2)). If on a hotspot by phone or any other method it's fine.

I've checked all ports to be open - in fact I tried opening all outbound ports from my computer - same result. If I do a Wireshark ip.dst == to the service provider SIP endpoint and then try to log in to the UC software, I see totally nil SIP traffic to that IP, in fact nil SIP traffic in total. When I run the same Wireshark when hotspotted to the phone on the same device, I see the SIP registration succeed and all is fine.

I've tried turning SIP inspection off and on on the ASA many times - doesn't fix it. Strangely, however, I did ONCE get a successful registration - and then never again!!! Same failure to do anything, even nothing in Wireshark for SIP. I can't see any denies in ASA monitoring as well. ACLs all in place. I'm a bit lost from here; the service provider is saying ASA fault. Please help.
Dear Experts
We had to install Cisco FMC as a VM appliance on VMware; the engineer completed this task. But in the VMware web console the status is showing as "Warning" and also the following event messages:
1. The configured guest OS (Other 2.6.x Linux (64-bit)) for this virtual machine does not match the guest that is currently running (Other 3.x Linux (64-bit)). You should specify the correct guest OS to allow for guest-specific optimizations. Warning
2. Another issue is when we shut down the FMC safely and started it again after server maintenance: it is now turned ON, but after more than 4 hours it is still showing "System processes are starting, please wait." when accessing the FMC.
Please help on how to fix the above 1 and 2, thanks in advance.
Hi,

I have three EdgeRouter X running site-to-site VPN (sites A, B and C).  Everything was working fine until the devices were restarted.  I've gone through all of the available troubleshooting and can't seem to figure out why Site A and Site C cannot ping anything on Site B.  I've checked and double-checked all of the configs and everything matches up.  I know that there are some known issues with version 2.0.6 so I'm running 1.10.10.  Do you have any ideas I can try?  Thanks!
Sonicwall/Port 53 Vulnerabilities.

Following a vulnerability scan, our external WAN interfaces are showing up as having the following issues:

DNS Server Recursive Query Cache Poisoning Weakness
DNS Server Cache Snooping Remote Information Disclosure
DNS Server Spoofed Request Amplification DDoS

These seem present on both WAN interfaces on UDP port 53.

The sonicwall is on latest firmware, and seems to not have any DNS server services running. I'm wondering how we could tie this up?
Dear Experts
We have to restrict internal users from accessing the internet, but the requirement is that they have to access their G Suite email account via email client software (MS Outlook) to send or receive emails. We have a Cisco 1010 firewall and it is integrated with Windows AD. Please help with what ports are to be opened or any URLs to be allowed at the firewall so that users can access the G Suite email account through email client software.
Hi - we have a wired/wireless network at a school, multiple VLANs, IP phone system, using a SonicWall NSA2600. For the last 4 days, I received calls where the internet was "down" for the computers, yet the phones were working (both coming into the building and going out of the building). I was NOT able to access any computers that I have unattended access to, except for the computers that are on only 1 VLAN. So this 1 VLAN and the phone system, both still DHCP, were unaffected by this issue. A simple reboot of the firewall "fixes" the issue temporarily, so they're at least back up and running. The most puzzling part of troubleshooting this is why this one VLAN isn't affected by the issue when every other one is. Initially I thought it may have been a router that a student set up (intentionally), creating a rogue DHCP server, or some type of broadcast storm. But I still can't figure out why that one VLAN is unaffected. Anyone have a good way of tackling this one?
What options are available to implement content filtering, packet shaping, etc. with Cisco ASA 55xx (e.g. Websense)?

The goal is to make ASA more powerful.

Thanks

We have been having an issue with specific websites being slow for almost a month now.  Certain sites (MyMathLab, our library system, and various other sites you log into) have been slow when sending or receiving data.  You click a link and sometimes it spins and spins and spins.  We are working with our firewall vendor Sophos (it seems to have shown up after a firmware update) and we are very hesitant to downgrade because that often can cause issues in itself.

Normal website browsing is fine, seems to be stuck to sites you log into that are hosted off campus.  Any thoughts?  We have 2 internet connections load balanced behind an ISP load balancing device. I am interested in all theories as this is causing significant hardship for our students and staff.  Thank you all very much for your insight!
Hi,

I have three Cisco Firepower appliances. Two of them are FPR2120-NGFW-K9 and the third one is FPR4110-NGFW-K9. I want to buy Cisco Firepower Management Center. What type of license do I need? And what is the estimated price for it?

Thanks
I have 4 static IPs from the ISP and want to use them with a single ASA5516-X firewall. How do I configure all the IPs on one firewall? (Currently only one IP is configured on the Outside interface to access the internet.)
I am upgrading our network and wanted to see if I am thinking properly.  I want to utilize 2 different firewalls with a shared DMZ zone.  Below is the configuration I am thinking about deploying.  I am using fictitious IPs.

Internet
---------------------------------------------
Router IP - 50.50.50.1
--------------------------------------------
Firewall 1 WAN IP - 50.50.50.2
Firewall 1 DMZ IP - 10.0.0.1
---------------------------------------------
Server with Dual NICs
Firewall 1 DMZ Server IP - 10.0.0.2
Firewall 2 DMZ Server IP - 10.0.1.2
---------------------------------------------
Firewall 2 DMZ IP - 10.0.1.1
Firewall 2 LAN IP - 192.168.0.1
---------------------------------------------
LAN Network

Firewall Rules
Firewall 1 WAN Allow Firewall 2 LAN
Firewall 1 WAN Allow Firewall 1 DMZ
Firewall 1 DMZ Block Firewall 2 LAN

Firewall 2 LAN Allow Firewall 1 WAN
Firewall 2 LAN Allow Firewall 2 DMZ
Firewall 2 LAN Block Firewall 1 DMZ


What do you think?
(Attachment: 2-FW-DMZ-Diagram.pdf)
How to configure RADIUS accounting forwarding to a Fortinet firewall?
I am running into an issue with our Cisco 5506 ASA and Websense web security.  

I have been blocking all internet traffic on our firewall for around 100 machines because they have no need for internet access, but now we are in the process of moving to Trend's Worry Free Services A/V, which is a cloud based A/V.  Obviously this wouldn't work on machines with no internet, so I allowed all the URLs needed for WFS by adding fqdn objects and allowing them on the firewall.  

This presented a problem in Websense though because we were now exceeding our subscription limit because of the new traffic logged in Websense.  I then configured Websense to ignore all Trend traffic that was allowed through the firewall.  That worked to ignore that traffic, but machines with 'blocked' internet (everything but Trend URLs blocked) seem to randomly be able to make between like 1 and 10 connections to random Microsoft related URLs.  Seems to mostly be windowsupdate.com, but I know I've seen other microsoft sites.  I'm sure it's things that these machines are just constantly trying to connect to, but how/why the firewall is allowing it through, even once... I can't figure out.  

The times seem to be pretty random, anywhere between 2am and 7am from what I just checked, so it's not like they are all coming in at 2am or something like that.

Sorry for the rambling, just want to make sure I include as much info as possible to hopefully explain it well.  I am really hoping I can figure out …