Go Premium for a chance to win a PS4. Enter to Win


Hardware Firewalls





Hardware-based firewalls provide more sophisticated protection for inbound and outbound traffic than the simple Windows software firewall or the basic NAT firewalls found in routers. These devices implement techniques such as stateful packet inspection, deep packet inspection, and content filtering; and may include built-in antivirus and anti-malware protection.

Share tech news, updates, or what's on your mind.

Sign up to Post

Set-up issues

I will preface this by saying I had a UTM120 for three years with the UTM9 OS and right now thinking boy I miss those days.  I was told that my appliance was nearing end-of-life so to renew licensing I went with the XG115.  I had configured UTM9 on my own and generated help desk cases if issues arose.  This appliance is quite a bit different.  Firmware XG115 (SFOS 17.0.0 GA) so on the latest firmware.

What I am trying to resolve right now is that any type of web surfing is extremely painful.  I have an on-premise Exchange server so port 443 is being forwarded to it but I also have the default network rule of WAN to LAN all ports and all services are open.  I have a similar network rule that WAN to LAN port 443 is open thinking of other workstations that initiate SSL traffic it will find its way back to the device that initiated the traffic.  Let's face it.  Most web sites are https.  I am constantly being warned that the certificate cannot be verified and I have to click to still access the site or create an exception for the site depending on the browser.  I cannot log in using an account to any web site.  Some sites I can't even create the exception in Firefox.  I can't use the StartPage search engine.  Amazon looks like crap.  No pictures and just a bunch of links.

A little bit on the network.  Uverse gateway goes to a Cisco ASA appliance that I consider my perimeter (and why not have another layer of defense !).  The XG is in bridge mode.  For a …
Free Tool: Path Explorer
LVL 11
Free Tool: Path Explorer

An intuitive utility to help find the CSS path to UI elements on a webpage. These paths are used frequently in a variety of front-end development and QA automation tasks.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Given all the posts here and elsewhere this seems to be a common problem.
I have a TZ215 running SonicOS 5.9.  I'm able to get connected with NetExtender, but cannot gain access to the LAN subnet.

Have an IP pool setup for addresses which are on the same subnet as the primary subnet (X0).  These addresses are specifically for VPN users and are not otherwise used (no conflicts).   Tried pinging from both sides with no response (VPN client to LAN subnet and Office LAN subnet to address assigned to VPN client).

Here are some of the settings:
SSL VPN -- Client Settings -- Client Route tab - is set to Lan Primary Subnet.
Users -- Local Groups -- SSLVPN Services -- VPN Access -- is set to Lan Primary Subnet.
Firewall -- Access Rules -- SSLVPN --> LAN is enabled for any service (Checked from LAN --> SSLVPN and that is setup correctly as well).
Users are setup with proper SSLVPN Services group.

Have setup newer units without much effort, but they have a different configuration parameters.

Would appreciate any help!

We've just found out our 2011 SBS Server has been sending out spam emails by their thousands.  I've checked that there is no open relay in Exchange 2010 (and there isn't) and turned off all PC's on the network but the spam emails keep coming so pretty sure they are coming from the server.  Have virus scanned the server and it seems clean.  I've found that all the spam emails are all coming from the same external IP address.

The network is protected by a Watchguard XTM25 firewall.  My question is can someone please talk a newcomer to Watchguards how to set up a way of blocking these emails coming in from that IP address on port 25?  

Many thanks

I'd like to test connectivity between a host in my DMZ and and a host on my inside network using the packet tracer function. However, although I can specify the source interface, I don't see any way to specify the destination interface.  Running the trace defaults to using the outside interface as the destination.  Can a destination interface be specified?
Dear All

I installed Fortigate 60 E and its blocking all the videos and Audios. Also its blocking all the social media sites.
do you know a tool to block rdp atacks which no need controlPanel/Windows Firewall to be activated ??
What are the differences between Sophos XG and Sophos UTM? Do we have an iso file of Sophos XG? Many thanks!
Goal: Allow a user to connect to his desktop computer with RDP  ONLY after connecting vpn.

Environment:   OPNsense/Pfsense firewall
53,25,80,443 allow through firewall-
Currently can successfully rdp  with or without VPN with port forwarding - suspect traffic is hitting the fw on public int/public static  and not the desired private Ip a range allocated VPN connection.

User successfully connects to vpn, receives ip, but cant access local resources.
The client side vpn registers an IP address, the FW sees the connection- Just doesn't seem to allow traffic from vpn to local network

The IP range assigned to vpn  connections 10.  the local ip range is 192.

I have a PIX 5515 running 8.2 software that will not allow me to access websites that use non-standard SSL ports (4443 in this case)  Is there some sort of configuration workaround I could implement that would allow me to access sites like these?
I have followed this guide
and I have successfully  connected to and passed Auth.
*yes i did add rule to allow vpn traffic access to local resources

When connected to VPN , I can not ping my vpn gateway (, I can not ping any local resources (192.168.37.X)
Outside of the the VPN I am able to make a connection.

Any help would be appreciated
Ready for your healthcare security check-up?
Ready for your healthcare security check-up?

In the past few years, healthcare organizations have become a prime target for advanced attacks. Does your organization have what it needs to defend itself? Schedule your healthcare security check-up today and download our free Healthcare Security Resource Kit today!

I manage a small legal office and have a SonicWall TZ 400 wireless that covers the current building ( 15 people on the LANand only one using wifi)
The owner of the company will be expanding into a separate building across a 30 foot Breezeway next door.
I have tested the current TZ 400 Signal and it "peters out" just outside the current office facing the new office space.
 the new office space will only have two people in it)

I cannot move the existing TZ 400 closer to the new building. ( I cannot use the AC wiring to extend the wifi)

QUESTION:  SonicWall just came out with a new "mesh" Sonic "WAVE" that are around $850 each . And it requires yearly fees but support is probably great and an integrated package may make sense.  But I don't even really know if the "Wave" is the right product.  Will a SonicWall Point that not on a ethernet lan act like a mesh ?

But it  seems like a pricey solution  and I might really need two of them ( $1700)
One to boost the TZ 400w inside the edge of the existing office and one to pick up the signal in the new building.
I would like to have a ethernet port from the  device in the new building and would also like to lower the cost (above)
Does anyone suggest the SonicPoint or Ubiquity or Meraki or even Google  Wifi mesh to accomplish this ?
I have a main office running OpenVPN on Untangle v9.4 (I know, but they don't want to spend the money to upgrade and reconnect all of the offices) The remote offices are all on different subnets, and I have no problem reaching the main office by IP address or hostname from the remote office computers. From the main office, I am unable to ping or communicate with any of the remote offices. There are no issues with the main office connecting to the internet, but I am unable to communicate with the connected networks. The OpenVPN connectivity at each office is using a Ubiquiti Edgerouter-X with the config file imported and I use my laptop to support the various offices via a software client OpenVPN connection. When I connect to the OpenVPN server at the main office using my laptop, I am able to ping, use RDP, whatever, I can even use NSLOOKUP from the DC in the main office as the server and get the IP Addresses for the systems in the remote offices. Trying to run a tracert from the cli on the DC server in the main office gives me a first hop that is the LAN address of the Untangle box, but times out on every other hop. This looks like a route issue to me, but I haven't been able to add a static route in any form that allows me to communicate with the remote networks. Help!
Juniper SRX240h2 Interface re-configuration. Planning to move connection to our production environment from ethernet (ge-5.0.6) to 1GE SFP (ge-6.0.0). I have two firewalls in HA. What needs to be done for the configuration change?
I am looking for any software appliance for Sophos XG.

I need it for make practice with Sophos firewall.
I use Zywall 1050 model firewall. I use Load balancing trunk algorithms. But it appears some disconnect scenario. I know this Zywall firewall has 3 trunk methods such as Load balance, Round robin and Spillover.
Hi all, let me begin by saying my networking skills are not very good. I completed my Juniper certification many years ago but due to the nature of my work since then I have never really been tasked with any network administration, so forgive me if I do not make much sense - if you need any further clarification please let me know and I will do my best to answer.

We have 3  office locations which have a Juniper SSG in place, 1 in Australia, 1 in Malaysia, 1 in China. We also have a cloud environment (AWS).

These 4 sites are connected by site-to-site VPN's and everything was working fine up until about 2 weeks ago when all of a sudden or China office could no longer establish VPN with AWS. The VPN's from China to Malaysia and China to Australia continue to operate but we cannot establish IPSEC tunnels with AWS.

I have gone through various troubleshooting methods with AWS and the only answer they could give me was that their endpoint was receiving Phase 1 proposal and responding but our Juniper SSG140 on-site in China did not receive response and eventually timed out. We went to the ISP who suggested it may be ChinaNet (their backbone) dropping IKE traffic as per government crackdown on VPN's.

I am hoping to understand if it is possible to route traffic from our site in China to AWS via Malaysia as the tunnel between China/Malaysia remains up and tunnel between Malaysia/AWS remains up?

I figure if this is possible I would need to setup some sort of static route …
Today we were doing a new firewall install, the old firewall is a cisco ASA 5510 that was going to be replaced by a Sonicwall TZ 400(This was happening at 2 locations, the main office and the Colo).
The install was a bust and we were switching back to the Cisco, now upon switching back we cannot get virtual machines at the Colo to work, their office is up and running without issue, or any computer to use a couple IP addresses. Example LAN IP:
(it doesn't matter what the DNS is set to whether it is a public google/xfinity or to a DNS server that's local)
The systems cannot reach the outside network whatsoever
We have tried rebooting all network equipment
tried running netsh winsock reset
rebooting systems multiple times
destroying VM Switch adapter and recreating
investigated Cisco Firewall and no rules are in place stopping it.
The Cisco did show that from the inside out it is fine, but from outside in (Google dns to local ip) fails and defaults to the basic deny rule.
I have exhausted every resource I have and I am just short of going and sacrificing live chickens to the IT gods.
Please someone save me from this nightmare.
I have an ASA 5545x that is replacing a 5505. I haven't been able to get one aspect of the new ASA working yet. This location uses Office365 and client authentication requests get forwarded to an internal Web Access Proxy Server(WAPS).  In the old ASA, we used hairpinning to handle internal requests. But with the new ASA we're using DNS Doctoring.  Internal requests work fine.  

The thing that's not working is requests from the outside.  Which is surprising since that's pretty straightforward. We have a pubic IP address for this server.  In the config example, I'm using

I've run the traffic through the Packet Tracer and it shows it is allowed and being translated.  But when an outside host begins the process, the TCP SYN is sent, and no response is ever received.

I'm sure it's something simple (and obvious), but I'm just not seeing it.

When the old 5505 (running 8.2 code) is installed, hosts on the outside can access the WAP server fine.

Here's the relevant portions of the 5545x config.

object network WAPS-Inside
access-list outside_access_in extended permit tcp any object WAPS-Inside eq 49443
access-list outside_access_in extended permit tcp any object WAPS-Inside eq https
object network WAPS-Inside
 nat (inside,outside) static dns
access-group outside_access_in in interface outside

Open in new window


Enviroment Checkpoint + r77.20

Every time I open a FTP SSL session, IPS drops randomly the transfer. If disabled works fine.

I´ve added  exceptions to IPS  for FTP SSL but still drops sometimes sessions.

any ideas?

Free Tool: IP Lookup
LVL 11
Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

I've been asked several questions about our team's deployment of ASA 5515 firewalls across an enterprise.  Cannot find these answers in Cisco documentation.
First two questions:
1.  What is the limit of levels in nested object-groups for the ASA?  I found that for Cisco IOS firewall, there is no limit but they recommend limiting to two levels of nesting.  And in Firepower documentation I found the limit for that is 10.  But nothing found for ASA itself.
2.  Is there background data for Cisco recommendation for <100 ACEs for ASA 5515?  There is a recommendation of <100K, but it is not a hard limit, but just a cpu and memory consideration.  There is no test data I can find for the 5515 (for other models, yes there is data, but not for the 5515).  Has anyone looked at this, and has any finding?  We are over 200K but the cpu usage and used memory levels are still pretty low.

We have 120 users on network with cyberoam ( 50 ING ) firewall  configured , from last 2 weeks we had issues like http websites not resolving getting error could not reach . But on other ISP it works fine.

Environment :
Cyberoam 50 ING Firewall with BSNL ISP configured  ....connected to Unmanaged switches
Internal AD integrated with DNS Server windows 2012 r2
All server + clients having primary dns server is windows server local IP address

But if do the nslookup domain name then it resolves fine but on browser it stucks. But sometime it works fine too.

ipconfig / flushdns
ipconfig / release
ipconfig / renew
ipconfig / registerdns
Winsock reset
Antivirus scan + malware scan , after malware scan it works for sometime and again it stucks. some of PC having the malware or spyware which blocks the http 80

everything did but http is not working . Only remains the Cyberoam Firewall firmware upgrade and restart of Windows 2012 server.

Please assist me to resolve this issue on urgent basis

Vijay Kadadi

I'm trying to establish ITSec VPN for my firewall with another vendor in remote site.

The tunnel is not getting UP. The remote vendor says they allowed UDP port 500 and 4500.

But I suspect there is some issue at their end on opening ports above.

1. How do I confirm the udp ports 500 and 4500 is opened above ? I tried using portquiry and it seems not accurate.
It says port is opened for any port I scan. How do I verify port 500 or 4500 is opened or closed at their end ?

2. Another thing is when VPN not getting UP, I want to run some debug in Cisco ASA.
Last time when I setup IPsec tunnel for Fortigate firewall, based on debug I can see where it is failing. Phase1 or Phase2.
In Cisco ASA, which debug commands will tell me where it is failing, how to see traffic comming in from remote end or not ?

We need to block and monitor website access specific to certain users via a centralised Router / firewall or server program for a small business eg we need to allow access to you tube but allow some you tube pages through . Any recommendations please ?
Hey gang,

I'm trying to figure out how to get my ASA connected to my residential FiOS correctly. I've read different posts where you have to create a VLAN and assigned the cloned MAC address to it and assign the outside interface to that VLAN to get DHCP. Other posts say you can put the mac-address command on the outside interface itself. Conflicting information here. I've read to use ip route dhcp or a setroute command not sure which to go with, or will they achieve the same thing.

Anyone have a scrubbed working config for their ASA --> FiOS that I can take a look at? If not, point me in the right direction?

Here is my outside interface config so far from what I've come across:

interface GigabitEthernet0/0
 mac-address 0c8d.db8f.3c98
 nameif FiOS_Outside
 security-level 0
 ip address dhcp setroute

Running ASA 5520 on version 9.1(7)19.

Be easy one me, not used to setting it up in a DHCP fashion. TIA
I know this DMZ Forest Trust type question has been asked many times.  I read most of them and have followed many of the recommendations, however I still seem to be having trouble with this.  I'll explain what I'm trying to do...

  • I have a new, 2016 functional level, forest created in the DMZ (we'll call it edge.domain, or edge DC)
  • I have an existing corporate, 2008 functional level, forest on the LAN (we'll call it lan.domain or lan DC)
  • I have created conditional forwarding zones for each domain in each DNS.
  • All necessary ports were opened between lan DC and edge DC
  • I have established a one way non transitive trust, where the edge.domain trusts the lan.domain.
  • I have several servers in the DMZ, some windows some linux, some of these servers must authenticate to the lan.domain and currently have firewall ports opened from each of these servers to our domain controller to authenticate.
  • I would like to accomplish a few things. 1) Allow administrators to log onto the edge.domain windows servers using thier lan.domain accounts.  2) Allow other servers in the DMZ to authenticate with the edge.domain controller instead of the lan.domain controllers.  3) Tighten up firewall rules to ONLY allow edge.domain controllers access to the lan.domain controllers, nothing else comes in from the DMZ.

So here's one issue so far that I'm facing.  Although the trust looks to be …

Hardware Firewalls





Hardware-based firewalls provide more sophisticated protection for inbound and outbound traffic than the simple Windows software firewall or the basic NAT firewalls found in routers. These devices implement techniques such as stateful packet inspection, deep packet inspection, and content filtering; and may include built-in antivirus and anti-malware protection.