Hardware Firewalls

Hardware-based firewalls provide more sophisticated protection for inbound and outbound traffic than the simple Windows software firewall or the basic NAT firewalls found in routers. These devices implement techniques such as stateful packet inspection, deep packet inspection, and content filtering; and may include built-in antivirus and anti-malware protection.

I have a problem with our FortiGate 620B unit that is running software version 5.2.1.
The setup we have is that we are running the 620B with 2 VDOMs.
We have assigned the GW, for example, of IP 82.106.14.108/255.255.255.240 to VDOM 1 wan 1 and 82.106.14.109/255.255.255.240 to VDOM 2 wan 2.
Both VDOMs go out via the ISP gateway of 82.106.14.97. The issue I have is that VDOM 1 and VDOM 2 are not able to ping each other externally via their public IP addresses.
I do not need to set up inter-VLAN routing internally; I just need them to be able to ping each other via their external IP addresses. So 82.106.14.108 should be able to ping 82.106.14.109 and vice versa, but they cannot. I can ping both of these addresses externally from another IP but not across each other.
0

We are considering a gateway that will manage our access points (we presently use UAP-AC-PRO). Our primary interest is to be able to manage employee data bandwidth usage, block certain websites, manage what they are seeing / data management, etc., port forwarding, limit internet data usage on employee phones, etc.

We are considering the UniFi Secure Gateway (USG) and/or the pfSense SG-1100 Security Gateway. Kindly make recommendations, not only limited to these 2.
0
I have an old ASA 5500 and I have Websense beside it. Normally, the traffic is supposed to be redirected from the ASA to the Websense appliance; however, that has stopped and I can't figure out why. I have WCCP enabled on the ASA: wccp 0 redirect-list WEBSENSE_REDIRECT group-list WEBSENSE_PROXY and wccp 70 redirect-list WEBSENSE_REDIRECT group-list WEBSENSE_PROXY. I'm not that great with the command line but I get around. I mostly use the ASDM. I don't see anything for wccp web-cache and I'm wondering if this could be why the traffic has stopped being redirected back to Websense. Right now we have totally open internet because I can't get a handle on this, and since this ASA is basically retired Cisco will not help. Anyone that can help me out, I'd greatly appreciate it.
0
I am in the process of having a vendor convert iptables configurations into ASA FirePower configurations. And I am testing using a couple of methods. I have taken the iptables log (which are primarily DROPs) and extracted IP addrs/ports and fed these into python / scapy code and sent them to the firewall. I have also taken the same extracted IP addrs/ports and turned them into "packet-tracer" command line entries and sent them to the ASA over an SSH connection. I have a limited lab environment, and I am running the ASA config on ESXi and using 2 Ubuntu 18.04 instances to send traffic and CLI requests to the ASA.

For the "packet-tracer" command line stuff, I am getting a LOT of "Drop-reason: (no adjacency) No valid adjacency". And when I create an adjacency (by adding an IP address on the ubuntu instance) I can fix the adjacency issue. But this seems cumbersome and there are far more IP addresses that I need to test than is practical to configure on the ubuntu box.

This would be a scary piece of code . . . but is there an app, or can an app be configured (like netcat or some such), that would respond to ARP requests for any IP address? Or are there other reasons the ASA would throw the adjacency error?

I am brand new to the ASA . . . and most of my research on adjacency errors refers to NAT'ing out the wrong interface, and I am not NATing these addresses.

Thanks in advance for the help
SteveJ
0
Working with an ISP that has guaranteed 1Gx1G dedicated fiber for $575/month. I haven't seen anyone else able to touch this, not even close. I wasn't expecting this low a price for another 3-5 years.

This brings up a good question regarding the firewalls my clients are using, the SonicWall TZ400. I spoke with my SonicWall rep and she mentioned the TZ400 will reduce the bandwidth substantially for a 1Gx1G dedicated fiber due to DPI limitations that max out at 300M. We discussed whether DPI is needed; I made the case it's not, and mentioned I have it disabled on many networks because it has created too many dropped packets. She didn't exactly say this renders the TZ400 useless, but she couldn't come to terms with why I would do this or not upgrade to the TZ600. Selling point? The TZ600 is $1000 - $1200 more and only increases the DPI bandwidth 100M to 400M total. Hardly enough to insist on spending the money to upgrade. Further in the conversation she priced me out a firewall that would handle the DPI for a 1Gx1G network and it was over $20k, well over.

This brings up a lot of questions regarding firewalls as bandwidth continues to increase and the limitations they have regarding security and bandwidth.

What are EE's experience / thoughts regarding the following:
- General use of the SonicWall TZ series firewalls with bandwidth over 400M to full 1G.
- Do you feel DPI is needed? Definitely a great feature but is it needed? In my case we have other…
0
Hi Experts

I got a Cisco ASA 5545-X WITH FIREPOWER THREAT DEFENSE, 8GE, AC and I have configured interface IPs, NATting, and policies for the firewall using the web-based GUI.

All are working ok. But I notice when I access the CLI console, it is always in a Firepower session. I think there is no ASA installed?

When I check online articles, it is always in the ASA session in the console and Firepower is managed using ASDM.

In my case, I don't even see ASA. It is just Firepower.

Based on the name description (ASA 5545-X WITH FIREPOWER THREAT DEFENSE), isn't it supposed to have the ASA OS installed, and using ASDM we should manage Firepower?

I have attached my show inventory and show disk0: results. Can you help me confirm how I can check if my box has ASA installed and, if not installed, how to install ASA?

Thanks
ASA.png
ASA-sh-inv.png
0
We have about 10 Palo Alto devices at the edge of our network and need to implement DLP with these devices, but need assistance. We also need to block Gmail or any email solutions so that users will not be able to access or send info through an outside email service.
0
I have a computer lab with about 75 computers (Windows 7 64-bit). We have a Windows 2008R2 server and a Windows 2012R2 server as DCs and DNS. The servers and lab computers are separated by a Fortigate 301E UTM. This firewall is new, and the problems started when it was put in.

Problems:
1. Students randomly take a long time to log in to their workstations. Many students are fine, but sometimes at least 20% of the class will sit looking at the welcome screen for anything from 5 to 15 minutes, as the cursor spins in front of them.
2. Students using the typing program that is run from the one DC server will have random "not responding" issues. This will happen every few minutes for a few seconds.
3. All students, when running MS Word or MS Excel documents from the server (their home directory), will have a "not responding" issue now and then. This recurs about every ten or so minutes.

It most likely is the new firewall. I opened all ports between the firewall and lab workstations, and removed all antivirus and intrusion protection filters.
This still has not helped, and I am not seeing any obvious denial of traffic going on between the two subnets.

Any thoughts?
0
Hi Guys,

I have a Fortinet 100E UTM device. I was applying an SSL web certificate and foolishly imported this into the wrong area (Remote Certificate ... rather than Local). So I deleted the certificate in the GUI and tried to re-import it to Local. However, when doing this, it gives an error of: Certificate file is duplicated for CA/LOCAL/REMOTE cert.

I've rebooted the box, but am still getting the same error.

Has anyone come across this before?

Many thanks guys, appreciate your help.
0
Our company just upgraded to fiber. Need an SFP (mini-GBIC) transceiver module - RJ-45 product recommendation.

Thanks in advance!
0

Dear Experts, we have several Exchange 2016 servers, routing via a smart host (SonicWall ESA7000). As I understand it, all emails will be transmitted locally in the LAN to that SonicWall firewall before going to the Internet.

So do we have to keep the NAT entries for those Exchange email servers on the Router? OR do we just need to keep the NAT entry for the Sonicwall?

Please suggest! Many thanks
0
hi Experts,

I have a SonicWALL Firewall 2600 and I need to configure MPLS and Internet so that my remote branch can access the internet from the HQ site on the branch site. I use a Cisco Router 1900 series; how can I achieve that configuration with the SonicWALL firewall 2600?
0
I have an OPNsense (another version of pfSense) firewall installed. I cannot get out to the Internet on my second, 3rd, and 4th LAN ports.
I have an OPNsense firewall PC box I made which has the following inside…
OPNsense 18 (latest version) https://opnsense.org/about/about-opnsense/
-G.SKILL Ripjaws V Series 16GB (2 x 8GB) 288-Pin DDR4 SDRAM DDR4 2400 (PC4 19200) Desktop Memory Model F4-2400C15D-16GVB
-King Spec SATA III 3.0 2.5" 60GB MLC Digital SSD Solid State Drive for PC B5Y1
-AMD Athlon 200GE 2-Core, 4-Thread, 3.2 GHz Base, Socket AM4 35W YD200GC6FBBOX Desktop Processor
-ASRock A320M-HDV AM4 AMD A320 SATA 6Gb/s USB 3.0 HDMI Micro ATX AMD Motherboard
-80 plus bronze certified power supply 380Watt
-Dell Intel PRO/1000 VT Quad-Port Gigabit Ethernet Card Standard Profile YT674
-IOCrest 4 Port Gigabit Ethernet PCI-e x1 Network Interface Card SI-PEX24042
This is inside a 4U server Case, inside an APC 48U Server Rack

My goals are the following...

- I want to use one 4-port NIC with different IP addresses such as:
  10.10.10.1 --- Web server Network
  2.2.2.1 --- Entertainment Network
  90.90.90.1 --- Work Network
  30.30.30.1 --- Web server Network
  I already set up these networks inside my box but I am willing to START from the beginning if you need me to.
- I want the networks not to be able to talk to each other.
- I have 5 block of Public static IPs which I want to use.
- 104.XX.xx.1 --- This is assigned to the OPNsense itself
- 104.xx.xx.1 talks to …
0
Fortigate 100E Deep Packet Inspection - DPI Performance Issues

We have two Fortigate 100E devices, each at a different site, that have problems when DPI is turned on. We've opened a case for each with support, but haven't seen any progress on resolution. I want to share here in case anyone has any insight on this...maybe something you saw and solved without engaging Fortinet support.

FW 1 Issue Description.

We've been experiencing a problem with deep inspection where all websites time out unless we switch to certificate inspection. A firewall reboot will temporarily resolve the issue, but it returns within 10 days or so. CPU and memory are both completely fine (CPU under 10% and memory under 60%).

This configuration ran fine with no issues with deep inspection for probably close to two years. The issue started after updating from 5.4 to 5.6.7. We then updated to 6.0.4 to try and remedy the issue per Fortinet's recommendation, but the issue keeps returning every 10 to 14 days.

FW 2 Issue Description.

This firewall was new in October and implemented using 6.0.3

We are experiencing issues when enabling SSL Deep Packet Inspection for domain users in a single 100E, 40-50 user environment. We had a separate policy with SSL DPI enabled for 4-6 users for a couple of weeks with zero issues. Then I turned it on for all users (same policy, just a different user group), and after about 4-5 hours, all outbound internet stops working for users on all sites, exceptions or …
0
Trying to configure WCCP on Cisco ASA Running 9.x.
Added ACLs, service groups and redirects.

Show WCCP is still showing "Router Identifier - Not Yet Determined", whereas this should actually be the public IP address on my outside interface.

The old command "ip wccp source-interface" is not recognized in this release (9.x)
0
We have a printer that is having an issue connecting to the network via Wi-Fi. We have DHCP set up on our SonicWall firewall, but we are not using this for the printers; we have set up a range of IPs (192.168.0.2-50) outside of the DHCP scope, to be used specifically for these printers. One of the printers (192.168.0.10) they are not able to print to, nor is it pingable. If we change it to DHCP and it gets another IP, we can print and all is fine. If we assign it another static IP from the range I mentioned above (192.168.0.30) it prints fine as well. There JUST seems to be an issue with this one IP (192.168.0.10). Like I mentioned, no one else would be getting this IP because it is outside of the DHCP scope, and there is no other device in the building that is statically assigned this IP. Has anyone seen this type of issue? Any suggestions?
0
So I have had an ongoing issue between a SonicWall firewall and a 2008 R2 server utilizing NPS for RADIUS authentication. The issue is that it will be all set up and working fine, for about a week. At some point the communication just breaks down. If I attempt to use the test on the SonicWall it returns a communication error.

The fix is to retype the shared secret on the SonicWall side only, then hit apply. After that it works again for about another week. I have no idea what would be causing this or how to fix it permanently.
0
Anyone familiar with Meraki MX firewalls? I have 2 external IPs brute forcing my web server and want to block those IPs but need instructions.
0
Is it possible to have multiple IP/gateway combinations on a computer? I have a scenario where a customer resides in a "shared" office space. They would like to install their own server. The addition of the server is not a real issue; I can install it on the same subnet as the existing network that is available to the shared office space, both wired and wireless. However, they would also like VPN access to the server remotely. That is where I am not sure how to proceed. Even if I acquire a separate internet connection and firewall and connect it to the server, how do I make the server able to be connected to both networks simultaneously, so they can access it remotely via the separate internet connection/firewall combination and also be connected to the shared office subnet (when onsite) so they can have Wi-Fi or wired access to the server as well as being able to access the shared printers that are available on the shared office space network?

Any insight would be appreciated.
0

We are moving from SonicWall to Fortinet firewalls. Any suggestions? Best practices? What are the action items I need to follow? Please advise me. Thanks
0
We have a SonicWall NSA 2600, and we are having an issue where, at our school, students are downloading 40-60 GB files (movies etc.) and it's becoming an issue. Does anyone know if there is a configuration setting where we can limit the download size to a max of, for example, 4 GB?
0
I have a Cisco ASA 5512-X which I use as my router with Cisco switches and APs. I have configured one of the interfaces for our guest Wi-Fi, which was working. However, I recently got new APs and switches from Ubiquiti and now that guest Wi-Fi does not work. I want to know if it is just a configuration issue or if there is just a flat-out incompatibility between the 2 vendors?

Thanks!
0
I have a WatchGuard XCS appliance. I upgraded to the latest version of 10.2 from 10.0. After the upgrade my login credentials don't work. I am doing this remotely through the web UI.
I get prompted but it will not accept my credentials. Support is no longer available for this EOL product. Any thoughts?
0
Being a network administrator, among other things, I'm often asked by users to open ports in a firewall.
Usually the users don't know much about what they're asking for so they can't answer any questions - just forward what their technical people have provided.

Here is a typical example for a VOIP system:

The full network information for the VoIP system is:
Port Range (Audio): 35000-65000 UDP
Port Range (SIP): 5060 UDP, 5061 TLS
Port Range (Configuration Servers): 1024-65536 TCP source port, TCP Destination ports: 80, 443, 1443, 2443, 6716,
Port Range (Presence Servers): TCP Destination ports: 5222 and 5280.
I guess that's all well and good if you understand the context but that's where I'm not the expert.

I can set up firewall rules but, being conservative, I don't want to open incoming ports just willy-nilly in order to assure that the requestor gets what he/she wants.
If I ask them: "Are these incoming ports or outgoing ports?" they have no idea.
In some cases, I'm sure that some are outgoing.....
What I'm used to, for the most part, is that all outgoing will be allowed and all incoming will be blocked unless initiated by outgoing traffic.
Given this limited view, I would want to set up to allow incoming traffic to certain ports and leave things at that.
But, which ones?

I know this is likely a naive question.
So, in my context of understanding, how would you interpret the specification above?
And, in the details, I've never set …
0
I am using a PA 3020.
We have an ISP1 which is our main corp internet.
We have an ISP2 which is also our active guest network.

I'm trying to configure the ISP1 virtual router with Path Monitoring so that if it fails pinging a group of IPs it fails over to the ISP2 virtual router.

Well, I have configured Path Monitoring and can trigger it accordingly by monitoring a dead IP.
However, I cannot get to the internet after this kicks in.

From the monitor tab I check my test laptop and the From Zone is still the same, and the To Zone has changed. But everything says "aged-out" in the "Session End Reason" column.
Any ideas if there is another issue I need to check?
0
