

Hardware Firewalls





Hardware-based firewalls provide more sophisticated protection for inbound and outbound traffic than the simple Windows software firewall or the basic NAT firewalls found in routers. These devices implement techniques such as stateful packet inspection, deep packet inspection, and content filtering, and may include built-in antivirus and anti-malware protection.


Hi All

I have a firewall problem that I believe is switch related. My SonicWall is alerting on IP Spoof Dropped, but all the IPs are from my network into my BOVPN link. I think the spoof is that the firewall is seeing many IPs coming from the connecting network on the Dell 3024 switch. It seems I am unable to turn the connection from switch to firewall into a trunk; I thought having a list of IPs from the local network as tunnels would solve this, but it hasn't. Can anyone give me any pointers on how to resolve this problem?



I want to use an SSL certificate for SSL VPN or web management access on my Fortigate 200D (version 5.6.3).
A trusted SSL domain certificate bought from a CA appears to have been correctly uploaded to my Fortinet firewall, but it is not shown in menus such as VPN/SSL-VPN Settings or System/Settings/Administration Settings (Web UI). If I use the command line, it's the same problem. The certificates are in the VPN list:
show vpn certificate local
get vpn certificate local details
But I cannot select my domain certificate (for example, with "config vpn ssl settings" and "set servercert ....").

How did I proceed?
After generating and sending the CSR to the CA, I got instructions to create two .csr files. I uploaded the first (for the domain) as a local certificate (status changed from pending to OK), and also uploaded the intermediate certificate of the CA. Both are in the certificate list. That looks fine, status is OK. But they are not in the menus when I want to select the domain certificate.
I've followed the official documentation
Other source
NB: sslsupportdesk is not my CA (mine is a well-known one).

The only thing is that the documentation does not mention the password for the private key (certainly a bit too old). I have tried with a 4096-bit …
Hi guys

We have an application on our work premises that people externally use VPN to access. The port has been set to 'ANY'. However, if I wanted to lock this port down, I have some issues as there is no documentation on what the ports are. When I look at the firewall logs, I can see that the source port always changes but the destination port stays the same. What does this mean if the source port changes but the destination port is the same? I assume the destination port is the port on the application on our side and therefore we can lock the VPN ports down to this destination port?

Thanks for helping
Can you configure a SonicWall TZ300 via the console port? I want to configure it for a friend before I take it to their business. I exported their settings from the TZ180, but when I try to import them it states "file corrupt".

I printed out all of the settings so I could input them.

Their settings are very basic. In fact they are using the default
Hi everyone. I have a series of devices on an old IP range which need to communicate with our new network range. These are connected through a Cisco ASA 5516 firewall. The devices will eventually be moved to the new range, but they can't be as of yet. So I have been asked if I can set up a NAT for this range of devices. So two questions:
Does it make sense to use a NAT, or is there a better way?
Is there a way to set this up as a range? The IP addresses are a continuous block. Otherwise, do I have to make an individual NAT rule for each device?
I am doing my first SBS 2011 Standard to Office 365 hosted Exchange migration.

I am using MigrationWiz and 4 of 5 mailboxes failed. One talked of actively refusing the connection.

It reminded me: there's a WatchGuard firewall at the SBS 2011 location. I remember someone else once having a problem with too much data going to/from one place, which the WatchGuard shut off. There's a setting to limit the amount of data to/from one external location that was on by default.

Anyone know where that is? Could that be why they are failing the migration?

Can you tell me where to look to disable that if it's on, and maybe where to look to see if that feature was activated in the last 48 hours?

How do I get the default gateway to show as the first hop in tracert using a Dell SonicWall TZ400? Route print confirmed the default gateway is the first hop on the host I'm testing from.

I've read multiple articles stating "Login to DELL SONICWALL --> Firewall Settings --> Advanced, there enable the check against Decrement IP TTL for forwarded traffic under Detection Prevention and test".

When I enable the setting below, the first hop shows 1   *    *    *    Request timed out. Unchecked, it doesn't show the default gateway: the 2nd hop is shown as the first and tracert starts this way, skipping the default gateway.
Need education on a 5 WAN IP block (same subnet) and the MPOE running up a fiber connection to the office suite. We walked into the situation illustrated below. There is one circuit coming into the suite. The internet service installed a 200 megabit fiber connection at the MPOE. A couple of businesses want their own separate public WAN IPs running off of this one circuit. There are currently a couple of TP-Link routers that we would like to replace. What device (a switch? what kind of switch? any problems using one switch over another?) do we use between the biscuit (one Ethernet port) and the multiple WANs on the SonicWall? Here's what we summed up as the ultimate game plan below...

Use a SonicWall TZ 500 (a model with at least 8 interfaces) and configure 2 additional interfaces as WAN ports; this would then give us 3. Each of these we can configure with its own static IP accordingly. Next we would configure a LAN interface for each company. Then we would use Policy Based Routing to move traffic from, for example, LAN 1 "Company A" to WAN 2. SonicWall also provides QoS, I believe, which will support VoIP traffic through the routing.

I have a Server 2012 running Hyper-V with guests. It has two NICs. I also have two networks with 2 routers, each with static IPs.

I want to use one NIC for the guests and the other NIC for the host OS. I don't want the networks to see each other. The reason being, one network (Hyper-V guests) will be public facing (website and game servers) while the other network (host) will be used for personal purposes in my home network.

How can I do this?

Note: I know how to assign a guest to a specific NIC, but my concern is the host server being on both networks. I know that the OS will default to the first NIC it loads, but since the second NIC still gets an IP, my worry is security from that second network, even if it is not actively using it.
Hello - what (if any) are the options for shaping traffic on an X-series firewall? I have a customer with a Gig handoff Internet circuit, currently provisioned at 150 Mbps. This is terminated on an old ISR, which is shaping the traffic via the "bandwidth 150000" command to prevent carrier policing. We need to move this connection off of the ISR onto an ASA 5525-X.

From what I've found so far, it appears there's no way to handle traffic shaping on the X-series firewalls. (I haven't looked into the new FTD appliances yet, so would be interested in feedback on those as well.) The 5525 is currently running 9.2 code, and the 9.2 configuration guide (https://www.cisco.com/c/en/us/td/docs/security/asa/asa92/configuration/firewall/asa-firewall-cli/conns-qos.html) indicates that traffic shaping is only supported on the 5505 (not the "multi-core models such as 5500-X"). I haven't checked newer release notes.

Is there a way to perform the same shaping function on an ASA 5525, with either the existing or newer code? If not, how are other customers handling sub-rated circuits to prevent policing and the potential resulting connection drops? Again, if the newer FTD appliances (2100s) can provide for this, that'd be helpful to know.

Thank you

I currently have a Fortinet firewall set up to site-to-site VPN to a remote site and it's working fine. I want to set up another site-to-site VPN tunnel with a new location. Am I ok copying the same security policy configuration settings from the existing tunnel for the new one, or will I need to make some changes to some settings (encryption/authentication/etc.) to prevent any potential issues between the two VPN tunnels connecting to the main office? Any other caveats I need to keep in mind when setting up a 2nd tunnel?

We have a Cisco ASA 5506-X as follows:
  • Security Plus License
  • ASA v9.9(2)
  • Device Manager 7.9(2)

We have a leased line and a VDSL line, both with their own routers.

There are 3 VLANs:
  • Main
  • MAN (management)
  • Guest

We would like to be able to configure either:
  1. A different WAN connection for different VLANs (e.g. VDSL for Guest, leased line for Main)
  2. Failover for all VLANs from leased line to VDSL
  3. Load balancing between the WAN connections

Currently we are able to use either the leased line or the VDSL, but not both: whichever route has the lowest metric is the only one that works. Also, the NAT rules only specify one WAN or the other, and these need to be changed to swap WAN as well as the route metric. Here is the relevant config (I am happy to post the whole config if requested):

interface GigabitEthernet1/1
 nameif VDSL
 security-level 0
 ip address [REDACTED]
interface GigabitEthernet1/4.21
 vlan 21
 nameif MAN
 security-level 100
 ip address
interface GigabitEthernet1/5.11
 vlan 11
 nameif Main
 security-level 90
 ip address
interface GigabitEthernet1/6.30
 description Guest
 vlan 30
 nameif Guest
 security-level 80
 ip address
interface GigabitEthernet1/7
 nameif LeasedLine


I am looking at switching from my old physical Cisco switches to a Meraki solution. Does anybody have any thoughts about Meraki? I'm planning to use their firewall, switches and APs.

I am currently using Sophos for my firewall, and the renewal cost for my subscription is a bit more than if I were to just outright purchase Meraki hardware and a subscription for 3 years.

Any major pros/cons? The demo looked great for Meraki, but how does it work when it's actually in production and not just demo mode?

The other option is to purchase new Cisco physical switches, but those are more expensive than the Meraki solution.
What kind of hardware firewalls can be placed behind an AT&T BGW210-700 DSL modem?
I'm looking for simulator software that will help teach me how to configure and support Palo Alto hardware firewalls and routers.
When I try to export the settings on a TZ180, all I get is this. How do I export them so I can use them on a new SonicWall?

Hello Experts,

I have an ASA 5525 with a Firepower module and I want to shut it down gracefully and bring it up after a few hours. What files do I need to back up? The running-config, and what else should I back up?

Do you know what is the best practice to do this?

Thank you,
We have an HP MSM 720 wireless controller with a FortiGate 200E firewall and a Server 2012 RADIUS server. What are the best options to provide internet access to guest users? The solution should not require creating firewall rules every time, and it should be time-based token access for specific users.
If the last security policy in a zone pair on a Juniper SRX is a permit - is traffic between those zones still DENIED by default?
e.g. if the policy below was the last and only policy for the zone-pair - would all other traffic between those zones get denied?
set security policies from-zone trustzone to-zone trustzoneapp policy td-to-felinni01 match source-address td-edgenode01
set security policies from-zone trustzone to-zone trustzoneapp policy td-to-felinni01 match destination-address felinni01
set security policies from-zone trustzone to-zone trustzoneapp policy td-to-felinni01 match application tcp-21300
set security policies from-zone trustzone to-zone trustzoneapp policy td-to-felinni01 match application tcp-22217
set security policies from-zone trustzone to-zone trustzoneapp policy td-to-felinni01 then permit

I received a certificate from a 3rd party and installed it in the ASA under CA Certificates. What is the process now to update it under Identity Certificates?
Hi there,

I am doing some ASA work as a backup resource and I have not touched an ASA in a long time, but here is the scenario:
I have some servers that are moving to the cloud and they all have public IPs.
I know from the ASA configuration that anything from the inside network (trusted) can go out to the outside (untrusted). Do I need to create an access rule for this to connect to these servers in the cloud?

Another requirement is that these servers may access some resources internally, like our AD or DNS. What do I need to do on the ASA for this to work?

Thank you,
I'm drafting an SOP doc and need to spell out the specific roles/duties of
firewall admins vs IT Security (governance):

I'm not sure if RBAC (Role Based Access Control) comes into play here,
but my view is:

a) all firewall rule requests as well as proxy requests (say to whitelist
    a URL or permit certain file types to be saved/downloaded) are to
    be reviewed and approved by IT Security governance as well as the
    requestor's managers, while firewall admins implement them:
    is this what's generally practised?

b) reviews of firewall logs/events are jointly done by a network admin
     or lead or manager who is not an implementer of firewall rules and
     counter-reviewed by IT Security gov: certainly we hope to automate
     this by SIEM with UEBA, but Audit still requires such event/log reviews
     to be signed off by 2 parties

c) What about firewall rule reviews: which parties should review them?
     Certainly not firewall admins, as they're the creators of the rules, so
     they'll just sign off as "No issue": it's a conflict of interest. We had
     run into a case where a critical and sensitive Prod server was permitted
     for access to the entire organization. Tools like Tufin only review for
     "dormant" rules, but not such rules created for "testing" and forgotten
     to be removed. Could any tools help with such detection?

I have an ASA 525 with DHCP enabled on the inside interface. Is it possible to reserve an IP for a MAC address?

Hi All,

I am using an XTM 26 series WatchGuard firewall in the company. We have some remote location offices running independently, and they all have CCTV cameras installed. Now, when I try to access all the remote offices' cameras (P2P connection) using the company network, it is not connecting at all. When I switch to the mobile network, I can see all the cameras of all offices, and vice versa.

I understand that the firewall is blocking something. To check it, I did some real-time monitoring and I found the following log message:

2018-10-04 14:54:07 Deny 32761/udp 50222 32761 1-Trusted Firebox Denied 80 64 (Unhandled Internal Packet-00) proc_id="firewall" rc="101" msg_id="3000-0148"

I have already created an SNAT rule from any-external to the internal DVR IP address and allowed the ports 80, 32761, 9000.

Can anyone tell me what I am missing here?
Need to block network users from being able to access BitTorrent (BMTORRENT). I have a SonicWall TZ-215 along with the premium content filtering. I can block the URL of the usage, but cannot determine the proper ports to target the service to block.

The goal is to not have to upgrade to the "Application Control" that can detect the signature of the traffic or such. I am fine with blocking the defaults or making it more difficult for the person. I understand that they could use other methods to avoid detection.
