Hardware Firewalls





Hardware-based firewalls provide more sophisticated protection for inbound and outbound traffic than the simple Windows software firewall or the basic NAT firewalls found in routers. These devices implement techniques such as stateful packet inspection, deep packet inspection, and content filtering; and may include built-in antivirus and anti-malware protection.

Share tech news, updates, or what's on your mind.

Sign up to Post

what is the difference between state full inspection and deep packet inspection ?

thanks !!!
Become a Certified Penetration Testing Engineer
LVL 12
Become a Certified Penetration Testing Engineer

This CPTE Certified Penetration Testing Engineer course covers everything you need to know about becoming a Certified Penetration Testing Engineer. Career Path: Professional roles include Ethical Hackers, Security Consultants, System Administrators, and Chief Security Officers.

Howdy folks,

I have a question in regards the ASA 5505. I totally understand the concept from higher to lower level, but I noticed something interesting while I was doing something at work today. Traffic from my inside could see my web server located in my DMZ via local IP address. For example source local IP (MyPC was able to establish tcp session towards my Apache server addressed to  I thought once you've created level of security none of them interface should communicate unless you have an access-rule such as NAT or ACCESS-LIST in placed. Please let me know if im wrong.

 Also, I have no routing nor access-list, just basic simple configuration, I just noticed it after mistakenly typed an IP address.

DMZ 50

Thanks you!
Recently we bought a new firewall fortinet 100D to secure our company network.Our network is

now our network is flat network and we would like to implement VLAN also.

we have one unit Cisco 3750 switch ,now we already configure. firewall LAN port using and connected to switch port directly and working without any issue.

1.If we configure create the subinterface 10(Management),20(Server),30(Users),40(Wifi) and 200(Voice)what should i need to configure for the switch port connected to firewall ?
*All the traffic must visible in our firewall.

2.Our DHCP server is running inside the hyper-v and now the switch port i configure LACP with switch port mode access to allow VLAN 1 only.Do i need to configure to trunk and native VLANs ?if native VLANs is require which VLANs should i configure ?

3.How to migrate all my server to VLANs 10 without downtime ?

4.What is the purpose of management VLANs  i put it there just research online many people are design in this way.

5.How to configure the switch port which is user connected ?now all the user arw connect thier PCs via Cisco IP Phone ?
Can fortinet firewalls (50d) be setup to monitor an ipsec vpn connection and switch to another if one is down?
Dear All, I am having an issue getting all of my Branch Site to Site connected ASA's to be able to be able to utilise Main Site Radius Server for 2FA.  All of these Branch sites have been connected and operational for hundreds of days and everything still works fine, with exception of this issue.  The issue I have is trying to get the AAA server of to working at any of the branch site ASA's.  Now every server/PC on each of the Branch sites are able to ping and even web browse to the Radius server, but none of the ASA's themselves can communicate.  I naively assume this is something to do with it seeing this as data being treated as from the outside interface?

When I initiate the AAA test, this is the error from the log file. Routing failed to locate next hop for UDP from identity: to inside:
Basic topology
Can i have a Draytek Vigor 2860 behind another firewall?
The reason I am asking is that the company are going to upgrade the firewall to a Sonicwall Next Gen firewall but the existing firewall (the Draytek) manages the wireless access points so i want to keep it on the the network if possible but just for that task rather than for its 'firewall abilities'.
Can this be done?

Are there instructions somewhere for setting up VPN on Ubuntu via command line?

Anyone can provide any reference please?  Thank you!!
Secondary VPN Connection Help Needed
We have a location that we are using for data processing
It has a current vpn to our location, they are setting up a failover connection to another ISP
How to setup a second vpn connection to the failover ip on the Fortigate
the Fortigate side does NOT have a secondary wan connection only the head end at this time
Do not need someone else to configure it for me just trying to find where to get more detail we have begun working on the Fortinet side, but keep falling into trouble when trying to setup the backup vpn on the Fortigate site
Just a gentle nudge towards to where to find this solution been scouring the net for hours so far
I blocked gamble.com for my company but still can access. We have sonic wall.
What to adjust on server, as port 993 is not responding, like is responding on port 80 (http). isn't responding on port 993 (imaps).
while I already opened TCP & UDP Inbound & Outbound Firewall rules on 993 port.
Learn Ruby Fundamentals
LVL 12
Learn Ruby Fundamentals

This course will introduce you to Ruby, as well as teach you about classes, methods, variables, data structures, loops, enumerable methods, and finishing touches.

I work with quite a few small businesses who have been using commodity routers as their internet interface.  
Features vary of course.
Because many of these configurations are set by the owners before I've seen the system, there are many different devices in use.
I'd like to be able to recommend something sensible.  Thus these questions:
1) What small /low cost firewall would you recommend in place of a commodity NAT router and why?  (I'm not so much interested in simply testimonials, rather, rationale).
2) What real added features are there that you believe to be important?
I don't believe that dual WAN is a necessity here.  Redundant ISPs are almost never used - just like redundant telephone systems were rarely used.
I have about two dozen remote sites that I need to create VPN tunnel.  I have Checkpoint FW cluster here.  The 23 remote sites either have Cisco, Forcepoint, Palo Alto or Juniper firewalls.  Using IPSEC, I need a good plan for setting up individual tunnels to these disparate sites.  I have a general understanding of IPSEC but not the specifics for configuring each firewall.

Can you point me to good literature, or links, or video media that helps me lay out a plan for gathering all the information needed for/from each customer to roll out these VPNs?
I want to change an ip range's dns-service from default to a policy I created.

current CLI:

set dns-service default

what would the commands be to change?
I'm trying to get to a server that's behind my ZyXel and it's giving me the dickens.

I'm using a ZyXel USG310.  

My private server is on and it's listening on port 65510.  It's a VM and from my host, I can telnet to it just fine.

In the ZyXel, I am going to NAT and doing a 1 to 1 NAT from my WAN port to the IP of the virtual server and it's just not working.

I'm thinking my ISP has it blocked as even with ICMP enabled, I can't ping the ZyXel.

Am I missing something?  I know I'm missing the publish server wizard in the sonicwalls!  

I had these specific related questions after viewing Upgrading from WS2003 to WS2016 (AD issues).

It seems there is a consensus that migrating (no in place upgrades) to new a DC/DNS server running WS2016 keeping DFL/FFL at 2003 for the time being, then the legacy fileservers folders can be migrated to new WS2016 servers subsequently, and finally raising DFL/FFL 2008 then 2016 when all legacy systems deprecated.

A. There is a WS2008R2 with ASP.net framework 3.x running a legacy asp.net 2.0 app and MySQL 5.x. Push to ASP4.0 framework and it falls over.

The original strategy was to leave it in place whilst a new version is developped.   There are some references to potential problems with the application and RPC in the proposed new environment.  Has anyone come across this or offer any insights in this scenario ?

B.  There is a SQL Server 2000 running on WS2003 with a DC role, under VMWare.  The same server runs Sun Accounts v4.x.  I know there are potential issues running SQL Server 2000 in the new environment, and am concerned the Sun Accounts system whilst am told it does not directly use AD, may have RPC problems similar to 1. above.

Any feedback or insights greatly appreciated.
Hi All

I have a firewall problem that I believe is switch related.  My Sonicwall is alerting on IP Spoof Dropped but all the IPs are from my network into my BOVPN link.  I think the spoof is that the firewall is seeing many IPs coming from the connecting network on the Dell 3024 switch.  It seems I am unable to turn the connection from switch to Firewall into a trunk, I thought having a list of IPs from the local network as Tunnels would solve this but it hasn't.   Can anyone give me any pointers on how to resolve this problem?



I want to use SSL certificate for VPN SSL or web management access, to my Fortigate 200D (version 5.6.3).
A SSL Domain certificate trusted bought to a CA, appears to been correctly uploaded in my Fortinet Firewall but is not shown in the menus such VPN/SSL-VPN Setting or in System/Settings/Administration Settings (Web UI). If I use the command line, that's the same problem. Certifcates are in the vpn list.
show vpn certificate local
get vpn certificate local details
But I can not select my domain certificate (by example, with "config vpn ssl settings" and "set servercert ....").

How did I proceed?
After generating and sending the CSR to the CA, I get instructions to create  two .csr files. I have uploaded the first (for the domain) as local certificate  (status was change from pending to OK), uploaded too the intermediate certificate of the CA. There are both in the certificate list. That looks fine, status is ok. But, there are not in the menus, when I want to select the domain certificate.
I've followed the official documentation
Other source
NB: sslsupportdesk is not my CA (Mine is a well known one).

The only thing, that's the documentation does not mention the password for the private key (certainly a bit too old). I have tried witch a 4096 bits …
Hi guys

We have an application on our work premises that people externally use VPN to access. The port has been set to 'ANY'. However, if I wanted to lock this port down, I have some issues as there is no documentation on what the ports are. When I look at the firewall logs, I can see that the source port always changes but the destination port stays the same. What does this mean if the source port changes but the destination port is the same? I assume the destination port is the port on the application on our side and therefore we can lock the VPN ports down to this destination port?

Thanks for helping
Can you configure a SonicWall TZ300 via the Console port?   I want to configure it for a friend before I take it to their business.  I exported their settings from the TZ180 but when I try to import them it states "file corrupt".

I printed out all of the setting so I could input them.

Their setting are very basic.  In fact they are using the default
C++ 11 Fundamentals
LVL 12
C++ 11 Fundamentals

This course will introduce you to C++ 11 and teach you about syntax fundamentals.

Hi everyone. I have a series of devices on an old IP range which I need to communicate with our new network range. These are connected through a Cisco ASA 5516 firewall. The devices will eventually be moved to the new range, but they can't as of yet. So I have been asked if I can set up a nat for this range of devices. So two questions:
Does it make sense to use a nat, or is there a better way?
Is there a way to set this up as a range? The IP addresses are a continuous block. Otherwise do I have to make an individual Nat rule for each device?

I have a PFsense router at my location and there has been some malicious activity coming from a device on my network.  Our ISP has notified us that they think that it's a problem with port 23 and if I block it that should fix the problem.  I've blocked port 23 outbound and inbound on all of the interfaces.  The complaint to our ISP gave a reference to BitNinja to check on the malicious requests sent from our network.  Here's a copy of the last request:

    "PORT HIT": "98.#.#.#:21349->185.#.#.164:8899",
    "MESSAGES": "Array
                [01:36:54] => REMOTE HI_SRDK_DEV_GetHddInfo MCTP/1.0

I see that on 11/2/18, the malicious activity was on port 23.  Now, today I see that it's going on port 5680.  And the latest request was 8899.  

I don't know what device is doing this.  I've scanned the network and don't see any unknown devices on the network.  Here's something strange that happened.  There was a car in our parking lot with dark tinted windows and ghetto rims.  He was always gone when I came by the office.  I was talking to someone in the office and they said that that strange car was back.  I asked if they saw the driver.  She said that he was sitting in the back seat.  I remoted onto a computer in the office and scanned the network.  An IP address showed up that shouldn't be there.  I pinged it but it didn't respond.  …
I am doing my first sbs 2011 Standard to office 365 hosted exchange migration.

I am using migration wiz and 4 of 5 mailboxes failed. one talked of actively refiusing the connection.

It reminded me - there's a watchguard firewall at the sbs 2011 location.  I remember once someone else having a problem with too much data going to /. from 1 place that the watchguard shut it off - there's a setting to limit amount of data to / from 1 external location that was on by default.

Anyone know where that is?  Could that be why they are failing the migration?

can you tell me where to look to disable that if it's on. and maybe where to look to see if that feature was activatted in the last 48 hours?

How do I get the default gateway to show as the first hop in tracert using a Dell SonicWall TZ400? Route print confirmed the default gateway is the first hop on the host I'm testing from.

I've read multiple articles stating "Login to DELL SONICWALL --> Firewall Settings -->Advanced there enable check against Decrement IP TTL for forwarded traffic under Detection Prevention and test"

When I enable the settings below the first hop shows 1   *    *    *    Request timed out, unchecked it doesn't show the default gateway, the 2nd hop is shown as the first and tracert starts this way, skipping the default gateway.
I am trying to verify some AWS prerequisites for Server Migration.  Could someone help me with the following 3 prerequisites listed below.   specifically:

a) verify if the following prerequisite connections are allowed
b) if they are blocked, how to open the requested ports in the fortigate

1)  DNS—Allow the connector ( to initiate connections to port 53 for name resolution.

 2)  HTTPS on WinRM port 5986 on your SCVMM or standalone Hyper-V host

 3)  Inbound HTTPS on port 443 of the connector ( —Allow the connector to receive secure web connections on port 443 from Hyper-V hosts containing the VMs you intend to migrate.

We use Mitel 5212 IP Phones. we are trying to get them to work on a custom VLAN setup on a watchguard m500 firewall. We have created the custom vlan and the ip scope which works fine. I have mimicked the DHCP options from our windows based dhcp server, however this didn't work. On the DHCP windows based DHCP server the options are:

128 Mitel TFTP xxxx.xxxx.xxxx.xxxx
129 Mitel RTC xxxx.xxxx.xxxx.xxxx
130 Mitel IP Phone Identifier MITEL IP PHONE
132 VLAN for Mitel IP Phone 0x3
133 priority for Mitel IP Phone 0x6

On the firewall dhcp scop options 9All custom)
Code       Name                                 Type            Value
128         Mitel TFTP                           IP                  xxxxxx
129         Mitel RTC                            IP                    xxxxxx
130        Mitel IP Phone Identifier  Text              MITEL IP PHONE
132        VLAN for Mitel IP Phone   Hex              3
133        Priority for Mitel IP phone Hex             6

When the phone eventually boots it gets a crazy VLAN id. Any clues as to what I am issing, or a how to guide on getting the IP phones to work?


Hardware Firewalls





Hardware-based firewalls provide more sophisticated protection for inbound and outbound traffic than the simple Windows software firewall or the basic NAT firewalls found in routers. These devices implement techniques such as stateful packet inspection, deep packet inspection, and content filtering; and may include built-in antivirus and anti-malware protection.