Hardware Firewalls





Hardware-based firewalls provide more sophisticated protection for inbound and outbound traffic than the simple Windows software firewall or the basic NAT firewalls found in routers. These devices implement techniques such as stateful packet inspection, deep packet inspection, and content filtering; and may include built-in antivirus and anti-malware protection.

On a Palo Alto Networks firewall (5060, current OS), what do you need to configure to have two redundant tunnels to a business partner like Google or Amazon? The goal is to maintain connectivity even if one of the end points at the business partner goes down.

Thank you.

Are there Check Point Gaia & FortiGate hardening guidelines?

If there are, can you point me to where to download them? If there are none,
a paper from the principals recommending not to harden them
would be appreciated.
Hi All,
I have been asked to set up web filtering on our firewall in hopes of eradicating our Symantec web filtering. Does anyone have any thoughts on how to do this or what my first steps should be?

We run several protections on our web traffic: firewall, IPS, web filter. How can I determine what is blocking a website? I've looked in all devices and cannot find anything being blocked for this one specific site, so I am assuming it's a secondary resource being blocked? I can load it just fine on my phone.

I am trying to find a solution for a client which will allow them to push all SSH traffic over remote access VPN. They are also requesting that it must have split tunneling, and all HTTP/HTTPS traffic must go out over the local Internet. Is this even possible? They currently have a FortiGate, which says no, it's not possible; I've called a few other vendors who say their VPN solutions are not capable of that. I know in Cisco you can force specific sites to go over the VPN, but you need specific IPs and it is not recommended. OpenVPN might be able to do it, but I might be misinterpreting what I'm finding. Has anyone come across something like this before and can point me in the right direction?

Basically this client has a lot of remote workers who download large images, which is why split tunneling is a must. They work through AWS and SSH into the boxes. The security for this is getting out of hand as they have a lot of servers and they are putting everyone's public IP in the security settings to allow them to access the servers. They no longer want to do this and only use their public IP for security reasons, so we are trying to get a bearing on how one would be able to accomplish this, as they want one point to cut all access to the servers if a user would leave or be terminated.

I am in the process of implementing HA for a client with two Cisco ASA 5516-X. One of the requirements, if I am correct, is to make sure the same files exist on both ASAs. I'm looking to understand exactly which files need to be present on both ASAs.

I have an ASA 5516-X. I have 7 interfaces set up. I have not done NAT or PAT other than nat (inside,outside) dynamic interface. Only management and inside have security-level 100. I run packet tracer on the inside interface. I can put any source IP (on the inside network) to any destination IP (outside, dmz, ...) and the packets are dropped. The error I am getting is "no valid adjacency". I have not set up any routing except the default gateway. What do I have to do to set up adjacency?

Thanks for your help
Dear Experts,

We have configured SSL VPN on the Sophos XG 310 firewall.

When we tried to add a second SSL VPN account by copying the first account's settings, we are unable to connect.

Is there a log for SSL VPN?

We are considering a gateway that will manage our access points (we presently use UAP-AC-PRO). Our primary interest is to be able to manage employee data bandwidth usage, block certain websites, manage what they are seeing / data management, etc., port forwarding, limit Internet data usage on employee phones, etc.

We are considering UniFi Security Gateway (USG) and/or pfSense SG-1100 Security Gateway. Kindly make recommendations, not only limited to these two.
Working with an ISP that has guaranteed 1Gx1G dedicated fiber for $575/month. I haven't seen anyone else able to touch this, not even close. I wasn't expecting this low a price for another 3-5 years.

Brings up a good question regarding the firewalls my clients are using, the SonicWall TZ400. I spoke with my SonicWall rep and she mentioned the TZ400 will reduce the bandwidth substantially for a 1Gx1G dedicated fiber due to DPI limitations that max out at 300M. We discussed whether DPI is needed; I made the case it's not, and mentioned I have it disabled on many networks because it's created too many dropped packets. She didn't exactly say this renders the TZ400 useless, but she couldn't come to terms with why I would do this or not upgrade to the TZ600. Selling point? The TZ600 is $1000 - $1200 more and only increases the DPI bandwidth 100M, to 400M total. Hardly anything to justify spending the money to upgrade. Further in the conversation she priced out a firewall that would handle the DPI for a 1Gx1G network and it was over $20k, well over.

This brings up a lot of questions regarding firewalls as bandwidth continues to increase, and the limitations they have regarding security and bandwidth.

What are EE's experiences / thoughts regarding the following:
- General use of the SonicWall TZ series firewalls with bandwidth over 400M to full 1G.
- Do you feel DPI is needed? Definitely a great feature but is it needed? In my case we have other…

Creating a template from an ASA configuration.

We are running Cisco ASA 5545 v9.10 and using ASDM 7.10.

We exported our configuration via ASDM to a text file and are using an Excel macro to make all of the necessary changes to the configuration.txt file for the ASA's respective location. We use ASDM File Management to drop the newconfiguration.txt onto the ASA. From the CLI we verify the file is there using the dir command. We use the copy disk0:/newconfiguration.txt run command and it does not bring any configuration in from the text file.

I have tried using .csv format as well.

What we are doing with the exported configuration.txt file from ASDM is a simple find and replace via a macro in Excel. Excel saves the new file after the find and replace as a .txt. We save the newconfiguration.txt and try to copy it to the running configuration.

Thoughts / ideas? We would really like to use this process as a template because we have so many ASAs to release to the wild, and this would significantly help in reducing errors and man-hours.
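
One way to do the find-and-replace step as a script rather than an Excel macro, added here as an example (it is not the poster's macro or Cisco code): the template fragment, the {{PLACEHOLDER}} token syntax, the per-site values and the address checks are all assumptions. It refuses to produce a file that still contains an unfilled placeholder or an address that does not parse, and it writes plain LF line endings rather than the CRLF a Windows editor produces, so what lands on disk0: is exactly the text that was reviewed.

```python
"""Render per-site Cisco ASA configurations from one exported template.

Added example (not the poster's Excel macro and not Cisco code): the
template, placeholder names, site values and the {{KEY}} syntax are
assumptions.  The ASA treats lines beginning with ':' as comments, so the
': Saved' banner from an ASDM export is left in place.
"""
import ipaddress
import re

# Constructed template: a fragment of an exported ASA config with the
# site-specific values replaced by {{PLACEHOLDER}} tokens (assumed syntax).
TEMPLATE = """: Saved
hostname {{HOSTNAME}}
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address {{OUTSIDE_IP}} {{OUTSIDE_MASK}}
interface GigabitEthernet1/2
 nameif inside
 security-level 100
 ip address {{INSIDE_IP}} {{INSIDE_MASK}}
route outside 0.0.0.0 0.0.0.0 {{OUTSIDE_GW}} 1
"""

# Constructed per-site values (the rows the Excel macro would hold).
SITES = {
    "branch01": {"HOSTNAME": "asa-branch01", "OUTSIDE_IP": "203.0.113.10",
                 "OUTSIDE_MASK": "255.255.255.248", "OUTSIDE_GW": "203.0.113.9",
                 "INSIDE_IP": "10.1.0.1", "INSIDE_MASK": "255.255.255.0"},
    "branch02": {"HOSTNAME": "asa-branch02", "OUTSIDE_IP": "203.0.113.18",
                 "OUTSIDE_MASK": "255.255.255.248", "OUTSIDE_GW": "203.0.113.17",
                 "INSIDE_IP": "10.2.0.1", "INSIDE_MASK": "255.255.255.0"},
}

PLACEHOLDER = re.compile(r"\{\{([A-Z0-9_]+)\}\}")
ADDRESS_KEYS = ("OUTSIDE_IP", "OUTSIDE_MASK", "OUTSIDE_GW", "INSIDE_IP", "INSIDE_MASK")


def render(template: str, values: dict) -> str:
    """Substitute every {{KEY}} in template; fail loudly on bad or missing data."""
    for key in ADDRESS_KEYS:
        if key in values:
            ipaddress.IPv4Address(values[key])  # raises ValueError on a typo such as 10.1.0.300
    missing = sorted(set(PLACEHOLDER.findall(template)) - set(values))
    if missing:
        raise KeyError(f"no value for placeholder(s): {', '.join(missing)}")
    # CRLF from a Windows editor becomes LF before substitution.
    rendered = PLACEHOLDER.sub(lambda m: values[m.group(1)], template.replace("\r\n", "\n"))
    assert "{{" not in rendered  # every token was replaced
    return rendered


def render_all(template: str, sites: dict) -> dict:
    """Return {site_name: config_text} for every site, stopping at the first bad row."""
    return {name: render(template, values) for name, values in sites.items()}


if __name__ == "__main__":
    for name, text in render_all(TEMPLATE, SITES).items():
        with open(f"{name}.txt", "w", newline="\n") as fh:
            fh.write(text)
        print(f"wrote {name}.txt ({text.count(chr(10))} lines)")
```

Keeping the site table in a CSV or spreadsheet and feeding each row to render() is the same workflow as the macro; the difference is that a bad row stops the run instead of producing a file that looks right until it is copied onto the ASA.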
I have a SonicWall TZ 400 wireless-AC and am utilizing GEO-IP Filtering to filter countries.

I wish to grant users access to a country... for a while anyway.

I moved the country from Blocked Countries to Allowed Countries and Accepted the change.

Still could not access the site.  They get a "Connection initiated towards country: Brazil" message.  "Block reason: Gateway GEO-IP Filter Alert"

I restarted the SonicWall.  Brazil shows in the Allowed Countries list but they still can't get out.

What needs to be done to allow them out to the site?
Experts! Has anyone had any experience with the Ubiquiti UniFi SDN product? I have some aged firewalls and switches but have a few UniFi APs. I've used Meraki in the past but it gets quite pricey. How does the UniFi firewall, switch, AP and network controller solution add up? How is the intrusion prevention/detection system? I really like the ability to centrally manage and define my network. We are an educational institution and have 2 primary and 2 satellite campuses.
Does anyone know what a best-practice design is for two Check Point firewalls running in a cluster with two ISPs (ISP A, the primary, having higher bandwidth than ISP B, the backup), and how the connectivity is?

Should both Firewall A and B point to ISP A for the default gateway and, if Firewall A fails, ISP B then use ISP A as the ISP? Or should Firewall A point to ISP A and Firewall B point to ISP B, and if Firewall A fails, Firewall B takes over and then uses ISP B as the primary Internet? Looking for some design topology and connectivity information, and configuration guidelines too if possible.

Thank you in advance,
Dear Experts, we have several Exchange 2016 servers, routing via a smart host (SonicWall ESA7000). As I understand it, all emails will transmit locally in the LAN to that SonicWall firewall before going to the Internet.

So do we have to keep the NAT entries for those Exchange email servers on the router? Or do we just need to keep the NAT entry for the SonicWall?

Please suggest! Many thanks
I am setting up our infrastructure to enable remote phones on a new phone system we installed. The phone vendor requirements were fairly simple, port forward UDP 443 to a device on our DMZ(the virtual machine). Easy, or so I thought.

Everything looks good from the Firewall end. If I plug in the phone, I can see the traffic hit the firewall, and be forwarded to the device lets say is No issues I can see from the firewall end. It's a Barracuda NG F280, I have gone over it over and over with Barracuda support and they see nothing from their end.

The issue is that traffic never hits I have set up a monitoring VM on my DMZ with wireshark, never see the traffic. The VM has a packet monitor built in so I can create packet captures on the interface directly, never see the traffic. If I run a netcat cmd for UDP 443, I see nothing. I see other traffic. If I ping from anywhere else on the network, I see it. There is nothing between this device and the Firewall, except the VMWare hypervisor.

I am at a loss at this point. My firewall vendor says it isn't on their end; my phone vendor says it isn't on theirs. I believe that to be the truth, but I don't know what else it could be. Does anyone have any ideas? The only thing I can think of is something in VMware, but I have never seen VMware block traffic like that before.

Some more info:

Seems localized in some way to port number. If I change my forwarding rule to port 3300 instead…
Dear Experts,

My customer is doing a core switch migration and I need to clear the firewalls' caches in order to clear the MAC addresses.

Are these the commands to clear them?

1. Palo Alto - clear arp all
2. ASA - clear mac address-table dynamic
3. FortiGate - execute clear system arp table
In the following (see below) SonicWall syslog entry, is fw= or src= the failed interface?

2019-02-05 06:01:37      Local0.Alert        id=firewall sn=Z1 time="2019-02-05 06:01:38" fw= pri=1 c=2 m=586 msg="WLB Resource failed" n=8855 src= note=" Default LB Group" fw_action="NA"

Thank you
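
An added example, not SonicWall's code or the poster's, that parses the key=value form of that syslog entry so fields such as fw=, src= and m= can be pulled out programmatically rather than read by eye. The sample line is constructed from the quoted entry; the fw= address 203.0.113.5 and the src= value X1 are assumptions, since the original shows both fields empty.

```python
"""Parse SonicWall key=value syslog entries such as the one quoted above.

Added example, not SonicWall's or the poster's code.  The sample line is
constructed to match the quoted entry's shape; the fw= and src= values in it
are assumed because the original post shows them empty.
"""
import re
from datetime import datetime

# key=value pairs; a value is either "quoted, may contain spaces" or a bare token.
PAIR = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')

# Constructed from the quoted entry; 203.0.113.5 and X1 are assumed values.
SAMPLE = ('2019-02-05 06:01:37 Local0.Alert id=firewall sn=Z1 time="2019-02-05 06:01:38" '
          'fw=203.0.113.5 pri=1 c=2 m=586 msg="WLB Resource failed" n=8855 src=X1 '
          'note=" Default LB Group" fw_action="NA"')


def parse_sonicwall(line: str) -> dict:
    """Return the key=value fields as a dict, unquoting and stripping each value."""
    fields = {}
    for key, value in PAIR.findall(line):
        if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value.strip()          # note=" Default LB Group" has a leading space
    if "time" in fields:
        # The firewall's own timestamp; it differs from the syslog receive time.
        fields["time"] = datetime.strptime(fields["time"], "%Y-%m-%d %H:%M:%S")
    return fields


def wlb_failures(lines) -> list:
    """Return (timestamp, src, note) for message id 586 'WLB Resource failed' entries only."""
    hits = []
    for line in lines:
        f = parse_sonicwall(line)
        if f.get("m") == "586":
            hits.append((f["time"], f.get("src", ""), f.get("note", "")))
    return hits


if __name__ == "__main__":
    for ts, src, note in wlb_failures([SAMPLE]):
        print(ts.isoformat(), src, note)
```

Filtering on the numeric message id (m=586) rather than on the msg text is deliberate: the id is stable across firmware versions while the human-readable string is not.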
I'm looking for a "home sized" firewall for my home.  I've been using a Sonicwall TZ105 for years with no problems but I understand that they are going to end support for this device soon.  Dell, of course, acquired Sonicwall a while back and looking over the offerings that they have now I may be looking at $500 ish for something comparable.  Any other decent options or do I just need to do it?

New client with an Adtran router and the password they have on file doesn't work. I believe Adtrans can be accessed by a serial port; however, any advice on how to access it without a full reset is my question. Is it possible? It's not a hijacked situation; the password was misplaced. Just bringing this up so this post does not go down the wrong path.

Question: is it possible to reset the password via the serial port and not take the router down? It's in production.
I have been trying to configure port redirection on my ASA firewall for ports 80 and 21 to a computer on the inside network.
Outside Network X.X.X.X./24
Inside Network
#1) The firewall is disabled on InternalPC and IIS is installed with an FTP server. I can reach the server internally via HTTP and FTP.
#2) The ASA is configured with the base config, so all computers reach the Internet from ASA DHCP using PAT; outside is configured with security level 0, inside is configured with security level 100. All works fine. ASA version 9.1.
#3) I am trying to configure port redirection but I still get access denied when connecting from outside. Below is the additional configuration I placed on the ASA.
Is there anything else I need besides the commands below? Please advise.

object network PC_Web
 nat (inside,outside) static interface service tcp www www
 nat (inside,outside) static interface service tcp ftp ftp

access-list outside_access line 1 extended permit tcp any object PC_Web eq www
access-list outside_access line 2 extended permit tcp any object PC_Web eq ftp

access-group outside_access in interface outside
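
An added example that is not from the question or from Cisco: a small lint for the two object-NAT rules that bite on exactly this kind of port forward on ASA 8.3 and later (an object network needs a real address, host/subnet/range/fqdn, before its nat line refers to anything, and each object carries one nat statement, so two services forwarded to one host need two objects). It is run over a constructed copy of the posted fragment and over a corrected one. The inside host 192.168.1.10, the object names in the corrected fragment and the interface names are assumptions.

```python
"""Lint Cisco ASA (8.3+) object NAT for port-forwarding mistakes.

Added example, not from the poster and not Cisco tooling.  It encodes two
rules of ASA object NAT: an 'object network' must define a real address
(host/subnet/range/fqdn) before its 'nat' line can mean anything, and each
object carries at most one 'nat' statement, so two services forwarded to one
host need two objects.  The inside host 192.168.1.10, the object names and
the interface names are assumptions.
"""
import re

# Constructed: the shape of the configuration in the question above.
POSTED = """\
object network PC_Web
 nat (inside,outside) static interface service tcp www www
 nat (inside,outside) static interface service tcp ftp ftp
access-list outside_access extended permit tcp any object PC_Web eq www
access-list outside_access extended permit tcp any object PC_Web eq ftp
access-group outside_access in interface outside
"""

# Constructed: one object per forwarded service, each naming the real host.
CORRECTED = """\
object network PC_Web_HTTP
 host 192.168.1.10
 nat (inside,outside) static interface service tcp www www
object network PC_Web_FTP
 host 192.168.1.10
 nat (inside,outside) static interface service tcp ftp ftp
access-list outside_access extended permit tcp any object PC_Web_HTTP eq www
access-list outside_access extended permit tcp any object PC_Web_FTP eq ftp
access-group outside_access in interface outside
"""

ADDRESS_KW = ("host", "subnet", "range", "fqdn")


def parse_objects(config: str) -> dict:
    """Return {object_name: [body lines]} for every 'object network' block."""
    objects, current = {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.lower().startswith("object network "):
            current = line.split(None, 2)[2]
            objects[current] = []
        elif line.startswith(" ") and current is not None:
            objects[current].append(line.strip())
        else:
            current = None          # any unindented line ends the block
    return objects


def lint(config: str) -> list:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    objects = parse_objects(config)
    for name, body in objects.items():
        has_addr = any(l.split()[0].lower() in ADDRESS_KW for l in body if l)
        nats = [l for l in body if l.lower().startswith("nat ")]
        if nats and not has_addr:
            findings.append(f"{name}: nat statement but no host/subnet/range/fqdn")
        if len(nats) > 1:
            findings.append(f"{name}: {len(nats)} nat statements; ASA keeps one per object")
    # In 8.3+ the ACL names the real (pre-NAT) object; make sure each one exists.
    for m in re.finditer(r"access-list \S+ .*?\bobject (\S+)", config):
        if m.group(1) not in objects:
            findings.append(f"ACL references unknown object {m.group(1)}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("posted", POSTED), ("corrected", CORRECTED)):
        print(label, lint(cfg) or "clean")
```

The ACL check is there because the poster did that part right: since 8.3 the access-list matches on the real inside address (the object), not the translated outside address, so the rule only works if the object it names actually exists and resolves to a host.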
Sonicwall TZ300, cannot add firewall rule. Every time I try I get the attached error.
The main network is short of IPs, so we created a VLAN and moved all VoIP phones to this new VLAN. The PBX has to remain in the main network. We set up firewall rules to allow all traffic between the main network and the VLAN in both directions. All the VoIP phones on this VLAN work fine EXCEPT that
1. Paging voice does not come out of the speakers on all phones any more.
2. Background music does not come out of the speakers on all phones any more.

For troubleshooting purposes, we moved a VoIP phone back to the main network; the above 2 problems disappeared right away and the phone worked as normal again.

I could be wrong, but I think we need to enable broadcast between the main network and the VLAN on the firewall. But I have no idea how to do it.
The firewall is a SonicWALL TZ215

Any thoughts?

Hi Experts,

I have a very strange problem with HTTPS sites.
In one department we have 10 people. They all connect over the same firewall policy to the Internet.
But two of them cannot connect to some sites like -> www.orf.at
Other HTTPS sites work.
On the policy I have disabled all UTM features; no web filter is active.

The users get this error in each browser: DLG_FLAGS_INVALID_CA

Please can you help me out?
So far this problem is just on Win10 machines.
The regulator recommended turning on NetFlow: I guess this was obtained from
CIS Critical Security Controls V6.1 for effective cyber defense, item 12.9:
 Deploy NetFlow collection and analysis to DMZ network flows to detect anomalous activity

However, my network colleague's understanding is that NetFlow can only be turned on for
Layer 3 interfaces.

Is this true, or can L2 Cisco switches also enable NetFlow? If so, can you share a link on
how this is done?

One pair of routers belongs to the telco (not ours), which is beyond our jurisdiction, so we're
leaving this out.
However, can the Gaia firewall enable a NetFlow equivalent (aka Source Data, Flow Cache)?
The link below seems to indicate so, or did I read it wrongly?
Seems like Gaia has it:
  https://www.cpug.org/forums/showthread.php/21480-Checkpoint-and-Netflow-collector  :

“can configure Gaia OS as an Exporter of NetFlow records for all the traffic that is accelerated by SecureXL (SecureXL must be enabled for NetFlow to operate properly) …“

To enable SecureXL:
[Expert@HostName]# fwaccel on

Juniper firewalls have JFlow, but we plan to tech-refresh our Gaia to Fortinet: does Fortinet
have an equivalent of NetFlow?
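
As an added example of what the collector on the receiving end of that NetFlow export does (not code from the thread, from Check Point or from CIS): a decoder for NetFlow v5 export packets, with two simple anomaly rules of the kind control 12.9 is after, run over a packet constructed in the block. The DMZ prefix 192.0.2.0/24, the set of services a DMZ host is expected to accept, the 50 MB outbound threshold and the flow values are all assumptions.

```python
"""Decode NetFlow v5 export packets and flag anomalous DMZ flows.

Added example, not from the thread or any vendor: the collector side of
CIS Control 12.9.  The packet below is constructed in-line; the DMZ
prefix, the list of expected DMZ services and the threshold are assumed.
"""
import ipaddress
import struct

HEADER = struct.Struct("!HHIIIIBBH")                # 24-byte v5 header
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48 bytes per flow record

DMZ = ipaddress.ip_network("192.0.2.0/24")          # assumed DMZ prefix
EXPECTED = {(6, 443), (6, 80), (6, 25)}             # (proto, dst port) a DMZ host may accept
EXFIL_BYTES = 50 * 1024 * 1024                      # outbound volume worth a look


def parse_v5(packet: bytes) -> list:
    """Return one dict per flow record; reject anything that is not v5."""
    version, count, *_ = HEADER.unpack_from(packet, 0)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version={version})")
    if len(packet) < HEADER.size + count * RECORD.size:
        raise ValueError("truncated export packet")
    flows = []
    for i in range(count):
        f = RECORD.unpack_from(packet, HEADER.size + i * RECORD.size)
        flows.append({
            "src": ipaddress.IPv4Address(f[0]), "dst": ipaddress.IPv4Address(f[1]),
            "packets": f[5], "bytes": f[6],
            "sport": f[9], "dport": f[10], "tcp_flags": f[12], "proto": f[13],
        })
    return flows


def anomalies(flows: list) -> list:
    """Apply two simple rules; a real deployment would baseline per host."""
    out = []
    for f in flows:
        if f["dst"] in DMZ and (f["proto"], f["dport"]) not in EXPECTED:
            out.append(f"unexpected service {f['src']}->{f['dst']}:{f['dport']}/{f['proto']}")
        if f["src"] in DMZ and f["dst"] not in DMZ and f["bytes"] >= EXFIL_BYTES:
            out.append(f"large outbound flow {f['src']}->{f['dst']} {f['bytes']} bytes")
    return out


def build_record(src, dst, sport, dport, proto, nbytes):
    """Pack one v5 record (constructed test data, not a capture)."""
    return RECORD.pack(ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
                       b"\0\0\0\0", 1, 2, 10, nbytes, 0, 1000, sport, dport,
                       0, 0x18, proto, 0, 0, 0, 24, 24, 0)


# Constructed export packet: three flows, two of which should be flagged.
SAMPLE = HEADER.pack(5, 3, 123456, 1549350000, 0, 42, 0, 0, 0) + b"".join([
    build_record("198.51.100.7", "192.0.2.10", 51000, 443, 6, 4096),         # HTTPS to DMZ
    build_record("198.51.100.7", "192.0.2.10", 51001, 3389, 6, 900),         # RDP into DMZ
    build_record("192.0.2.10", "198.51.100.9", 40000, 22, 6, 80_000_000),    # 80 MB out of DMZ
])

if __name__ == "__main__":
    for line in anomalies(parse_v5(SAMPLE)):
        print(line)
```

A collector fed by a real exporter would bind a UDP socket and hand each datagram to parse_v5(); the header's flow_sequence field (the sixth value) is worth tracking as well, since a gap in it means the exporter dropped records before they ever reached you.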
