Hardware Firewalls

24K

Solutions

20K

Contributors

Hardware-based firewalls provide more sophisticated protection for inbound and outbound traffic than the simple Windows software firewall or the basic NAT firewalls found in routers. These devices implement techniques such as stateful packet inspection, deep packet inspection, and content filtering; and may include built-in antivirus and anti-malware protection.

FortiOS v6.2.3 - I'm setting the log to "all" but I can't see any logs on "forward traffic log".
Attachments: Screenshot_1.png, Screenshot_2.png
What am I missing? Is there another option I need to enable?
I'm behind a SonicWall TZ400 and I need to upload a document to an external FTP server ftps://ftp.xxx.xx:990 IP 147.29.101.4 but I get an error that I'm unable to connect to the server. I think the firewall might be blocking access. What is the best way to open up access to this site?

Thanks,
Ronnie
Hello,

I am looking for help regarding settings on my NetScreen SSG5 firewall.  Two days ago I updated my internet from a legacy Time Warner plan to a new plan from Spectrum.  This involved swapping out my modem.  The old Time Warner product was a combination modem/wifi router, while with Spectrum I was given two devices - a modem and a separate wifi router. I have two networks in my home - one is for personal use and for our streaming TVs.  The other is a work network I use for my home office and my wife's PC.  When I made the switch the personal use network worked fine but nothing sitting behind the SSG5 could connect to the internet. Attempting to ping anything public, including Google, resulted in timed out errors.  I suspect that either a port needs to be opened in the new wifi router or an IP setting(s) needs to be changed on the SSG5.

I called Spectrum tech support and logged into the SSG5 and looked at all of the settings.  It was correctly sensing the new public IP address.  There was a problem with respect to the DNS settings.  The IP address listed as the primary DNS address was actually the secondary address and the one listed for the secondary was incorrect.  I changed these to the correct values but the problem still remains.

I realize you probably need more info than this to figure the problem out.  Please let me know what you need.

One idea I had was to unplug the SSG5 for a minute and plug it back in, to sort of reboot it.  I have not done any …
We have 2 Fortigate 101 units configured as HA Active-Passive; port 1 on both devices is connected to one of our internal switches, but recently our switch became faulty and we are planning to buy 2 units and stack the switches together to have redundancy.

Please advise: to achieve this do I need to configure a two-port aggregate and configure POL on the switch port? Fortigate HA
I need help to establish a VPN connection from my home Linux box (Debian 10) to the office's SonicWall TZ300 using strongSwan ipsec.
Here are my config files:
/etc/ipsec.conf
conn GroupVPN
        auto=add
        left=%any
        leftid=@GroupVPN
        leftsourceip=%config4
        leftsubnet=192.168.1.2/32
        leftfirewall=yes

        right=<SW_IPaddress>
        rightid=@<UniqueFirewallIdentifier>
        rightsubnet=10.0.0.0/24

        keyexchange=ikev1
        keyingtries=0
# aggressive=yes disabled by default when auth by PSK. It's enabled by setting
# charon.i_dont_care_about_security_and_use_aggressive_mode_psk=yes in strongswan.conf
# see https://wiki.strongswan.org/projects/strongswan/wiki/FAQ#Aggressive-Mode
        aggressive=yes
# see https://wiki.strongswan.org/projects/strongswan/wiki/IKEv1CipherSuites
        ike=3des-sha1-modp1536!
        esp=3des-sha1-modp1536!
        authby=xauthpsk
        xauth_identity=<MyUserName>
        ikelifetime=8h

#include /var/lib/strongswan/ipsec.conf.inc

/etc/ipsec.secret
#include /var/lib/strongswan/ipsec.secrets.inc

@GroupVPN @<UniqueFirewallIdentifier> : PSK <SharedSecret>
<MyUserName> : XAUTH "<MyUserPassword>"


# ipsec statusall
Status of IKE charon daemon (weakSwan 5.7.2, Linux 4.19.75+, armv6l):
  uptime: 2 seconds, since Jan 28 19:02:33 2020
  malloc: sbrk 811008, mmap 0, used 468032, free 342976
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
  loaded plugins: charon test-vectors ldap pkcs11 tpm aes rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac hmac ctr ccm gcm curl attr kernel-netlink resolve socket-default connmark farp stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc xauth-generic xauth-eap xauth-pam tnc-tnccs dhcp lookip error-notify certexpire led addrblock unity counters
Listening IP addresses:
  192.168.1.2
Connections:
    GroupVPN:  %any...<SW_IPaddress>  IKEv1 Aggressive
    GroupVPN:   local:  [GroupVPN] uses pre-shared key authentication
    GroupVPN:   local:  [GroupVPN] uses XAuth authentication: any with XAuth identity '<MyUserName>'
    GroupVPN:   remote: [<UniqueFirewallIdentifier>] uses pre-shared key authentication
    GroupVPN:   child:  192.168.1.2/32 === 10.0.0.0/24 TUNNEL
Security Associations (0 up, 0 connecting):
  none


Attached screenshots: GroupVPN policy / Advanced; VPN / Advanced Settings.
From SonicWall log (most recent at the top): (screenshot attached)
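As an added illustration (not code from the post above and not part of strongSwan), a small Python audit that parses the conn section of an ipsec.conf like the one posted and flags the settings a defender would want to review: IKEv1 aggressive mode combined with a PSK, and the 3DES/SHA-1/MODP-1536 proposals. The sample config is constructed from the post and keeps its placeholders.

```python
# Constructed sample based on the conn block posted above; the <...> values are
# the post's own placeholders, not real endpoints or identities.
SAMPLE_IPSEC_CONF = """\
# comment lines at column 0 are ignored
conn GroupVPN
        auto=add
        left=%any
        leftid=@GroupVPN
        right=<SW_IPaddress>
        keyexchange=ikev1
        aggressive=yes
        ike=3des-sha1-modp1536!
        esp=3des-sha1-modp1536!
        authby=xauthpsk
"""

# Ciphers, hashes and DH groups that should not appear in a new deployment.
WEAK_ALGS = {"des", "3des", "md5", "sha1", "modp768", "modp1024", "modp1536"}

def parse_conns(text):
    """Return {conn_name: {option: value}} for every 'conn' section in ipsec.conf text."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()          # drop comments
        if not line.strip():
            continue
        if not raw[:1].isspace() and line.startswith("conn "):
            current = line.split(None, 1)[1].strip()   # new section header
            conns[current] = {}
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)    # indented option=value
            conns[current][key.strip()] = value.strip()
    return conns

def proposal_algs(proposal):
    """Split a proposal such as '3des-sha1-modp1536!' into lower-case algorithm names."""
    algs = []
    for prop in proposal.rstrip("!").split(","):
        algs.extend(a.strip().lower() for a in prop.split("-") if a.strip())
    return algs

def audit_conn(opts):
    """Return a list of findings for one conn's option dictionary."""
    findings = []
    if opts.get("keyexchange", "").lower() == "ikev1":
        findings.append("keyexchange=ikev1: legacy IKEv1; prefer IKEv2 where the peer supports it")
        if opts.get("aggressive", "no").lower() == "yes" and "psk" in opts.get("authby", ""):
            findings.append("aggressive=yes with PSK: the PSK-derived hash is sent unprotected "
                            "in the first exchange, so the PSK is exposed to offline guessing")
    for key in ("ike", "esp"):
        weak = [a for a in proposal_algs(opts.get(key, "")) if a in WEAK_ALGS]
        if weak:
            findings.append(f"{key}={opts[key]}: weak algorithms {', '.join(weak)}")
    return findings

if __name__ == "__main__":
    for name, opts in parse_conns(SAMPLE_IPSEC_CONF).items():
        print(f"conn {name}:")
        for item in audit_conn(opts) or ["no findings"]:
            print("  -", item)
```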
We are currently using a Fortigate 100F with firmware v6.2.2 build 6083.  We recently upgraded from an older 200B that is end-of-life soon. To geo-block countries in the past, we had added an Address object named "Country Block - Countryname" and set a type of geography to it.  We then added this address to an Address Group named Country Block that is contained in the existing IPV4 policy that blocks incoming traffic from the outside-zone.

With the latest build of 6.2.2, is there a more efficient way of doing this?  Also and perhaps more importantly, we are considering blocking everything but US sources and I am curious what the recommended course of action is to do this efficiently.  We don't have public-facing servers and I am just looking to harden intrusion prevention.  I realize this isn't a silver bullet but anything I can do to lessen exposure to risk is desired.
I know an ex-colleague had a way at the command line (script or whatever) to automate adding IPs to block malicious IPs on a Nokia Checkpoint: that's years ago.

My current network colleague says it's very tedious to add IPs, as he has to create an object, then go into another screen to add it to a group, and we often get 100-700 IPs from threat intel (from a cyber regulator): is there a way to automate mass blocking for a CheckPoint Security Gateway 12600? Isn't there a way to get to the SG12600's Unix command prompt and write a script to automate it?

For sure with Linux iptables we can do it easily with a shell script.

Heard Palo Alto has an interface to add IPs en masse but my network guy says CheckPoint (and possibly Fortigate) don't.
Hey!
I have a GoDaddy Standard UCC/SAN SSL Certificate:
mail.mydomain.com - Exchange certificate
gp.mydomain.com - Palo Alto GlobalProtect VPN certificate

My certificate expired on 26/12/19 so I renewed the cert and installed it on the Exchange, all fine,
but how do I install the new certificate on my PA-820 GlobalProtect VPN without renewing or creating a new CSR?

Thanks!
Attachment: Capture.JPG
I have been contacted by our Wells Fargo bank rep and they told us a URL has changed and we are to add it to our firewall rules for continued access.  I have a SonicWall appliance, so the first question I have is where can I find the model number?  The interface recently changed and I used to be able to find it quickly.  Second question, how do I add this URL to the firewall so it does not get blocked?
I am a long time Sonicwall user/admin.

Does anyone else utilize bandwidth control on a Sonicwall with firmware 6.5 or greater?

I have been using it for years quite extensively but about 6 months ago I had to disable it completely due to a very odd issue. Sonicwall documentation on it only talks about how to create and such, not best practices or gotchas. I am not looking for howtos, I am looking for best practices and such for overall usage and performance.

Specifically, we are using an HA pair of NSA2600 with multiple WAN interfaces (for redundancy).
Our network team raised concern that with the number of IP addresses to block (currently we create a group and add in IP addresses) coming from the cyber regulator, it may hog/slow down our CheckPoint 12600.

Q1:
What's the rule of thumb for the max number of rules for a 12600?  We estimated the number of IPs to block to reach 5000 per year.

Q2:
There's currently 1 rule, i.e. "Deny Threat_intel_list All for all ports/protocol": so with only 1 rule, does adding IPs to the "Threat_intel_list" cause slowness, or does increasing the number of IPs in the list increase the latency (make it slower) as well?

Q3: *** this question is crucial ***
We plan to break down that single rule into multiple rules, i.e. 1 rule for 1 IP from Threat Intel to block, so that we can assess if there are hits and subsequently assess whether to remove rules that don't have hits after, say, 6 months, so as to reduce the number of rules and the load on the firewall: is this a good practice in terms of making the firewall faster?  In terms of cybersecurity, we were advised by one vendor that this is a safe practice as IOCs that are 'dormant' ought to be removed, just like AV vendors remove signatures for viruses that have not been seen in the wild for quite a while to reduce the size/length of the AV signature file/DB.

Q4:
To do a firewall rules review (i.e. remove rules, permit or block rules: permit as it means the endpoint device may have been decomm'ed and block if the IOC is not active), we reckon we review if there are hits.  Heard …
Hi All,

We are trying to help an external company who wish to publish their Juniper Firewall for remote management. We can ping the external address quite happily, however we cannot connect to the web ui over http. On the untrusted interface under management services / other services, ping and web ui are ticked. If we untick the ping we can see that external pings do drop off, so this works. I have confirmed with the ISP that there is nothing their end that would block the connection.

Any suggestions?

Thanks for your help.
Paul
Network access/routing issue.  The configuration that is in place worked perfectly fine until the broadband ISP switched out their cable modem.  See attached diagram for clarification.
The issue at hand is that before the cable modem gateway was replaced, any workstation on the local LAN (192.168.1.x) was able to access the DVR/NVR camera system using its address of 10.1.10.101.  However, now that address is pingable from the 192.168.1.x network, but no other network access works (i.e. the NVR software can't connect to it).  The NVR system is still accessible from offsite by using the public static IP of the ISP gateway, which has port forwarding to the NVR device.  In an ideal world, I would have had the camera system installed behind the network firewall so all devices were on the same IP network.  So I am looking for some input on what might be going on here.  Why would the old ISP gateway allow the communication but the new gateway appears not to?  Is there something that we should communicate to the ISP to change in their gateway to fix this issue?

Any insight is appreciated.
Attachment: Network-Diagram.pdf
I am looking for a solid, reliable VPN or terminal service solution.  Here is the scenario.  A web development company has access to several remote sites/servers located in customer data centers.  Those remote sites have the main office of the web developers building outgoing IP address white-listed so that they can access the servers that they need to.  The web development company has several employees that telecommute from all over the country.  Therefore, for these telecommuters to access those customer sites/servers, they need to be logging in from the main office and be seen as the white-listed IP address.  

What I am looking for is a good, reliable solution that will allow those users to do just that.  Currently we use FortiClient VPN since we have a FortiGate firewall, but it is flaky, unreliable and simply not working for what we need it to do.  So I am looking for a better VPN solution.  I've also entertained the idea of putting up a computer specifically for people to access at the main office, and then access the remote sites but I'm afraid that remotely connecting to a customer server, from a PC that the employee is already remoted into from their geographic location might be "over-remoting." :-)

Thanks in advance!
We are setting up a remote office with a FIOS internet connection.  Remote office users will connect to the main office using VPN.  Do you think I will need a firewall appliance at the remote office location?  I'm not sure it is necessary since users work from home and connect to the office using VPN and they do not have firewalls at home.  

Thanks,
cja
I am trying to log SonicWall capture logs to an FTP server but it fails. I have attached a pcap file of the failure: failed-ftp.pcapng
I purchased an EdgeRouter X so that I can take advantage of a 200 meg connection. When I plug directly into the cable modem I get about 175. When I plug the router in, I get about 10 Mbps down and 13 up. This router is brand new, replacing an old Netgear AC1200.

I did upgrade to the latest firmware with no change.

ubnt@ubnt# show
 firewall {
     all-ping enable
     broadcast-ping disable
     ipv6-receive-redirects disable
     ipv6-src-route disable
     ip-src-route disable
     log-martians enable
     name WAN_IN {
         default-action drop
         description "WAN to internal"
         rule 10 {
             action accept
             description "Allow established/related"
             state {
                 established enable
                 related enable
             }
         }
         rule 20 {
             action drop
             description "Drop invalid state"
             state {
                 invalid enable
             }
         }
     }
     name WAN_LOCAL {
         default-action drop
         description "WAN to router"
         rule 10 {
             action accept
             description "Allow established/related"
             state {
                 established enable
                 related enable
             }
         }
         rule 20 {
             action drop
             description "Drop invalid state"
             state {
                 invalid enable
             }
Dear Experts,

Previously, with the FortiClient, I was able to SSL VPN to my office network.

Now when I try to connect after keying in the FortiToken, it says permission denied (-455)
After upgrading our FMC 4500 to 6.5.0, we can no longer SSH into it.

Here are the symptoms:

1. Before upgrade, we could successfully use Putty and SecureCRT to access CLI via SSH

2. We are trying to use Putty and SecureCRT and neither emulator is working after the upgrade.

3. SecureCRT says "password authentication failed"   see pic

4. Putty says "access denied"    see pic

5. We have verified usernames and pw's of people attempting to access and they have admin rights.

6. We have attempted multiple users

7. We are not using external authentication. All of our users have local accounts to the FMC

8. See attached FMC log file too.
Attachments: Putty Error, SecureCRT Error 1, Secure CRT Error 2, FMC-Log.txt
"Forwarded" domain unreachable. Users get "Page Can't Be Displayed" when trying to access website forwarded using GoDaddy to another domain. forward is a "permanent (301)" and set for "forward only" (No Masking). SonicWALL firewall with all Security Services disabled still cannot access. Other sites with similar FW can access site successfully.
Normally I've configured PANs from their own GUI. On this gig, I need to push the network, zones, routes etc from templates in Panorama. I've upgraded the code and updates in standalone. Their management interfaces and routes are all set. I think I'd need to configure HA in standalone before pushing the network template to the pair from Panorama. Are there any other elements to consider deploying on firewalls themselves before pushing the network template? I found a PAN document on pushing network template from Panorama but it didn't address the HA issue unless I was using Active/Active in which case they recommended using two separate templates. But this is just old fashioned active/passive.
Hi,

I have a question. Can we manage a Firepower 4110 without using FMC (Firepower Management Center) or will I need to buy one?
Which appliance or virtual FMC do I need to buy? And is there any free license or not?

Thanks in advance
Dear Experts
We had to install Cisco FMC as a VM appliance on VMware; the engineer completed this task. But in the VMware web console the status is showing as "Warning" and also the following event message:
1. The configured guest OS (Other 2.6.x Linux (64-bit)) for this virtual machine does not match the guest that is currently running (Other 3.x Linux (64-bit)). You should specify the correct guest OS to allow for guest-specific optimizations. Warning
2. Another issue is when we shut down the FMC safely and started it again after server maintenance; it is now turned on but after more than 4 hours it is still showing "System processes are starting, please wait." when accessing the FMC.
Please help on how to fix the above 1 and 2, thanks in advance.
Dear Experts
We have installed a Cisco FTD 1010 for routing and firewall and Cisco FMC for managing the FTD. We have a Cisco 1830 series wireless router integrated with Windows AD and a Windows RADIUS server so that wireless users from Windows AD can access the network. Now we would like to implement the best practice method for guest users:
1. Please suggest whether we should create guest users in Windows AD and provide these details to guests. Guest users would only require the internet, hence not sure this is best practice; I think if we go by this approach then guest users will connect to the same network.

2. Or should we create guest users at the wifi device level and separate the guest network from the LAN private network (hence this assigns IPs to the guest users and they are not connected to our internal network)? Please suggest the best practice.

Thanks in advance.
Hi All,

We use a WatchGuard Firebox as our firewall. The last couple of days it has detected and blocked a relatively high (for us) amount of activity (100 hits) that it labels as MASSCAN Activity. I have traced this back to a handful of IP addresses. These tried to attack a couple of our web servers that we have to publish on the internet. Only ports 80 and 443 are open on these connections.

Is there anything I can/need to do to help stop this activity, or is it one of those things I have to live with as long as WatchGuard is blocking it?

Cheers,
Paul
