

Hardware Firewalls





Hardware-based firewalls provide more sophisticated protection for inbound and outbound traffic than the simple Windows software firewall or the basic NAT firewalls found in routers. These devices implement techniques such as stateful packet inspection, deep packet inspection, and content filtering; and may include built-in antivirus and anti-malware protection.


Setting up a site-to-site VPN with a partner.  We have overlapping networks so we need to set up NAT.  The partner does not want to pass private IPs over the VPN, stating that it is best practice to not use private IPs.  Is this best practice?  We have created several VPNs and all have passed private IPs.  The problem we have is our end is on the AWS network and they do not allow NATing in their VPN connections.  Is passing private IPs really a bad thing?  We are limited on our end by AWS, but if the partner wants to connect and pass public IP addresses, what are our options?  Traffic will only be initiated one way....from partner to AWS network.  The partner needs to connect to a load balancing device at using port 6500.  If I can't NAT my IP subnet and the partner needs to NAT to a private IP, what are the options?

Can "any" be used in a security policy on junipers as in the to-zone in the line below? Entering a ? after to-zone shows the available zones but not keyword "any". I see some "to-zone any" in the idp section e.g "set security idp idp-policy Recommended rulebase-ips rule 2 match to-zone any". Does it work the same for security policies? Thank you.

set security policies from-zone foo-untrust to-zone any policy passgo match source-address friendly-1
I have a user that is abusing their privileges and I would like to block services internally. A user wished to have the Dish Network application installed on their laptop to use while traveling. There have been reports that the user was using the application in the office while on the network. I wish to block services to this application while on the internal network. I currently have Palo Alto firewalls on the network. How do I block this service from my internal network?
I know very little about WatchGuards (or really most complex firewalls).  I have 2 WatchGuards in location A and location B.  Looking at the policies on the main office's WatchGuard, I have 16 rules.  I wonder which are needed?  

This is an XTM21 (old unit, right?)

It takes a few seconds to go from screen to screen / get the list of firewall policies, etc. 'retrieving data' on screen for 9 seconds... there are 16 policies in the list.  Is that a long time for pages to load?

a) Do you just replace WatchGuards after x years because they are old?
b) Do you reboot them on a schedule? How often? Every week? Month? Year?

This WatchGuard is set up for: Exchange on the SBS server on the LAN, general surfing from inside the office, VPN to the other location and phones being able to connect to the Exchange server from outside.

How many rules should those take?

Looking at the policies, I think this is what is set up. I inherited this network so there may be unneeded rules / defaults that came with the box?
FTP OUTboundSMTP ( to Any external)
GeneralProxy (From HTTP-proxy to ANY  Trusted)
SMTPtoMailSrv (From ANY to 75.127.x.x->
HTTPtoMAILSrv (From ANY to 75.127.x.x->
POP3toMailsrv (From ANY to 75.127.x.x->
IMAPtoMailsrv (From ANY to 75.127.x.x->
HTTPStoMailsrv (From ANY to 75.127.x.x->
RDPtoMAILsrv (From ANY to 75.127.x.x->
Voicecom mail system (From ANY to 75.127.x.x->
Watchguard …
If a user has a VPN connection on my ASA device then potentially he can use those credentials to connect from any computer.  Whilst I can restrict the connection to certain IP addresses and ranges, can I restrict the connection to an individual computer NAT'd behind that public IP address or range?

The risk comes in that I may not know the patch or AV state of a computer that connects to my internal network.
I have a FortiWiFi 90D and I'm wondering what command needs to be entered to do a check-disk or something?

I am trying to use the built in Wifi on a FortiWifi 60E. SSID is broadcasting and the user can connect but they have no Internet access.

I am pretty sure the Policy is correct, I am guessing there is something I may need to do in the CLI.

I have a ticket open with Fortinet and they seem to think the setup is also good and they want me to collect debug logs, which I cannot do until the users are in the office.

Has anyone come across a similar problem?
Hi guys

So we have a slight issue. We are unable to get to two particular websites on HTTPS. Their Australian and New Zealand domains are what we can't get to from our internal network. We can get to the HTTP sites, just not their HTTPS.

However, if we use our guest-wifi we can get to the HTTPS. If we use our mobile phones we can get to it.

Our firewall is permitting the traffic out. So I took a snapshot and we get to an HTTP BAD REQUEST and at the bottom it says something about 'nginx', which proves we are hitting some sort of proxy/web server at their end. I assume they have some sort of load balancers or web proxy causing an issue?

Thanks for helping
I am new to PA firewalls and wonder what others' opinions are compared to Cisco's, please.  I heard they are user-friendly but security guys hate them.  They can be very pricey as well.
Thanks in advance!

I have just configured a LAN > WAN Static Route within a SonicWall TZ300 running firmware utilizing dual WAN connections, pointing a specific Private IP Address to the X1 WAN Interface.

The issue is:
While I am able to run Windows Updates, a remote backup service (MozyPro), and a remote log-in service (LogMeIn Rescue) on the Server with the static Private IP Address stipulated in the Route, I am unable to browse the internet on this same Server.
I am able to PING,,,etc. when the route is active but I cannot browse.
DNS configured on  this Server included in the Static Route is the LAN Gateway IP and

IF I disable the Static Route = all is good (the Server CAN browse the internet) but it is using the U0 Interface without the Static Route in place.

Config is as follows:
* Dual WAN:
"Basic" Failover / Load Balanced Enabled
Default LB Group Ordering:  1st= U0, 2nd= X1, probing turned off for both connections and both "always active".
By default this causes all LAN connected devices to point to and utilize the U0 WAN interface, which is working without a hitch.
* Static Route:
Single Server 2008 Private Static IP  configured for "Any" Destination, "HTTP" Service ("ANY" in this field did not allow any WAN connection), X1 Default Gateway and X1 Interface with a Metric of 10.

The inability to browse the web on this particular Server is not really an issue except when we need to browse to a software …


What firewall equipment is recommended for a small of 1 server (rackmount) with 15 Windows 10 Pro workstations?

Also, what antivirus/anti-spam/anti-ransomware software best fits this type of scenario?
I am running Ubuntu 14, using the built-in FTP server.
When I try to connect to it, it connects, but I get the error below:

Status:      Connection established, waiting for welcome message...
Status:      Logged in
Status:      Retrieving directory listing...
Status:      Server sent passive reply with unroutable address. Using server address instead.
Command:      LIST
Error:      Connection timed out after 20 seconds of inactivity
Error:      Failed to retrieve directory listing

Yes, I know I can change the setting in FileZilla to active mode and then it would work, but that does not solve my problem.  I have a computer running a script FTP'ing files to my Linux box, and it stopped working.
The only thing I did yesterday was disable and enable the firewall on the Linux box, and it almost seems that since then it stopped working.

I'm thinking the problem is on the Linux box?
Does anyone know an easy way to get a Palo Alto evaluation licence for a physical PA-500 firewall?
I am using Linux, trying to connect to my FTP server using Serv-U in a remote data center.  I have an always-on VPN connection to the data center. From a Windows box, I can FTP just fine to the server, but from the Linux box I keep on getting this error message.

First it says:
Connected to 10.2.x.x
421, service not available, remote server has closed connection

So I looked at the logs on my FTP connection and I didn't see any connection attempt.

Is this a Linux issue or my firewall? I'm thinking it's my firewall.
Hi Experts,

We added a new server to our environment and would like Citrix to communicate with that server. In past environments I remember having to configure an outside\inside address in the firewall or the Citrix server itself to allow communication between servers.


I'm using a 3rd-party Linux virtual appliance to secure the email hygiene for all emails into my on-premise Exchange servers.
From what I can see, the two Windows DNS servers in my DMZ are running Windows to host my public DNS.

If I wanted to host the email hygiene service in the cloud, what sort of settings do I need to make on the Exchange Server 2013?
And do I need to make any changes as well on the public DNS entry or in the user Outlook settings / internal DNS?

Any help would be greatly appreciated.


I have a couple of WAN connections used by a few users to access company services like mail, web applications, etc.
Both lines have "A" records with our ISP. If one line is down, is it possible to redirect the users to access services through the backup line? Or can you suggest the best scenario?

Best Regards
Hello Team,

I used to have my VPN tunnels going SonicWall to SonicWall. Some of my remote offices are hiding behind a NATted static public IP address and the WAN interface of the SonicWall has a private IP address assigned. When using SonicWall to SonicWall, a public VPN tunnel can still be accomplished in this scenario when specifying the PEER IKE IP (private IP of the WAN interface) on the SonicWall at the other site along with the public IP. This is referred to as NAT Traversal.

Now we're moving to Checkpoint in our primary site where all our remote offices connect to, so we need to have a Checkpoint to SonicWall VPN, and so far it works fine except on the sites that are using NAT Traversal. How can we apply this same PEER IKE IP concept in the Checkpoint connecting to the SonicWall with a private IP address on the WAN interface?

Thank you.
Let's say I want to permit PING. If I specify PING in the Application tab, in the next tab over "Service" should I set that to "application default"?  If I set that service to ANY is that the equivalent of permit IP any any in Cisco?

Should this do the trick?

set system syslog host port 20002 any any

I'm not seeing any syslog from the device. Any tips on troubleshooting it?
I had this question after viewing Connect a wireless router to a sonicwall firewall.

Presently using a SonicWall TZ-215 with 3 TP-Link EAP 330 (coverage decent but not perfect) in a small business environment:
1. Would using the Linksys Velop in bridged mode give me better coverage (turning off wireless on the SonicWall TZ-215; turning off DHCP on the Linksys Velop)?
2. Since the SonicWall TZ-215 would be the main router, will the network be secure?
How to know the whitelisted IPs/domain/email address details from IronPort?
We wound up having some traffic flow problems and HA pair sync problems after pushing a few deletes and adds of AD servers via Panorama to a few PAN pairs. What debug tools exist that would show exactly what happened during the Panorama commit?
Hello Experts-

I have 'inherited' an older Cisco ASA 5525-X in one of my labs. It is running out-dated software:

Device Manager =
(ASA) Software = 9.0.1

Latest releases of software per Cisco are:

Device Manager = (June 19 2017)
(ASA) Software = 9.8.1 (May 15 2017)

My questions are:

1. Do I need to perform 'step' upgrades of the software? i.e. upgrade to each lower version until I reach the latest?
2. Is there a certain order I should upgrade each in? i.e. upgrade the Device Manager software, then the ASA software, or vice versa?

Thank you in advance for your insight!

I have set up an ASA 5505 Ver 9.2 through the factory default with a static IP on the outside interface and was able to access the internet.  I wanted to set up WiFi through e0/2 (DMZ port); since then I have not been able to access the internet unless I change the outside interface from static to DHCP.
Can someone shed some light?  Below is the configuration.  Thanks

ciscoasa> en
ciscoasa# show run
: Saved
: Serial Number: JMX1706Z16M
: Hardware:   ASA5505, 512 MB RAM, CPU Geode 500 MHz
ASA Version 9.2(4)
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
 switchport access vlan 3
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
 switchport access vlan 3
interface Vlan1
 nameif inside
 security-level 100
 ip address
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
interface Vlan3
 nameif dmz
 security-level 50
 ip address
ftp mode passive
object network wifi
object network LAN
access-list inside_to_outside extended permit tcp any any
access-list inside_to_outside extended permit icmp any any
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
no …