Hardware Firewalls

Hardware-based firewalls provide more sophisticated protection for inbound and outbound traffic than the simple Windows software firewall or the basic NAT firewalls found in routers. These devices implement techniques such as stateful packet inspection, deep packet inspection, and content filtering; and may include built-in antivirus and anti-malware protection.

Our company website is working fine and is accessible externally however all internal clients cannot access the site through our Smoothwall filter.

Our website is on the same domain as our internal domain and we have a www record in DNS pointing to the external web server’s IP address.

None of our clients can navigate to or ping the website. I logged into the Smoothwall and under the IP Tools section ran a ping to the company website and got 100% packet loss, yet pings to all other sites, even obviously blocked ones, get through fine, so it's not filtering.

Also, if I run the ping tests from the 4 internal Ethernet port interfaces we have set up in Smoothwall I get a 100% failure, yet if I use the external Ethernet port it gets a working ping.

It seems to be a DNS issue and the Smoothwall doesn’t seem to know how to either get to our website or deal with the response back from our internal DNS server, or possibly isn’t getting a response back.

The strange issue that has really stumped me is that both my IP address and one other in our internal range can access the site fine internally. My IP and the second one that works are both added as Exceptions in the Smoothwall, but so are my colleagues', and they are all getting "site unavailable".

This has been working fine. Any ideas/pointers?

Looking for help getting my SonicWall log files to upload to the Microsoft Azure Cloud App Security system. I am trying to set up the SonicWalls so they forward their logs to MS to be analyzed. I need to have a forwarding machine installed to do this. They have a Docker image of Linux, but I can't seem to get it to work. My working knowledge of Linux is pretty limited. I have been using this article as a reference: https://blogs.technet.microsoft.com/cloudready/2018/03/07/configure-microsoft-cloud-app-security-to-analyze-sonicwall-logs/. Thanks

I have a client with a SonicWall TZ105; he currently has a tunnel from his home office to his work location. He just purchased a Windows 10 laptop and wants to VPN in when he is travelling. Does the unit come with a license so he can do this, or is an additional license required to be purchased and installed? What is the best client to use on the laptop?
I have an IPSec VPN from site 1 to site 2. The VPN shows up and working.

From site one, I can ping the full range over at site two. I can ping site 2's full range from site one.

From site 2, I can only ping the first range in the subnet at site 1.  The subnet at site 1 is and I can ping anything in the, but nothing higher than that.

I've verified my two address objects and made sure the mask is correct, but I'm having trouble with this final problem.

Can someone point me in the right direction please?

Thank you
I have (2) Watchguard M270's configured in a firecluster.

Interface 0 is the External interface configured with a /28 block.
Interface 1 is the LAN

We have consumed all of our IPs, so I ordered another /28 block from our datacenter today. As soon as I configure Interface 2 for our new IP block, outbound traffic for the most part ceases to work on our network; however, some things do work, so we'll call it intermittent. As an example, I can ping out to but can't ping As soon as I disable Interface 2 that is configured for the new IP block, I am able to ping again.

I'm assuming this is because we now have 2 WAN interfaces configured and outbound traffic doesn't know which interface it should be sending traffic out on, but I couldn't be sure. I've made 4 calls to Watchguard support and nobody can identify the problem. I even had our datacenter issue us a different IP block just to rule out any kind of odd conflict, but the problem persists with a new IP block.

Am I going about this all wrong trying to have 2 IP blocks configured on our Watchguard? Is the better solution to just order a bigger block of IPs and re-IP everything? I was trying to avoid that hassle by just adding an additional block of IP addresses, but it seems that what I'm trying to do here isn't working.

I would appreciate any advice or input that someone could give on this. Thank you!!
I am trying to figure out how to enter SNMP priv and auth passwords on a Cisco ASA.

The existing config looks like:

snmp-server group net3group v3 priv
snmp-server user net3user net3group v3 engineID [lots of numbers] encrypted auth md5 [lots of hex] priv aes-128 [lots of hex]

I have been given a new password for netuser (ThisTaskKindaSucks) and I am not sure how to enter it. How do I convert "ThisTaskKindaSucks" into hex to enter the new password?

What am I missing?

I had a recruiter asking me if I had experience with Juniper routers and switches. I don't. But I do have quite a bit of experience with the Juniper SRX firewall. I wondered: is the "set..." syntax of the Juniper SRX firewall the same type of commands (or in some cases identical) to what is used in Juniper routers and switches? Inquiring minds want to know.

We have a SonicWall firewall and there are NATs working well.

Recently, we needed to set up a new NAT (TCP: 19832) from external to our internal server. My setup is as below:

1. Copied another NAT rule and allowed the port, but no luck
2. Telnet to the port from the internal network works
3. Setting up the NAT on a TP-Link works by telnet from the external network
4. Changed to another TCP port, no luck

I have double-checked the NAT and firewall rule; there are no hints in it.

Does anyone have hints on it? Is there a magic difference between TP-Link and SonicWall NAT (port forwarding)?

I checked on the firewall; there is activity hitting the NAT rule, but no traffic...
We have a site-to-site VPN tunnel which has been performing well for 4 years. We are seeing increased traffic this week and are seeing select devices unable to reliably access the tunnel for periods of several minutes to several hours, while other devices are able to connect across the tunnel.

The VPN tunnel is used to access a terminal server in a remote site using handheld computers running Windows CE. We typically have 12 devices deployed. Currently we have 18 devices deployed for a 2-week project.

We are seeing that during peak times (more users connected to the RDP server) select devices will be unable to connect. Pings from the affected device will range from 100% loss to 0%. The ping failure rate fluctuates. Users may sometimes connect to the RDP server for a few minutes before being disconnected again.

This problem seems to last between 10 - 120 minutes.

I have taken packet captures at the ASA and see that both ICMP and RDP packets are arriving on the inside interface; the portable computer having the problem is transmitting correctly.

My problem is how to ensure the ASA is encapsulating these packets and sending them out the Outside interface reliably. I have taken packet captures on the outside interface but do not know of a way to match these encapsulated packets up to those originating from the problem computer.

I have reviewed: show crypto ipsec sa

 #pkts encaps: 9228711, #pkts encrypt: 9228711, #pkts digest: 9228711

I am using FreePBX 14 and it is working fine, but I get thousands of attacks and in Intrusion Detection my public IP has been blocked sometimes, and because of this calls are not working. I am using a FortiGate firewall and opened ports 5060 to 20000 for the FreePBX, so my question is: 1. is port forwarding mandatory for the inbound route (if I change the SIP registration port from 5060 to another and do the same with the trunk provider)? Please let me know how I can make this FreePBX more secure so call disturbance would not occur in future.

Dear Experts,

I need your assistance regarding Fortinet/FortiGate firewalls. I need to know a list of CLI commands that are commonly used for daily operations to troubleshoot end users' issues.

Thanks for your attention to this question.
I would like to know if someone knows a firewall on which I can set an authentication page before hitting the target page. Let's say that I have my server's iDRAC page available on a public IP. I would like to know if there is a way to have the firewall authenticate access first and then forward the request to the Dell iDRAC web server, in order to add an additional layer of protection.

I have 2 PA-3020 firewalls. Is there a guide on how to do the cabling so that they are set up correctly in active/standby mode? For example, I don't know if my ISP modem is supposed to have a cable going to the same ports on both PA-3020s.
Hello Experts,

I am looking for a solution to meter Internet usage and bandwidth by user on a LAN.

In other words I would like to have the ability for a user on the LAN to (based on that user's account information):

1. Restrict bandwidth based on user settings.
2. Restrict total usage (time) using the internet based on user settings.
3. Be able to reset usage etc. based on user settings.
4. Logs/reports showing All User statistics while on the Internet.

Does anyone know how to do this?

I am using pfSense 2.4.4 with 3CX 16 and everything (inbound and outbound calls) is working fine, but I am not able to register the phones over the VPN (the other end's firewall is a FortiGate). I have done everything as in https://www.3cx.com/docs/fortigate-firewall-configuration/. The interesting part is I am able to work with a softphone but not with IP phones (tested with Yealink, Polycom).

I have a client who needs a fast router/firewall as they will be hosting an app from their office.

This is a startup, so money is tight; ensuring I put in a business-grade router/firewall, what is my best option for speed and security?

Having an issue with a Meraki and an ASA site-to-site. When I first built the tunnel it showed up, both green on the Meraki and showing MM_active in the crypto SA on the ASA. But still can't talk to devices behind the ASA. And periodically when I check the ASA VPN status it shows red, but when I try to ping something behind the ASA I get 100% loss but the tunnel will then show green. Not sure if it's an issue with Meraki and using summarized subnets or something else. Anyone have experience with this?
Hi Experts,

What is the difference between source NAT and destination NAT? I believe source NAT is just hiding your internal IP behind the public IP address, and destination NAT we use in mainframe systems or headless devices that do not have a default gateway. This concept is driving me bananas. I really appreciate your clear answer.

Upgrading ADFS 2012 R2 to ADFS 2016 R2

PRE-REQUISITE - are these correct?

Take a note of your ADFS 3.0 Server Properties.
Export the Service Communication Certificate.
Export ADFS Configuration to Files. ( not sure of this step)
Import the Service Communication Certificate.
Install ADFS 4.0 on New Windows Server 2016 ADFS01-Temp Server.
Import ADFS Configuration Files.
Verification of ADFS 4.0 functionality.
Import the Service Communication Certificate on Proxy Server.
Install and configure Web Application Proxy on ADFSProxy01-Temp.
Rename ADFS 4.0 Servers with old ADFS 3.0 Servers IP.

I am upgrading from ADFS version 3.0 (2012) to 4.0 (2016).

For that I am setting up a Windows Server 2016 server and migrating ADFS 3.0.

We have servers on VMs, so we have templates for building Windows Server 2016.

When we export the service communication certificate from the ADFS 2012 server, does it also include
the token signing and token decryption certificate as well?

If not, then how do we export the token signing and token decryption certificates?

2) Also, apart from the service communication cert export, how do we export the ADFS configuration files from ADFS 2012 to ADFS 2016?

4. On the Windows Server 2016 server, should I do this: open an elevated PowerShell command window and run the following cmdlet: Set-AdfsSyncProperties -Role PrimaryComputer, will this

We have traffic right now running from the firewall to a Citrix NetScaler which is having sts.domain.com …

SonicWall TZ600 constantly disconnects; it worked fine until about 2 weeks ago. I've reached out to SonicWall tech support, and they try the same connection using RDP and the latest GVC (which is what we are doing) and SonicWall has no issues. I've sent them the TZ600 VPN logs and the GVC client logs, but they have not resolved the problem for me.

Here is a copy of the remote user's log:
2019/08/15 16:20:01:748	Information	x.x.x.x8	The SA lifetime for phase 1 is 28800 seconds.
2019/08/15 16:20:01:748	Information	x.x.x.x8	Phase 1 has completed.
2019/08/15 16:20:01:848	Information	x.x.x.x8	User authentication has succeeded.
2019/08/15 16:20:01:948	Information	x.x.x.x8	The configuration for the connection is up to date.
2019/08/15 16:20:02:028	Information	x.x.x.x8	Starting ISAKMP phase 2 negotiation with xxx.xxx.xxx.xx5/
2019/08/15 16:20:02:078	Information	x.x.x.x8	The SA lifetime for phase 2 is 28800 seconds.
2019/08/15 16:20:02:078	Information	x.x.x.x8	Phase 2 with xxx.xxx.xxx.xx5/ has completed.
2019/08/15 16:20:33:091	Error      	<local host>	Failed to send an outgoing ISAKMP packet. A socket operation was attempted to an unreachable host..
2019/08/15 16:20:34:411	Information	x.x.x.x8	Starting ISAKMP phase 1 negotiation.
2019/08/15 16:20:34:471	Information	x.x.x.x8	NAT Detected: Local host is behind a NAT device.
2019/08/15 16:20:34:471	Information	x.x.x.x8	The SA lifetime for phase 1 is 28800 

I have 2 network cards in a server; one is set up for 192.168.0.XX and the second is set up using 10.1.30.XX. I am in a subnet of 10.1.1.XX. I can make changes on my SonicWall for the 10.1.30 and the 10.1.1 to be able to see each other in my local network.
I am trying to access the software on the 192.168.0.xx server; it is running our video software. All our cameras are on the 192 backbone.
I'm not quite sure how to connect the 192. and the 10. networks so I can run remote logon to the server.
I will be contacting the vendor of the video server in the morning to see if they can assist.
I hope this all makes some sense; looking for suggestions?

Need to block port 500 and port 443 on a Linksys E900 router and SonicWall SOHO. Can't seem to figure out how on either one. Any ideas? Thanks :-)

Just had two sites fail PCI compliance tests with certificate errors on a SonicWall TZ180. Trustwave does the scans and this is what they said: The server should be configured to disable the use of the deprecated SSLv2, SSLv3, and TLSv1.0 protocols. The server should instead use stronger protocols such as TLSv1.1 and/or TLSv1.2. For services that already support TLSv1.1 or TLSv1.2, simply disabling the use of the SSLv2, SSLv3, and TLSv1.0 protocols on this service is sufficient.
I have no idea how to do what they said. Any help is really appreciated. Thanks

I have a question regarding my new mail server. If I send an email, the IP address of my firewall is listed in the mail header, so the SPF check fails.

What can I do so that the mail server's external IP address gets used?

Thank you in advance!

I have two Zyxel 1100 routers and about two months ago I set up a site-to-site IPSec VPN between two sites. It set up quickly and worked perfectly.

Today, I logged in to bring a third site online, but I noticed that the VPN between site 1 and site 3 is down. I disconnected, deactivated and then reactivated and reconnected, but still I can't ping from site 1 to site 2. It's strange... the VPN shows up and connected, but I can't ping between the two sites.

Short of breaking the VPN and rebuilding it, which I have not tried to do yet, is there something else someone can suggest for getting this reconnected?