Hardware Firewalls

Hardware-based firewalls provide more sophisticated protection for inbound and outbound traffic than the simple Windows software firewall or the basic NAT firewalls found in routers. These devices implement techniques such as stateful packet inspection, deep packet inspection, and content filtering; and may include built-in antivirus and anti-malware protection.

Hi guys

As part of the last question I asked about firewall rules, I am looking at our firewall right now and monitoring the traffic. I'm looking at the traffic between VPN connections from our stores to a main server. These stores are all using the same application to communicate with the server. However, I'm looking at the server and it is receiving connections from our various stores, but every single store is communicating via a different port. So one store will be coming through port 4274. The other one will send it via port 4288. My point is, are applications specifically written in this way to prevent security breaches from happening by constantly randomising their port sequences so that they can't be 'guessed' by a malicious attacker?

And if that is the case, surely going back to the answers being given previously, this does warrant the ability for the 'ANY' ports to be open from site A to site B via VPN.

Thank you

Hi guys

I'm trying to lock down our VPN tunnels and firewall rules between sites. The one thing I am seeing in some places is that there are 'any' ports set up, which is not explicit.

So one place that always creates problems is the Active Directory systems. We have PCs in remote locations that talk to remote AD servers.

In order for the systems to not get affected, I need to be absolute in every single port I set up as I will be killing the 'any' port.

This MS article covers ports domains and trusts: https://support.microsoft.com/en-gb/help/179442/how-to-configure-a-firewall-for-domains-and-trusts

But then for RPC, it has ports 1024-65535/TCP!!

Do you have a setup on your firewalls in the same way as MS has described? And what about the RPC port? Not over-exposed?!
Fortigate 200D in HA cluster

I have a problem (a user "accidentally started a wizard" to change the gateway)...

and the Fortinet stopped routing as expected, as it seems nothing has changed.
Static routes are the same as before, route lookup hits the right route, and traffic seems to hit the right policy.

Monitoring the traffic, it says "Accept: session timeout" for everything.

I can ping the port to the internal network from the CLI, and I can ping something on the Internet (WAN) from the CLI,

but nothing gets through from external (WAN) to the internal network (PORT1) or vice versa.
I have a server, with a combined Apache website and SQL gaming server on the same server. I have the domain being routed to a different nameserver/proxy with DDoS protection, and made a separate subdomain there that goes directly to the game server because it is game traffic and cannot use the services. Everything works fine, but I want to block the incoming subdomain from accessing anything but the game server port on the destination server.

Question: On the game server firewall, how can I only allow the incoming subdomain traffic to use a specific port, and block all other ports?  I don't want it to impact the website traffic using the domain name and ports 80/443
ASA 5525-X with ASA5525 VPN Premium license.  

When I log on via console I am not able to do basic functions like name an interface or assign an IP address.  Example from interface management 0/0:

host# conf t
host(config)# int management 0/0
host(config-if)# ?

Interface configuration commands:
  channel-group  Etherchannel/port bundling configuration
  default        Set a command to its defaults
  description    Interface specific description
  duplex         Configure duplex operation
  exit           Exit from interface configuration mode
  flowcontrol    Configure flowcontrol operation
  help           Interactive help for interface subcommands
  lacp           LACP interface subcommands
  no             Negate a command or set its defaults
  shutdown       Shutdown the selected interface
  speed          Configure speed operation

Same options on all interfaces.

It feels like the thing is in transparent mode, but there is no firewall command in config mode.

Code version: 9.8(1)
Cisco ASA 5505 and I need to upgrade to the latest IOS. I upgraded it to 8.4(6), as several documents say that is the interim step for anything later. But I cannot find docs that reference the 5505 going further. I see a lot of 5506-X references. I see that there is also an 8.4(7) as the latest in the 8.x series, but seem to remember putting 5505s at 9.1 and 9.2 in years past, but am not sure. Can anyone tell me the latest version of IOS to put a 3 year old ASA 5505 at?
We use a SonicWall NSA 4500 at my company. I recently purchased a SonicWall 4500 so I can learn more about it. However, the firmware is not updated. Am I able to download the correct, most updated firmware from my company and use it for my personal use with no issues?
Here's a weird one...

I have to install a Cisco 5506 ASA at a location that had a Cisco 5505 ASA. The old 5505 will be moved to a branch site. Both ASAs will be accepting remote access VPN connections and a site-to-site VPN between the ASAs.

Since I'm doing all this remotely, I had the new 5506 shipped to me. I took a spare 5505 that I had and connected everything to a 3750 switch that I configured to act as the internet. I got both ASAs configured so that I could establish remote access VPN sessions from "the outside" and access devices on the inside. The site-to-site VPN came up fine as well.

I boxed up the 5506 and shipped it to the main office, where the existing 5505 was removed and the 5506 was installed in its place. Worked perfectly.

The 5505 was then given the new config that I created in the lab environment.  It was then installed in the branch site.  The 5505 came up fine, inside users have internet access, site-to-site VPN works fine and remote access VPN sessions can be established.  But... remote access VPN users can't access any inside devices.  And I can't establish an SSH session to the ASA.

I compared the running 5505 config with the one that works in the lab. They are identical. I then set up my spare 5505 on the lab environment with the exact same config. I can establish a remote access VPN connection, access inside devices and get an SSH session to the ASA working.

The question is: why is it not working on the live site …
No one inside the office has internet access.

I'm working with a Cisco 1900 series router, a Cisco 5520 ASA (firewall) and Dell PowerConnect 6224 switches.

Service has been confirmed up to the router. The line out of the router goes into the Cisco 5520 ASA (firewall). The line out of the firewall goes into one of the PowerConnect switches, which are stacked (configured as master/slave, unit 1 & 2).

I can ping and connect to the switch from the Domain Controller but when I ping the Cisco 5520 (firewall) the reply I get is "Destination Host is Unreachable".  I get the same reply from workstations.

When the problem began one of the PC 6224 switches would not come on so the cables plugged into it were moved to the other switch.  Shortly after the switch that wasn't working came back on.  The cables were then randomly moved back into the switch.  I'm not sure if certain cables were designated for certain ports.

How can I get things working again?

Any help would be greatly appreciated.

Thanks in advance
Is it possible to configure the SSL VPN on SonicWall such that all traffic will route through SonicWall, except the network printing, where it should go to the client's network printing?

Currently, a remote VPN client can't print to his network printer if "Tunnel all mode" is on. It can only work if the setting is off.

Can I set up a routing table in SSL VPN to tell SonicWall how to route a client's network subnet back to the client?


I need to factory default a Calyptix AE800.  I took over this network from an IT company who will not share the login information.  I can't find any information on line, and there is no reset button on it.  Anyone who can help would be appreciated!  Thanks!
ASA Firewall vs Router Zone based Firewall

I would like to know what the difference is between an ASA firewall and a zone-based firewall configured on the router.
I mean, if I have a router that supports a zone-based firewall, then do I not need to have an ASA firewall?

I am looking at a replacement for our aging Cyberoam UTM. One of our options is the Sophos X330, which appears to be a good upgrade path for my requirements.

Has anyone used Cyberoam and then moved to Sophos? I am curious if there are setup and managing similarities. Seeing as Sophos acquired Cyberoam a few years ago, I was wondering if the Sophos UTM would be familiar in some way after using Cyberoam. Maybe they had adopted various features, and so the appliance would be familiar in how it was set up.

Would you consider the Sophos XG series easy to set up and deploy? I don't really want to get a technician in to set up the system on the new UTM. I set up our Cyberoam and continue to manage it without a problem, so I am hoping to do this with whichever new one we choose.

Any other thoughts about your positive or negative experience with Sophos UTMs would be appreciated.
How do you import the settings from the old SonicWall T215? E.g. where is it in the menu options?
Hello experts,
I have 3 SSIDs configured on an autonomous Cisco AP; all authenticate against an ACS server, so there are three policies, one for each SSID. I did configure DNIS as *WIRELESS_SSID in "End Station Filter", but it looks like it only works for WLC, not the autonomous AP, and it seems the Cisco autonomous AP is not sending SSID info to ACS during the processing of authentication. My question is how to make the Cisco autonomous AP do this. I did try the following:
radius-server attribute 32 include-in-access-req format %h
radius-server attribute 30 original-called-number
radius-server vsa send authentication
but it doesn't help. Please give me your suggestions.
I have a question about best practices regarding network topology.

I operate a relatively small network. I have my network broken down into 5 different networks:
/24 - for device management - VLAN 1
/16 - for servers (original IP address space before I came to the company - everyone was on the same network with the servers) - VLAN 2
/24 - for wired Ethernet devices - workstations and laptops - VLAN 5
/24 - for wireless devices - laptops mainly - also a VLAN 10
/29 - very small subnet, used for a VLAN 254 between our main switch up-link, web filter and firewall device.

That last subnet is where my question lies.

Is it a good practice to concentrate egress/ingress Internet traffic into its own VLAN?  When I set this up 7 years ago, I thought it was.

We are getting a new firewall/router - it will replace our current firewall and web filtering solution.  I am wondering if I should keep this setup, or if I should just make the new device part of the network and call it a day?

The other idea I had, since this new firewall has many LAN side ports was to eliminate VLAN 254 and use 3 separate up-links for VLANs 2, 5 and 10 on my main switch to the new firewall.

My other thought was to use a trunk port for the up-link to the firewall and configure it like router-on-a-stick using sub-interfaces on the firewall.

My networking skills are a little rusty, and was hoping to hear from others that may be wiser …
I would like to seek expert advice on my attached diagram. I am not strong in networking; our company has purchased new devices: a SonicWall TZ600, an Aruba 2930F and an HP 1950. Please review the picture I sent and guide me on my questions below:

1. For the firewall uplink on the switch port, how do I configure it, e.g. untagged VLAN 100 or 6, and do I need to tag VLANs?

2. For the firewall interface which is configured, do I need to do anything?

3. For the downlink and uplink switch to switch, what should I configure? Because in Cisco I notice that you just trunk all, and HP is untagged and tagged, so which VLAN should I untag and tag? VLAN for uplink.
I need to know whether my FortiGate 60D is blocking outbound traffic from an internal IP. Wireshark shows that traffic is hitting the firewall from the internal IP.

How do I accomplish this using the FortiGate GUI or CLI?
I am unable to connect to a remote site using Citrix Receiver software through our SonicWALL NSA 2600 firewall.
This is the case on several machines behind our firewall; when I test on a computer outside of our firewall, the Citrix Receiver works OK.

The remote site is a vendor's site that we have no control over, and they require that we use Citrix Receiver in order to connect to their web server. The connection will not establish, though, and just gets stuck "negotiating" the connection. Or the Receiver disappears and a black window appears instead of the remote machine.

I am converting to SIP at a company site. I set up the FortiGate 60D identical to another one of our company sites where SIP is already implemented.

The SIP cloud provider tells me that the firewall is not "passing confirmation packets the phone system (PBX) sends out when it detects an incoming call", and this is causing their system to transfer the call to our failover number.

I have opened up all requested ports (TCP/UDP etc.), configured the policy, and set QoS to high priority - everything they suggested, and as I mentioned earlier, it is configured exactly like our other site's firewall.

I suspect it is a configuration issue with one of their servers. In any case, logging for all events is enabled in the firewall policy. How can I tell if the firewall is blocking/not passing back the confirmation packets the SIP provider mentions?
Need to close an open port on Cisco ASA 5505 version 9.1. I have a compliance issue with port 5555 and need to block it. I know I need to create an ACL but want to make sure I configure correctly. I am also completing these changes remotely.
I have an ASA-5508x, administered by a vFMC. Both are running Note that this is FTD, not the older ASA software.

I have a server behind the 5508, in a DMZ, that I want to have send email via an SMTP connection to Office 365. The problem I am seeing is with the FTD performing "SMTP inspection" and mangling the SMTP session. This can be seen when I telnet to port 25 and see a heap of asterisks, i.e.
220 ***************************************************************************************.

This, unfortunately, prevents my application from being able to start a TLS session, authenticate and relay.

I am trying to figure out how to turn this off. I have checked the rule that is allowing traffic on port 25, configuring NO intrusion policy and NO file policy, but SMTP inspection still seems to be occurring.

How do I disable this, and have SMTP traffic pass unmolested?

It would be preferable if I can do this in a rule, or in some other way make it apply to just a single host, but if it has to be implemented globally that is workable.
Need to set up a Cisco ASA 5500 to allow only certain IPv4 addresses in from the WAN to the LAN on ports 5060 and 5061 TCP and UDP. I want to block all other IPv4 addresses from the WAN trying to access ports 5060 and 5061 TCP/UDP from the WAN to the LAN.
Dear Experts, in this diagram, can we use Cisco router instead of ASA Firewall 5515?

We'd like to set up failover between the routers/firewalls. Is there any other diagram with which we can achieve it?

Behind the router/firewall, we have Exchange 2016 servers, Active Directory servers, ERP servers and shared file servers. Which ports/configurations should we consider to allow traffic through the firewall/router? Many thanks!
Dear all,

I need to buy a Kerio Control next generation firewall NG500, and I need to make 2 VLANs: one for our guest network and one for our corporate network.

thank you