Hardware Firewalls

23K Solutions
20K Contributors

Hardware-based firewalls provide more sophisticated protection for inbound and outbound traffic than the simple Windows software firewall or the basic NAT firewalls found in routers. These devices implement techniques such as stateful packet inspection, deep packet inspection, and content filtering; and may include built-in antivirus and anti-malware protection.


Hi guys

One of our users has a Mac with Outlook 2011. They can't be put on the domain as they have a personal laptop, so they are accessing their email from Outlook via the OWA URL, which is mail.domainname.com.

Since they're accessing it this way, they can't reach the directory service and contacts aren't being pulled from AD. So I just wanted to know if anyone knows what to enter in the 'Directory Service' section of Outlook 2011, what to enter in the 'URL' field, and which port number?

Thanks for helping
Yashy
0

We have been hit with ransomware.  Please see the attached screenshot.

The file extensions have been changed to STG.

They hacked into the network, created admin users and made them part of the Admin group, created shares etc.
0
Dear Experts
We have an application hosted on-premises, behind the firewall. The application runs on Ubuntu 16.4 server OS with the components apache2, mysql5.7 and php7.x. This application has to be accessed from an external network (through the internet) located in another county, from their office, where the users will be behind their own firewall. We have to allow them access, hence I have asked them to share their gateway IP so that I can enable access only from this IP. Our hosted application has its own authentication, but we would like to add one more layer of authentication. However, the remote users will not accept any client software being installed on their local systems, such as a VPN client, OTP SMS, or pass-code callback. They only prefer web-based access to the hosted application, and they are okay if we send the second-level security pass-code to their official email, so that finally we achieve two levels of authentication in addition to allowing only their IP to connect to our network. The following were my recommendations:
1. Over the internet (leased line circuit), a site-to-site VPN between their firewall and our firewall, so that end users would have no additional effort and no VPN client would be needed. This they denied, as their IT policy does not permit configuring the firewall on their side.
2. Suggested an MPLS VPN between their work location and our network, but this has also been rejected.
Now I am thinking of some solution like placing the Cisco ASA SSL VPN…
0
Sonicwall NSA 2600 intermittently blocking certain PCs from Internet access. This just started a couple of days ago and nothing has changed on the Sonicwall. Randomly, 2 PCs (that I know of) will be blocked from Internet and site-to-site VPN access until the main Sonicwall is rebooted. Then connectivity is restored until the Sonicwall blocks them again.
0
Hi all,

We have a VPN tunnel between two Sophos firewalls.

Location A = 10.102.0.0/24, 192.168.99.0/24 (VLAN99)
Location B = 10.102.1.0/24

The VPN tunnel is UP and communication between the main networks is working properly.

From site B, however, the DMZ network (VLAN99) in site A is only reachable to a limited extent.

From site B I can ping the gateway (192.168.99.1), but the printer (192.168.99.14) is not reachable. I should say only the gateway is reachable; everything else can't be reached through the VPN tunnel from site B.

I have attached a screenshot of the VPN tunnel configuration of both sites.

Thanks in advance.
connection-between-site-a-and-b.png
0
Dear Experts

We would like to restrict users coming from the internet (though they have a login for the application server). Our objective is that users who have application login access should still be allowed only based on their MAC address: first level, at our firewall, check the MAC ID and allow or reject; then second level, application-level authentication. We are completely okay with allowing users who work from the remote office, which has a strong firewall, but when the same users connect from their home or the internet, the MAC ID is to be checked, and if it is not one of the accepted MAC IDs then access should be denied. The application is web-based: Linux, Apache and MySQL. Below are my doubts.
I have been asked to implement this; however, I am not sure, since the users accessing this application are in their office behind their firewall and will have to pass through that firewall, whether it will still be possible to validate the user's MAC address and grant or reject access from our firewall. Is this possible? Through VPN is fine, but what if the VPN details become known to others and they access from their own systems? Hence the MAC restriction has been asked for. Can you please suggest: is control based on MAC good to go, or are there better solutions? Thanks in advance.
0
If you have a Sonicwall to protect the network and Anti-Virus on each computer/server, is it safe to turn off Windows Firewall?
0
Hi guys,

I know Juniper has a default username "root".
Is there any way to change the username root to some other name?
If root cannot be changed, any ideas to secure the admin user account of a Juniper? Because if it's root, I think it can be easily guessed.
0
I have inherited several small business customers with 1 - 3 PCs in their office.  Most run Norton Security.  A few get hammered with viruses constantly.  

I am under the impression that a hardware firewall would give them a significant extra layer of security.  Is that correct?

If so, I would like to find out if there is a hardware firewall device I could use for all of these customers, regardless of what type of router they have, that is reasonably priced AND easy enough to manage.  To me, a reasonable price for a small office might be a few hundred dollars.  And "easy to manage" would mean it is as simple as Norton Security, where all I ever have to do is set up a firewall rule so they can access their shared data on one of the PCs on the network.

If such a device exists, please point me in the right direction, along with any details and pros-and-cons.  Or, if I'm off on the wrong track here, help me understand why.  TIA
0
I am unable to access our Cisco ASA 5505 via ASDM because we don't know IP address. We were setting up the ASA to act as a DHCP server and made a mistake and changed the IP address. We have the credentials to access it via the ASDM but without the password it won't work. I've tried to access it using Putty but it's asking for a password we don't have.  Is there a way to figure out what IP it is set for?
0

Can we use Let's Encrypt certificates for a SonicWall firewall?
Issue: DPI-SSL is enabled for users and the firewall's self-signed SSL certificate is pushed to clients by GPO. But when applying the filtering rules for mobile users (smartphones, iPhones, iPads and other computers that are not part of the internal domain), they get an "SSL not trusted" error. HTTPS filtering cannot be performed with this error. So is there any way to use a publicly trusted certificate for my SonicWall's local IP, or any workaround to filter HTTPS for those clients?
SonicOS 6.5 or later

Thank you.
0
I'm looking for some guidance on how to allow remote users to access system applications. We are currently running a phase 1 setup where users are sent home with company equipment and use Sonicwall Global VPN software and Remote Desktop to remote into their own computers, located on site.

This is not ideal, however, as it requires equipment on both ends.

Ideally what I'm looking for is a way for a user to have equipment at home, use a secure VPN connection with the Sonicwall Global Client, and then have the user access a desktop that is not in use. One way, obviously, is to have a bank of PCs with one dedicated to each person, but this seems cost prohibitive. So my thought is a virtual desktop.

I currently have two Windows 2016 Servers running my main system, including DNS and Active Directory, among other core services. Is there a way I can build virtual desktops within that server? Should I have a separate server dedicated just to this task? What would be my starting point? Would I use Microsoft's built-in Hyper-V? Would I use VMware in some way?

The first group will probably be only 5-10 users, though this number may go up. I know there are options like Citrix which would provide a web interface, but the way our applications are set up they would require a direct connection, so I don't know if Citrix and the like would work, though I am looking into this as well.

We have hundreds of available DHCP over VPN connections through our …
0
Dear Experts,

I am about to do a VPN entry in an ASA firewall, an ASA5515.

The thing I don't remember how to do is create a copy in the NVRAM, in case I need to reboot the ASA, so it restarts with the saved configuration.

I mean, if I need to reboot the firewall, it goes back to the previous configuration.

Thank you!
0
I have a Cisco ASA 5505 configured to send netflow to a flow collector.  I need to disable all firewalling on the ASA so it just routes (no NAT).  This is for a lab deployment to measure flows through the firewall, but not block any traffic.

I don't know how to configure the firewall to accomplish this (I want to use the 5505 and not some other device due to its supporting Netflow v9, and it's freely available in the lab for me to use for this purpose).

Or do I just set both interfaces to be "inside" named interfaces with similar security levels and that will accomplish the goal?
0
Hi,

I have five locations that have Sonicwalls, and all five locations are connected by VPN. The contract is up with the five Sonicwalls and is up for renewal. The owner wants to consider installing a different VPN firewall at each location. He has not been very happy with the Sonicwalls and doesn't want to renew the contracts for them. I've used Sonicwalls in the past and don't have any problem with them, but the boss wants a change. Each location has 4-5 Windows 7 or Windows 10 computers. The owner wants to know if the Ubiquiti Edgerouter would be a secure solution using site-to-site VPN. I've used the Edgerouter before but never in a situation like this, so I don't know if it would be a good solution. I was thinking about looking at a Fortinet VPN router to replace the Sonicwalls, but I want to see what your suggestions are. Why or why not would you recommend going with an Edgerouter for a site-to-site VPN between 5 locations? Would Fortinet or Ubiquiti be a better (better value, same level of security) solution as a Sonicwall replacement? Is there a better (better value) solution? Thanks in advance for your help!
0
My main office ASA 5520 runs an EZVPN site-to-site with an ASA 5506. Up until the storms the other night the VPN was up; after the storms the VPN won't reconnect. I've tried rebooting the remote ASA, ran clear crypto ips sa peer <ASA IP> from both sides, and even pulled the EZVPN config out of the remote side and put it back in. No luck.

sh crypto isa sa from the 5520 shows:
Company-Firewall# sh crypto isa sa

4   IKE Peer: <Remote FW IP>
    Type    : user            Role    : responder
    Rekey   : no              State   : AM_WAIT_MSG3

Company-Firewall# sh crypto isa sa

Then
4   IKE Peer: <Remote FW IP>
    Type    : user            Role    : responder
    Rekey   : no              State   : AM_TM_INIT_XAUTH_V6H

sh crypto isa sa on the 5506 shows the same thing, only AM_WAIT_MSG2 instead of MSG3.

Debugging the connection from the 5520:
debug crypto isa 5
---===---
Jun 11 16:22:21 [IKEv1 DEBUG]Group = <EZVPN Group>, IP = <Remote FW IP>, IKE SA Proposal # 1, Transform # 1 acceptable  Matches global IKE entry # 1
Jun 11 16:22:21 [IKEv1]Group = <EZVPN Group>, IP = <Remote FW IP>, Automatic NAT Detection Status:     Remote end   IS   behind a NAT device     This   end is NOT behind a NAT device
Jun 11 16:22:21 [IKEv1]Group = <EZVPN Group>, IP = <Remote FW IP>, Floating NAT-T from <Remote FW IP> port 500 to <Remote FW IP> port 4500
Jun 11 16:22:22 [IKEv1]Group = <EZVPN Group>, Username = <EZVPN User>, IP = <Remote FW 
0
I work for a small company with roughly 50 users and have been asked to have an outside vendor perform security/vulnerability testing.  We have several servers, ranging from SQL, to Exchange, to Remote Desktop with a hosted firewall through Windstream.  I thought I would appeal to the Experts in the Experts-Exchange community for advice and/or recommendations for a good vendor that specializes in such things.
0
Every morning we come in and our connection to a hosted application is unavailable. After a few hours of being in, the connection is somehow restored automatically. This connection is restored at the same time every day.

I ran a timestamped ping test to the remote LAN IP over the VPN tunnel from a computer to determine when it goes down and when it comes up. The ping replies with "No resources" right at 11pm, and then the connection is restored right at 9am. You can find the ping file attached.

I don't think this is a physical connection issue on the local end, because the internet remains up the entire time and this only happens on this one VPN tunnel. It seems like there might be a timed rule on the remote VPN side to terminate or block connectivity for that time, but I could be wrong?

Any thoughts?
0
Hi AD Experts,

I need advice on creating an additional "domain admin" account for a specific appliance/service, but restricting it if possible... Herewith the details and background:

Background:

We have a single-domain forest for a large Company (MS Win Server 2008 R2 Forest Functional Level) with several geographical sites. Each site has its own Global Catalog, and the main AD servers with the FSMO roles are situated in our DMZ in our "private cloud" on the WAN. They used to have one central internet breakout in the DMZ for all the sites; they are all part of a WAN + private cloud (DMZ) where we host several applications. We manage the AD for the entire Group (i.e., we are responsible for AD + security and we have the Domain Admin password etc.).

Recently one of the Businesses (Divisions) was sold, and they installed their own local Cyberoam Firewall, which is connected to a new local fibre link internet breakout. But the WAN link back to the rest of our Company, as well as the Active Directory, remains as is, because they still access some of the hosted applications in our DMZ. A new IT Company is now looking after the Cyberoam Firewall on-site at the Business that was sold.

Question:

The new IT Company (the one looking after the Cyberoam Firewall on-site) has requested us to supply them with a Domain Admin account on our single-domain forest AD so that they can use the credentials on their new Cyberoam Firewall for ADS or LDAP …
0

Hello,

I need to create an IE lockdown group policy to block all internet access for some computers but allow exceptions for specified work-related internet websites, and also allow the internal websites.

Please advise how this can be probably done.

Many thanks.

Nav
0
Hi
Cisco ASA 5506-X: I mistakenly deleted the boot file; I meant to delete the ASDM version :-). So I can only boot into ROMMON. I have seen many articles about using TFTP in ROMMON to copy an image, but the problem I have is that the ASA interfaces are down. No link light. My Ethernet cable shows as not connected, so my TFTP server is not listening. I have tried using a normal patch cable directly between my PC and the ASA, and also plugging both interfaces into a switch.

Does anyone know how to fix this?

Thanks very much.

Alasdair
0
Cisco ASA 5520 with AnyConnect VPN authenticated via LDAP. I'm trying to tighten my security down by limiting which users are allowed. I've taken a test user out of the two groups defined by my dynamic access policy and the user is still allowed to connect in. Why?

I have four pictures attached explaining my situation as I understand it:
1) My LDAP attribute map shows the "Users" or "<Location> Users" OUs/containers are mapped attributes.
2) My Dynamic Access Policy shows users that are a member of the "Administrators" OR "<Company Name> Company" group are allowed to continue.
3) A test admin user that has been removed from the "Administrators" group and has never been part of the "<Company Name> Company" group.
4) A normal-level test user that has been removed from the "<Company Name> Company" group and has never been part of the "Administrators" group.

Both of these users can VPN in fine. Why? Any help is appreciated.
AnyConnect_LDAP-Attribute.JPG
AnyConnect_Dynamic-Access-Policy.JPG
Anyconnect_Admin-Groups.JPG
Anyconnect_Test-Groups.JPG
1
Office:
I have a small office that has one Windows 2012 R2 Standard server (which is a domain controller too) with several other workstations, and all seems to work fine.
The office uses a SonicWall TZ300w firewall.

Home Office:
I have a home office with a Windows 7 Pro machine that was joined to the domain prior to being moved and relocated to the home office.
The home office uses a SonicWall TZ100.

The SonicWall GVC (VPN client) is used to connect the Windows 7 Pro machine to the office. Upon an established connection, I can ping the server or any other computer by IP and also by name; in addition I can map the shared folder resources on the server.

The above statement is also true from the office: I can connect to the Windows 7 shared folder (map it) and can ping by IP and by name. However, after a while everything stays the same except the mapped drive to Windows 7 will break and is not available. I can still ping the remote Windows 7 by name and IP, but \\192.168.168.5 or \\homebackup will fail.
Can someone please assist with where the problem might be (TZ100, TZ300, GVC, server)?
BackupChart.pdf
0
How to set up an IPsec VPN between Mikrotik and Fortigate routers
0
We have a Technicolor modem/wireless router combo device provided by Spectrum. When the Spectrum tech first set it up I could connect to it wirelessly and I could see the public WAN IP as, e.g., 1.2.3.4. We plugged it into our Sonicwall device and everything is working fine. Bridge mode is enabled and we have a dynamic public IP, so I set it to DHCP. I just want to know why I'm getting an address of 192.168.0.5 showing on my WAN. I was expecting to see the public IP instead, like 1.2.3.4.

WAN interface
Capture2.PNG
0