Software Firewalls

Software firewalls, also known as host-based firewalls, provide a layer of software on one host that controls network traffic in and out of that single machine. Most operating systems now include firewall software, but many available software firewalls also include central distribution, antivirus systems and disaster recovery.


I am on an Amazon Linux 2 AMI running Apache 2 and I need a software solution for security. I have been told mod_security isn't a good choice. So does anyone have experience with AWS WAF? If so, what rules are you using?

Or, do you have another idea altogether?

On my previous instance I used fail2ban but I found the bots could outsmart fail2ban so hopefully someone will have a better choice.

Let me clarify: my biggest problems are Postfix issues, stopping DDoS, and bots running up and down my site stealing bandwidth, clicking on every link and generating numerous disk I/Os which I have to pay for.

By the way, I am not interested in using another AMI due to the complexity of my existing AMI.
The Firewall Audit Checklist

Preparing for a firewall audit today is almost impossible.
AlgoSec, together with some of the largest global organizations and auditors, has created a checklist to follow when preparing for your firewall audit. Simplify risk mitigation while staying compliant all of the time!

Dear All,

We are planning to install a new Windows Server 2012 domain controller on our network and join it to the existing domain. However, the original domain controller is located on another subnet protected by a firewall. We have opened the firewall rules (two-way) according to the link, as follows:

TCP 3268
TCP 3269
Kerberos (TCP/UDP 88)
TCP 25
TCP 135
TCP 49152 TO 65535
TCP 5722
UDP 123
UDP 49152 TO 65535
UDP 138
TCP 9389
UDP 67 and 2535
UDP 137
TCP 139

while all ports other than the above are dropped.

We have configured the DNS server of the new domain controller to point to the first domain controller on the other subnet. Both servers are running Windows Server 2012 Standard edition. When we try to promote the new server to a DC and add a domain controller to the existing domain, the following error is prompted:

"Verification of replica failed, An Active Directory domain controller for the domain could be contacted. Ensure that you supplied the correct DNS domain name"

After we requested our firewall team to open Any-To-Any (two-way) between the first and new domain controllers, the above error message disappeared and we were able to join the domain. The firewall is managed by another team so we cannot check the deny log on the firewall.

Our …
I am trying to take a backup of my ASA through TFTP.

Command: ASA01/Hyb(config)# write net

Response:

Building configuration...
INFO: Default tftp-server not set, using highest security interface Cryptochecksum: ******************************** !
%Error writing tftp:// //Test-561.tmp;int=inside (Timed out attempting to connect) [FAILED]

Also, after executing this command, Test-561.tmp is created in the TFTP directory but with size 0.

The TFTP server is installed on Linux; tftp is working fine as I am able to take a backup of another ASA which is on the same network.

Your help will be appreciated.

Dilraj Kumar Paswan
We have a Cisco Wireless Controller 2500, and it does not support web filtering. I just want to do web filtering for my office WiFi.

So can I use any tool on the DNS server to block websites?

Please suggest some simple, open-source tool.

Hi Anyone,

Can anyone advise how to troubleshoot this error, as attached?

1. I am able to ping, and SCCM can detect the client and it is active.
2. When I try \\LIOE17BSD1889LC\admin$ I have the local admin password but just can't connect; trying domain\admin, .\admin or \admin still doesn't work.

Trying to go to Client Actions > Run Software Inventory Cycle and got this error.

Please advise.


I am looking for some discussion and feedback on best practices for managing a firewall with HTTPS inspection, URL and application filtering, and dealing with a consistent issue where CDN resources somehow are not successfully pulled down, resulting in a page not loading. This could be due to any of the blades of the firewall affecting its ability to load, including the inspection, a particular CDN not already being whitelisted, or an ASK for verification of the use policy not showing because it is being pulled down as a .js resource.

In a nutshell, I want to hear how other firewall admins are managing the constant need to allow CDN resources to sites for user bases, with no real streamlined way to proactively plan for it or even sometimes resolve it in a reasonable amount of time.

For example: I am experiencing an issue where a user cannot access a certification site. The site is pulling down resources from Cloudflaressl, CloudFront and Facebook. The domain addresses are very specific and I don't think bypassing HTTPS inspection for these domains, if that's the issue, is a good call. What do you do short of turning the firewall off? : )

Thanks in advance.
My goal is to be able to connect to the private network located behind the OpenVPN client ( via the OpenVPN server WAN interface.
For example, I want this forwarding: http://{Ubuntu WAN IP}:443 --> http://{Private LAN IP behind OpenVPN client}:443
Please take a look at the attached screenshot.
- The Ubuntu VPS knows the route to the private LAN subnet that is behind the OpenVPN client ( and the MikroTik router knows the route to the OpenVPN subnet (
- I can connect to the Ubuntu VPS via SSH and successfully ping the MikroTik OpenVPN interface ( and I can also ping any host from the MikroTik private LAN subnet that is behind the OpenVPN client ( ; needless to say, the private LAN hosts that are behind the OpenVPN client (from subnet) can easily ping the Ubuntu OpenVPN interface ( too.
- Also, any host from the OpenVPN subnet ( if connected to the OpenVPN server via the OpenVPN client allows communication like http://{Ubuntu WAN IP}:443 --> http://{Private IP of OpenVPN client}:443 using a UFW NAT rule.
When I try http://{Ubuntu WAN IP}:443 --> http://{Private LAN IP behind OpenVPN client}:443 I get the following behavior:
1) Packets successfully arrive at the host behind the OpenVPN client (to any host from )
2) But the host on this subnet can't route the received public IP packet back via the OpenVPN tunnel; it replies using the ISP WAN address.

I would be very happy if someone is able to help me solve this …
Hello, could you help with this issue? I can't push a policy in Checkpoint; I get this error:
eror database checkpoint
Could you help me?
Cannot access FTP server (Win2016Std) from internal (or from outside, when used with WordPress as a client).

FTP server ( and IIS are on the same server behind a firewall (TMG 2010). Configured a publishing rule to forward the external IP (X.X.X.X) to the internal (

All firewall rules are configured. Can connect from outside with an FTP client (PASV), no problems! Do not really need to connect from the LAN, but

the WordPress site requires an FTP server set up on the web server to upload updates from the website.

When I try to FTP from WordPress it sends the internal IP of the website as the client IP ( not the client IP of the browser machine.
So, TMG does not allow internal-to-external loopback...

Any solution?
Blocking webmail on Cisco Umbrella but allowing Gmail and Office 365 links

The problem is I am allowing and but when I block the webmail category it also blocks Gmail. Any idea what other URL I need to allow?
Cloud Class® Course: Microsoft Azure 2017

Azure has changed a lot since it was originally introduced, adding new services and features. Do you know everything you need to know about Azure? This course will teach you about the Azure App Service, monitoring and Application Insights, DevOps, and Team Services.

Website can't be reached from the internal network!

I have a weird issue that came up. We have a company website that is hosted on and working. I can access it from outside of my network and without our router/firewall: I plugged my laptop directly into the ISP modem and can access the website fine. I can ping the IP address of the site and the name of the address. I can ping or just fine.
I can nslookup from an internal computer and it comes up with the correct IP address. I cleared the cache on the internal DNS server. I tried turning off the firewall (Cisco RV345P).
None of these are working. Help!!!
Apache Tomcat 8 with IIS and Apache connectors is getting a null request.getRemoteUser() when trying to get to a secure application. I have multiple applications and one in particular keeps throwing this error. I am logged in already, but when I go to this application I get this error. I have tried the old suggestion of tomcatAuthentication="false" and that is making no difference. This particular application is old, and the newer ones built in Grails are not having issues. A teammate thinks something in IIS is stripping something out, causing this; however, other applications are working, so it would be hard to say it is stripping things out. This is all running on Windows Server 2016. HTTPS is in use and there is a firewall involved. Ports have been allowed. The old application with the issue is running an old version of Struts.
Hi All,

We have an issue with our remote devices not talking to the SCCM cloud management gateway. A device that is on the internet will not connect to the gateway. LocationServices.log returns entries like WINHTTP_SECURE_FAILURE. When the device starts a VPN connection to the company network, it connects properly to the on-premises SCCM MP. Oddly enough, when disconnecting the VPN, the device switches over to the cloud gateway without any problem and stays connected. After a reboot, for instance, the same story starts all over again.
Could there be an issue with the SSL certificate on the cloud gateway? I believe it has been configured correctly. Below is an excerpt of LocationServices.log. Any help would be very much appreciated!!

]LOG]!><time="08:26:06.909-60" date="02-14-2018" component="LocationServices" context="" type="1" thread="10500" file="event.cpp:840">
<![LOG[Failed to send request to /CCM_Proxy_MutualAuth/72057594037927939/SMS_MP/.sms_aut?SITESIGNCERT at host ABCDEFG.CLOUDAPP.NET, error 0x2f8f]LOG]!><time="08:26:06.910-60" date="02-14-2018" component="LocationServices" context="" type="2" thread="10500" file="ccmhttpget.cpp:1599">
<![LOG[[CCMHTTP] ERROR: URL=https://ABCDEFG.CLOUDAPP.NET/CCM_Proxy_MutualAuth/72057594037927939/SMS_MP/.sms_aut?SITESIGNCERT, Port=443, Options=480, Code=12175, Text=ERROR_WINHTTP_SECURE_FAILURE]LOG]!><time="08:26:06.910-60" date="02-14-2018" component="LocationServices" context="" type="1" …
I am receiving intermittent issues on a client server. After a while, users cannot access the internet or internal servers. Unfortunately, I am not on site and only have access to the logs, as we need to restart the server before I can get there to minimise downtime for all users.

Once the server is restarted, all users can access the internet/internal servers/share drives etc.

This has only come up over the last couple of months, randomly. Previously the DNS servers on the server had another IP, which is the virtual server NIC (NIC 2), and the TCP/IP v4 DNS had The 169.x.x.x has been removed and the has been changed to

I would really appreciate ideas on what else I should be looking at, as this has me stumped. Are there any ports on the firewall that need to be explicitly open?

The errors at the times the issue begins are Netlogon error 5774 entries. I have copied one below, though I have slightly changed the DNS record of the internal domain name. The IP address is the Server 2012 R2 DC. It is the only one on the network.

The dynamic registration of the DNS record 'DomainDnsZones.DOMAINNAME.local. 600 IN A' failed on the following DNS server:  

DNS server IP address:
Returned Response Code (RCODE): 0
Returned Status Code: 10054  

For computers and users to locate this domain controller, this record must be registered in DNS.  

Determine what might have caused this failure, …
OK, can someone please explain how to get my VPN IP pool talking to my inside network? Everything works fine using the AnyConnect VPN client. It assigns an IP address, but I cannot ping the inside subnet, and the firewall itself cannot ping the VPN IP pool address.

Update: OK, now the firewall can ping the connected client in the VPN IP pool and it can ping the internal (inside) network, but the VPN client cannot ping the inside subnet.

My goal here is to be able to launch ASDM to administer the firewall from afar. Any help would be appreciated.
I currently have a WatchGuard Firebox with UTM and am using VMware.
I'm currently upgrading the environment to the latest VMware and NSX.
Is it recommended to eliminate the WatchGuard and ONLY use NSX?
Checkpoint R75.46

I have installed SmartCenter on one VM and am trying to connect from one host machine via SmartDashboard.

I am getting the error attached.

I can ping the SmartCenter server and telnet on port 18190.
Dear Expert,

I will shut down my Checkpoint Firewall R77 and Hitachi SAN (model: HUS130). Could you please provide a startup and shutdown procedure for the Checkpoint and the Hitachi SAN manual? In addition, please share your experience with the shutdown/startup process. Thanks
The Lifecycle Approach to Managing Security Policy

Managing application connectivity and security policies can be achieved more effectively when following a framework that automates repeatable processes and ensures that the right activities are performed in the right order.

I work in a hospital. We use the Stratus iPad app for interpretation. We have a guest internet circuit that these iPads are on. The circuit was recently upgraded from 35 Mbps to 100 Mbps. No other changes that I know of. Around that time the Stratus app stopped connecting. There is an ASA 5505 on this circuit, but only the default config is enabled.

I took the iPad home and the app worked fine on my home WiFi. I have contacted the vendor and our ISP. Both claim it must be a firewall issue, but nothing has changed. Any ideas?
I use FreeBSD ipfw, and I want to measure the current speed in bytes per second and packets per second for monitoring.
If I have a pipe and two queues in it, ipfw doesn't give the current speed when executing 'show'. If I try to measure speed by counters (ipfw rules), I don't get the real speed because counters measure queue input; some packets can be dropped in the queue or pipe.
Please help.
I have an Ubuntu server on the WAN. I can connect to it via SSH from Windows on another IP range.
My client cannot ping it and I can't ping my client from the server.
How do I use an X app from the server? I installed xinit and the X app on the server.
The firewall is disabled on the Ubuntu server.
PFSense v. 2.2.4, connected to a Comcast circuit with 30 down, 15 up.  A computer connected directly to the PFSense tests speeds at right about 30 / 15.  But if a switch is introduced, the speed drops to 2-4 / 10-12.  Several switches have been tried - all 10/100/1000, none managed or manageable.  Several computers have been tried.  Same result with each.  In each case only the testing computer and the PFSense were plugged into the switch - no other devices.  In the PFSense, the LAN interface is set to automatic and shows a connection at 1000 BT, full duplex.  What could possibly be happening that slows the internet down so significantly simply by virtue of introducing a switch?  And it should be noted that upload speeds are still good, it's just download that drops down significantly.   I do realize that the PFSense needs to be updated to a more recent version, and I will do that, but since the speed is just fine when the computer is directly connected I really don't think the version upgrade is the issue.  Any ideas are appreciated!
Hello, I started to configure a pfSense, version 2.4.1. I want to know if it is possible to configure IPsec multi-WAN failover.

Has anyone had any experience configuring this? I have already configured dual-WAN failover on the pfSense.

I would like the VPN tunnel to be able to stay up if the WAN fails over.

Thanks in advance

I am trying to run PowerSchool Gradebook from our client computers, which go through Forefront TMG 2010 filtering.

But for some reason I get an error message, which I wish to share below with you.

Can anyone guide me and help me understand what's happening?

Launch file error message:

<?xml version="1.0" encoding="UTF-8"?>
<jnlp spec="1.0+" codebase="" version="">
    <title>PowerTeacher Gradebook</title>
    <vendor>Pearson School Systems</vendor>
    <description>PowerTeacher Gradebook Application</description>
    <description kind="tooltip">PowerTeacher Gradebook</description>
    <homepage href=""/>
    <icon href="wgb_dockIcon.png"/>
    <icon href="splash.png" kind="splash"/>
    <resources arch="">
        <j2se version="1.7+" initial-heap-size="256m" max-heap-size="512m" java-vm-args="-XX:MaxPermSize=384m -XX:PermSize=256m -XX:+UseConcMarkSweepGC -XX:+CMSParallelRemarkEnabled -XX:+UseCMSInitiatingOccupancyOnly -XX:CMSInitiatingOccupancyFraction=70 -XX:+ScavengeBeforeFullGC -XX:+CMSScavengeBeforeRemark" />
        <jar href="boot.jar" />
        <jar href="lib/powerschool-gradebook.jar" main="true"/>
        <jar href="lib/powerschool-httpinvoke.jar" />
        <jar href="lib/powerschool-i18n-sdk.jar" />
        <jar …
