Vendors Firewall

Similar Messages

• Afctl automatic firewall

  I am having a fair number of ssh brute force attacks on my server. The afctl firewall takes care of these attacks initially by adding rules with ipfw. The rule numbers start at 1700, and the it looks like multiple rules are added for each offending IP address (about 10 rules as it seems). After a short while, the rule number reaches 1899, and then no more rules get added. The system.log list the following error message:
  Jun 19 16:14:54 computer_name afctl[32548]: Too many rules, entry not added to the blacklist
  Is this behavior normal, i.e., why are so many rules added for the same IP, and why does the system stop adding at rule number 1899? I could not fine any way to configure the rule numbering in any of the configuration files.
  Any help would be highly appreciated.
  -Stefan

  Botnets are routinely large enough to bypass IP-based blocks; one probe from each of a gazillion hosts.
  Botnets routinely render user-based evasion schemes ineffective; evasion is an old scheme, and the botnets defeated that approach years ago.
  Got a couple of scrap x86 boxes and some spare PCI NICs? Congratulations. Add pfSense or M0n0wall or Smoothwall open-source packages, and you've got a firewall.
  Watch any of the used-equipment sources, and wait for a surplus (insert vendor) firewall.
  As for other options...
  :: fwknop or knockd or other port-knocking.
  :: Move ssh off port 22, and relocate the port somewhere up in the non-privileged port range and often somewhere up near the ephemeral range, preferably on an unallocated port. (With port-forwarding at a mid-grade firewall, you could potentially relocate the port at the firewall and leave the server unmodified, as various of the server-grade firewalls permit forwarded ports to be retargeted to other ports. Otherwise, you're reconfiguring ssh at your server.)
  :: VPN. Preferably at your new firewall.
  :: [Denyhosts|http://denyhosts.sourceforge.net>.
  Regardless, move your ssh-enabled users over to certificates or certificates with passphrases and not passwords, and only enable specific users for ssh access. That reduces your exposures, even if it doesn't avoid filling your logs with failed accesses and your server with ssh overhead.

• What is the best design to connect redundant Firewalls to redundant switches?

  Hi All,
  I would like to know the best possible design to connect redundant Firewalls(Netscreen,FortiGate etc) to redundant switches.I have dealt with Cisco FWSM's in which both the Firewall and switch is in the same chassis. So for the Vlan's behind the Firewall, we just create the L3 interface on the fwsm and do a static route in the switch. The Gateway IP will be tied to the primary fwsm and the failover happens through the network. But now i need to know the best possible design when i am connecting to a different vendor firewall.
  Let's say i have 5 vlans and all these vlan's are behind the Firewall. The redundant switches will have the L2 vlan's created and have a static route to the Firewall. I am proposing the attached design in which i will have L2 vlan's created on the switch and L3 on the Firewall. The Firewall's and the switch will be connected with one trunk port and an access port for uplink and downlink traffic. The two switches will be connected each other using a vlan trunk.The two firewalls will be connected using a redundancy vlan.
  I am not so sure about the working of other firewalls such as Netscreen and FortiGate. I am also confused with the traffic path that the frames will take by having this design.Please advice if you have any suggestions.
  Appreciate your help and advice.
  regards
  dathan

  subhash007 wrote:It's not 802.3ad link aggreagated interface. In the switch side, the ports will be configured as normal access ports and the bonding config will be done on the server side.
  To be honest, I don't understand how the Linux bonding mode can work without anything configured the other end.
  My understanding of 'bonding' comes from Multilink PPP (MLP) where the data stream is chopped up and split across two (or more) circuits. At the other end, a similar MLP-enabled device reforms the data stream from the multiple circuits, maintaining packet order. But this requires MLP-enabled 'bonding' devices at each end.
  Perhaps you could help me better understand the Linux bonding...
  subhash007 wrote:If any single homed server is connected to Switch 2, what will be traffic path for its data packets?Switch 2 ------------------> Switch 1 ----------------------> Active firewall                                   ORSwitch 2 ------------------> Passive Firewall -----------> Active Firewall
  If the firewalls operate in the same fashion as Cisco ASAs, then the inter-firewall link doesn't carry traffic. It's for failover detection and HTTP replication only. But like I said, I'm not familiar with this vendor's products.
  subhash007 wrote:Also will there be any change in traffic path if the trunk between Switch 1 & Switch 2 is converted to L3 routed interface? Since there is no VRRP, i can convert the trunk to L3 right?
  Same as above.

• Last time I updated Firefox (V. 5) it deleted my Fast Dial page and it was a real hassle getting it back. If I update to Firefox 6 will it delete my Fast Dial page?

  If I update to V. 6, will I lose my Fast Dial page like I did when updating to V. 5? If so, is there a quick fix to restore the Fast Dial page and all the saved bookmarks?

  '''''Fast Dial''''' has a new version available for download here: https://addons.mozilla.org/en-US/firefox/addon/fast-dial-5721/versions/
  *Users are not currently being automatically updated with this new version on users with a prior version of Fast Dial installed until the new version is fully released
  Note that other Add-ons may not be compatible with Firefox 6.
  *Some Extensions will never be updated by their developers for new versions of Firefox
  *Google toolbar is one (Google will only produce Google toolbar for IE in the future)
  **http://googletoolbarhelp.blogspot.com/2011/07/update-on-google-toolbar-for-firefox.html
  **http://www.google.com/support/toolbar/bin/answer.py?answer=1342452&topic=15356%29
  **Google Toolbar 8 FAQ (IE only): https://www.google.com/support/toolbar/bin/answer.py?hl=en&answer=1111588
  **Alternatives:
  ***http://kb.mozillazine.org/Using_Google_Toolbar_features_without_toolbars
  ***https://addons.mozilla.org/en-US/firefox/addon/googlebar-lite/
  ***https://addons.mozilla.org/en-US/firefox/addon/gbookmarks-google-bookmarks-fo/
  *some security software vendors (firewall, AV/AS) have not updated their toolbars for Firefox -- check on the forums for your security software or contact them directly via phone, e-mail, chat or whatever method(s) of communication they offer to their customers.
  '''If this reply solves your problem, please click "Solved It" next to this reply when <u>signed-in</u> to the forum.'''
  Not related to your question, but...
  You need to update some plug-ins:
  *Plug-in check: https://www-trunk.stage.mozilla.com/en-US/plugincheck/
  *Shockwave Flash (Adobe Flash or Flash): [https://support.mozilla.com/en-US/kb/Managing%20the%20Flash%20plugin#w_updating-flash Updating Flash in Firefox]

• Firewall/Security Vendor Suggestion

  Hey,
  Please bare with me before we start the main content...
  First, I would need your suggestion. Especially if you got hand-on experience with the following vendor products.
  Second, If you could help list Pros and Cons for the suggested vendor/product, that will be great.
  Third, prefer to not to make this to be a hugh feature comparison plus no personal attack plz (u know what would happen if someone saying others are better than Cisco here )
  So here is what I need suggestion for: we are solely a Cisco shop when selling firewalls to customer, mainly SMB customers. Now we would like to expand our product offering portofolio on the network security side. So we wont stuck with one product(we had a really bad experience end last year of a particular Cisco product). After some digging, I narrow down to followings:
  Checkpoint
  fortinet
  watchguard
  There is a big ISP re-selling juniper firewall here in town. So might not be a good idea to join fight with them...
  So what is your suggestion? Maybe there are also other vendors/products I missed? Please keep in mind, our target market is mainly SMB.
  Also from certification perspective, the value of the cert from vendor? I had CCSP (now called CCNP Security) but expired in 2010 ...
  Thanks,
  /S

  IMO UTM is strictly a marketing term. In the real world I have yet to see a device that can do everything. A router is not always more money. For example an ASA5505 with unlimited users is more money than an 891 Security router. A 50 user license with Anyconnect is within a couple of hundred dollars of an 891. If you buy a 10 user count license, then the ASA has a lower cost. The nice thing about routers is that they have such a rich feature set. Features like DMVPN, QoS, AVC, Multicast, GRE, PBR, etc that ASA's can't do. The features in IOS should be an easy sell to the customer.

• On win 7 64 bit mozilla or IE 10  I get the following message This installation package could net be opened verify that the package exist and that you can access for contact the application vendor to verify this is a valid windows installer package I trie

  I get this following message when installing the latest itunes on mozilla or IE10 was working on this machine before crash and reinstalled for HP disc I tried at leat 15 times firewall off /on microsoft essentials on/off  on windows 7  64 bit  see  message
  This installation package could net be opened verify thatthe package exist and that you can access for contact the application vendor to verify this is a valid windows installer package

  If you are not already doing so, install from an Administrator account.
  If you haven't already done so, download the iTunes Installer from:
  http://www.apple.com/itunes/download/
  Then right click on the installer and select "Run as Administrator." (Even though you are using an admin account).
  If that doesn't work, try creating a new administrator account and installing from there.

• Windows Firewall damaged by 'Windows 7 antivirus 2012'

  I run Windows 7. I think 64bit, not sure.
  I have been getting hit with a lot of rogue antiviruses and up till now have been fighting them off, but last night I was hit by a new rendition of "Windows 7 Antivirus 2012".
  I got a window saying explorer.exe wanted to make changes to my computer, I would tell it no and each time it would return. In between the constantly returning window I managed to open the task manager, find the process, and end the process. I then found
  the file and destroyed it with killbox.
  Everything seems to be back in working order now, except for the firewall. Every page in the control panel for windows firewall gives me an Administrator button that says use reccomended settings', when I click it it says it can't do that and gives
  me error 0x800705b4, which I understand to be an authentication error.
  The last time I had this I tried to reset my firewall with an admistrator command prompt, it would tell me it could not load wshelper.dll, so I did some stuff I cannot remember to reset my winsock and was then able to reset my firewall and all was good again.
  This time when I go into command.com and type 'netsh advfirewall reset' instead of the DLL message, I get 'An error occoured while attempting to contact the  Windows Firewall service. Make sure the service is running and try your request again'.
  In my attempts to fix this myself I have been to the device manager. I had it 'show hidden devices' and located my Windows Firewall Authorization driver. I found it had been stopped, and so I started it again. It currently says it is started, but nothing
  has changed functionally.
  I have been into Services as an Administrator; Windows Firewall is not there. I was also told to look for Windows Event Controller and Base Filtering Engine and they are not there either.
  I have done an administrator command promtp with sfc /scannow and the first time it said it had made changes and the second time it said everythign was alright but nothing functionally has changed.
  I have been told to enter the following command prompts and gotten - the following results
  netsh advfirewall reset - error stated above
  net start mpsdrv - The requested service has already been started
  net start bfe - The service name is invalid
  net start mpssvc - the service name is invalid
  regsvr32 firewallapi.dll - Popup window stating DllRegisterServer in firewallapi.dll succeeded
  no functional change after that.
  I have also been told to try:
  sc config wuauserv start= auto - [SC] ChangeServiceConfig SUCCESS
  sc config bits start= auto - [SC] ChangeServiceConfig SUCCESS
  sc config DcomLaunch start= auto - Access is denied.
  net stop wuauserv - The Windows Update service was stopped successfully.
  net start wuauserv - The Windows Update service was started successfully.
  net stop bits - The Backround Intelligent Transfer Service was stopped successfully.
  net start bits - The Backround Intelligent Transfer Service was started successfully.
  net start dcomlaunch - The requested service has already been started.
  I have also tried a system restore, but whatever is screwing with my firewall is also screwing with that an it will not complete successfully.
  A Windows XP thread steered me toward a file called, I believe, netfw.inf in my windir folder, related to the firewall. This does not seem to be on my Windows 7 machine and I have been unable to find the Windows 7 equivalent.
  So, it appears my firewall is gone, or just pretending to be. I fixxed it last time by making some correction to my winsock but I cannot seem to find the process I used for that. Additionally, Microsoft Security Essentials has dissapeared from my system
  tray, though otherwise seems to be working fine.
  I am confident that this can be fixxed without a wipe and reinstall. Please help.

  Hi
  Make sure that PC is clean(free from zero access rootkit before trying this fixes)
  This firewall issue is commonly found on vista and windows 7 (64 BIT OS)
  It is recommended to contact malware removal forums to remove it first and try the fix
  Run the services repair tool by ESET
  http://kb.eset.com/library/ESET/KB%20Team%20Only/Malware/ServicesRepair.exe
  Restart the PC.Firewall and critical missing services should work.
  Manual Fix
  Download both the registry files
  Windows firewall - 
  Firewall
  Base filtering engine - 
  BFE
  Launch them,You should get a UAC prompt now
  Click YES  & Restart your PC
  Now,Press Windows+ R key and type
  regedit and click ok
  go to
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BFE
  Right click on it-permissions
  Click on ADD and type
  Everyone and click ok
  Now Click on Everyone
  Below you have permission for users
  Select full control and click ok
  Now,open RUN and type
  services.msc and click ok
  start base filtering engine service and then windows firewall service
  If you still have this error
  Windows could not start Windows Firewall on local Computer. See event log, if non-windows services contact vendor. Error code 5.
  Download and launch this key,click YES
  Shared access
  give full control permission to this key similar to previous one
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess
  Right click on it -permissions
  Click on Add and type
  Everyone and select Full control
  You should able to start firewall now
  You may also be missing security center windows defender ,BITS and windows update services
  Download
  Security center  -wscsvc
  Windows defender - windefend
  BITS    -  BITS
  Windows update  - 
  wuauserv
  Launch them and click YES when you get a UAC prompt
  Good luck

• Network Security IIS 7.5 FTP & Managed Firewall

  Hello
  The scenario is that we have an IIS 7.5 Windows 2008 R2 box ("IIS Box"), and on that box we want to configure a single FTP site.
  The FTP site will use the Basic Security option (no Anonymous access)
  The IIS Box sits behind a wholly-independent managed firewall appliance from a leading vendor. We trust the managed firewall and its configuration, and as such, Windows Firewall is completely disabled on the IIS Box. The managed firewall is configured to
  NAT 1-1 from private to public IP addresses.
  Ideally, I would have liked to have configured a policy on the managed firewall to allow all traffic through based on a specific source IP address, since the FTP clients to access the FTP site are well-known to us and we are not giving access to very many
  clients. Unfortunately this is not an option because the clients who are requesting access do not have static IP addresses.
  We also believe that establishing a Site-to-Site VPN and running the FTP within that, is not an option.
  What we are considering having to do, therefore, is to configure the managed firewall to allow FTP protocol through, regardless of the source IP address associated with the connection. i.e. Everyone can establish the connection, and we rely upon the Basic
  FTP security mechanism built in to IIS to protect us.
  I do not think this is ideal but it should be only a short term arrangement and we will ensure that the Physical Directory that can be accessed through the service leaves a reasonably narrow scope in terms of potential attack / abuse
  The question I have before I proceed with this, concerns the need for Passive FTP Data Channel ports.
  Clearly, to make this work, I will have to specify within the IIS settings, which ports to use. Let's say for example that I go for ports 10000-11000.
  Q1. My understanding is that I need to configure the managed firewall to permit INBOUND connections to the IIS box targeting ports 10000-11000, 20, and 21. Is that right?
  Q2. If I do, I then have a situation where my firewall is going to allow all connections through on those ports, and since this firewall is NOT application-aware, it won't care whether they are being used for FTP or anything else. It will simply let ALL
  connections through. At this point, what are the ramifications in terms of how IIS will respond? For example, is IIS FTP smart enough to realise that it should only permit connections that it has already arranged over the Control link (20/21)?
  Q3. If I specify in IIS admin that I want to use 10000-11000 for FTP - is IIS clever enough to PREVENT those ports being used by any other apps on the same IIS box? My concern here is, given that the managed firewall will definitely be letting ANYTHING through,
  what potentially happens if some other app or code starts listening on port 10500?
  I understand that whatever dynamic port range is configured on the server would generally be used for Outbound connections any way (source ports) but Still - I just would like any thoughts on the security ramifications of the configuration I am proposing.
  I don't feel Entirely comfortable yet, that I am not opening up an point of vulnerability.
  I am really looking for technical thoughts on the networking side of this, rather than (for example) general advice about "make sure you have Windows Updates installed" etc.
  thanks

  Hi Robert,
  I suggest you use the passive operational mode to achieve your goal.
  In which mode, the client initiates the data channel connection, then the server responds with the TCP port number to which the client should connect to establish the data channel. We can
  restrict the port range used by the FTP service, and then create a firewall rule that allows FTP traffic on only those allowed port numbers.
  How to Configure Windows Firewall for a Passive Mode FTP Server
  http://technet.microsoft.com/en-us/library/dd421710(v=WS.10).aspx
  Best Regards,
  Amy

• 2 Tier firewall design

  Hi All
  what are peoples thoughts on a 2 tier firewall design for a large enterprise, is it normal and recommended paractice to have 2 layers of firewall? and of different vendors ?
  also would the rulebase normally be duplicated on each firewall ?
  cheers

  Hi,
  The most common situations where I've seen this used is when a customer has an office network and an automation network. So mostly in factories/mills where its important to separate the 2 networks from eachother.
  In these cases the firewall pair between office and automation are usually doing NAT Exemption for all traffic. Any NAT is handled on the firewall equipment on the edge of the whole network.
  In these types of setups you can basically leave the inner ASA without any NAT configurations and you will mostly be configuring ACLs while the bulk of the firewall configurations are done at the edge devices.
  - Jouni

• Windows Firewall has a port open but when I do a port scan the port is closed

  Hello,
  I have a new door entry device that is being installed that has a internal IP address of say 192.168.200.12 that requires port 3001 to be open. The device is reachable via ping and is plugged into a HP Procurve 2910al switch that is connected or supposed
  to be connected to the the server for the KeyScan software at 192.168.200.13 but even with the TCP/UDP ports opened up on port 3001 the server at 200.13 it can't communicate with the device at 200.12 on the required port of 3001.
  Ironically I ran Zenmap to see if the port was open and it's not even registering the port as being open.
  I'm doubtful it's our Sonicwalls since this is a internal address; we are running a 32 server Windows Server 2008 R2 network that is running perfectly fine.
  What could I do to allow this device to communicate with the server even if the firewall is disabled or has holes poked into it?

  The vendor that was here to install it (CCTV) said that port 3001 needs to be open in order for the key-entry program on the server (a normal Windows 7 fat client) to communicate with the device in question @ 192.168.200.12.
  In my experience for Windows all you would need to do is either disable the windows firewall or poke a hole in the firewall for TCP/UDP on port 3001 for this to work.
  We run a network of purely on HP Procurve switches (that functions perfectly fine for over 1200+ user network) so were not dealing with a Cisco switching security issue so I'm left to think outside of the box or in this sense inside of the box. I'm doubtful
  it's our network but then again I've never had to open a port for a device that you can't physically manage.
  The device in question as stated before is like the hub that all of the key-entry scanners from all 150 doors tied into that then communicates via the IP in question to the key-entry server. in theory it should be simple but lol nothing ever goes smoothly!!!!
  any ideas?

• WRT54GS - Firewall - adding program to router's firewall

  Need help.  I have ATX 2007 tax software and I'm trying to do an e-filing.  I contacted software vendor and was walked through adding the software in exceptions using Windows Firewall.  I also disabled the windows firewall but still could not do a filing.  I kept getting error message of no internet connection.  Strange thing about this, I have ATX 2006 software and able to do e-filings and connect to internet.  The techies at ATX said the problem was the router.  They tried entering my computer remotely but could not get through because again they said router's firewall is blocking.  How can I add my software through the router's built-in firewall?  In the meantime, I have to revert back to dial-up (ugh!) on my old laptop just to do e-filings for my clients.  Any suggestions?

  The router only works with a broadband cable/dsl connection and not dial-up. Can you get online with the router?
  The box said windows xp or better... So I installed Linux!

• VSS MEC to different vendor devices

  Hello:
  I am configuring a VSS using two 4507R with dual supervisor, and I'd like to know whether MEC supports a different vendor's device in the other end.
  To be specific,  I need to connect this VSS to a non-Cisco firewall. If this firewall supports LACP, I want to use a L3 portchannel between my VSS and this firewall, but I' like to know whether this would work.
  Thanks in advance, Faimy.

  Did you ever figure this out?  I am in the same situation and cannot figure out how to refer to specific ports on the same motherboard.
  https://wiki.archlinux.org/index.php/Pu … ont.2Frear looks promising.  However I forget whether one of my cords is plugged in to the rear jack or the center jack, and moving my desktop to look is a little involved.  Oh well, next time the need arises I will experiment further.
  Last edited by rosshadden (2014-03-06 03:22:47)

• Oracle server and Checkpoint firewall

  When setting block Findricset SQL Injection
  on Checkpoint firewall and try to login by sqlplus
  to the db server (8.1.7) behind that firewall
  the following error messages occur:
  ORA-24323: value not allowed
  ERROR:
  ORA-03114: not connected to ORACLE
  Error accessing PRODUCT_USER_PROFILE
  Warning: Product user profile information not loaded!
  You may need to run PUPBLD.SQL as SYSTEM
  ORA-24323: value not allowed
  ORA-24323: value not allowed
  Error accessing package DBMS_APPLICATION_INFO
  ERROR:
  ORA-03114: not connected to ORACLE
  SP2-0575: Use of Oracle SQL feature not in SQL92 Entry Level
  ORA-24323: value not allowed
  Can anyone tell me where's the problem?

  It appears that the firewall is blocking the connection to the database. Since this appears to be something more than a basic firewall product (i.e. it is doing more than allowing and denying requests on particular ports for particular IP addresses), you would need to talk to your firewall vendor to determine why it thinks a SQL*Plus connection is a SQL injection risk and how to get around the problem.
  Of course, you could set up something like Oracle Connection Manager to proxy the connection through the firewall, but that may well defeat the point of an active firewall product.
  Justin

• R/3 to R/3(Outside the firewall)

  I need to send an IDOC outside our Firewall to one of our vendor and they are receiving the data, in an IDOC.
  How should I approach this scenario.
  On the Sender side I need to use the IDOC adapter (No Configuration is needed)
  on the receiver side what adapter I need to use, because the receiving system is outside the firewall, any special points I need to keep in mind?>
  thanks

  Hi Mohan,
  you can use saprouter SNC to create a secure tunnel
  http://help.sap.com/saphelp_nw04/helpdata/en/0a/0a2e24ef6211d3a6510000e835363f/content.htm
  as shown on the picture
  http://help.sap.com/saphelp_nw04/helpdata/en/0a/0a2e24ef6211d3a6510000e835363f/ADDONSEC_image004.gif
  to connect two R3 systems
  but probably your basis team will handle this connection
  Regards,
  michal

• Can JMQ 2.0 work through a firewall?

  We are interested in using JMQ for B2B communication for messages to be sent
  through firewalls from one enterprise to another. Does JMQ 1.1 support this or
  does JMQ 2.0? If JMQ 2.0 is the only option, can you please specify when it
  will be released, as of now it is only in beta version? I would appreciate your
  prompt response as we are in the process of evaluating each vendor.

  JMQ 1.1 only supports a TCP based transport, and could only work across a firewall
  if that fiewall was specially configured to let the communication through. JMQ 2.0
  will support use of HTTP as a transport, and this will eliminate the need for
  special administration for any firewall that will naturally allow HTTP through. JMQ
  2.0 is in Beta now, and is scheduled to be available as an FCS product early in
  Q2CY01.