Should the Router or Firewall Come First?

Network scenario: I have a typical enterprise network, meaning ISP >> Edge Router >> Firewall|DMZ >> Switch >> LAN.

I know there are several debates on the internet about which device comes first, but based on a typical medium-size office of 500 people, what should come first in the network architecture, the firewall or the router? My thought was that the router should come first because the IOS firewall would be the first line of defense, then a Palo or Sonicwall for the firewall would come next to take what's left. Let me know if you think I'm wrong.

Can a firewall duplicate denied traffic onto a TAP/SPAN port?

We have quite a number of Palo Alto firewalls at various points in our infrastructure, for east-west, north-south, and DMZ traffic, all managed with Panorama. These firewalls have TAP ports which are connected to a network packet broker (NPB) platform that balances session streams and captures all traffic as pcaps. Frequently, I will want to investigate traffic that the firewall has denied, either incoming attack traffic from the internet, or internal east-west traffic that is being incorrectly blocked. However, it would seem that only traffic the firewall has allowed to pass is being mirrored to the TAP port. Is it possible to configure the firewalls to also mirror denied traffic? How would this be done?

Minimum (safest) firewall holes to create to connect to public WiFi networks and use a web browser?

What are the minimum (safest) Windows Firewall holes to make to permit Windows 7-10 computers to connect to public (secured or open) WiFi networks and browse the web with any modern web browser?

Assume all incoming and outgoing packets are blocked on every port unless explicitly allowed.

Note that Windows Firewall does allow incoming packets when only outgoing packets are allowed. This oddness is because it automatically trusts Established Connections. Thus allowing outgoing TCP packets on ports 80 and 443 will also allow incoming packets (even if they were not requested).

So far, this is what I’m thinking is required:

UDP - Local Port 53 - Remote Port 53 - Outgoing - Why: DNS
TCP - Local Port 80 - Remote Port 80 - Outgoing - Why: HTTP
TCP - Local Port 443 - Remote Port 443 - Outgoing - Why: HTTPS

Also, to actually connect to the network and get assigned an internal IP address:

UDP - Local Port 68 - Remote Port 67 - Outgoing - Why: DHCP

Is anything missing or too restrictive?

How to bypass Fortinet Firewall?

I am new to the cyber security domain. I want to know what the best method is to bypass the Fortinet Firewall. I have tried using VPNs but the firewall blocks them; the VPNs don't connect. I tried Tor, but it doesn't connect either. What tool should I use? Also, this is my first question on this stackexchange, so if this is off topic or not posted with the proper requirements, then please guide me in the comments.

Modifying host file versus firewall

I am trying to protect a macOS computer. Specifically, I want to prevent the machine from making unwanted connections over the internet. I am aware of firewalls of course. But I stumbled upon the idea of adding many domain names to /etc/hosts, and redirect them to 0.0.0.0 to prevent connections to them.

Is this method safe? I can see it does not prevent connecting directly to an IP. Would most malware be fooled by such a hosts configuration, or would they likely use an IP address directly, or not honour the /etc/hosts file?

How should I compare using a firewall versus using the /etc/hosts file? I guess the lower the level, the harder it is for malware to get around. So which method is the lowest level?

How can access to Intel ME / AMT be disabled with firewall?

Short of flashing BIOS, there seems to be no way to disable the Intel ME.

So, is there a reliable way to block access to Intel ME, such as using a HW firewall (a firewall in front of the machine, not running on the same machine)?

If Intel ME was used legitimately, how exactly would it be accessed?

Would it be accessed using the same IP (and same MAC address) as the normal NIC, or does it have a separate interface?

How could I, on the firewall, distinguish between traffic going to the main NIC and traffic going to Intel ME?

Would disabling the onboard NIC, and using some other PCI NIC help ?

Why is it so hard to find a description of how Intel ME actually works?

I just need basic info, and cannot find it anywhere online.

Why should I use a firewall

Firstly, I know this looks like a stupid question, but hear me out.

I know what a firewall is and what the purpose of a firewall is: it is for blocking / limiting access to a specific service / port.

I know that it can be useful for allowing only certain IPs to SSH (for example, I don't want to have SSH open to the whole world).

Imagine that I have a server running apache2 (ports 80 & 443), SSH (port 22), and mysql (it is bound to localhost, so it doesn't listen on the public interface).

My question: Why should I even care to block all ports except 22, 80 and 443, if there is no other service listening on them (for example on port 8080), so there is no vulnerability?

Maybe I am wrong, maybe I'm missing something; can someone explain this to me?

DNS Secretly Resets Itself Instantly and DNS Servers are Not Blocked by Windows 10 Firewall Rules

I noticed that on a Windows 10 machine, if I leave DNS to be auto-configured or change the DNS servers to OpenNIC addresses, they are automatically reassigned to

8.8.8.8

75.75.75.75

Malware scanners are not detecting anything, but colleagues say it is a known attack vector to defeat DNS anonymity.

Only SpyHunter detects and reports this change, though I previously found evidence of this by testing. It also seems to override DNS configured by VPN software. It is forcing itself at the top of the list, so it always checks Google before considering OpenNIC as a fallback.

As a mitigation step I tried custom Inbound/Outbound firewall rules to block all traffic in a wide range around either IP, but these rules seem to fail because I can still ping those IPs.

How can I find and fix the root cause and/or how can I completely block all DNS traffic to these IPs?