Adding application signature to firewall rules - pfSense

Hello, in pfSense, is it possible to block/allow applications per firewall rule?

This is a sample from a Paloalto firewall. As you can see (if the picture comes through), each line of the firewall rule allows the user to specify source/destination IP, port and application and check for viruses and spyware.

Is it possible to achieve something similar to this with pfSense?

Thanks in advance for your response.
Mike

If you install SNORT you can do a lot of what the Palo can do. I have used it to replace my Cisco Firepower in my cloud hosting environments.

Thank you Fred for the quick reply. I have not used SNORT yet however my understanding is that it can detect and block applications, just not associated with firewall rules. So you don’t have one panel showing the flow from one end device to another with all the relevant pieces of information.

By the way, do you use any anti-spyware, anti-virus solution at the firewall level? (besides something like Untangle).

Thanks again,
Mike

They have some details in the Netgate / pfsense documentation on how to set that up.

https://docs.netgate.com/pfsense/en/latest/ids-ips/setup-snort-package.html

Thanks Tom. You have a video on OpenAPP id as well (thank you). Is there a reason you are using Suricata over SNORT (just the multi/core/threading or is it something else)? Can Suricata work with openApp ID? If not, do you filter for applications?

How do you handle spyware/viruses/etc. Only on the end nodes?

Thanks,
Mike

Suricata works better on lower end hardware, we focus on the endpoint for the filtering.

Okay, thank you Tom. And thank you for all your videos, this forum and all that you give to the community.

What I am hoping to do is basically what you show in your various videos: pfSense+various packages and also Security Onion or just the Zeek part and drop all the data/logs in ELK stack.

Does that make sense? Would you make this setup more secure?

I am not sure how to segment/protect some of the servers. For example I have a separate, secure vLAN for the management interface of the switches, firewall, etc. However, in order to gather network data in the ELK stack which is in the same vLAN, I will need to open up a port or two to the ELK server, which creates an opportunity to get hacked. How do you deal with a situation like this? (other than creating a separate vLAN for everything)

Right now I am testing ClamAV with Squid as a forward and reverse proxy, but I have had many issues with the deployment and not ready to put into production just yet. I do run TrendMicro on the hosts and only my proxy server (RDWA) has access to the internet.

I would love to have everything running on the pfSense because in my setup the mgmt isn’t accessible from any of the servers.

As far as your design for your syslog server, I would put the syslog server on its own VLAN separate from the network mgmt interfaces. I would then allow UDP port 514 inbound from the mgmt VLAN to the syslog server VLAN. This will force a one way communication protecting your mgmt interfaces should the syslog server get compromised.

Good security design is really about creating as many layers as you can and whitelisting only the flows that are required. If you put systems on the same VLANs/networks then any system on that network can reach another system on any port.

Makes sense. Thank you Fred.