Pfsense - installation for small/medium enterprise

Just watched a YouTube video about pfsense and have some questions.

I work as a network security consultant for small enterprise customers.

My job is to install and maintain Check Point gateways and management servers for my customers.
This includes firewall rules, IPS, network segmentation, firewall debug, linux os debug and so much more.

Say I have a customer running Check Point today with 70-100 firewalls.

If I changed from Check Point to pfsense, how would I manage all the different pfsense firewalls running at the customer's site?

In the world of Check Point, you install a management server and it communicates to all the different firewalls on-site and off-site.

A rule change on the management server will deploy the changes as needed to the correct gateway.
Logs from all the gateways arrive at a management/log-server.

How does this work in the world of pfsense?

This query has come up before … there isn’t an offering from Netgate to manage multiple firewalls. You’ll need to log in 100 times to 100 different firewalls; perhaps there might be a 3rd party offering, but I’ve not come across it.

Thanks for the answer :slight_smile:

So I take it pfsense is made for SMB customers with few firewalls.

I suppose it depends on your point of view, you can set up alerts on monitoring software like Zabbix. If you want to push out changes, it’s all in XML so perhaps there is a way programmatically.

There aren’t too many updates in a year for pfsense; however, for companies, updating a core piece of infrastructure looks like a project to me! Albeit a small one.

Though I guess you are seeking an automated way of doing this.

However, I believe large enterprises run pfsense, hopefully they have processes for managing it.
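Following up on the point above that the pfsense configuration is XML and could be changed programmatically: an added example (not from this thread or from Netgate) that audits a rule across several config.xml files and adds it where missing, without duplicating it. The `<pfsense><filter><rule>` layout, the element names and the three sample configs are assumptions constructed for illustration.

```python
# Added example: manage one firewall rule across several pfSense config.xml files.
# The <pfsense><filter><rule> layout and element names are an assumption; real
# rules carry more fields (nested <source>/<destination> etc.), omitted here.
import xml.etree.ElementTree as ET

# Constructed sample configs for three firewalls, trimmed to the <filter> section.
SAMPLE_CONFIGS = {
    "fw-branch-1": "<pfsense><filter><rule><type>pass</type><interface>lan</interface>"
                   "<descr>Allow LAN to DNS</descr></rule></filter></pfsense>",
    "fw-branch-2": "<pfsense><filter></filter></pfsense>",
    "fw-branch-3": "<pfsense><filter><rule><type>pass</type><interface>lan</interface>"
                   "<descr>Allow LAN to DNS</descr></rule></filter></pfsense>",
}

def rule_descrs(config_xml):
    """Return the description of every rule in the config's <filter> section."""
    root = ET.fromstring(config_xml)
    return [r.findtext("descr", "") for r in root.findall("./filter/rule")]

def audit(configs, descr):
    """Names of firewalls whose filter section lacks a rule with this description."""
    return sorted(name for name, xml in configs.items() if descr not in rule_descrs(xml))

def ensure_rule(config_xml, rule):
    """Idempotently add a rule (dict of element name -> text), keyed on its descr.
    Returns the config as a string, unchanged if the rule is already present."""
    if rule["descr"] in rule_descrs(config_xml):
        return config_xml
    root = ET.fromstring(config_xml)
    flt = root.find("filter")
    if flt is None:                      # tolerate a config with no <filter> yet
        flt = ET.SubElement(root, "filter")
    elem = ET.SubElement(flt, "rule")
    for tag, text in rule.items():
        ET.SubElement(elem, tag).text = text
    return ET.tostring(root, encoding="unicode")

def push_rule(configs, rule):
    """Apply ensure_rule to every firewall; returns the updated config map."""
    return {name: ensure_rule(xml, rule) for name, xml in configs.items()}

if __name__ == "__main__":
    new_rule = {"type": "pass", "interface": "lan", "ipprotocol": "inet",
                "descr": "Allow LAN to DNS"}
    print("missing before:", audit(SAMPLE_CONFIGS, new_rule["descr"]))
    updated = push_rule(SAMPLE_CONFIGS, new_rule)
    print("missing after:", audit(updated, new_rule["descr"]))
```

Running the audit on a regular schedule is the cheap part of what a central manager gives you: it shows which firewalls have drifted from the intended rule set before anyone has to log in to each one.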

One of the big reasons that my customers changed from what they had to Check Point was the one management. Or one place to make changes for all the different firewalls.

Maybe I could try pfsense for smaller customers with 1-4 firewalls.

If the firewall is correctly set up and fulfills all stated requirements, I can’t see that much needs to be done; OK, things can fail and need to be fixed, but after that what needs to be managed?

If the company is learning about what it needs then I can see that’s completely different, but in that case it’s a project :slight_smile: obviously I come from the project world.

I could see clearing false rules in IDS/IPS being a big problem with that many firewalls to handle, and that can happen anytime there is a change to the rules (might be nightly). I have to go in and check/bypass rules every once in a while from updates to Snort or ET rules.

It sounds to me like the typical pfsense install is not a good fit for this client. You could contact Netgate and see if they have something that does fit the needs.

Thanks for the feedback :slight_smile:

I love to play with new products and run different products in different labs to learn.
I’ve been working with Check Point firewalls for 7 years now and was wondering what other open source firewalls are out there.

Most of my customers make rule changes 10-50 times a day. One change could apply to 3 firewalls.
I don’t count IPS/security changes.

This is one of the reasons we also like Untangle firewalls, they offer the central management.

Ahh. I have to check out Untangle :slight_smile: Thanks

