What is your response to someone telling you "pfSense is not a NG firewall and you should be using one"?

I’m just wondering for those of you who deploy pfSense regularly to business environments, how do you respond to that comment? I’m fairly new to the security business and pfSense is really the only platform I know well (I know UB too, honestly). I was recently having lunch with an acquaintance who runs a medium-sized MSP business. He sells Sonicwall and has for a long time. He told me he likes pfSense, but “it’s not a next gen firewall. It’s great, but a bit old-school. You really ought to be selling NG equipment”.

Just coming here for some reflection is all, really.

Thanks!

I would ask what features make it next generation? IDS/IPS, site filtering, etc.?

Also, are clients requesting a next gen device, and what are they looking for in the feature department? This second question is probably the more important question.

I would love to try Cisco ASA or Sophos but the price is so high that I can’t even recommend it…
It always depends on the use case of the company.

I always find when challenged on the Firewall Untangle or pfSense/Netgate that bringing up the licensing and subscription/maintenance fees for Cisco, Sophos, or Palo Alto tends to bring them back to earth.

Some businesses may benefit from SD-WAN routers.

That is a device designed specifically for connecting branches together?

Gateway antivirus, I’m told. Also IDS/DPI but pfSense has DPI I thought. Actually it also has IDS doesn’t it?

Oh heck yeah. My buddy did an install recently and the client requested Cisco. He said the 24p poe switch was something like $2200.

That’s cheap for Cisco, I’m begging for $5k to $6k each for 48 port switches, either Cisco or Extreme, depends on how “compatible” I want to be with some software support contracts. My Enterasys C5 switches cost $5k when I bought them too many years ago.

Yes pfsense has Suricata or Snort and you can license the good rules or stay on the community version.

As far as virus scan on all connections, there are issues with that and Tom has spoken a lot about this issue. The issue is that once you get into HTTPS, the data is encrypted at the server and the client. How can an AV scan the traffic in the middle? You can set up pfsense with its own certificate and use it as a “man in the middle” to decrypt traffic, scan it, and re-encrypt it. If another solution is saying something different, then they are either really good, or lying to you and using man in the middle.

There are also the Netgate NG products in the TNSR line, I have not done any research into these products.

And Tom says that if you need a lot of site filtering, he goes with Untangle. Third party e2guardian on pfsense works, but more difficult to maintain because it is third party unofficial. Man in the middle still applies to filtering if you are using encrypted DNS, again stuff is encrypted at server and client, so the middle can not know what the traffic is doing without decrypting it. e2guardian grabs unencrypted DNS just fine but could be more optimized when you get into big lists of exceptions, at least I’m finding some issues here and there with my exceptions.

2 Likes

Having one client only working with Palo Alto - strictly - I love it, the deep packet inspection is from another planet if you only worked with “Free” IDS/IPS systems before. You can have such fine-grained control over the traffic and what clients can do and what not. BUT: It’s ridiculously expensive, not only the hardware, $6000 for the +1G model, but even more the yearly licensing.

So talking to a client is actually easy: if 4-7k +/- a year is peanuts for you, go for the big AAA brand full support tiers. If not, there are options we can help you with to keep the network safe. So do you really need that Lamborghini or is a good sedan fine?

I found in the last years especially some “I have big IT Knowledge” management guys tend to tell everything like pfsense, unifi or other things not from the high charging AAA brands is crap. I have no idea where this bad blood comes from.

1 Like

How do you do deep packet inspection if the traffic is encrypted?

Palo Alto, for example, not only checks the content of the packet but also the headers, target and source, ports and a lot of metadata beside the actual content to put traffic in a specific category.

Most big companies go a step further and install certificates on their clients’ devices so that it’s easy for them to look into the traffic.

I personally do not like that “man in the middle” even if it is done in a lot of big corps. They argue security over privacy, but in my eyes you do not need to decrypt everything the client is doing. There are other ways.

I’m in the EU so privacy and GDPR is a good argument for me to talk people out of that idea to “unpack” and sniff everything. I just say: “Well technically you could, but whether you are allowed to do so in terms of privacy and GDPR you should talk to your lawyers, I can’t give any advice here.” Most times the discussion is over then and they work with blocklists :)

2 Likes

For a personal device used for work purposes, under a BYOD arrangement, then I can agree that having a company root certificate installed so they can decrypt all traffic may be an invasion of privacy - you can’t stop all your personal apps from doing whatever background checks they do, even if you aren’t using the device for personal reasons while on the clock. But for a company owned device provided for the purpose of doing work, which employees are told to not use for personal purposes, there is no expectation or right to privacy. An employee doing anything on that device that they don’t want to be inspected is already misusing the company’s equipment and/or time.

1 Like

Without a certificate proxy, at best you can use DNS to see what website the host requested, i.e. https://www.google.com, and what node responded (google.com), but not what’s being requested.

The other way is using a proxy server that acts as an intermediary with a certificate, i.e. the host requests https://google.com via an intermediate cert tunnel, and the proxy establishes the actual HTTPS via Google’s registered cert. All traffic is still encrypted from those outside access to the proxy.

Well, your friend is right.
If you want all the bells and whistles and state-of-the-art NGFW features and security and speed, then you will have to pay for it because maintaining the lists for all kinds of threats (bad IPs, viruses, bad websites, etc.) is a 24/7 job that no “free” stuff on the Internet can cover adequately.
Yes, the plug-ins you can add in pfSense are cool and do work for some threats, but it is a far cry from what CheckPoint, Juniper, Palo, Fortinet, etc. can offer in terms of coverage and ease of use if you have a business to manage and protects to run and don’t want to get ransomwared by a misclick from one of your users.
Plus, having IPS/IDS/AV/WEB/DeepCertificateInspection enabled requires processing power that pfSense can only get from the CPU vs. specialised ASICs on commercial firewalls. If security AND speed are a must when using all these security features, then it is a major selling point.

It is also the reason why I switched from pfSense to Fortinet. The same 600$ FG-60F from Fortinet runs circles around the Netgate SG-5100 and the ease of use is miles ahead. Try to route at 10Gbps with IPS, AV and Web Filtering while videobroadcasting and voice and you will understand quickly the difference.

I still use pfSense for my labs and other personal stuff, but anything commercial is now behind a Fortigate firewall.

Aside from the fact that almost all of the major manufacturer firewalls have ALL been hit by numerous 0 day attacks, Fortigate one of the frequent names mentioned. Don’t get me wrong, I believe in the stability of these items but nothing is perfect. I’ve used and evaluated many of the major manufacturers but hate the piecemeal approach towards licencing which makes it almost impossible for smaller entities to be able to afford all the multiple bells and whistles that they need to implement to truly best-secure their networks and equipment.

pfSense was one of my best options for multi-wan, vpn, and many of the bells and whistles that help me keep a few choice systems operational.

So what happens now with DNS over TLS/HTTPS? That seems to be implemented by all the major web browsers now, except maybe Safari. Firewalls won’t be able to see DNS requests anymore, right? At least not from those browsers if that setting is enabled.

I’ve heard conflicting statements from IT pros on the issue of encryption and firewalls, IPS, and IDS systems. Everything from “it’s over” to “not a big deal”. What can firewalls and IPS see exactly, in a pervasive encryption situation? IP addresses must still be exposed, right, in order to route traffic? What else is not encrypted when you have HTTP/2 with TLS, which I assume is on top of TCP and say IPv6, on top of Ethernet? What’s exposed in that scenario, beyond an IP address?

I’ve also read that TLS handshakes or session establishment are transmitted in the clear, which surprised me. If a user has been to a site before, doesn’t the browser retain a key or something for all subsequent sessions, so that it can be encrypted from the get-go?

On the man in the middle method of certificate injection, I think it’s supposed to break lots of sites. When I did it with traffic tools like Fiddler it broke sites. I wonder if it works better with Wireshark.

Fortigate, as any other commercial brand and pfSense included, is not perfect security-wise, but you are closer to that said perfection with them than without. And I really doubt your comment about seeing Fortinet’s Fortigate mentioned frequently unless you have links to said things.

This is fixed by TLS 1.3, the SNI is now encrypted as well. The way I understand it, the web server now uses one certificate for itself, and a separate certificate for the actual website you’re reaching. This is because a server can have multiple websites.

https://blog.cloudflare.com/encrypted-sni/

Just like a lot of other branded names, there are often several.

There were others, just haven’t searched for them.

As I said, branded names being more widespread are often a higher target footprint but my comment still stands - it’s almost impossible to be totally secure.