Netgate Discussion Forum

    Tracking flows

      michmoor LAYER 8 Rebel Alliance

      Hey everyone,
      Is there a way to track flows as they go through a firewall and to figure out if traffic is leaving a firewall but not getting a response?
      For some background, I am dealing with a small-ish deployment of pfSenses and figuring out why return traffic isn't happening is a pain. Maybe I'm overlooking a tool or feature in pfSense? The filter log tells me traffic matched a rule and it's sent out, but I can't figure out if the flows ever worked.

      So for example, for those who have dealt with Palo Alto, you can use the Monitor tab to search for all flows going through the firewall. One of my favorite searches is ( bytes_received eq 0 ). I can find all flows that leave the firewall but do not come back, hence no return traffic.

      Is there something I can leverage in pfSense? I have flow logs going to a syslog collector but that doesn't help much.

      Firewall: NetGate,Palo Alto-VM,Juniper SRX
      Routing: Juniper, Arista, Cisco
      Switching: Juniper, Arista, Cisco
      Wireless: Unifi, Aruba IAP
      JNCIP,CCNP Enterprise

        keyser Rebel Alliance @michmoor

        @michmoor The NTopNG package can help you here - it’s only a “near live” tool, so you have to do it while you are having the flow problem. But configuring it to remember flows for a couple of minutes after they either were closed or failed will allow you to see all flows with only outbound traffic.
        Set it up to only monitor your LAN (client) interface :-)

        Love the no fuss of using the official appliances :-)
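
An added example, not part of the thread and not the ntopng approach described above: the same "bytes received eq 0" question can be asked of the pf state table, whose verbose listing carries per-direction packet and byte counters. It assumes the input is saved output of `pfctl -ss -v`; the sample text is constructed and uses documentation addresses.

```python
import re

# Constructed sample in the layout printed by `pfctl -ss -v`.
SAMPLE = """\
all tcp 192.0.2.10:51514 -> 198.51.100.20:443       ESTABLISHED:ESTABLISHED
   [3850516411 + 64240] wscale 7  [1274325091 + 65535] wscale 8
   age 00:01:02, expires in 23:59:30, 12:10 pkts, 1820:5230 bytes, rule 85
all tcp 192.0.2.11:40022 -> 203.0.113.7:22       SYN_SENT:CLOSED
   [1192837465 + 64240]  [0 + 1]
   age 00:00:21, expires in 00:00:09, 3:0 pkts, 180:0 bytes, rule 85
all udp 192.0.2.12:5353 -> 203.0.113.53:53       SINGLE:NO_TRAFFIC
   age 00:00:04, expires in 00:00:26, 2:0 pkts, 140:0 bytes, rule 90
"""

# Counters are printed as original-direction:reverse-direction.
COUNTERS = re.compile(r"(\d+):(\d+) pkts, (\d+):(\d+) bytes")

def parse_states(text):
    """Return one dict per state found in `pfctl -ss -v` text."""
    states, cur = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():          # unindented line opens a new state
            parts = line.split()
            if len(parts) < 4:             # not a state header, skip its details
                cur = None
                continue
            cur = {"iface": parts[0], "proto": parts[1],
                   "flow": " ".join(parts[2:-1]), "state": parts[-1]}
            states.append(cur)
            continue
        m = COUNTERS.search(line)          # indented detail line of current state
        if m and cur is not None:
            cur["pkts_fwd"], cur["pkts_rev"] = int(m[1]), int(m[2])
            cur["bytes_fwd"], cur["bytes_rev"] = int(m[3]), int(m[4])
    return states

def no_return_traffic(states, min_fwd_pkts=1):
    """States that sent at least min_fwd_pkts packets and got zero bytes back."""
    return [s for s in states
            if s.get("pkts_fwd", 0) >= min_fwd_pkts and s.get("bytes_rev") == 0]

if __name__ == "__main__":
    for s in no_return_traffic(parse_states(SAMPLE)):
        print(f'{s["proto"]:4} {s["flow"]:45} {s["state"]:20} '
              f'sent={s["bytes_fwd"]}B recv={s["bytes_rev"]}B')
```

Like ntopng, this only sees flows whose state still exists, so it has to be captured while the problem is happening.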

          michmoor LAYER 8 Rebel Alliance @keyser

          @keyser At least there's a reason for ntop's community version to be installed, otherwise I question why it's even in the repo 😊
          I'll give it a shot. Thanks for this.


          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.