Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Next generation feature - L7 application filtering

    Scheduled Pinned Locked Moved Firewalling
    21 Posts 10 Posters 13.9k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • V
      VladimirJirasek
      last edited by

      Hi all,

      I am relatively new to PfSense. Previously, I have managed Cyberguard, Cisco PIX, IPTables, FortiGate and PaloAlto firewalls. Specifically, the last two bring interesting capability for firewall rules base - add application context to each rule.

      I wonder why PfSense stopped a project to deliver the same capability. I know that Snort rules can be adjusted to deliver the same functionality but at what cost: a lot of administration leading to mistakes. Many web based applications use https protocol to deliver rich application interface to users. Imagine you could edit each firewall rule and specify an application (or applications) to match the rule; in addition or instead of a port number! Allow users to access dropbox to download but not upload any content? Not a problem :)

      Please vote to indicate you position.

      Warm regards

      Vladimir

      1 Reply Last reply Reply Quote 0
      • G
        GomezAddams
        last edited by

        @VladimirJirasek:

        Hi all,

        I am relatively new to PfSense. Previously, I have managed Cyberguard, Cisco PIX, IPTables, FortiGate and PaloAlto firewalls. Specifically, the last two bring interesting capability for firewall rules base - add application context to each rule.

        I wonder why PfSense stopped a project to deliver the same capability. I know that Snort rules can be adjusted to deliver the same functionality but at what cost: a lot of administration leading to mistakes. Many web based applications use https protocol to deliver rich application interface to users. Imagine you could edit each firewall rule and specify an application (or applications) to match the rule; in addition or instead of a port number! Allow users to access dropbox to download but not upload any content? Not a problem :)

        Please vote to indicate you position.

        Warm regards

        Vladimir

        If you've administered Palo Altos, you'll remember that there are thousands of applications that the Palo can identify, and that list grows by dozens every month. Someone (probably several someones) has to work hard to figure out how to identify these apps based on their network fingerprint. That isn't easy or fun. There isn't much incentive for anyone to maintain this database for free. Not to mention the huge amount of bandwidth required to distribute these updates to every pfsense instance in the world.

        1 Reply Last reply Reply Quote 0
        • KOMK
          KOM
          last edited by

          pfSense 2.2.x had L7 filtering, but it was buggy and very slow from what I understand.

          1 Reply Last reply Reply Quote 0
          • N
            Nullity
            last edited by

            Snort seems like it is a better option to invest time & money in.

            If pfSense could seamlessly incorporate better L7 functionality than Snort I would likely use it, but that seems very unlikely.

            Please correct any obvious misinformation in my posts.
            -Not a professional; an arrogant ignoramous.

            1 Reply Last reply Reply Quote 0
            • H
              Harvy66
              last edited by

              Missing a "No, I'm fundamentally opposed for logical reasons" option. Same reason I'm against transparent HTTPS.

              1 Reply Last reply Reply Quote 0
              • J
                Jonb
                last edited by

                Snort doesn't replace Layer 7 in PFsense from my point of view.

                It should be able to traffic shape on Layer 7,
                Application identify for firewall rules
                Report on bandwidth usage (Top applications or categories as this could be v large)

                Would be a really nice feature one of which paid for products do. The key thing is PAID for products and I appreciate how much effort it takes to identify and categorise traffic so maybe this is a subscription system for ident list but not function not sure.

                Ether way would be a really nice feature to have and keep PFsense up with the "Next-Gen" firewall (sorry I hate the term).

                Dev thoughts on this would be cool.

                Hosted desktops and servers with support without complication.
                www.blueskysystems.co.uk

                1 Reply Last reply Reply Quote 0
                • G
                  GomezAddams
                  last edited by

                  You may want to have a look at Sophos UTM (they have two different versions, and I'm not sure what the difference is). They are free for 50 IP addresses and under.

                  They seem to have a pretty extensive list of applications to filter on.

                  1 Reply Last reply Reply Quote 0
                  • S
                    Soyokaze
                    last edited by

                    Voted for "Yes, I need such a functionality now."

                    Not for filtering\limiting, but for REPORTING.

                    Need full pfSense in a cloud? PM for details!

                    1 Reply Last reply Reply Quote 0
                    • J
                      Jonb
                      last edited by

                      The Sophos UTM isn't my thing.

                      Hosted desktops and servers with support without complication.
                      www.blueskysystems.co.uk

                      1 Reply Last reply Reply Quote 0
                      • ?
                        Guest
                        last edited by

                        Those features are really often supported or tuned to be f* fast by using ASICs or FPGAs from
                        well known vendors likes Xillinx or others and only one of these FPGAs could be really expensive
                        that makes it more or less more expensive for all customers or only a smaller group of them are
                        using them then. For sure a add in or add on card with a FPGA could be done by ADI for sure
                        but then this must be also profitable for them and not only for us.

                        If I need a Next-Generation Firewall with DPI capabilities, application scanning and identification
                        based on Layer 7 I will go to PaloAlto and buy one!

                        Ether way would be a really nice feature to have and keep PFsense up with the "Next-Gen" firewall (sorry I hate the term).

                        I love the term Next-Gen firewall, what the difference makes we all know, but to get informed
                        only by the name or having something I am able to search or ask for is better then nothing or
                        only talking about firewalls that are coming beside with this or that function.

                        1 Reply Last reply Reply Quote 0
                        • J
                          Jonb
                          last edited by

                          You are very wrong about needing an asic.

                          Fortinet do a VM basic unit with impressive stats. Asic is lower latency and more efficent but not a requirement to deliver such functions. A large amount of hardware firewalls mainly use them for the high throughput as it works out cheaper than more x86 power.

                          As for not liking the term next gen firewall is because it doesnt 100% describe functions. Each firewall manufacturer marketing department like to use to loosely describe why they do and how they function.

                          But ike saying it is a cloud router. And that means…... what? Most of the time there is some service downloaded from the net or offloaded but what you don't know.

                          Hosted desktops and servers with support without complication.
                          www.blueskysystems.co.uk

                          1 Reply Last reply Reply Quote 0
                          • ?
                            Guest
                            last edited by

                            You are very wrong about needing an asic.

                            It will be able to pass through or do nearly the entire workload of;

                            • IDS/IPS rules
                            • IDS/IPS compression tasks
                            • Layer 7 DPI tasks (this thread will be based on talking about)

                            Fortinet do a VM basic unit with impressive stats. Asic is lower latency and more efficent but not a requirement to deliver such functions. A large amount of hardware firewalls mainly use them for the high throughput as it works out cheaper than more x86 power.

                            Cheaper? A greater or bigger model of the Xillinx FPGA family is at the price for something around $3.000
                            only for that FPGA! And what is now cheap on using them? Not really encountered to hire good developers
                            with good skills to write code for this ones. There is all other but nothing called cheap.

                            As for not liking the term next gen firewall is because it doesnt 100% describe functions. Each firewall manufacturer marketing department like to use to loosely describe why they do and how they function.

                            An application based firewall will be in my eyes and for my poor understanding a Next-Generation Firewall
                            and not a UTM device with application filtering capabilities. For sure others might be seeing this different.

                            But ike saying it is a cloud router. And that means…... what? Most of the time there is some service downloaded from the net or offloaded but what you don't know.

                            MikroTik as an example was calling one of their models Cloud Core Router, but they mostly counting
                            the TCP/IP packets per second running through that device and then they are convert it into MBit/s or
                            GBit/s back and then really often their customers will be counting on that numbers and are really
                            disappointed about the real throughput. A Cloud based and offered service to customers or clients
                            is a totally other term and thing in my eyes.

                            1 Reply Last reply Reply Quote 0
                            • W
                              W4RH34D
                              last edited by

                              Philosophical question here.

                              To spare the one IT guy folks out there.  Wouldn't it make more sense to have the application portion of the firewall on the client and not the router?

                              I figured as long as you've got snort on there and the only ports open that you want traffic through then the client can do the work of deciding if that traffic is good or bad.

                              Did you really check your cables?

                              1 Reply Last reply Reply Quote 0
                              • N
                                Nullity
                                last edited by

                                @W4RH34D:

                                Philosophical question here.

                                To spare the one IT guy folks out there.  Wouldn't it make more sense to have the application portion of the firewall on the client and not the router?

                                I figured as long as you've got snort on there and the only ports open that you want traffic through then the client can do the work of deciding if that traffic is good or bad.

                                Absolutely, but the interesting traffic-shaping happens at the router when practically every client is considered an adversary, like a virus-infected or bittorrent client.

                                Please correct any obvious misinformation in my posts.
                                -Not a professional; an arrogant ignoramous.

                                1 Reply Last reply Reply Quote 0
                                • ?
                                  Guest
                                  last edited by

                                  I figured as long as you've got snort on there and the only ports open that you want traffic through then the client can do the work of deciding if that traffic is good or bad.

                                  If I set up Snort sensors and a server in the LAN (network based IDS) and then on top I set up also
                                  OSSec agents on the client machines too (host based IDS) I don´t want to have the application filtering
                                  on the client too, this must or should be done then on the firewall device that is identifying the applications
                                  that generates traffic to and from the Internet. My personal point of view.

                                  1 Reply Last reply Reply Quote 0
                                  • J
                                    Jonb
                                    last edited by

                                    Trubble with doing it on the client side is how you manage that. If you want to traffic shape you need to control that at the last device on the choke point which is the router.

                                    If it is is just want application control you want allow Sophos already does this.

                                    Whole idea of an application firewall is you can easily control and report from a central point. Doing everything from a client just make much of the process complex due to getting the live data in and out.

                                    Hosted desktops and servers with support without complication.
                                    www.blueskysystems.co.uk

                                    1 Reply Last reply Reply Quote 0
                                    • J
                                      Jonb
                                      last edited by

                                      Cheaper? A greater or bigger model of the Xillinx FPGA family is at the price for something around $3.000
                                      only for that FPGA! And what is now cheap on using them? Not really encountered to hire good developers
                                      with good skills to write code for this ones. There is all other but nothing called cheap.

                                      When I say cheaper money doesn't always come into it. It was agreeing with what you said about needing a FPGA but not 100% of the time.

                                      Low throughout make x86 perfect for software based functions IDS, layer 7 etc. However the more throughput needed x86 begins to get uneconomical for power usage, latency heat etc.

                                      P.S I love the microtik routers but issue is you have to look at throughput vs packet size like all router throughput.

                                      Hosted desktops and servers with support without complication.
                                      www.blueskysystems.co.uk

                                      1 Reply Last reply Reply Quote 0
                                      • W
                                        W4RH34D
                                        last edited by

                                        @Jonb:

                                        Trubble with doing it on the client side is how you manage that. If you want to traffic shape you need to control that at the last device on the choke point which is the router.

                                        If it is is just want application control you want allow Sophos already does this.

                                        Whole idea of an application firewall is you can easily control and report from a central point. Doing everything from a client just make much of the process complex due to getting the live data in and out.

                                        I guess it depends on what the client's are capable of.  I think norton has some sort of management interface.
                                        OSX doesn't have that but their firewall is application based anyway.

                                        If you want reporting of what is going on you'll need to have a syslog server going.
                                        As far as traffic shaping - I'm not an insane scale or anything.  CODEL been great for me.

                                        Did you really check your cables?

                                        1 Reply Last reply Reply Quote 0
                                        • S
                                          Soyokaze
                                          last edited by

                                          @W4RH34D:

                                          Philosophical question here.

                                          To spare the one IT guy folks out there.  Wouldn't it make more sense to have the application portion of the firewall on the client and not the router?

                                          I figured as long as you've got snort on there and the only ports open that you want traffic through then the client can do the work of deciding if that traffic is good or bad.

                                          Been there, done that. Microsoft ISA/TMG.
                                          While the whole idea is okay, and even deployment in tightly controlled environment is not a very big PITA…
                                          It works good only in "tightly controlled environment", read - AD, GPOs, workstations being deployed with in-house built images, homogeneous environment...
                                          Guest wifi network? Nope.
                                          Servers? Nope.
                                          BYOD? Oh, forget it.
                                          Non Windows machine? Nope.

                                          So no, client based solution is not a very viable solution.

                                          Need full pfSense in a cloud? PM for details!

                                          1 Reply Last reply Reply Quote 0
                                          • W
                                            W4RH34D
                                            last edited by

                                            I find that odd.

                                            With the kind of requirements IE - milking the bone for all it's worth - you'd think there'd be some strict controls downstream as well.

                                            Maybe I'm an idiot, though.

                                            I don't see one without the other.

                                            It's like having a very good symphony conductor (pfsense) and one of the world's best symphonies (managed clients) and for some reason someone wants to shoe-horn in some middle school saxophone players and still wants it to be Mozart.

                                            Did you really check your cables?

                                            1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.