Pfsense 2.3.2 ( please help )
-
Hello Guys
I decided to put a pfsense ( Squid + squidguard + snort ) in my network, i tired it on a virtual lab and everything is ok as far as filtering/ cache / alerts are concerned, but i have to say that there are lot of options i don't get but anyway i'm doing researches ( videos, forums…) now i want to prepare the deployement of pfsense in production environement, so i prepared an old machine and installed Pfsense on it, now i don't get some points, as you can see in the picture i have 2 sites A & B we already have a firewall ( Cisco ASA ) in both sites, site B gets internet from site A ( the 2 sites are linked with a fiber link managed by our ISP...) could you please give me a hand on this particular case, the best postion to put pfsense ( before or after firewall ) the configuration of interfaces and gateway, fyi i can't change my sites DHCP plan it has to be 172.22.64/65.FYI my actual static route on the asa ( without pfsense in between...) is 0.0.0.0 / 0.0.0.0 / 90.xx.xx.aa
http://imgur.com/a/NyjZb
Thank you very much for your time
-
Is pfSense just acting as a web proxy and IDS?
-
Yes it is, thats what i want to using it for
-
Well then, you could configure it as a standalone device with just a LAN port instead of a router, and configure the Ciscos to pass web traffic through it.
-
Since you said you are fumbling through Snort/Squid, etc trying to learn them, do yourself a favor and read through the Snort Rules under the Categories Tab of the interface. Some in there may not pertain to your organization. The best security would probably be to have them all on but categories like "Games" would likely load unnecessary rules and put extra overhead on the system. I'm not sure why you wouldn't want people playing StarCraft in the office but you don't need every packet evaluated against those rules even if you didn't. :) Chat could be disabled if you're not having a problem. No on-prem email server? Consider disabling POP or SMTP. The more you can disable the better the system should perform, especially on config reloads. By default we have like 18 groups disabled when we install at a clients and add some back in if they need. And make sure to add supressions or your logs will overflow with useless info. Search around here and you should find some good info on those.
Also, know that squid, with transparent HTTP proxy enabled, works pretty well out of the gate but only on HTTP traffic, not HTTPS traffic. If you want HTTPS filtering then you'll have a lot more to work through. Add some extra definitions into the Freshclam section of Antivirus under Squid. Search around here for SaneSecurity as we had a thread with that info floating around not long ago. It'll greatly increase the effectiveness.
Once you have things set up, make sure you try some speed tests and downloaders and Quickbooks and Firefox. It has been my experience that snort blocks them. You can easily add the exclusions from the Rules and Block tabs of Snort. You may also want to consider altering the SquidGuard block pages to something that reflects your organization and your policy as well as information on who and how to contact in the event of a false positive. Also check things like LogMeIn and GoToMeeting to see if they have problems getting through your new Proxy. With all that addressed you should have things mostly under control.
Most of all, Good Luck! Personally, I'd put your new filter outside of your Firewall if you could as it likely has a lot more power than the ASA (they are generally over featured and under powered) to free its resources up, but I'm not sure exactly how you'd do that without long consideration. It's probably easier to have it on the LAN and force all traffic to filter through it.