Why doesn't pfSense change to a Application Layer 7 firewall solution? Or at least give a mode to choose it?

riahc3

In 2019, with all the advancements in communications and protocols, port blocking and forwarding isnt enough. All big players use Application Layer 7 firewalling instead of ports.

Why doesnt pfSense change to this model? Which is better, more secure, and Ill even go as far as it say alot more simple to setup.

chrismacmahon

We have OpenAppID in Snort: https://www.netgate.com/blog/application-detection-on-pfsense-software.html

riahc3

There are several issues with this:

1: Its a addon package, not a out of the box feature. If dev stops supporting it or integration with pfsense, bye bye L7.

2: For 100% functionality, it seems you need to get a paid upgrade where all appid is available and updated instantly.

3: From reading the guide, it seems you need to write rules in two places.

Look how PA does this:

https://knowledgebase.paloaltonetworks.com/servlet/rtaImage?eid=ka10g000000Cyb6&feoid=00N0g000003VPSv&refid=0EM0g000001AeSC

bmeeks

@riahc3 said in Why doesn't pfSense change to a Application Layer 7 firewall solution? Or at least give a mode to choose it?:

There are several issues with this:

1: Its a addon package, not a out of the box feature. If dev stops supporting it or integration with pfsense, bye bye L7.

2: For 100% functionality, it seems you need to get a paid upgrade where all appid is available and updated instantly.

3: From reading the guide, it seems you need to write rules in two places.

Look how PA does this:

https://knowledgebase.paloaltonetworks.com/servlet/rtaImage?eid=ka10g000000Cyb6&feoid=00N0g000003VPSv&refid=0EM0g000001AeSC

And the cost differential between pfSense and a Palo Alto firewall is how much exactly ... ? It takes a lot of effort to maintain a current Layer 7 DPI functionality in a firewall. And besides the initial hardware cost for the PA, you then have $1000 plus annual subscriptions for the filtering rules themselves.

Snort with OpenAppID is an essentially free option (if you discount the relatively cheap hardware it can run on). Granted it is not just "click on" and sit back like the PA or Check Point products, but it does work basically the same as the PA stuff once configured with the required rules.

johnpoz

@bmeeks said in Why doesn't pfSense change to a Application Layer 7 firewall solution? Or at least give a mode to choose it?:

you then have $1000 plus annual subscriptions for the filtering rules themselves.

I think you forgot the extra 0 in your plus cost there ;)

Sure PA makes a great product - don't think anyone going to dispute that.. If your IT has the budget to run PA, then sure go ahead ;)

To be honest I don't think Pfsense is trying to be a 1:1 swap out sort of device for a company running PA stuff.. Now if the company wanted to provide great security at a fraction of the cost ;)

stephenw10

Pull requests accepted.

Steve

bmeeks

@johnpoz said in Why doesn't pfSense change to a Application Layer 7 firewall solution? Or at least give a mode to choose it?:

@bmeeks said in Why doesn't pfSense change to a Application Layer 7 firewall solution? Or at least give a mode to choose it?:

you then have $1000 plus annual subscriptions for the filtering rules themselves.

I think you forgot the extra 0 in your plus cost there ;)

Sure PA makes a great product - don't think anyone going to dispute that.. If your IT has the budget to run PA, then sure go ahead ;)

Probably correct, but with a very abbreviated web search I found some annual PA subscriptions listed for URL filtering and a handful of other similar things for like $1400 or so each annually. Most of their stuff is like Check Point (of which I am more familiar having worked with that in my past): they eat you alive with the "support and maintenance" contracts.

stephenw10

Let's just say that if anyone is imagining:

#Switch to layer 7 filtering
- firewall_layer=3
+ firewall_layer=7

...then unfortunately they are very very wrong!

Steve