Notification when a connection is established
-
@mikeisfly said in Notification when a connection is established:
Again I'm just looking for a particular functionality pfSense.
There is no such built-in functionality within pfSense (nor any other firewall that I am aware of). The way to do this is to send all logs to an external server or SIEM and then parse the logs there and fire alerts on specific traffic from tools on that external server.
There are many options in the external logging and SIEM world from free to $100,000 USD and more.
-
@bmeeks said in Notification when a connection is established:
@mikeisfly said in Notification when a connection is established:
Again I'm just looking for a particular functionality pfSense.
There is no such built-in functionality within pfSense (nor any other firewall that I am aware of). The way to do this is to send all logs to an external server or SIEM and then parse the logs there and fire alerts on specific traffic from tools on that external server.
There are many options in the external logging and SIEM world from free to $100,000 USD and more.
Thank you. Maybe this is something the development team may want to look at to make the product stand out even more. Not sure who is looking for the feature but it occurred to me a few weeks ago, that it would be nice to have.
-
So like an alert-on-match option maybe?
This is the first time I've seen it requested so there may not be much drive but I could see that being useful.
Steve
-
@stephenw10 said in Notification when a connection is established:
So like an alert-on-match option maybe?
This is the first time I've seen it requested so there may not be much drive but I could see that being useful.
Steve
Yes, that would be awesome.
-
@bmeeks said in Notification when a connection is established:
@mikeisfly said in Notification when a connection is established:
Again I'm just looking for a particular functionality pfSense.
There is no such built-in functionality within pfSense (nor any other firewall that I am aware of). The way to do this is to send all logs to an external server or SIEM and then parse the logs there and fire alerts on specific traffic from tools on that external server.
There are many options in the external logging and SIEM world from free to $100,000 USD and more.
+1 on what Bill said. I can personally recommend an ELK setup which you can send the pfSense logs to. I believe you can then set up alerts on a particular event. ELK is free and can be easily set up on Linux since it's very well documented (even I was able to do it). I've never used ELK for alerting, but I might eventually. Right now it's only for super fast log searches and nice visuals to quickly see things.
-
@mikeisfly said in Notification when a connection is established:
Maybe this is something the development team may want to look at to make the product stand out even more.
I can see this being useful on the camera as part of the camera's event monitoring...just not on a firewall. The day I get that notification is the day the firewall goes in the trash bin. I even block my cameras from going out to check for firmware updates.
-
@NollipfSense said in Notification when a connection is established:
@mikeisfly said in Notification when a connection is established:
Maybe this is something the development team may want to look at to make the product stand out even more.
I can see this being useful on the camera as part of the camera's event monitoring...just not on a firewall. The day I get that notification is the day the firewall goes in the trash bin. I even block my cameras from going out to check for firmware updates.
Not sure why getting a notification about an event that happened from a connection you explicitly allowed would be a bad thing? I'm looking for this functionality as more of a tracking tool. Like with any service the development team might implement, you don't have to use it.
-
@Raffi_ said in Notification when a connection is established:
@bmeeks said in Notification when a connection is established:
@mikeisfly said in Notification when a connection is established:
Again I'm just looking for a particular functionality pfSense.
There is no such built-in functionality within pfSense (nor any other firewall that I am aware of). The way to do this is to send all logs to an external server or SIEM and then parse the logs there and fire alerts on specific traffic from tools on that external server.
There are many options in the external logging and SIEM world from free to $100,000 USD and more.
+1 on what Bill said. I can personally recommend an ELK setup which you can send the pfSense logs to. I believe you can then set up alerts on a particular event. ELK is free and can be easily set up on Linux since it's very well documented (even I was able to do it). I've never used ELK for alerting, but I might eventually. Right now it's only for super fast log searches and nice visuals to quickly see things.
Thanks for the suggestion.
-
@mikeisfly said in Notification when a connection is established:
@NollipfSense said in Notification when a connection is established:
@mikeisfly said in Notification when a connection is established:
Maybe this is something the development team may want to look at to make the product stand out even more.
I can see this being useful on the camera as part of the camera's event monitoring...just not on a firewall. The day I get that notification is the day the firewall goes in the trash bin. I even block my cameras from going out to check for firmware updates.
Not sure why getting a notification about an event that happened from a connection you explicitly allowed would be a bad thing? I'm looking for this functionality as more of a tracking tool. Like with any service the development team might implement, you don't have to use it.
Okay, got you!
-
@mikeisfly said in Notification when a connection is established:
Not sure why getting a notification about an event that happened from a connection you explicitly allowed would be a bad thing? I'm looking for this functionality as more of a tracking tool. Like with any service the development team might implement, you don't have to use it.
I think some of the responders in this thread initially misunderstood what you wanted. You just want to know when the camera accepts an allowed connection.
I think this type of notification should be something the endpoint device (the camera in this case) does rather than the firewall. You really want the firewall concentrated on watching traffic and processing packets as fast and efficiently as possible so as to maximize security and throughput. If you give the firewall a lot of ancillary tasks that instead really should be something a SIEM or the endpoint device handles, then you start to load the firewall up with a lot of baggage. That is bad for two reasons. First, the extra code and associated libraries just provide a larger attack surface; and second, a firewall busy analyzing logs and sending email notifications runs out of time slices to handle packets efficiently and so throughput suffers.
There is a reason that the big commercial vendors do this type of stuff either with their own separate external tool (Checkpoint's SmartCenter, for example) or refer their users to the various SIEM tools out there (ArcSight being a biggie in the commercial market).
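A minimal version of the external parse-and-alert approach described in this post and in the first reply of the thread, including a per-source rate limit so one allowed connection does not turn into a flood of notifications. This is an added example, not code from pfSense or from anyone in the thread; it assumes the pfSense filterlog CSV layout, constructed sample log lines with a simplified syslog prefix, and a hypothetical camera address and forwarded port.

```python
import csv
from datetime import datetime, timedelta

# Constructed sample lines (not real traffic); syslog prefix simplified to an ISO timestamp.
# Assumed layout: pfSense filterlog CSV, IPv4 fields followed by TCP fields (sport, dport, datalen, flags).
SAMPLE_LOG = """\
2023-05-01T10:00:01 fw filterlog[1234]: 5,,,1770003000,igb0,match,pass,in,4,0x0,,64,1001,0,DF,6,tcp,60,203.0.113.5,192.168.1.50,51234,554,0,S,1,,65535,,mss
2023-05-01T10:00:02 fw filterlog[1234]: 5,,,1770003000,igb0,match,pass,in,4,0x0,,64,1002,0,DF,6,tcp,60,203.0.113.5,192.168.1.50,51235,554,0,S,1,,65535,,mss
2023-05-01T10:00:03 fw filterlog[1234]: 9,,,1000000103,igb0,match,block,in,4,0x0,,64,1003,0,DF,6,tcp,60,198.51.100.7,192.168.1.50,40000,554,0,S,1,,65535,,mss
2023-05-01T10:00:04 fw filterlog[1234]: 7,,,1770003001,igb0,match,pass,in,4,0x0,,64,1004,0,DF,6,tcp,60,203.0.113.5,192.168.1.60,40001,443,0,S,1,,65535,,mss
2023-05-01T10:20:00 fw filterlog[1234]: 5,,,1770003000,igb0,match,pass,in,4,0x0,,64,1005,0,DF,6,tcp,60,203.0.113.5,192.168.1.50,51300,554,0,S,1,,65535,,mss
"""

CAMERA_IP = "192.168.1.50"            # hypothetical LAN address of the camera
CAMERA_PORT = "554"                   # hypothetical forwarded port
ALERT_WINDOW = timedelta(minutes=10)  # at most one alert per source IP per window

def parse_filterlog(line):
    """Return a dict for an IPv4 TCP/UDP filterlog record, or None for anything else."""
    if "filterlog" not in line:
        return None
    prefix, _, body = line.partition(": ")
    f = next(csv.reader([body]))
    if len(f) < 22 or f[8] != "4" or f[16] not in ("tcp", "udp"):
        return None
    return {"ts": datetime.fromisoformat(prefix.split()[0]), "rule": f[0],
            "action": f[6], "proto": f[16], "src": f[18], "dst": f[19],
            "dport": f[21], "flags": f[23] if f[16] == "tcp" and len(f) > 23 else ""}

def camera_alerts(log_text):
    """One alert per source IP per ALERT_WINDOW for passed TCP SYNs to the camera port."""
    last_alert, alerts = {}, []
    for line in log_text.splitlines():
        r = parse_filterlog(line)
        if r is None or r["action"] != "pass" or r["dst"] != CAMERA_IP:
            continue
        if r["dport"] != CAMERA_PORT or r["proto"] != "tcp" or "S" not in r["flags"]:
            continue
        prev = last_alert.get(r["src"])
        if prev is not None and r["ts"] - prev < ALERT_WINDOW:
            continue  # same source already reported inside the window
        last_alert[r["src"]] = r["ts"]
        alerts.append(f"{r['ts'].isoformat()} allowed {r['src']} -> {r['dst']}:{r['dport']} (rule {r['rule']})")
    return alerts

if __name__ == "__main__":
    for a in camera_alerts(SAMPLE_LOG):
        print(a)
```

Pointed at a real syslog feed, the same function would run on the collector box rather than on the firewall, which is the division of labour the post argues for.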
-
@bmeeks said in Notification when a connection is established:
@mikeisfly said in Notification when a connection is established:
Not sure why getting a notification about an event that happened from a connection you explicitly allowed would be a bad thing? I'm looking for this functionality as more of a tracking tool. Like with any service the development team might implement, you don't have to use it.
I think some of the responders in this thread initially misunderstood what you wanted. You just want to know when the camera accepts an allowed connection.
I think this type of notification should be something the endpoint device (the camera in this case) does rather than the firewall. You really want the firewall concentrated on watching traffic and processing packets as fast and efficiently as possible so as to maximize security and throughput. If you give the firewall a lot of ancillary tasks that instead really should be something a SIEM or the endpoint device handles, then you start to load the firewall up with a lot of baggage. That is bad for two reasons. First, the extra code and associated libraries just provide a larger attack surface; and second, a firewall busy analyzing logs and sending email notifications runs out of time slices to handle packets efficiently and so throughput suffers.
There is a reason that the big commercial vendors do this type of stuff either with their own separate external tool (Checkpoint's SmartCenter, for example) or refer their users to the various SIEM tools out there (ArcSight being a biggie in the commercial market).
I get your point, and your point is well made. I can see if you are tracking thousands of connections 24/7. I more or less wanted to prove that this software company I was dealing with never attempted to access the camera I gave them access to; on the flip side, if they did access the camera I would monitor the connection and when they were done I would shut down the port forward that I created. In general I thought it might be a good idea for troubleshooting, kind of like a debug or a packet capture. While you wouldn't run it 24/7 because of the resource drain, it could provide a good troubleshooting tool. Like an SNMP trap on a TCP connection.
-
Mmm, it would have to be limited in some way because you could easily end up sending thousands of emails.
I could imagine situations where it might be useful.
-
@mikeisfly said in Notification when a connection is established:
or a packet capture.
Check the build-up of such a packet.
You will have your router's MAC (= pfSense), the camera's MAC, the camera's LAN IP and the IP (WAN IP) of the visitor.
Not the payload, as it is all TLS these days (well, the camera should send over TLS, otherwise scrap it).
At most, you could see who - from the outside world - visited your device. If it isn't recording, as you can check using the same access time, then you will not know what they saw.
Btw: one of the world's most famous and most used free programs, fail2ban, can do what you want right out of the box. Comparable programs exist.
Btw: my DVRs - see above - log user access by login code ... everything is already there.