502 Bad Gateway when selecting Suricata IDS / Interface LAN - Categories / LAN Rules
Looking for a solution or a noob guide on how to troubleshoot this issue.
-
Need a little more info to clarify what you are doing for me.
-
So you go to Suricata under SERVICES in the pfSense menu.
-
Then on the INTERFACES tab that opens you click the icon to edit a Suricata interface (you can also just double-click on the row to edit).
-
Then you click the CATEGORIES tab. Is that when you get the Gateway error, or are you clicking something else on the tab?
-
#1 and #2 are correct.
#3 I am selecting <interface> Rules. Get 502
In the system log I have a nginx entry which has the following Message...
2021/06/24 18:09:21 [error] 85337#100126: *1 upstream prematurely closed connection while reading response header from upstream, client: x.x.x.x, server: , request: "GET /suricata/suricata_rules.php?id=0 HTTP/2.0", upstream: "fastcgi://unix:/var/run/php-fpm.socket:", host: "XXXXXXXX", referrer: "https://XXXXXXXX/suricata/suricata_rulesets.php?id=0"
-
What kind of hardware do you have? Is it possibly a Netgate SG-3100 or SG-1000? If so, there is a known issue with PHP crashing on that CPU platform when certain PERL regex functions are called. Those functions are called by the Suricata GUI code that builds the web page when you click the RULES tab.
If that is your problem, there is a patch you can apply to pfSense to work around the issue. This forum post has the details for installing the patch: https://forum.netgate.com/topic/161050/snort-won-t-start-after-upgrade-to-21-02-on-sg-3100/24.
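Added example, not part of the original posts or of pfSense: the quoted nginx entry means the FastCGI backend closed the connection before it sent a response header, so this sketch parses nginx error-log lines and counts those events per PHP script to show which GUI page triggers them. The sample lines are constructed (the first mirrors the entry quoted above) and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample: line 1 mirrors the entry quoted in the thread, lines 2-3 are made up.
SAMPLE_LOG = [
    '2021/06/24 18:09:21 [error] 85337#100126: *1 upstream prematurely closed connection '
    'while reading response header from upstream, client: x.x.x.x, server: , '
    'request: "GET /suricata/suricata_rules.php?id=0 HTTP/2.0", '
    'upstream: "fastcgi://unix:/var/run/php-fpm.socket:", host: "XXXXXXXX", '
    'referrer: "https://XXXXXXXX/suricata/suricata_rulesets.php?id=0"',
    '2021/06/24 18:11:40 [error] 85337#100126: *9 upstream prematurely closed connection '
    'while reading response header from upstream, client: x.x.x.x, server: , '
    'request: "GET /suricata/suricata_rules.php?id=1 HTTP/2.0", '
    'upstream: "fastcgi://unix:/var/run/php-fpm.socket:", host: "XXXXXXXX"',
    '2021/06/24 18:12:02 [error] 85337#100126: *12 open() "/usr/local/www/favicon.ico" '
    'failed (2: No such file or directory), client: x.x.x.x, server: , '
    'request: "GET /favicon.ico HTTP/2.0", host: "XXXXXXXX"',
]

HEADER = re.compile(r'^(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) \[(?P<level>\w+)\] '
                    r'(?P<pid>\d+)#(?P<tid>\d+): (?:\*(?P<conn>\d+) )?(?P<rest>.*)$')
FIELD = re.compile(r', (client|server|request|upstream|host|referrer): ("[^"]*"|[^,]*)')

def parse_error_line(line):
    """Split one nginx error-log line into header, message and key/value fields."""
    m = HEADER.match(line.strip())
    if not m:
        return None  # not an error-log line (e.g. wrapped or truncated)
    rec = m.groupdict()
    rest = rec.pop('rest')
    hits = list(FIELD.finditer(rest))
    rec['message'] = rest[:hits[0].start()] if hits else rest
    rec['fields'] = {h.group(1): h.group(2).strip('"') for h in hits}
    return rec

def fastcgi_aborts(lines):
    """Count, per PHP script, requests where the FastCGI upstream closed early."""
    counts = Counter()
    for rec in filter(None, map(parse_error_line, lines)):
        f = rec['fields']
        if (rec['message'].startswith('upstream prematurely closed connection')
                and f.get('upstream', '').startswith('fastcgi://')):
            parts = f.get('request', '').split()
            path = parts[1].split('?')[0] if len(parts) > 1 else '(unknown)'
            counts[path] += 1
    return counts

if __name__ == '__main__':
    for script, n in fastcgi_aborts(SAMPLE_LOG).most_common():
        print(f'{n:3d}  {script}')
```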
-
@bmeeks said in 502 Bad Gateway when selecting Suricata IDS / Interface LAN - Categories / LAN Rules:
SG-3100
Yep a SG-3100
-
@jgdgzpqatddjpa said in 502 Bad Gateway when selecting Suricata IDS / Interface LAN - Categories / LAN Rules:
@bmeeks said in 502 Bad Gateway when selecting Suricata IDS / Interface LAN - Categories / LAN Rules:
SG-3100
Yep a SG-3100
Follow the instructions in that post I linked. First install the System Patches package, and then that PHP patch (using the System Patches package). Be sure to either reboot the firewall, or restart php-fpm after applying the patch. That should fix it for you. This patch is included in the upcoming releases of pfSense and pfSense+.
-
In process...
Darn thing gave me the 3 endless flashing blue lights
Hard rebooted it. Yes, not a good idea, but it's back up
and.... The patch fixed the issue.
Thank you!!!
-
@jgdgzpqatddjpa said in 502 Bad Gateway when selecting Suricata IDS / Interface LAN - Categories / LAN Rules:
In process...
Darn thing gave me the 3 endless flashing blue lights
Hard rebooted it. Yes, not a good idea, but it's back up
and.... The patch fixed the issue.
Thank you!!!
Yeah, my experience with the SG-3100 is that it takes a LONG time to boot, and every now and then, you need to hard cycle the power (after waiting a very long time).