PFSense Logging for Microsoft Cloud App Security

jpozzoli

I want to experiment with MCAS and part of that is the ability to upload log files from on-prem firewalls to Azure. It will then analyze those logs and discover what kind of cloud-based services users are using (Box, AWS, Slack, etc.).

Based on this, I have two questions: what type of log does PFsense output (I realize I will have to syslog this off somewhere)?

And two, would I need to create an "allow all" rule at the bottom of my rules and turn on logging for that to generate the needed traffic?

Here is a link to the relevant portion of MCAS talking about this: https://docs.microsoft.com/en-us/cloud-app-security/set-up-cloud-discovery

FWIW I have a Netgate SG-1100 on the latest software.

Thanks in advance,
John

Grimeton

https://docs.netgate.com/pfsense/en/latest/monitoring/log-settings.html

stephenw10

This looks like a more relevant page: https://docs.microsoft.com/en-us/cloud-app-security/custom-log-parser

Interestingly it looks more like netflow data would be better there. The firewall log does not record data totals. It also doesn't log passed traffic by default.

Steve

anx

Hi Guys,

It is very good idea! did you find solution to setup this ? thanks