• We are using (and really loving) pfsense in our data center.

    I'm running 2 dl360g8 with 192gb of ram each.

    I've ram disks setup (10240) and maxed out all the wan preproc options.

    What else can I do? i'm only using 2% of the memory.

    We also get this error "Allowed memory size of 402653184 bytes exhausted (tried to allocate 79949242 bytes) in /usr/local/www/csrf/csrf-magic.php on line 161"

    from all the alerts we generate.

    The snort alerts page is slow, maybe we can put this in memory as well?

    Looking for ideas.

  • LAYER 8 Netgate

    192GB is completely wasted RAM in a firewall. You will never need that. Use those hosts for hypervisors or something and use something more modest for your firewalls.

    The message you are seeing is php memory being exhausted, not system memory.

    It looks like you have some sort of loop in CSRF detection.

  • I get we won't use it all...we just got a smoking deal on the servers. Hoping to use more ram drives to speed things up where we can.

    We have a ton of alerts for this firewall, when we get over 20000 alert entries to track down a false positive, thats where we get the error is on the alerts page.

  • LAYER 8 Netgate

    Right. That's where the alerts such as PHP memory overflows go.

    You'll need to provide more details, but a CSRF overflow like that is generally some sort of loop regarding the webgui connections.

  • For high alerts traffic like that you really need to export the logs off to an external processor and access them there. There is just not enough allocated PHP memory in the pfSense system to handle huge string arrays which are what get created when looking through a huge alerts list in the GUI.

    You can use the Barnyard2 tab to export logs to a remote syslog server. You could also probably configure something like an ELK stack and put an export client on pfSense and offload logs that way.