Hardening guidance for pfSense (PCI DSS)
-
Hi,
We use the official pfSense AMI in AWS environments that need to comply with PCI DSS.
One of the requirements I have to meet is to develop a configuration standard for pfSense (a document describing how it should be configured), and this standard must be based on industry-accepted sources. The source can be the vendor.
Are there any official security best practice guides or hardening guides from Netgate I can use to help?
Lots of solid community guides out there but unfortunately they won't be accepted by the auditors as a source.
Thank you
Hayden
-
This is probably the closest thing we have to that:
https://docs.netgate.com/pfsense/en/latest/firewall/best-practices.html
Steve
-
@haydenj said in Hardening guidance for pfSense (PCI DSS):
Hi,
We use the official pfSense AMI in AWS environments that need to comply with PCI DSS.
One of the requirements I have to meet is to develop a configuration standard for pfSense (a document describing how it should be configured), and this standard must be based on industry-accepted sources. The source can be the vendor.
Are there any official security best practice guides or hardening guides from Netgate I can use to help?
Lots of solid community guides out there but unfortunately they won't be accepted by the auditors as a source.
Thank you
Hayden
Hayden,
I am very familiar with PCI DSS 3.2.1 and prior, and although I have not had a chance to dig deep into 4.0, I did a quick scan through the new DSS and I do not see any requirement for the use of industry standard firewall hardening. Can you point me to where you got this information?
-
following
-
@robh-0 Hi Rob, requirement 2.2 in PCI DSS v3.2.1 is to create configuration standards for all in-scope system components. Here is the requirement text:
2.2 Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards. Sources of industry-accepted system hardening standards may include, but are not limited to:
• Center for Internet Security (CIS)
• International Organization for Standardization (ISO)
• SysAdmin Audit Network Security (SANS) Institute
• National Institute of Standards Technology (NIST).
As an update, I've now been advised that I can use the firewall STIG to create my configuration standard (Firewall SRG - Ver 2, Rel 2, https://public.cyber.mil/stigs/downloads). It's not pfSense-specific, so it will be a case of going through and applying the recommendations to pfSense where applicable.
So for me this is sorted out - thanks for your responses.