Monitoring outgoing traffic
-
Something I've wanted to do in terms of security is monitoring outgoing traffic to make sure it's all legit.
Does anyone know of some article/s or docs that offer some good suggestions on best practices using pfsense?
-
@lewis Actual packets? (Mostly encrypted connections nowadays)
DNS lookups?
Traffic volume? (Bytes)
IDS like Suricata? (Mostly encrypted connections nowadays)
-
@SteveITS
To be fair, I think when most people think about monitoring traffic they are talking about sites visited, not necessarily digging into encrypted traffic.
I see Client-A going to Youtube.com and pulling 500MB of traffic. That is monitoring. I don't think people are trying to see what video is being watched.
NetFlow collector is monitoring.
For example:
@lewis
pfsense has no native way of tracking flows going through the firewall. Most of the heavy lifting will be on you (no turnkey solution here) in standing up a netflow collector and spanning switch ports.
-
Nothing specific then, that's what I was wondering. I do use netflow and check it regularly.
Monitoring DNS would not be useful as servers are connecting all over the place for updates and software they have installed. I was thinking, or wondering, if there were any common things to monitor for. For example, I would like to monitor all outgoing ssh traffic because there should be none whatsoever unless from an admin or two. All other traffic, only netflow can help.
So I guess my question becomes more specific, wanting to monitor all and any outgoing ssh traffic perhaps.
-
@lewis said in Monitoring outgoing traffic:
So I guess my question becomes more specific, wanting to monitor all and any outgoing ssh traffic perhaps.
Several ways to go about it off the top of my head and depends on what you mean by "monitor".
Do you want to get alerted every time there is an outbound ssh connection? Do you want to do some type of reporting where you can view over the last few hours how many outbound ssh sessions there were and to where?
Like I said, there is no turnkey solution on pfsense, so your netflow collector of choice should be able to provide that level of detail and/or reporting for you. There are plenty of commercial solutions to choose from, but if this is for a home lab space then...choices are extremely limited, if any at all.
-
It's for an office where I'm almost sure they aren't as security minded as they state they are.
I just want to monitor/log outgoing ssh connections and their destinations to make sure there isn't anyone already on the network. I do have ntopng installed on this firewall but it might be overkill for what I'm looking for. I'll have to dig into its documentation, though I seem to recall it doesn't do that. I've read I might even be able to create a rule that could log these.
As I said, I just wondered if there might be some thoughts on it and it seems I got them so can move on.
Thanks again.
-
@lewis said in Monitoring outgoing traffic:
I do have ntopng installed on this firewall but it might be overkill for what I'm looking for. I'll have to dig into it's documentation though I seem to recall it doesn't do that.
I absolutely do not recommend ntopng on the firewall for one simple reason: it's useless. The latest community edition of ntopng in FreeBSD is not at all what it used to be. It doesn't track top talkers over time on an interface. It's just live flows, which is just OK if you are tracking something down in real time but absolutely useless if you want to track something like outbound ssh sessions over time. You would need to upgrade to the Pro or Enterprise version, but there is no way to pass the license key into the pfsense ntopng build. There are workarounds though.
If you are logging your firewall rules then have those logs sent to a syslog server such as Graylog. From there you can build a dashboard where you can see over time flows that go out on port 22. That's as good as it's going to get.
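The suggestion above (log the firewall rule, ship the logs to a syslog server, report on port 22 over time) can be checked outside of Graylog with a few lines of parsing, and the same parser answers the earlier question of flagging outbound ssh from anyone who is not one of the "admin or two". The script below is an added example, not code from this thread, from pfSense or from Graylog. It parses pfSense's raw `filterlog` syslog lines (the documented CSV layout: rule, sub-rule, anchor, tracker, interface, reason, action, direction, IP version, then the per-IP-version and per-protocol fields), keeps passed TCP connections to destination port 22, and produces per-hour counts, per-source/destination pair counts, a list of connections from hosts outside a hypothetical admin allowlist, and a count of blocked attempts per source. The log lines are constructed for the example, the allowlist `ADMIN_HOSTS` is an assumption, and since syslog timestamps carry no year the year is supplied as a parameter. Note that a logging rule on the LAN interface records outbound sessions with direction `in` (the packet entered the LAN side), so the filter is on destination port and action rather than on direction; pf logs the first packet of each new state by default, so each matching line is one new session.

```python
import csv
import re
from collections import Counter
from datetime import datetime

# Constructed sample lines in pfSense raw filterlog format (not a real capture).
# IPv4/TCP field order: rule,subrule,anchor,tracker,iface,reason,action,dir,ipver,
# tos,ecn,ttl,id,offset,flags,proto-id,proto,length,src,dst,sport,dport,datalen,
# tcpflags,seq,ack,window,urg,options
SAMPLE_LOG = """\
Mar 10 09:12:40 fw filterlog: 7,,,1000000107,igb1,match,pass,in,4,0x0,,64,40123,0,DF,6,tcp,60,192.168.10.5,203.0.113.20,51234,22,0,S,1234567890,,65535,,mss;sackOK;TS;nop;wscale
Mar 10 09:13:02 fw filterlog: 7,,,1000000107,igb1,match,pass,in,4,0x0,,64,40124,0,DF,6,tcp,60,192.168.10.77,198.51.100.9,45000,22,0,S,2234567890,,65535,,mss;sackOK;TS;nop;wscale
Mar 10 09:40:11 fw filterlog: 7,,,1000000107,igb1,match,pass,in,4,0x0,,64,40125,0,DF,6,tcp,60,192.168.10.77,198.51.100.9,45001,22,0,S,3234567890,,65535,,mss;sackOK;TS;nop;wscale
Mar 10 10:05:33 fw filterlog: 7,,,1000000107,igb1,match,pass,in,4,0x0,,64,40126,0,DF,6,tcp,60,192.168.10.5,203.0.113.20,51300,443,0,S,4234567890,,65535,,mss;sackOK;TS;nop;wscale
Mar 10 10:07:01 fw filterlog: 9,,,1000000109,igb1,match,block,in,4,0x0,,64,40127,0,DF,6,tcp,60,192.168.10.88,192.0.2.44,33000,22,0,S,5234567890,,65535,,mss;sackOK;TS;nop;wscale
Mar 10 10:15:45 fw filterlog: 7,,,1000000107,igb1,match,pass,in,4,0x0,,64,40128,0,,17,udp,78,192.168.10.5,192.168.10.1,53322,53,58
"""

# Hypothetical allowlist: the only hosts expected to open outbound ssh.
ADMIN_HOSTS = {"192.168.10.5"}

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"filterlog(?:\[\d+\])?: (?P<csv>.*)$"
)


def parse_filterlog(line, year=2024):
    """Return a dict for one filterlog line, or None if it is not one.
    year is an assumption: classic syslog timestamps carry no year."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    f = next(csv.reader([m.group("csv")]))  # empty fields are preserved
    if len(f) < 9:
        return None
    ts = datetime.strptime(f"{year} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S")
    rec = {"ts": ts, "rule": f[0], "tracker": f[3], "iface": f[4],
           "action": f[6], "dir": f[7], "ipver": f[8]}
    if f[8] == "4":
        if len(f) < 20:
            return None
        rec.update(proto=f[16], src=f[18], dst=f[19])
        rest = f[20:]
    elif f[8] == "6":  # IPv6: class,flow-label,hop-limit,proto,proto-id,len,src,dst
        if len(f) < 17:
            return None
        rec.update(proto=f[12], src=f[15], dst=f[16])
        rest = f[17:]
    else:
        return None
    if rec["proto"] in ("tcp", "udp") and len(rest) >= 2:
        rec["sport"], rec["dport"] = int(rest[0]), int(rest[1])
        rec["tcpflags"] = rest[3] if rec["proto"] == "tcp" and len(rest) > 3 else ""
    return rec


def ssh_report(lines, admin_hosts, year=2024):
    """Summarise outbound ssh (TCP/22) sessions from filterlog lines."""
    per_hour, per_pair, blocked = Counter(), Counter(), Counter()
    unexpected = []
    for line in lines:
        r = parse_filterlog(line, year)
        if not r or r.get("proto") != "tcp" or r.get("dport") != 22:
            continue
        if r["action"] == "block":
            blocked[r["src"]] += 1       # something tried and the rule stopped it
            continue
        if r["action"] != "pass":
            continue
        per_hour[r["ts"].strftime("%Y-%m-%d %H:00")] += 1
        per_pair[(r["src"], r["dst"])] += 1
        if r["src"] not in admin_hosts:  # ssh from a non-admin host: worth an alert
            unexpected.append((r["ts"].isoformat(), r["src"], r["dst"]))
    return {"per_hour": dict(per_hour), "per_pair": dict(per_pair),
            "blocked": dict(blocked), "unexpected": unexpected}


if __name__ == "__main__":
    report = ssh_report(SAMPLE_LOG.splitlines(), ADMIN_HOSTS)
    for hour, n in sorted(report["per_hour"].items()):
        print(f"{hour}  outbound ssh sessions: {n}")
    for (src, dst), n in sorted(report["per_pair"].items()):
        print(f"  {src} -> {dst}: {n}")
    for ts, src, dst in report["unexpected"]:
        print(f"ALERT {ts} non-admin host {src} opened ssh to {dst}")
    for src, n in report["blocked"].items():
        print(f"BLOCKED {src}: {n} attempt(s) to port 22")
```

Feed it the real log (`clog /var/log/filter.log` on the firewall, or the lines Graylog receives) instead of `SAMPLE_LOG`; a syslog relay with a pid in brackets after `filterlog` is accepted by the regex. The same per-hour and per-pair counts are what the Graylog dashboard would chart.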
-
Yes, it's being used mainly to view flow in real time.
I did come across a rule that would allow logging, so I think I'll do as you suggested. Thanks.
-
@michmoor That's a really nice looking flow chart/graph. Is that something you have as a plugin on pfSense? I've been looking for a way to get that for a long time.
I too agree with your statements on NtopNG being useless for anything other than realtime flows.