suricata sync
-
Hi, I have two pfSenses with HA, configured on the master so that Suricata syncs to the backup server. Is it possible to configure the backup server to sync with the master? In pfSense it is said that this causes a loop. I'd appreciate guidance on how to configure it, if it is possible.
Thank you
-
If I'm understanding your question properly, "no" you can't have master sync with backup and backup sync with master as that will produce a loop. Typically the SYNC tab in Suricata expects a single "master" to send its configuration to multiple "slaves". One hard requirement is that the "slaves" have identical hardware (NICs for sure) and the interfaces are configured exactly the same (meaning if LAN is on NIC em1 in the master, it must also be on em1 in all the slaves, etc.). The sync process literally copies the entire XML config section for Suricata from the config.xml of the master to the config.xml of all the slaves. Thus the destination targets will be exact clones of the master. That's why the hardware configurations must be identical on the master and all the slaves.
-
@bmeeks Thank you
-
@bmeeks said in suricata sync:
interfaces are configured exactly the same (meaning if LAN is on NIC em1 in the master, it must also be on em1 in all the slaves, etc.).
Just to clarify, is this a Suricata limitation? It used to be a limitation for pfSense HA state sync but that was removed a few versions back. I took a quick look and our config binds to "<interface>lan</interface>" not "igc0."
-
@SteveITS said in suricata sync:
@bmeeks said in suricata sync:
interfaces are configured exactly the same (meaning if LAN is on NIC em1 in the master, it must also be on em1 in all the slaves, etc.).
Just to clarify, is this a Suricata limitation? It used to be a limitation for pfSense HA state sync but that was removed a few versions back. I took a quick look and our config binds to "<interface>lan</interface>" not "igc0."
Yes, it is a Suricata limitation because the physical interface names are part of the logging and configuration paths. If those do not match precisely, the configuration will break.
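A pre-sync check illustrating the point above, added here and not part of the thread or of the pfSense/Suricata packages: it reads the logical-to-physical NIC mapping from each box's config.xml and flags any Suricata interface whose physical NIC differs on the backup. The XML layout (`<interfaces><lan><if>`, `<installedpackages><suricata><rule><interface>`) and the sample configs are assumptions constructed for the example.

```python
"""Check that every interface Suricata runs on maps to the same physical NIC on
master and backup, since sync clones the master's Suricata section verbatim and
the physical NIC name is embedded in the resulting config/log paths.
Added example, not pfSense or Suricata package code."""
import xml.etree.ElementTree as ET

# Constructed sample configs (assumed layout, trimmed to the relevant elements).
MASTER_XML = """<pfsense>
  <interfaces>
    <wan><if>em0</if></wan>
    <lan><if>em1</if></lan>
    <opt1><if>em2</if><descr>OPT1_MGMT</descr></opt1>
  </interfaces>
  <installedpackages><suricata>
    <rule><interface>lan</interface><descr>LAN</descr></rule>
    <rule><interface>opt1</interface><descr>OPT1_MGMT</descr></rule>
  </suricata></installedpackages>
</pfsense>"""

BACKUP_XML = """<pfsense>
  <interfaces>
    <wan><if>igc0</if></wan>
    <lan><if>igc1</if></lan>
    <opt1><if>em2</if></opt1>
  </interfaces>
</pfsense>"""


def physical_map(config_xml):
    """Return {logical name: physical NIC} from the <interfaces> section."""
    root = ET.fromstring(config_xml)
    return {iface.tag: iface.findtext("if", "") for iface in root.find("interfaces")}


def suricata_interfaces(config_xml):
    """Logical interface names the master's Suricata instances are bound to."""
    root = ET.fromstring(config_xml)
    return [r.findtext("interface") for r in root.iterfind("installedpackages/suricata/rule")]


def sync_mismatches(master_xml, backup_xml):
    """Return (logical, master_nic, backup_nic) for every Suricata interface whose
    physical NIC differs; an empty list means the cloned config will fit the backup."""
    m_map, b_map = physical_map(master_xml), physical_map(backup_xml)
    return [(lg, m_map.get(lg), b_map.get(lg))
            for lg in suricata_interfaces(master_xml) if m_map.get(lg) != b_map.get(lg)]


if __name__ == "__main__":
    for logical, m_nic, b_nic in sync_mismatches(MASTER_XML, BACKUP_XML):
        print(f"{logical}: master uses {m_nic}, backup uses {b_nic!r}; sync would break this instance")
```

Run it against a real pair of config.xml exports before enabling the SYNC tab; only `opt1` passes here because both boxes put it on em2.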
-
@bmeeks OK thanks, glad I asked. The one time we've replaced an HA setup we opted to replace both routers so it didn't break, but I guess that was a lucky choice. And we didn't notice anything not working while a temp router was in use for a week.
Is it possible for it to be modified at some point to use the logical/internal interface names so it's more flexible like HA? (opt1, not OPT1_MGMT or whatever the admin types in as a display name)
(sorry to hijack the thread, we can break this out if desired...)
-
@SteveITS said in suricata sync:
Is it possible for it to be modified at some point to use the logical/internal interface names so it's more flexible like HA? (opt1, not OPT1_MGMT or whatever the admin types in as a display name)
Possible -- yes.
Wise -- not really.
It's a paradigm breaking change in both packages. Everything related to the uniqueness of interfaces is prefaced off the physical NIC name (plus the VLAN number suffix if present). For a greenfield install it would be no problem (once all the code was changed and tested). But for existing installs just updating, the chance of totally breaking the configuration is very high. Directories would have to be renamed and config.xml paths changed. The only way that could ever work because of the way PHP caches source files is the user would have to totally remove the package, then install it again so the conversion code could run with a guaranteed-updated suricata.inc common functions include file. All in all a lot of work for very limited gain (would help only a tiny handful of users, but could potentially break everyone's configuration during migration to that version).
-
@bmeeks I created a new thread: https://forum.netgate.com/topic/185153/suricata-interfaces-on-ha-setup-need-to-be-identical