Synchronizing
-
Hey,
we have multiple sites in operation, each with a PFSense.
I have a central firewall-rule-list, who is allowed to speak with whom, no matter what the source and destination are,
and I want to put all these rules on every internal interface on every PFSense automatically.
Most of the rules won't apply, as the source doesn't fit the interface's VLAN, but with this automation I would only need to maintain one list, instead of all firewalls on all sites.
Is there any option or possibility to achieve this in PF? Thanks a lot, guys!
-
@itBJA I expect not… HA sync might be closest, but AFAIK it requires the other firewall(s) to have all the same interfaces. Nexus exists but I haven't seen anything about common rules. One can restore sections of a config file, maybe that will work as a rule import?
-
I tried it with the aliases first, but forgot that there are port aliases also and I killed my other PF... lol
The problem is that when backing up and restoring rules, this also applies to the WAN interface.
So this is a showstopper, as all rules are overwritten and I can't restore only the internal interfaces.
We implement microsegmentation on the clients and servers, so I will have to maintain all rules on every firewall and also in the MS-rules, which is a huge effort.
I was hoping to find something I can program and maintain centrally. HA is only per site, as the FW states are synchronized.
-
@itBJA "Synchronize states" is a checkbox. One can also choose to sync rules and not aliases. It would presumably break if any firewalls had an extra or missing interface. And you'd probably have to daisy chain 1->2->3->etc. Overall pfSense wasn't designed to work this way, so you'd be fighting it.
MS-rules being Windows? That at least should be possible via group policy for AD environments.
-
Hi,
Microsegmentation is done with Enginsight over all clients and servers, no matter which OS.
I'm trying myself to find a solution.
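One way to script the central-list merge discussed in this thread, as an added example that is neither from the posts above nor pfSense's own code: it rewrites only the rules it tagged itself in a config.xml `<filter>` section, so the WAN rules that a partial restore overwrote are left untouched. The `<filter>`/`<rule>` layout, the `[central]` description prefix, the interface names and the sample rules are assumptions; check them against your own config.xml before using the output as a restore section.

```python
"""Merge a central rule list into a pfSense-style config.xml <filter> section.

Constructed example, not pfSense code. Assumed layout:
<pfsense><filter><rule>...</rule></filter></pfsense>. Rules written by this
script carry a descr prefix so a later run replaces exactly those rules and
leaves every hand-made rule (WAN included) alone."""
import xml.etree.ElementTree as ET

TAG = "[central] "  # assumed marker for rules owned by the central list

# Constructed central list: (protocol, source, destination, port, description).
CENTRAL_RULES = [
    ("tcp", "10.10.0.0/24", "10.20.0.5", "443", "clients -> web"),
    ("tcp", "10.10.0.0/24", "10.20.0.7", "3389", "clients -> rdp"),
]

def build_rule(iface, proto, src, dst, port, descr):
    """Build one pass rule on `iface` in the assumed config.xml element layout."""
    rule = ET.Element("rule")
    for name, text in (("type", "pass"), ("interface", iface), ("ipprotocol", "inet"),
                       ("statetype", "keep state"), ("protocol", proto)):
        ET.SubElement(rule, name).text = text
    ET.SubElement(ET.SubElement(rule, "source"), "address").text = src
    dest = ET.SubElement(rule, "destination")
    ET.SubElement(dest, "address").text = dst
    ET.SubElement(dest, "port").text = port
    ET.SubElement(rule, "descr").text = TAG + descr
    return rule

def merge(config_xml, internal_ifaces, rules=CENTRAL_RULES):
    """Replace previously merged rules, then append the central list per internal interface."""
    root = ET.fromstring(config_xml)
    filt = root.find("filter")
    for rule in list(filt.findall("rule")):  # copy: we mutate while iterating
        if (rule.findtext("descr") or "").startswith(TAG):
            filt.remove(rule)
    # Appending keeps existing rules first in pfSense's top-down evaluation order.
    for iface in internal_ifaces:
        for spec in rules:
            filt.append(build_rule(iface, *spec))
    return ET.tostring(root, encoding="unicode")

def rule_summary(config_xml):
    """(interface, descr) for each rule, in order; handy for checking the result."""
    root = ET.fromstring(config_xml)
    return [(r.findtext("interface"), r.findtext("descr")) for r in root.find("filter").findall("rule")]

SAMPLE_CONFIG = """<pfsense><filter>
<rule><type>pass</type><interface>wan</interface><ipprotocol>inet</ipprotocol><protocol>tcp</protocol>
<source><any></any></source><destination><address>10.0.0.1</address><port>1194</port></destination>
<descr>WAN: keep me</descr></rule>
<rule><type>pass</type><interface>opt1</interface><descr>[central] stale</descr></rule>
</filter></pfsense>"""  # constructed sample: one WAN rule plus one stale merged rule

if __name__ == "__main__":
    for iface, descr in rule_summary(merge(SAMPLE_CONFIG, ["lan", "opt1"])):
        print(iface, descr)
```

Running it twice on the same file yields the same rule set, so the script can be re-run from the central list whenever it changes.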