Solid monitoring and rule problem finding
-
Hi all,
I've moved from Microsoft's ISA 2004 to pfSense, and I'm loving it. It's solved a host of problems I had. However, there's one thing I haven't found an easy way to do, that's slowing me down a little.
In ISA, there's a great tool to see what traffic is being allowed and blocked; you can watch a specific IP or a specific port (plus various other filters) and see everything that's being allowed, blocked, etc., and what rule is causing it. So far, I've only seen the Firewall Log, which is nowhere near as useful as the feature in ISA.
Is there an addon that can help with this, or should I look at syslogging to another server that could offer me this realtime filtering?
-
Did you try the firewall-log-filter?
-
Do you mean selecting "Show raw filter logs" on the settings page? That doesn't seem much better.
-
I think what trendchiller meant was the:
diagnostic -> states -> upper right corner "Filter"-field
-
correct ;)
-
Yeah, I have seen that, but thanks for reminding me. However, connections that have been refused will not show here, naturally… which is part of the equation.
-
Well, that's correct…
You're right...
-
I'm assuming you must be running 1.0. In 1.2, you can switch the firewall log screen to dynamically refresh using AJAX, and if you hover over a rule it has a pop-up that shows you what rule is responsible for the block/pass. It also lets you pause the dynamic updates. The only major difference between ISA's real-time log display and what pfSense 1.2 will have is the ability to filter the display. That's likely to come in the next version after 1.2.
-
I am using 1.2. I've used the Dynamic refresh, but I don't find it actually refreshed properly. If I hit F5, I get a whole lot more all of a sudden.
But… with the ability to filter by hosts and ports, and a better refresh... that tool would be great :) Thanks.
-
The dynamic refresh might not work quite right just yet. I'll take a closer look at it.