Enterprise style Central Management Interface - {Now $1900}

  • I would like to see a solution for pfsense similar to what is available for m0n0wall.  See:  http://m0n0wall-cmi.sourceforge.net/.  I would like to be able to securely, maybe via SSH, manage all of my pfsense firewalls from one central device.  I am hoping it will be easy to port over to pfsense since there are similarities between the 2 products.  I would also like the ability in the product to have the device automatically perform a backup of the remote firewall's config if it checks and can see a change was made to the config.  Ability to automatically ping and email if a firewall is not available for some reason.  IMHO this type of solution would really be an incredible addition.

    So to be exact I would like the following features:

    1. Manage all aspects of each pfsense firewall from central location (Like m0n0wall).
    2. A heads up of all pfsense with green light if able to communicate with central management device, and system health.  (Version running not necessary but would be nice.)  If unable to communicate send email alert via smtp.
    (This might be done by pinging the interface either internally or externally.  See 3 for options.)
    3.  Secured access via VPN or SSH.
    4. Ability to automatically create backups of each firewall automatically or when a change is noticed by the device.  With ability to limit number of backups to a specific amount so they start to drop off to conserve space.
    5. Web Log file with snmp capability.

    Hope others will find this to be a great addition and jump on board and add more to the bounty.



  • I would also love to see something like this for pfSense. I can add $200 to the bounty. If there is sufficient interest here, someone should get in contact with the author of m0n0wall-cmi to see if it is something he would be interested in undertaking.

  • Hi,

    I'm the author of m0n0wall-cmi.

    m0n0wall-CMI was first developed inside the firm I was working for. Now I've left this firm to start freelance activities and I will just have some time to update and maintain the original project…

    Although, this bounty should not take that much work IMHO. I don't know that much about pfsense but AFAIK, it is also managed with an XML system. m0n0wall-CMI is developed in an object-oriented way and could easily be used to manage some pfsense boxes. On the other hand, it has taken 3 months of active development (almost a full-time job) and is not yet completed. I also have a huge TODO list for this project...

    I can't say yet if I could manage to get this port done in the near future, even if, when I started developing this project, making it compatible with pfsense was in my mind. What I can say is that if someone is willing to help me in this development and knows PHP5 OO well, I'm willing to provide base work, help and even integrate the work into m0n0wall-cmi itself to have it managing multiple firewalls :)

    I will check this forum for update of this bounty and see if it has a lot of interest... then I'll maybe reconsider the time I have to give to this :)

    Anyway, thanks to Mark for having forwarded me this post..


    Gouverneur Thomas

  • I am adding another $300 to the bounty.

  • I'm also interested in the Central Management Interface for PFSense. I will add another $100.00 to the bounty perhaps more in the future.

    I would like to offer help as well. First thing I'm interested in is to add support for PHP PDO. This would make it easy to offer other database support such as SQLite, PostgreSQL, ODBC, and more.

  • I'am nothing contribute to this bounty, because for me it is not earnest
    Best Regards

  • @heiko:

    I'am nothing contribute to this bounty, because for me it is not earnest
    Best Regards

    I have great respect for heiko you have sponsored some great features for PFSense. I don't understand your comment?

    The Central Management in my mind is to create one place that centralizes the backup and restore, and can monitor the devices being managed. This looks like it can do more than that with m0n0wall right now. My goal in supporting this would not be in any way to replace the local interface in anyway but rather to  ease the management of larger deployments.

    Please take no offense I hold you in high regard as well as all those that are helping with the PFSense project.

    Best Regards

  • I think perhaps it is a language issue. I think he may have meant 'interest'  (as in he has no interest in this bounty) and not that the bounty was not earnest.


    1. serious in intention, purpose, or effort; sincerely zealous: an earnest worker.
    2. showing depth and sincerity of feeling: earnest words; an earnest entreaty.
    3. seriously important; demanding or receiving serious attention.
    4. full seriousness, as of intention or purpose: to speak in earnest.

  • Maybe he meant it is not something he needs at this moment.  He is responding to a message I sent him to see if he might be interested in joining in on the bounty.  I tend to agree that it is just a language thing.


  • @kapara:

    He is responding to a message I sent him to see if he might be interested in joining in on the bounty.

    Now it makes more sense. Thanks for clarifying.

  • Heiko is a great supporter of the project, this was really just some translation problem here. I have already known him for a long time.

  • Sorry, sorry for the misunderstanding of my posting, it is not an offense from me. I have great respect for all of the folks here that support pfsense.
    As a matter of course I wish that this bounty will succeed...

    But for me, at the moment I will not contribute money to this bounty, so for this thread I'm sitting on the sidelines...

    Once more, sorry for misunderstanding.

    Good luck, I wish you success!


  • I had started something like this in .NET, with a Windows-based interface. With failover notification, automatic backups with SQL storage, SSO to every pfsense.
    My wish was to rebuild the object model of pfsense configuration in .NET and then manage to build configuration files (rules, alias…) then send them to each box.
    The best (I suppose) would be to use XML-RPC calls to every box but I have not yet tested it.

    SSO was easy to make with form-based development, I do not know how to handle it with web development... forged POST as link perhaps...
    Was also thinking about using mod_proxy/mod_rewrite of Apache to "reverse proxyfie" access to each box, using some wget scripts to centralize graphs... many ideas... who wants to talk about it :-p IRC ?

    I am going to (re)work on this soon, I will think about it for real ;-)

  • Was also thinking about using mod_proxy/mod_rewrite of Apache to "reverse proxyfie" access to each box, using some wget scripts to centralize graphs... many ideas... who wants to talk about it :-p IRC ?

    take a look at syweb/symon/symux it does that for you.

  • Any solution which would be used should only use open source software.  Going to a proprietary paid solution, i.e. SQL, would turn away many people from using and/or joining into this solution.  If you are talking about an open source form of SQL like MySQL then I stand corrected.



  • I am also scratching my head at why there has not been more interest in this bounty.  I would think there are more than just one or two people who have pfsense deployed in multiple locations or use them as a managed service to multiple customers.  Maybe people are using other third party solutions which allow them to do this.  In any case I think this would be very beneficial and open this product up to a more enterprise type environment because having to manage each one separately or getting detailed status information or reporting from each one would be time consuming.  Just my 2 cents...


  • I'm adding a requirement to the amount I committed to in this bounty.

    Central Management needs to be developed in PHP.

    1. PFSense's web interface is written in PHP.
    2. PHP is Multi-platform capable on nearly every OS imaginable.
    3. It would require a smaller learning curve for development if it did not require knowledge of two languages to handle modifications to PFSense and the Central Management.
    4. I want to reduce my dependency on Microsoft.

    I'm not opposed to there being a .Net option. I also applaud your effort in building it. I just don't want it to be the only option.

    P.S. I know several languages including both PHP and C#.

  • @Juve:

    I had started something like this in .NET, windows based interface….

    Alright Juve, time to take down that BSD avatar :)

  • Like I said "I had started"… which means I stopped it (more than one year ago).


    I was thinking about MySQL + PHP and/or Mono (I like C#). I see two sides, the frontend which would be in PHP (easy to code and fast), and the backend which would be more sophisticated with multithreading capabilities, plugin (monitoring sensors/actions) interface with hot loading/unloading using reflection, storage using MySQL, configuration using XML. Link between front and back using webservice (SOAP) in order to split roles...

    Scott, I was asked to do it windows based ;-)

  • Anyway all that stuff for such a thing is overkill/overengineered. Using mysql/SOAP/and all that stuff seems too much for a thing that has already been done in php.

  • Yes but when you have to manage 100+ pfsense boxes you have to have something you can rely on… modularity, scalability and so on.
    So, If I have to do something, I will start to think about the "ideal" design.

  • Hi Juve,

    So are you saying this might be a bounty you would take on?  Honestly I am unfamiliar with what the scope of a project like this is and if it would be an easy thing to do or a very difficult one.  I don't understand the underlying aspects of pfsense.  Not a programmer. 100+ pfsense boxes?  That is a lot.


  • It is something I would like to do, but I'm afraid I can't get enough time to make it good (I'm already busy at 110%, you know what it is, in IT services you have to do twice the job you are asked to... for the same price of course).
    I don't want to tell you I'm going to make it and then let you wait for 10 months… this is a disrespect. I'm not looking for money either, if I do it, it will be for free and for the community, money should go to pfsense coders like scott, hoba, cmd etc.
    I already have 30+ boxes to manage and plan to have some more ;-). That's why I'm replying here, which is perhaps a mistake and should go onto the General discussion thread since I'm not willing to take on that bounty "as" a bounty.
    I'll try to get on IRC soon to discuss that kind of central management area, and then perhaps make a team to build something "useful"  ;)

  • Here is a neat example from watchguard.  http://www.watchguard.com/products/wsm.asp  At least it is a visual of what I am looking for.

    Except their product is $6000 just to manage 50 clients… not to mention the cost of the box needed!

  • http://www.astaro.com/our_products/astaro_command_center might be worth a look as well. There is a livedemo on their site as well.

  • Ok guys, I'm a pfSense developer. I've been looking into this feasibility while also working on a similar concept. I've got time to invest so can we compile a list of specific features you'd like so I can review everyone's needs.

  • Hi Hoba,

    That product looks like a replacement for pfSense.  Not something which would let me manage multiple units from one location.

    Hi Dingo,

    Great to hear that!!!!  I have to go to work but I will respond in a little while.  Thank you for taking interest in this bounty.


  • @kapara:

    That product looks like a replacement for pfSense.  Not something which would let me manage multiple units from one location.

    Astaro is a linux based firewall distribution, that's right, but they offer a command center that you can control multiple astaro units with. I didn't say switch to astaro, I just said if something like that has to be developed for pfSense it can't hurt to have a look at similar existing products. It's the same as the watchguard control center that was posted here. Watchguard is a replacement for pfSense as well.

  • Hi Hoba,

    ok…so you meant as an example.  Thanks for the suggestion.  I appreciate any help.  Sorry for the misunderstanding.

  • Just a thought real quick….Curious how this will be applied to pfsense.  As part of the system?  Separate product entirely?  As a plugin?



  • The best way would be for it being available as a package running in a jail with the option to disable all the GUI at the other, controlled, hosts. Since it is not needed on them.

    Just my 2c

  • Considering that 1.3 will offer the ability to run pfSense as an appliance (single NIC) I would think that making this a package that could be installed on a pfSense appliance would make the most sense.  I certainly wouldn't want something this powerful sitting on my edge firewall where someone might get a hold of it.

  • @submicron:

    Considering that 1.3 will offer the ability to run pfSense as an appliance (single NIC) I would think that making this a package that could be installed on a pfSense appliance would make the most sense.

    I was thinking the same exact thing. A package to run on the new appliance would be perfect when it's available. Until that time a standalone version that can run on its own would be good so we can get started now.

    I've now downloaded the m0n0wall-cmi code from http://m0n0wall-cmi.sourceforge.net/. I don't think there would be any reason to start over. We should leverage the 3 months of full time coding that was spent to create it. In fact it would be great to maintain that package's ability to manage m0n0wall and extend it to also manage PFSense. By doing this we should be able to leverage a larger audience of users and developers to improve it from both m0n0wall and PFSense. Since PFSense was based on m0n0wall that should give us a nice jump start.

  • Here are my requirements for the bounty:

    1. Manage all aspects of each pfSense firewall from central location (Like m0n0wall CMI).
    2. A heads up of all pfsense systems with green light if able to communicate/Red if not with central management device.
        Possibly in a tree like format where the icon would turn red or a list format.
        Red would be based on rules, i.e. connection from CMI down, CPU high, low memory, point to point tunnel down, unusually high traffic for an extended period of time based on rules.
    3. Email notification (SMS notification if possible) when a rule has either a threshold passed or is unable to perform the task requested in the rule, i.e. Ping
        Email notification… via smtp with potential username/password
    4. Connection from CMI to remote systems must be secure (Probably doesn't need to be mentioned but....)
    5. Ability to schedule automatic backups and perform manual backups.  Possibly better than automatic is have the system check the file and if it is newer to back it up.
    6. Have RRD graphs available for connections from CMI to remote locations.
    6.  Logging of system to a web based log like in pfSense with ability to filter based on firewall and type of events and export.  (I really like the idea of going to one location for all information rather than having to constantly switch)
    7. Ability to send log info to syslog for further diagnosis.
    8. I would like the install to be as simple as installing pfSense itself or adding a plugin.
    9.  I really think a one stop shop solution would be best (All services provided within the same box) since this unit will not be acting as a firewall. Preferred but not required.
    10.  Would be great but not required is mobile web, i.e. iPhone or PocketPC web-like interface for remote management via phone.

    Please excuse me if my list is not realistic.  Any suggestions or comments would be much appreciated.
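
The backup behaviour requested in the lists above (save a firewall's config only when it has changed, and keep a limited number of copies) can be implemented along these lines. This is an added example, not code from m0n0wall-CMI, pfSense or any poster in this thread; `store_if_changed`, the directory layout and the sample configs are assumptions, and fetching `config.xml` from the firewall over the secured channel is left to the caller.

```python
import hashlib
import os
import re
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Host names become directory names, so reject anything that could
# escape the backup store (path separators, "..", leading dots).
HOST_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]*")


def store_if_changed(store, host, config, keep=5, now=None):
    """Save `config` (bytes) for `host` unless it equals the newest copy.

    Returns the new backup's Path, or None when nothing changed.
    At most `keep` backups per host are retained; the oldest drop off.
    """
    if not HOST_RE.fullmatch(host):
        raise ValueError(f"unsafe host name: {host!r}")
    if keep < 1:
        raise ValueError("keep must be at least 1")

    # config.xml carries password hashes and VPN keys: owner-only access.
    host_dir = Path(store) / host
    host_dir.mkdir(mode=0o700, parents=True, exist_ok=True)

    # Names start with a zero-padded sequence number, so a plain sort
    # is oldest-to-newest even if two backups share a timestamp.
    backups = sorted(host_dir.glob("config-*.xml"))
    new_hash = hashlib.sha256(config).digest()
    if backups and hashlib.sha256(backups[-1].read_bytes()).digest() == new_hash:
        return None

    seq = int(backups[-1].name.split("-")[1]) + 1 if backups else 1
    stamp = (now or datetime.now(timezone.utc)).strftime("%Y%m%dT%H%M%SZ")
    path = host_dir / f"config-{seq:08d}-{stamp}.xml"
    # O_EXCL: never overwrite an existing backup; 0o600: owner-only file.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(config)

    # Retention: drop the oldest copies beyond `keep` (counting the new one).
    for old in backups[: max(0, len(backups) + 1 - keep)]:
        old.unlink()
    return path


def demo():
    """Four polls of one firewall with retention of 2 (constructed data)."""
    v1 = b"<pfsense><version>1</version></pfsense>"  # constructed samples,
    v2 = b"<pfsense><version>2</version></pfsense>"  # not real configs
    v3 = b"<pfsense><version>3</version></pfsense>"
    with tempfile.TemporaryDirectory() as store:
        saved = [store_if_changed(store, "fw-branch1", c, keep=2) is not None
                 for c in (v1, v1, v2, v3)]
        kept = sorted(p.name[:15] for p in (Path(store) / "fw-branch1").iterdir())
    return saved, kept


if __name__ == "__main__":
    print(demo())
```
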



  • Hi ermal,

    What if the CMI console was unable to access the local pfSense?  Would that prevent someone from accessing it locally if they had to?


  • My implementation does not run on pfSense. It is a standalone application to manage infrastructure. It should not be run physically on the pfSense firewall itself, but yes, it could probably be turned into an "application". CMI is a good start but I'm going way further down the road than CMI has gone so far.

  • Just as a suggestion I have used Checkpoint firewall in the past and the way they have done it is:

    The main firewall holds all the settings
    Then the remote firewalls have their info pushed out to them

    But to manage all of this there is an exe application that connects to the main firewall. All the config and rules you create you then select what firewall these rules apply to. After you hit save it prompts what firewalls to update after hit ok and it rolls out.

    This thing I did like about the Checkpoints is that they had a drag and drop firewall creation in the app which did speed things up.

    If any screen shots are helpful I can post.

  • I see one issue with this bounty and probably similar to others is if it were to be completed, it would probably require tremendous maintenance since anytime items might be changed or added into pfSense they would have to be updated in this solution.  And due to the fact that people would become heavily dependent on this interface it would probably need to be either updated or patched with each release.  That may or may not require support from the core pfSense team.  This solution might be easier if we were to use 1.3 as an appliance because (Correct me if I am wrong) anything that were accessible via the pfSense gui would be fairly easy to add to this appliance since its guts would be fairly similar or how a call is made would be similar when making a request via the web interface. (Correct me if I am wrong please). My concern about this solution being a separate application, i.e. not built similarly to the existing pfSense, is it would make it very time consuming to update and might decrease the amount of people who could work on it or that would be willing to support updating it.  Dingo, you mentioned that with your solution you would be looking far past what the m0n0wall-CMI is capable of doing or what it could do.  My question is does your solution have the possibility to eliminate the desire of others to be willing to contribute time to this solution?  I am not a programmer and could be completely off track, and if so would be more than happy to be corrected.  Maybe explaining more about how your solution would work would be a good idea.



  • My solution takes into account future growth, it accommodates data structures based on the xml config file by dynamically loading data, and parsing it for variables. Though I am not conceptually happy with the way mono interacts with its hosts via backup/restore, I believe an SSL pipe for communication of XML data is a more likely solution. The system would have to be kept in sync with pfSense releases, or automated enough to update itself when new releases came out. It must also understand packages installed, and hopefully be capable enough to also configure them. It will be syslog capable, so all your logs are belong to us… It should also be portal capable of digging into host rrd traffic graphs, something I need to research more deeply. I also believe at some time managed firewalls should be webless, meaning no http running. Now all this requires some interaction with the developer team and buy-in from the design perspective. They should also be monitorable, and you should be able to mass deploy templates to all managed systems in emergencies, like new firewall rules, or config data to mass update all systems. I am of the old school where I believe the minimal processes should be running or installed on a firewall. Though we all have our needs. This will be a centralized system, though it might be designed to run on a pfSense appliance as a base.

  • Just one suggestion, if any of you are going to make an "application/binary" instead of web based for this, please make it OS-independent. Not everyone uses windows or even has a legal windows license.

    I would prefer a GTK/QT based app, as it can run on most systems, but overall I would prefer it to be web based with a lot of ajax.

    I might chip in some money for this if it looks good enough feature-wise.

