Enterprise style Central Management Interface - {Now $1900}
-
Anyway all that staff for such thing is overkill/overengineer. Using mysql/SOAP/and all that staff seems too much for a thing that has already been done in php.
-
Yes but when you have to manage 100+ pfsense boxes you have to have something you can rely on… modularity, scalability and so on.
So, If I have to do something, I will start to think about the "ideal" design. -
Hi Juve,
So are you saying this might be a bounty you would take on? Honestly I am unfamiliar with the scope of a project like this is and if it would be an easy thing to do or a very difficult. I don't understand the underlying aspects of pfsense. Not a programmer. 100+ pfsense boxes? That is alot.
Mark
-
It is something I would like to do, but I'm afraid I can't get enough time to make it good (I'm already busy at 110%, you know what it is, in IT services you have to do twice the job you are asked to.. for the samed price of course).
I don't want to tell you I'm going to make it and then let you wait for 10 months… this is a disrespect. I'm not either looking for money, I if do it will be for free and for the community, money should go to pfsense coders like scott,hoba,cmd etc.
I have already 30+ boxes to manage and plan to have some more ;-). That 's why I'm replying here, which is perhaps a mistake and should go onto General discussion thread since I'm note willing to take on that bounty "as" a bounty.
I'll try to get on IRC soon to discuss about that kind of central management area, and then perhaps make a team to build something "useful" ;) -
Here is a neat example from watchguard. http://www.watchguard.com/products/wsm.asp At least it is a visual of what I am looking for.
Except their product is $6000 just to manage 50 clients…not too mention the cost of the box needed!
-
http://www.astaro.com/our_products/astaro_command_center might be worth a look as well. There is a livedemo on their site as well.
-
Ok guys, Im a pfSense developer. Ive been looking into this feasibility while also working on a similiar concept. Ive got time to invest so can we compile a list of specific features youd like so I can review everyones needs.
-
Hi Hoba,
That product looks like a replacement for pfSense. Not something which would let me manage multiple units from one location.
Hi Dingo,
Great to hear that!!!! I have to go to work but I will respond in a little while. Thank you for taking interest in this bounty.
Mark
-
That product looks like a replacement for pfSense. Not something which would let me manage multiple units from one location.
Astaro is a linux based firewalldistribution, that's right but they offer a commandcenter that you can control multiple astaro units with. I didn't say switch to astaro, I just said if something like that has to be developed for pfSense it can't hurt to have a look at similiar existing products. It's the same like the watchguard controlcenter that was psoted here. Watchguard is a replacement for pfSense as well.
-
Hi Hoba,
ok…so you meant as an example. Thanks for the suggestion. I appreciate any help. Sorry for the misunderstanding.
-
Just a thought real quick….Curious how this will be applied to pfsense. As part of the system? Separate product entirely? As a plugin?
Thanks,
Mark
-
The best way would be for it being available as a package running in a jail with the option to disable all the GUI at the other, controlled, hosts. Since it is not needed on them.
Just my 2c
-
Considering that 1.3 will offer the ability to run pfSense as an appliance (single NIC) I would think that making this a package that could be installed on a pfSense appliance would make the most sense. I certainly wouldn't want something this powerful sitting on my edge firewall where someone might get a hold of it.
-
@submicron:
Considering that 1.3 will offer the ability to run pfSense as an appliance (single NIC) I would think that making this a package that could be installed on a pfSense appliance would make the most sense.
I was thinking the same exact thing. A package to run on the new appliance would be perfect when its available. Until that time a standalone version that can run on its own would be good so we can get started now.
I've now downloaded the m0n0wall-cmi code from http://m0n0wall-cmi.sourceforge.net/. I don't think there would be any reason to start over. We should leverage the 3 months of full time coding that was spent to create it. In fact it would be great to maintain that packages ability to manage m0n0wall and extend it to also manage PFSense. By doing this we should be able to leverage a larger audience of users and developers to improve it from both m0n0wall and PFSense. Since PFSense was based on m0n0wall that should give us a nice jump start.
-
Here are my requirements for the bounty:
1. Manage all aspects of each pfSense firewall from central location (Like m0n0wall CMI).
2. A heads up of all pfsense systems with green light if able to communicate/Red if not with central management device.
Possibly in a tree like format where the icon would turn red or a list format.
Red would be based on rules..ie connection from CMI down, CPU high, low memory, point to point tunnel down, unusually high traffic for entended period of time based on rules.
3. Email notification (SMS notification if possible) when a rule has either a threshold passed or unable to perform the task requested in the rule..ie Ping
Email notification….via smtp with potential username/password
4.Connection from CMI to remote systems must be secure (Probably doesn't need to be mentioned but....)
5. Ability to schedule automatic backups and perform manual backups. Possibly better than automatic is have the system check the file and if it is newer to back it up.
6. Have RRD graphs available for connections from CMI to remote locations.
6. Logging of system to a web based log like in pfSense with ability to filter based on firewall and type of events and export. (I really like the idea of going to one location for all information rather than having to constantly switch)
7. Ability to send log info to syslog for further diagnosis.
8. I would like the install to be as simple as installing pfSense itself or adding a plugin.
9. I really think a one stop shop solution would be best (All services provided within the same box) since this unit will not be acting as a firewall. Prefered but not required.
10. Would be great but not required is mobileweb..ie Iphone or PocketPC web like interface for remote management via Phone.Please excuse me if my list is not realistic. Any suggestions or comments would be much appreciated.
Thanks,
Mark
-
Hi ermal,
What if the CMI console was unable to access the local pfSense. Would that prevent someone from accessing it locally if they had to?
Mark
-
My implementation does not run on pfSense. It is a standalone application to manage infrastructure. it should not be run physically on the pfSense firewall itself, but yes could probably be turned into a "application". CMI is a good start but Im going way further down the road then CMI has gone so far.
-
Just as a suggestion I have used Checkpoint firewall in the past and the way they have done it is:
The main firewall holds all the settings
Then the remote firewalls have their info pushed out to themBut to manage all of this there is an exe application that connects to the main firewall. All the config and rules you create you then select what firewall these rules apply to. After you hit save it prompts what firewalls to update after hit ok and it rolls out.
This thing I did like about the Checkpoints is that they had a drag and drop firewall creation in the app which did speed things up.
If any screen shots are helpfull I can post.
-
I see one issue with this bounty and probably similar to others is if it were to be completed, it would probably require tremendous maintenance since anytime items might be changed or added into pfSense they would have to be updated in this solution. And due to the fact that people would become heavily dependent on this interface it would probably need to be either updated or patched with each release. That may or may not require support from the core pfSense team. This solution might be easier if we were to use 1.3 as an appliance because (Correct me if I am wrong) anything that were accessible via the pfSense gui would be fairly easy to add to this appliance since its guts would be fairly similar or how a call is made would be similar when making a request via the web interface. (Correct me if I am wrong please). My concern about this solution being a separate application, ie…not built similarly to the existing pfSense is it would make it very time consuming to update and might decrease the amount of people who could work on it or that would be willing to support updating it. Dingo, You mentioned that with your solution you would be looking far past what the m0n0wall-CMI is capable of doing or what it could do. My question is does your solution have the possibility to eliminate the desire of other to be willing to contribute time to this solution? I am not a programmer and could be completely off track, and if so would be more than happy to be corrected. Maybe explaining more about how your solution would work would be a good idea.
Thanks,
Mark
-
My solution takes into account future growth, it accomodates data structures based on the xml config file
by dynamically loading data, and parsing it for variables. Though i am not conceptually happy with the way mono
interacts with its hosts via backup/restore, I believe a SSL pipe for communication of XML data is a more likely solution
the system would have to be keep in sync with pfSense releases, or automated enough to update itself when new
releases came out. It must also understand packages installed, and hopefully be capable enough to also configure them.
it will be syslog capable. so all your logs are belong to us…. it should also be portal capable of digging into host rrd traffic
graphs also, something i need to research more deeply. I also belive at some time managed firewalls should be webless,
meaning no http running. now all this requires some interaction with the developer team and buy in from the design perspective.
they should also be monitorable, and you should be able to mass depoly templates to all managed systems in emergencys
like new firewall rules, or config data to mass update all systems. I am of the old school where i belive in the minimal processes should
be running or installed on a firewall. Though we all have our needs. This will be a centralized system, though it might be designed to run
on a pfSense appliance as a base