If you have a lot of surplus energy, there’s a clear path to doing this:
There’s a SNMP Subagent + MIB for the pf firewall on OpenBSD.
Many years ago I tested it on FreeBSD and it worked fine.
If that is still the case, it’ll be rather easy to port it over to pfSense.
Then you have SNMP counters for the firewall rules, and can write checks against/for that.
Alternatively, don’t forget that it can send syslog notifications for firewall events. Those can be sent to the Event Console or other things. (Just make sure you don’t log those syslog messages.)
You’d need to check what of that is really worth monitoring. After all, 99% of events are just a positive confirmation that the firewall did in fact do its job. Operationally there might be other things that matter more.
Personally, I think it’s just much too unrefined to do anything useful with the pfSense logs, i.e. you need to have a table of the internal rule IDs for the default rules or you will never be able to track anything properly. The interface aliases are another thing that will be annoying compared to what a proper firewall sends via NetFlow etc.
It might still be worthwhile to run counters on pfBlockerNG tables when outgoing connections to hostile/low-reputation entities are blocked. But please be really frugal in what you monitor or you’ll render it worthless (IMHO).
Edit: seems I found the MIB. The domain name rings a bell, so it should be the right thing. Obviously after like 20 years I’m not 100% sure whether it’s what I tested, but you can get a start from there.
It’s one of the sadder facts of life that pfSense never got professionally-minded enough to integrate this and send some $$$ to the author.
I just recalled, the guy had also made a MIB for CARP, which is a much more interesting target to monitor (just like HSRP/VRRP on others). I had a homegrown check for uCARP but that was trash TBH.
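As an added example (not code from the post above, nor from pfSense or Checkmk), here is a small Python script that does what the post sketches for the syslog route: parse pfSense filterlog lines, map rule tracker IDs to names through a hand-maintained table (the "table of internal rule IDs" the post says you will need), count blocks per interface/direction/rule, and render the result as one Checkmk local-check line so it can be graphed and thresholded instead of logged. The field order of the filterlog CSV is assumed from pfSense's documented filterlog format and should be verified against your own logs; the tracker IDs, interface names and log lines are constructed for the example, not taken from any real installation.

```python
import re
from collections import Counter

# Constructed stand-in for the post's "table of internal rule IDs": pfSense
# tracker ID -> readable rule name. The IDs here are assumed, not real defaults;
# take yours from the rule's advanced settings or `pfctl -vvsr` on the box.
RULE_NAMES = {
    "1000000103": "Default deny IPv4 (assumed ID)",
    "1770009420": "pfBlockerNG outbound block (assumed ID)",
}

FILTERLOG_RE = re.compile(r"filterlog\[\d+\]: (?P<csv>.+)$")


def parse_filterlog(line):
    """Return the interesting fields of one filterlog syslog line, or None.

    Assumed CSV layout (pfSense filterlog docs): rule-number, sub-rule-number,
    anchor, tracker, interface, reason, action, direction, ip-version, then
    version-specific fields. Verify the offsets against your own logs.
    """
    m = FILTERLOG_RE.search(line)
    if not m:
        return None
    f = m.group("csv").split(",")
    if len(f) < 9:
        return None
    rec = {"tracker": f[3], "iface": f[4], "action": f[6], "dir": f[7], "ipver": f[8]}
    if rec["ipver"] == "4" and len(f) >= 20:
        # IPv4: tos, ecn, ttl, id, offset, flags, proto-id, proto-text, length, src, dst, [ports]
        rec.update(proto=f[16], src=f[18], dst=f[19])
        if rec["proto"] in ("tcp", "udp") and len(f) >= 22:
            rec.update(sport=f[20], dport=f[21])
    elif rec["ipver"] == "6" and len(f) >= 17:
        # IPv6: class, flow-label, hop-limit, proto-text, proto-id, length, src, dst, [ports]
        rec.update(proto=f[12], src=f[15], dst=f[16])
        if rec["proto"] in ("tcp", "udp") and len(f) >= 19:
            rec.update(sport=f[17], dport=f[18])
    return rec


def count_blocks(lines):
    """Count blocked packets per (interface, direction, tracker); non-filterlog lines are skipped."""
    counts = Counter()
    for line in lines:
        rec = parse_filterlog(line)
        if rec and rec["action"] == "block":
            counts[(rec["iface"], rec["dir"], rec["tracker"])] += 1
    return counts


def checkmk_local_check(lines, warn=50, crit=200):
    """Render one Checkmk local-check line: '<state> <service> <metrics> <summary>'.

    Only outbound blocks drive the state, following the post's point that
    inbound blocks are mostly the firewall confirming it did its job.
    """
    counts = count_blocks(lines)
    outbound = sum(n for (_, d, _), n in counts.items() if d == "out")
    inbound = sum(n for (_, d, _), n in counts.items() if d == "in")
    state = 2 if outbound >= crit else 1 if outbound >= warn else 0
    top = ", ".join(
        f"{RULE_NAMES.get(t, t)} on {i}/{d}={n}"
        for (i, d, t), n in sorted(counts.items(), key=lambda kv: -kv[1])[:3]
    )
    return (f"{state} pf_blocks out_blocked={outbound};{warn};{crit}|in_blocked={inbound} "
            f"outbound blocks: {outbound}, inbound: {inbound}; {top}")


# Constructed sample syslog lines (RFC 5737 / 3849 documentation addresses), not real traffic.
SAMPLE_LOG = [
    "Jan 10 12:00:01 pfsense filterlog[12345]: 5,,,1000000103,igb0,match,block,in,4,0x0,,64,12345,0,DF,6,tcp,60,203.0.113.5,192.0.2.10,51515,22,0,S,1234567890,,65535,,mss",
    "Jan 10 12:00:02 pfsense filterlog[12345]: 5,,,1000000103,igb0,match,block,in,4,0x0,,64,12346,0,DF,17,udp,78,203.0.113.7,192.0.2.10,40000,161,58",
    "Jan 10 12:00:03 pfsense filterlog[12345]: 9,,,1770009420,igb1,match,block,out,4,0x0,,63,777,0,DF,6,tcp,60,192.0.2.20,198.51.100.9,44444,443,0,S,99,,64240,,mss",
    "Jan 10 12:00:04 pfsense filterlog[12345]: 12,,,1000000555,igb1,match,pass,out,4,0x0,,63,778,0,DF,6,tcp,60,192.0.2.21,198.51.100.10,44445,443,0,S,100,,64240,,mss",
    "Jan 10 12:00:05 pfsense sshd[100]: Accepted publickey for admin from 192.0.2.3",
    "Jan 10 12:00:06 pfsense filterlog[12345]: 9,,,1770009420,igb1,match,block,out,6,0x00,0x00000,64,tcp,6,40,2001:db8::20,2001:db8:1::9,44446,443,0,S,101,,64240,,mss",
]

if __name__ == "__main__":
    print(checkmk_local_check(SAMPLE_LOG))
```

In practice you would feed this the last N minutes of the syslog receiver's file (or run it on the pfSense box itself as a Checkmk local check), keep the `RULE_NAMES` table next to the script, and resist the urge to add more metrics than the two here: the post's warning about frugality is what keeps the check readable.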