TEAM: Huntress Managed Security Information and Event Management (SIEM)
PRODUCT: Firewall Syslog
ENVIRONMENT: pfSense
SUMMARY: Configuration Guide for pfSense firewalls
This page covers only the device-specific configuration. You'll still need to read the Huntress Managed SIEM Firewall guide to complete the Huntress Managed SIEM setup, as well as open a port in Microsoft Defender Firewall.
Vendor Information
Vendor | pfSense |
---|---|
Supported Model Name/Number | N/A |
Supported Software Version(s) | CE - 2.7.1 and higher; Plus - 23.09.1 and higher |
Collection Method | Syslog |
Provider Name | pfSense |
Additional Information | https://docs.netgate.com/pfsense/en/latest/monitoring/logs/remote.html https://docs.netgate.com/pfsense/en/latest/monitoring/logs/settings.html https://docs.netgate.com/pfsense/en/latest/monitoring/logs/index.html |
Please note that because of the way pfSense combines multiple logs, it can take considerable time for the syslog to change from "Syslog-Generic" to "Syslog-pfSense". If the log type doesn't change over within 24 hours, please contact us at support@huntress.com.
Device Configuration Checklist
- Configure Remote Logging
  - Log into the pfSense GUI
  - Click Status
  - Click System Logs
  - Click Settings
  - Scroll down to Remote Logging Options and check the box to Enable Remote Logging
  - Select an appropriate Source Address (usually the same subnet as the Huntress Agent enabled for syslog collection)
  - Set IP Protocol to IPv4
  - Add the IP address of the Huntress Agent in the format x.x.x.x:514
  - In the Remote Syslog Contents section, check the following boxes:
    - System
    - Firewall
    - DNS
    - DHCP
    - General Auth
    - Captive Portal
    - NTP
- Configure Global Log Settings
  - Click Status
  - Click System Logs
  - Click Settings
  - Set the Log Message Format to syslog (RFC 5424)
  - Find the following options and ensure they are checked:
    - Log Packets from Default Block Rules
    - Log Packets from Block Bogon Network Rules
    - Log Packets from Block Private Network Rules
    - Log Configuration Changes
  - Find the following options and ensure they are unchecked:
    - Log Packets from Default Pass Rule
    - Web Server Log
  - Click Save
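
To confirm that the Log Message Format setting took effect, the check below classifies syslog lines captured on the collector as RFC 5424 or BSD format and counts the app-names seen. It is an added example, not Huntress or Netgate code; the sample lines, the hostname fw01.example.test and the function names are constructed for illustration.

```python
import re
from collections import Counter

# RFC 5424 header: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID ...
RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) "
)
# BSD (RFC 3164) header: <PRI>Mmm dd hh:mm:ss ...
BSD = re.compile(r"^<\d{1,3}>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")


def classify(line):
    """Return ("rfc5424", fields), ("bsd", None) or ("unknown", None)."""
    m = RFC5424.match(line)
    if m and int(m["pri"]) <= 191:  # PRI = facility * 8 + severity
        pri = int(m["pri"])
        return "rfc5424", {"facility": pri >> 3, "severity": pri & 7,
                           "host": m["host"], "app": m["app"]}
    if BSD.match(line):
        return "bsd", None
    return "unknown", None


def summarize(lines):
    """Count line formats and the app-names seen on RFC 5424 lines."""
    formats, apps = Counter(), Counter()
    for line in lines:
        kind, fields = classify(line.strip())
        formats[kind] += 1
        if fields:
            apps[fields["app"]] += 1
    return formats, apps


# Constructed sample lines (assumed shapes, not real captures).
SAMPLE = [
    "<134>1 2024-03-01T10:15:02.123456+00:00 fw01.example.test filterlog 51234 - - "
    "4,,,1000000103,igb0,match,block,in,4,0x0,,64,1234,0,DF,6,tcp,60,"
    "198.51.100.7,192.0.2.10,51515,22,0,S,123456789,,64240,,mss",
    "<30>1 2024-03-01T10:15:05.000100+00:00 fw01.example.test dhcpd 4321 - - "
    "DHCPACK on 192.0.2.50 to 00:00:5e:00:53:01 via igb1",
    "<134>Mar  1 10:15:09 filterlog[51234]: 4,,,1000000103,igb0,match,block,in",
]

if __name__ == "__main__":
    formats, apps = summarize(SAMPLE)
    print(dict(formats), dict(apps))
```

Lines that still classify as bsd after the change mean the firewall is sending the older BSD format rather than syslog (RFC 5424).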