pfSense Firewall

pfSense Firewall is an open source firewall that also includes routing, VPN, and other features. You can configure pfSense to send both firewall and DHCP logs to InsightIDR. To do this, you must configure pfSense to log to a syslog server or to the InsightIDR Collector.

Configure Syslog

You must configure InsightIDR as a remote syslog server so it can ingest the firewall logs from pfSense.

To do so:

  1. Sign in to your pfSense interface.
  2. From the top menu, select Status > System Logs and then choose the Settings tab on the right.
  3. Scroll down to the “Remote Logging Options” section.
  4. Check the Enable Remote Logging check box.
  5. Select the BSD log format.
  6. Select the IP protocol you want to use.
  7. Enter the IP address and unique port of the InsightIDR Collector. For example, 10.1.20.24:10000.
  8. In the “Remote Logging Contents” section, check the Everything check box.
  9. Click the Save button to finish the configuration.
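
To confirm that what pfSense forwards is BSD-format syslog and that both firewall and DHCP entries are present, the following added example (not part of the original documentation or any Rapid7 tooling) parses forwarded lines and counts them by source. The program tags filterlog and dhcpd, the host name fw01, and all sample lines are assumptions constructed for illustration; the last sample line is in RFC 5424 style and is reported as unparsed, which is what you would see if a format other than BSD were selected.

```python
import re
from collections import Counter

# RFC 3164 (BSD) layout: <PRI>Mmm dd hh:mm:ss [host] tag[pid]: message
BSD_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?:(?P<host>[^\s:\[\]]+) )?"          # the hostname may be absent
    r"(?P<tag>[^\s:\[\]]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)

# Assumed program tags: filterlog (firewall) and dhcpd (ISC DHCP server).
SOURCES = {"filterlog": "firewall", "dhcpd": "dhcp"}

def parse_bsd(line):
    """Return the header fields as a dict, or None if not BSD syslog."""
    m = BSD_RE.match(line.strip())
    if m is None or int(m["pri"]) > 191:    # PRI = facility * 8 + severity
        return None
    rec = m.groupdict()
    rec["facility"], rec["severity"] = divmod(int(m["pri"]), 8)
    return rec

def classify(line):
    """Map one raw line to firewall, dhcp, other, or unparsed."""
    rec = parse_bsd(line)
    if rec is None:
        return "unparsed"
    return SOURCES.get(rec["tag"], "other")

def summarize(lines):
    """Count lines per source so a missing log type stands out."""
    return Counter(classify(line) for line in lines)

# Constructed sample lines (not captured from a real device).
SAMPLE = [
    "<134>Jan  5 12:00:01 filterlog[41234]: 4,,,1000000103,em0,match,block,"
    "in,4,0x0,,64,0,0,DF,6,tcp,60,203.0.113.5,10.1.20.9,51234,443,0,S",
    "<134>Jan  5 12:00:02 fw01 filterlog[41234]: 5,,,1000000104,em0,match,"
    "pass,out,4,0x0,,64,0,0,DF,17,udp,76,10.1.20.9,198.51.100.7,123,123,56",
    "<190>Jan  5 12:00:03 dhcpd[2211]: DHCPACK on 10.1.20.50 to "
    "00:00:5e:00:53:01 via em1",
    "<38>Jan  5 12:00:04 sshd[900]: Accepted publickey for admin",
    "<134>1 2024-01-05T12:00:05Z fw01 filterlog 41234 - - 4,,,1000000103",
]

if __name__ == "__main__":
    for kind, count in sorted(summarize(SAMPLE).items()):
        print(f"{kind:9} {count}")
```

A firewall or dhcp count of zero over a busy interval suggests that log type is not being forwarded.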

Configure InsightIDR to collect data from the event source

After you complete the prerequisite steps and configure the event source to send data, you must add the event source in InsightIDR.

To configure the new event source in InsightIDR:

  1. From the left menu, go to Data Collection and click Setup Event Source > Add Event Source.
  2. Do one of the following:
    • Search for pfSense Firewall in the event sources search bar.
    • In the Product Type filter, select Firewall.
  3. Select the pfSense Firewall event source tile.
  4. Choose your collector and event source. You can also name your event source if you want.
  5. Choose the timezone that matches the location of your event source logs.
  6. Optionally choose to send unparsed logs.
  7. Configure your default domain and any advanced settings.
  8. Select Syslog as your data collection method and specify a port and a protocol.
    • If you choose TCP, you can optionally encrypt the event source by downloading the Rapid7 Certificate.
  9. Click the Save button.