pfSense Firewall

pfSense Firewall is an open source tool for securing a network that also includes routing, VPN, and other features. You can configure pfSense to send both firewall and DHCP logs to InsightIDR. To do this, you must configure logging to a syslog server or to the InsightIDR Collector.

Configure Syslog

You must configure InsightIDR as a remote syslog server so it can ingest the firewall logs from pfSense.

To do so:

  1. Sign in to your pfSense interface.
  2. From the top menu, select Status > System Logs and then choose the Settings tab on the right.
  3. Scroll down to the “Remote Logging Options” section.
  4. Check the Enable Remote Logging check box.
  5. Select the BSD log format.
  6. Select the IP protocol you want to use.
  7. Enter the IP address and unique port of the InsightIDR Collector. For example, 10.1.20.24:10000
  8. In the “Remote Logging Contents” section, check the Everything check box.
  9. Click the Save button to finish the configuration.
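
To check the path to the Collector address and port entered above before relying on pfSense traffic, you can send a single BSD-format (RFC 3164) test line from a host on the same network. This is an added example, not part of the original page or of Rapid7's tooling; the function names, the `pfsense-test` host name, and the `collector-check` tag are hypothetical.

```python
import socket
from datetime import datetime

MONTHS = ("Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec")

def bsd_syslog(msg, host="pfsense-test", tag="collector-check",
               facility=16, severity=6, when=None):
    """Build a BSD (RFC 3164) syslog line: <PRI>Mmm dd hh:mm:ss host tag: msg."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility must be 0-23 and severity 0-7")
    when = when or datetime.now()
    pri = facility * 8 + severity          # local0.info -> 134
    # RFC 3164 pads single-digit days with a space, not a zero.
    stamp = f"{MONTHS[when.month - 1]} {when.day:2d} {when:%H:%M:%S}"
    return f"<{pri}>{stamp} {host} {tag}: {msg}".encode("ascii", "replace")

def send_test(collector, port, msg, proto="udp", timeout=3.0):
    """Send one test line to the Collector over IPv4 or IPv6; return the bytes sent."""
    if proto not in ("udp", "tcp"):
        raise ValueError("proto must be 'udp' or 'tcp'")
    kind = socket.SOCK_DGRAM if proto == "udp" else socket.SOCK_STREAM
    family, stype, _, _, addr = socket.getaddrinfo(collector, port, type=kind)[0]
    payload = bsd_syslog(msg)
    with socket.socket(family, stype) as s:
        s.settimeout(timeout)
        if proto == "udp":
            # UDP is fire-and-forget: no error here does not prove receipt.
            s.sendto(payload, addr)
        else:
            # A refused or filtered port raises OSError here.
            s.connect(addr)
            s.sendall(payload + b"\n")     # newline-terminated framing
    return payload

if __name__ == "__main__":
    # Example address and port taken from the page; replace with your Collector's.
    sent = send_test("10.1.20.24", 10000, "InsightIDR remote logging test")
    print(sent.decode())
```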

Configure the pfSense Event Source

Now you must configure the firewall event source in InsightIDR so the Collector can ingest the logs.

To do so:

  1. From your dashboard, select Data Collection on the left-hand menu.
  2. When the Data Collection page appears, click the Setup Event Source dropdown and choose Add Event Source.
  3. From the “Security Data” section, click the Firewall icon. The “Add Event Source” panel appears.
  4. Choose your collector and event source. You can also name your event source if you want.
  5. Choose the timezone that matches the location of your event source logs.
  6. Optionally choose to send unparsed logs.
  7. Configure your default domain and any advanced settings.
  8. Select Syslog as your data collection method and specify a port and a protocol.
    • If you choose TCP, you can optionally encrypt the event source by downloading the Rapid7 Certificate.
  9. Click the Save button.