Some questions while trying out DynFi FW Manager

[bamypamy]

Hi, I have just started testing the dynfi FW Manager.
The installation was done quickly and the look and feel is great.

I manage about 78 firewalls, mainly pfSense CE, but also some Plus, OPNsense CE and an OPNsense Business.

From what I've read on the forum, the manager does not support the paid versions of pfSense and OPNsense. Is this still the case?

What about high availability?
Does the Manager support clustered firewalls?
Most of the 78 FW are set up in high availability with two nodes in the clusters.
I have set up the on-premise version and added my two test FWs which are clustered, but I see no indication that these firewalls are connected in any way.

Are virtual IPs supported?
We have a lot of CARP addresses as we are routing public networks to the firewalls and adding them as virtual IPs.
So far I have only been able to find the interface subnets and gateway IPs.

Is there an overview of the planned features?

Thanks for any answer.

[gregober]

I manage about 78 firewalls, mainly pfSense CE, but also some Plus, OPNsense CE and an OPNsense Business.

From what I've read on the forum, the manager does not support the paid versions of pfSense and OPNsense. Is this still the case?

Well, we can't guarantee long term support for firewall which have a closed source policy.
So while we do our best to support these OS, we can't guarantee that Netgate or OPNsense won't change their policy or inside code with major shift. This is the reason why we are providing "limited support" for these OS.

What about high availability?
Does the Manager support clustered firewalls?

Absolutely, clustered firewall from our point of view are just "two firewalls".
In order for DynFi Manager to be working seamlessly, you will have to make sure that the manager can access both devices.

Most of the 78 FW are set up in high availability with two nodes in the clusters.
I have set up the on-premise version and added my two test FWs which are clustered, but I see no indication that these firewalls are connected in any way.

That might be a good idea for improvement, at this stage we have no sign letting you know that your devices are clustered.
But we will try to see with the team how to make that happen - shouldn't be too difficult.

Are virtual IPs supported?
We have a lot of CARP addresses as we are routing public networks to the firewalls and adding them as virtual IPs.
So far I have only been able to find the interface subnets and gateway IPs.

VIP might not be drawn in the interface schema presented.
But you surely can connect devices using these IPs.

Is there an overview of the planned features?

Thanks for any answer.

Progresses are being made to further integrate firewall rule management at this stage.
We are also trying to see how to add support for LDAP within Manager's users.
Other small improvement are on their way and we have regular app upgrades.

[bamypamy]

Many thanks for the quick reply.

It would be ok not to be able to manage the paid versions as there are not that many.

About the VIPs.
What I am looking for is the ability to switch the CARP IPs and also see the current status. Are the IPs master or backup on the different nodes.

It would also be nice to be able to trigger a configuration synchronization between the master and the slave.
I am looking for a centralized way to update the firewalls.
But for clustered firewalls, I would like to be able to synchronize the configuration before the update and after updating the slave, switch the vIPs to the slave and then perform the update on the master.


The ability to manage firewall rules and also NAT rules centrally would be a big advantage and would make the Dynfi FW Manager even more interesting for me.

[gregober]

Many thanks for the quick reply.

It would be ok not to be able to manage the paid versions as there are not that many.

About the VIPs.
What I am looking for is the ability to switch the CARP IPs and also see the current status. Are the IPs master or backup on the different nodes.

We would be able to push this forward quite rapidly since it is a quite basic task.
This would allow you to have infos about Primary / Backup nodes in the GUI of the Manager (probably with a crossed link from each node).

It would also be nice to be able to trigger a configuration synchronization between the master and the slave.

Normally this part is automatically triggered in pfSense and has to be manually triggered in OPNsense.
So, It might be interesting to have such "sync feature" for OPN, can you confirm the scope you had in mind ?

I am looking for a centralized way to update the firewalls.
But for clustered firewalls, I would like to be able to synchronize the configuration before the update and after updating the slave, switch the vIPs to the slave and then perform the update on the master.

Is indeed feasible, but shall require more work…

The ability to manage firewall rules and also NAT rules centrally would be a big advantage and would make the Dynfi FW Manager even more interesting for me.

This is our main focus at the time.

We prioritize requests coming from our customers first, so we strongly encourage you to start subscribing to our offer.

[bamypamy]

Normally this part is automatically triggered in pfSense and has to be manually triggered in OPNsense.

Indeed, it's on pfSense and can be automated on OPNsense as well.
I guess it's just my inner Monk wanting to make absolutely sure the firewalls are synchronized before I start the update

We would be able to push this forward quite rapidly since it is a quite basic task.
This would allow you to have infos about Primary / Backup nodes in the GUI of the Manager (probably with a crossed link from each node).

That would be awesome.

This is our main focus at the time.

We prioritize requests coming from our customers first, so we strongly encourage you to start subscribing to our offer.

It's a chicken and egg problem.
I need to convince my boss to spend the money, but I need the features to do that

Can you give an estimate of when these features will be available?