Some questions while trying out DynFi FW Manager

This is the place to discuss DynFi Manager's generic questions.

Moderator: gregober

bamypamy
Posts: 3
Joined: 11 Jun 2024, 08:56

Some questions while trying out DynFi FW Manager

Post by bamypamy » 11 Jun 2024, 09:33

Hi, I have just started testing the DynFi FW Manager.
The installation was done quickly and the look and feel is great.

I manage about 78 firewalls, mainly pfSense CE, but also some Plus, OPNsense CE and an OPNsense Business.

From what I've read on the forum, the manager does not support the paid versions of pfSense and OPNsense. Is this still the case?

What about high availability?
Does the Manager support clustered firewalls?
Most of the 78 FW are set up in high availability with two nodes in the clusters.
I have set up the on-premise version and added my two test FWs which are clustered, but I see no indication that these firewalls are connected in any way.

Are virtual IPs supported?
We have a lot of CARP addresses as we are routing public networks to the firewalls and adding them as virtual IPs.
So far I have only been able to find the interface subnets and gateway IPs.

Is there an overview of the planned features?

Thanks for any answer.
gregober
Posts: 265
Joined: 26 Mar 2019, 15:06

Re: Some questions while trying out DynFi FW Manager

Post by gregober » 11 Jun 2024, 10:19

> I manage about 78 firewalls, mainly pfSense CE, but also some Plus, OPNsense CE and an OPNsense Business.
>
> From what I've read on the forum, the manager does not support the paid versions of pfSense and OPNsense. Is this still the case?

Well, we can't guarantee long-term support for firewalls which have a closed-source policy.
So while we do our best to support these OS, we can't guarantee that Netgate or OPNsense won't change their policy or inside code with a major shift. This is the reason why we are providing "limited support" for these OS.

> What about high availability?
> Does the Manager support clustered firewalls?

Absolutely, clustered firewalls, from our point of view, are just "two firewalls".
In order for DynFi Manager to work seamlessly, you will have to make sure that the manager can access both devices.

> Most of the 78 FW are set up in high availability with two nodes in the clusters.
> I have set up the on-premise version and added my two test FWs which are clustered, but I see no indication that these firewalls are connected in any way.

That might be a good idea for improvement; at this stage we have no sign letting you know that your devices are clustered.
But we will try to see with the team how to make that happen - shouldn't be too difficult.

> Are virtual IPs supported?
> We have a lot of CARP addresses as we are routing public networks to the firewalls and adding them as virtual IPs.
> So far I have only been able to find the interface subnets and gateway IPs.

VIPs might not be drawn in the interface schema presented.
But you surely can connect devices using these IPs.

> Is there an overview of the planned features?
>
> Thanks for any answer.

Progress is being made to further integrate firewall rule management at this stage.
We are also trying to see how to add support for LDAP within Manager's users.
Other small improvements are on their way and we have regular app upgrades.
bamypamy
Posts: 3
Joined: 11 Jun 2024, 08:56

Re: Some questions while trying out DynFi FW Manager

Post by bamypamy » 11 Jun 2024, 10:40

Many thanks for the quick reply.

It would be ok not to be able to manage the paid versions as there are not that many.

About the VIPs.
What I am looking for is the ability to switch the CARP IPs and also see the current status. Are the IPs master or backup on the different nodes?

It would also be nice to be able to trigger a configuration synchronization between the master and the slave.
I am looking for a centralized way to update the firewalls.
But for clustered firewalls, I would like to be able to synchronize the configuration before the update and after updating the slave, switch the vIPs to the slave and then perform the update on the master.


The ability to manage firewall rules and also NAT rules centrally would be a big advantage and would make the DynFi FW Manager even more interesting for me.
gregober
Posts: 265
Joined: 26 Mar 2019, 15:06

Re: Some questions while trying out DynFi FW Manager

Post by gregober » 11 Jun 2024, 12:14

> Many thanks for the quick reply.
>
> It would be ok not to be able to manage the paid versions as there are not that many.
>
> About the VIPs.
> What I am looking for is the ability to switch the CARP IPs and also see the current status. Are the IPs master or backup on the different nodes?

We would be able to push this forward quite rapidly since it is quite a basic task.
This would allow you to have info about Primary / Backup nodes in the GUI of the Manager (probably with a crossed link from each node).

> It would also be nice to be able to trigger a configuration synchronization between the master and the slave.

Normally this part is automatically triggered in pfSense and has to be manually triggered in OPNsense.
So, it might be interesting to have such a "sync feature" for OPN; can you confirm the scope you had in mind?

> I am looking for a centralized way to update the firewalls.
> But for clustered firewalls, I would like to be able to synchronize the configuration before the update and after updating the slave, switch the vIPs to the slave and then perform the update on the master.

Is indeed feasible, but shall require more work…

> The ability to manage firewall rules and also NAT rules centrally would be a big advantage and would make the DynFi FW Manager even more interesting for me.

This is our main focus at the time.

We prioritize requests coming from our customers first, so we strongly encourage you to start subscribing to our offer.
:D
bamypamy
Posts: 3
Joined: 11 Jun 2024, 08:56

Re: Some questions while trying out DynFi FW Manager

Post by bamypamy » 11 Jun 2024, 12:35

> Normally this part is automatically triggered in pfSense and has to be manually triggered in OPNsense.

Indeed, it's on pfSense and can be automated on OPNsense as well.
I guess it's just my inner Monk wanting to make absolutely sure the firewalls are synchronized before I start the update :D

> We would be able to push this forward quite rapidly since it is quite a basic task.
> This would allow you to have info about Primary / Backup nodes in the GUI of the Manager (probably with a crossed link from each node).

That would be awesome.

> This is our main focus at the time.
>
> We prioritize requests coming from our customers first, so we strongly encourage you to start subscribing to our offer.
> :D

It's a chicken and egg problem.
I need to convince my boss to spend the money, but I need the features to do that ;)

Can you give an estimate of when these features will be available?
hrx
Posts: 2
Joined: 03 Mar 2024, 15:53

Re: Some questions while trying out DynFi FW Manager

Post by hrx » 22 Nov 2024, 12:33

Hello Gregory,

I am currently in the process of building a PoC for one of our customers. Part of the PoC is to centrally manage the firewall rules. I would like to do this with DFM – and I have currently installed version 24.1.0 in a test setup. As far as I can see, the management of the rules has not yet been implemented, or at least it is not yet usable. Is there any time frame you can give us for when you might release a first functional version of the rule management?


Thank you in advance!

Kind regards,
Hagen

> gregober wrote: 11 Jun 2024, 12:14
> > The ability to manage firewall rules and also NAT rules centrally would be a big advantage and would make the DynFi FW Manager even more interesting for me.
>
> This is our main focus at the time.
>
> We prioritize requests coming from our customers first, so we strongly encourage you to start subscribing to our offer.
> :D
gregober
Posts: 265
Joined: 26 Mar 2019, 15:06

Re: Some questions while trying out DynFi FW Manager

Post by gregober » 22 Nov 2024, 15:29

> Hello Gregory,
>
> I am currently in the process of building a PoC for one of our customers. Part of the PoC is to centrally manage the firewall rules. I would like to do this with DFM – and I have currently installed version 24.1.0 in a test setup. As far as I can see, the management of the rules has not yet been implemented, or at least it is not yet usable. Is there any time frame you can give us for when you might release a first functional version of the rule management?
>
> Thank you in advance!
>
> Kind regards,
> Hagen

The way to handle firewall rules at this stage is through the use of aliases.
Aliases can be used extensively and managed centrally, allowing you to create some custom settings easily replicable on many devices.

We will start working soon on some new features and handling firewall rules is very high on the priority list.
Will certainly be available in 2025.

We are actually finishing LDAP integration.
hrx
Posts: 2
Joined: 03 Mar 2024, 15:53

Re: Some questions while trying out DynFi FW Manager

Post by hrx » 22 Nov 2024, 20:24

> gregober wrote: 22 Nov 2024, 15:29
> The way to handle firewall rules at this stage is through the use of aliases.
> Aliases can be used extensively and managed centrally, allowing you to create some custom settings easily replicable on many devices.
>
> We will start working soon on some new features and handling firewall rules is very high on the priority list.
> Will certainly be available in 2025.
>
> We are actually finishing LDAP integration.

Hello Gregory,

Thank you for the time frame. If I understand you correctly, your input is that the design of the rules from the outset (in which case we could start a new setup) should be set up in such a way that the aspects of source, destination and ports are assigned and controlled by aliases?

Kind regards,
Hagen