July 2024 Newsletter

pfSense Plus Software Version 24.08 Sneak Peek

TL;DR: MULTI-INSTANCE MANAGEMENT.
“Single Pane of Glass” Monitoring and Management Interface!
Yes, we know. We’re happy too.

pfSense Plus 24.08 will bring several exciting advancements, but one is a real standout because it addresses your #1 most frequent request: A “single pane of glass” monitoring and management interface that’s fast, secure, and affordable. We are happy to announce that pfSense Plus 24.08 will have an “Early Look” at the new Multi-instance Management (MiM) interface. The “Early Look” is your opportunity to provide feedback and guidance on what should be improved before general availability.

This fully functional “Early Look” allows you to manage up to three pfSense Plus instances via the MiM dashboard. This is just one of the many uses for Multi-instance Management, and we are excited for our customer base to experiment with this new option!

The following image shows an example of the MiM GUI:

Try it out, and let us know what you think!

During the “Early Look” and subsequent beta period, we are waiting for your feedback, which you can quickly email to us at product.feedback@netgate.com. We are stoked to get this much-requested functionality into the hands of our customers, and we want to hear from you!

pfSense Software Tip - Secure DNS

pfSense Plus and pfSense CE are used in home, SMB, Enterprise, and government installations. A simple firewall implementation usually just uses whatever DNS server is provided by the ISP, whether it’s a traditional ISP or your IT team. DNS configuration is easy to overlook during setup, but that could be the fatal mistake that allows an intruder or malware through the firewall. About 85% of malware uses (and abuses) DNS to develop its attack, according to IDC and other security researchers, but you can configure the DNS implementation on your pfSense firewall to provide much better protection, and it might be well worth the time to do so.

By default, DNS queries are not encrypted or authenticated and are thus available in plaintext as they travel from a client to a DNS resolver, DNS forwarder, or nameserver. This leaves them open to inspection and even attack.

DNSSEC is a set of security extensions for verifying the identity of DNS root servers and authoritative nameservers when communicating with DNS resolvers. It is designed to prevent DNS cache poisoning/spoofing, DNS tunneling, DNS hijacking, and other attacks. It also defends against NXDOMAIN, phantom, random subdomain, domain lock-up, and botnet-based CPE attacks. DNSSEC works by digitally signing data to help ensure its validity. Cloudflare published a blog post on DNSSEC in 2014.

DNSSEC allows you to detect whether DNS records have been modified during transmission. This protects your network from attacks in which DNS queries are changed, and users are redirected to fake websites. This protection only works for DNS zones that have DNSSEC enabled.

Since DNSSEC does not encrypt DNS traffic, network operators and ISPs can view DNS requests. This information can be used to create behavioral profiles, which are often sold for advertising purposes. Defeating this requires DNS over TLS.

DNS over TLS (DoT) is a standard for encrypting the communication between a device and its DNS server(s), making it impossible to eavesdrop, intercept or modify DNS messages traveling the “last hop.” The messages inside this encryption envelope are not checked for authenticity or integrity.

Configure DoT

While a traditional home ISP may or may not support DoT, there are plenty of other, more secure (and some free) DNS providers that may be more reliable and who promise not to track your internet activity. Cloudflare, Quad9, and Google Public DNS are good examples of this type of DNS provider. Configuring DoT should be considered the “bare minimum” DNS security improvement you make. The steps to accomplish this are pretty easy; you can find them here.

NOTE: This feature is only supported by the DNS Resolver. If the firewall currently uses the DNS Forwarder, convert to the DNS Resolver before proceeding. Also, when the firewall uses DoT, every DNS server used by the firewall must support DoT.

Make Sure Your DNS Service Supports DNSSEC

While pfSense enables DNSSEC by default, your ISP might not support it, which would then cause pfSense to default back to the less secure DNS mechanisms. We suggest switching to a DNS service that supports DNSSEC, as it is likely to provide greater security in other ways.

For the Enterprise: Time to Invest in DNS

There are many free DNS options, but Enterprises with a lot to lose might consider subscribing to a higher-end DNS service that can ensure your security, protect you from DDoS attacks, and provide many additional features; pfSense supports these higher-end services. If you are a “sensitive infrastructure Enterprise” such as a healthcare facility, a utility, or a civilian US government agency, you can have the best of both worlds (free and effective). Check out the US government’s “Protective DNS” service. It’s free to you, secure, fast, and global.

While the pfSense firewall can do a lot to protect your home, office, or agency, you must be aware of all possible threat vectors, and DNS is a huge one. If nothing else, stop using your ISP’s DNS by default, and turn on DoT because your ISP could be collecting and selling your data!

TNSR Software Version 24.06 - Release

We are excited to announce the release of TNSR software version 24.06! Some of the new features and enhancements in this release include:

TNSR ARM64 image for AWS and Azure

The new ARM64 image of TNSR software can lower your AWS and Azure infrastructure costs! The 24.06 release of TNSR has a Graviton and Ampere Altra option. Be on the lookout in the AWS and Azure Marketplace for new TNSR listings that are m7g (Graviton) and Dpsv5 (Ampere Altra) specific.

Remote Access VPN Enhancements

Multiple remote access VPNs
RADIUS assignment of client virtual IP addresses
Multiple client connections for a single user

Logging Enhancements

The improved logging in TNSR software allows system data to be retrieved using both the RESTCONF API and the CLI. Results can be filtered by category, service type, and date/time range. VPP logging now defaults to SYSLOG. TNSR logs can now be forwarded to remote logging hosts and products such as Splunk®.

Read the full blog here.

TNSR SoftwareTip - TNSR as Centralized VPN Concentrator

Either site-to-site or mobile, VPN is a tried and true way to secure your traffic across the otherwise hostile Internet. Finding a high-performance, reliable, and cost-effective VPN solution is like looking for a unicorn at a petting zoo; it’s hard to find one product with all three features, but TNSR software makes it easy. You are undoubtedly already aware that TNSR is a high-performance virtual router, but did you know that for an additional $0, it can also be your centralized VPN concentrator? It’s true, either on-premises using the Netgate® 6100, 8200, or new 8300, or in cloud using Azure or AWS. We recently released a short video showing an 8200 terminating 1,000 Mobile IPsec VPNs on an 8200. Imagine what the Netgate 8300 can do given it’s about 10x more powerful!

How Did We Do It With the Netgate 8200?

TNSR software is capable of handling thousands of remote clients without any additional optimizations, but the built-in Intel® QuickAssist Technology (QAT) accelerates the cryptographic and compression operations needed for IPsec by offloading the crypto portion of IPsec from the CPU. This is a big help when it comes to IPsec optimization and requires very little configuration.

For the Netgate 8200, the configuration is a single command:

For more details on how to configure QAT on TNSR, please read our documentation.

End of Sale for the Netgate 1537 and Netgate 1541

With the introduction of the Netgate 8300 BASE and 8300 MAX, we moved the Netgate 1537 and Netgate 1541 to end-of-sale (EOS) status in July 2024.

For our US partners, the Netgate 8300 MAX is our TAA-compliant appliance.

Trade Agreements Act (TAA) compliance means that the Netgate 8300 MAX meets the requirements to be eligible for procurement by the United States government.

Introducing the Netgate 8300 MAX

The Netgate 8300 MAX is designed for medium to large businesses, xSPs, and MSP/MSSPs with high connectivity and stability requirements. It is available with pfSense Plus or TNSR software.

The Netgate 8300 MAX, our TAA-compliant offering, comes with 32 GB DDR4 and two internal 500W power supplies (hot-swappable). The 8300 MAX offers unparalleled performance with its 2.0 GHz, 8-core, 16-thread Intel Xeon® D-1733NT processor equipped with the Intel AVX-512 instruction set. The Intel AVX-512 instruction set on the Xeon D-1733NT combined with Netgate's IIMB optimizes VPN encryption and decryption operations, increasing VPN throughput and reducing computational overhead. The 8200 comes equipped with quad 10G SFP+ ports, quad 1G SFP ports, and triple 2.5G RJ-45 ports, plus expandability to 25G and 100G ports via PCIe cards.

The Netgate 8300 MAX with pfSense Plus Software

When shipped with pfSense Plus software, the Netgate 8300 MAX includes free upgrades for the life of the hardware. This industry-leading software ensures the safety and security of business networks with advanced features such as support for multiple WAN connections (with load balancing and failover), all the routing and firewall features you need, multiple VPN options (IPsec, OpenVPN, WireGuard®), policy-based and route-based protocol support, monitoring, reporting, and more.

The Netgate 8300 MAX with pfSense Plus software starts at $3,999 for a single unit.

Buy Netgate 8300 MAX with pfSense Plus

The Netgate 8300 MAX with TNSR Software: Netgate’s First 100G+ Secure Router

When powered by TNSR software, the Netgate 8300 MAX provides a full suite of high-throughput secure routing, VPN, and management capabilities. Dynamic routing protocols, VRF, VRRP, and policy-based routing enable advanced traffic management scenarios. Support for IPsec and WireGuard, as well as the latest encryption standards, secure site-to-site and remote user VPN connections. IT automation platforms like Ansible®, SaltStack®, Puppet®, and Chef® can manage the TNSR software configuration on the Netgate 8300 MAX through both CLI and RESTCONF API. These go beyond traditional GUI management techniques to enable speed and multi-instance management orchestration at scale, along with low-cost deployment and automated operation.

The Netgate 8300 MAX with TNSR software starts at $4,998 for a single unit.

Buy Netgate 8300 MAX with TNSR software

In the Cloud

Netgate offers pfSense Plus and TNSR software on the AWS and Azure marketplaces. You can choose to use the products on a “pay-as-you-go” (PAYGO) basis or subscribe to one- or three-year terms for a discounted rate. If you are looking for the maximum discount possible, contact us to discuss a private offer from Netgate.

Have you ever wanted to try pfSense Plus or TNSR in the cloud just to see if it is right for your needs? We are happy to offer zero-cost Proof of Concept, or PoC, trials. The cloud platform credits your account for cloud resources associated with the PoC (certain limits may apply), and Netgate covers the cost of our products. Check out this page for more details and to get started!

Do you wonder what others like about Netgate in the cloud? A custom AWS/PeerSpot Buyer Guide is now available in the AWS Marketplace. You can read what pfSense customers say about their cost savings, performance gains, and other helpful feedback.

Netgate @ Black Hat 2024 - Las Vegas - August 6 - 8

If you will be attending Black Hat and want to meet our Marketing VP to discuss the Multi-instance Management roll-out, exciting features coming this year geared toward ZTNA, pfSense Plus forthcoming performance improvements, TNSR, cloud, or anything else…schedule a meeting!

Monthly Customer Highlights from PeerSpot

“My favorite thing about pfSense is its overall stability of the product. It's rock solid and low maintenance. I like that aspect. It doesn't cost much, and it's feature-rich, including mobile VPN, pfBlocker, and IPS. You have the flexibility to deploy it as bare metal or VM.

It's very easy to add features to pfSense and to configure them. The solution's management page offers a single pane of glass view. You can clearly see the various features on the main page, and it isn't difficult to drill down into the other sections for more details. I can't say which features Plus provides that the community edition doesn't. I only knew that the Plus edition was the path forward. I was previously on a community edition for many years, but I've been on the Plus edition for at least a couple of years now.”

– Steve, Network Administrator

Read the Full Review >>>

Videos

Netgate's video library is expanding! Visit our YouTube channel for sneak peeks, software releases, deep dives, and unboxing videos.

If you are an influencer and have created a video on pfSense, TNSR, or one of our appliances, we’d love to showcase it in our next newsletter. Please reach out to mktg@netgate.com.

Watch our latest content on the Netgate official YouTube channel.

Technical Assistance Center

The Netgate Technical Assistance Center (TAC) provides technical assistance with pfSense Plus software & TNSR. Every Netgate Security Gateway and cloud instance comes with TAC Lite included. TAC Lite offers Zero-to-Ping assistance, ensuring a smooth setup and configuration. Zero-to-Ping assistance will get your Netgate appliance with pfSense Plus & TNSR software, AWS, or Azure firewall connected to the Internet and one client on the same network online.

In addition to TAC Lite, TAC Professional and TAC Enterprise levels are available for faster response times and a much wider variety of assistance topics. Regardless of support level, TAC is here 24/7/365 to help.

Netgate Holiday Schedule

As the holidays near, please be aware that Netgate will be closed on the following dates except for Technical Support. Considerations should be made for possible delays due to these closures:

September 2- Labor Day
November 28- Thanksgiving
November 29- Thanksgiving
December 24- Christmas Eve
December 25- Christmas

Our 24/7/365 Global Support Technical Assistance Center (TAC) is fully staffed and operational for all holidays. The engineering, sales, manufacturing, and shipping teams will be off for the holidays listed above.

We Want Your Feedback

Thank you for subscribing to the Netgate newsletter, and for your continued support of Netgate and our products. We are always looking for ways to improve and value your feedback. If you have suggestions, please reply to this email, contact us, or send an email to mktg@netgate.com. You can also talk to us on social media, or visit our forum.

Useful Links & Information

Netgate Website
Netgate Store

mktg@netgate.com

+1 512.646.4100

Join our growing social community!

This message is sent on behalf of Netgate. To ensure delivery to your inbox, please add mktg@netgate.com to your address book or safe sender list.

© Copyright 2024 Rubicon Communications, LLC
Netgate is a registered trademark of Rubicon Communications, LLC
TNSR is a registered trademark of Rubicon Communications, LLC
pfSense is a registered trademark of Electric Sheep Fencing, LLC
Other trademarks are the property of their respective owners.