Tom here from Lawrence Systems. We're going to talk about pfSense 2.4.5, which just got released today. And I have my lab server all updated and ready to talk about it. If you want to learn more about me and my company, head over to LawrenceSystems.com. If you'd like to hire us for a short project, there's a Hire Us button up at the top. If you want to support the channel in other ways, there's affiliate links down below for products and services that we talk about to get you some discounts and deals.

pfSense 2.4.5, as of March 26, 2020, that's today, has been released. And I haven't updated everything yet because, well, it's the middle of the day and there's a lot of things going on. I've got other work to do. But I do have work in time to test my labs. That is usually where I test all this out, play around with all the settings. But I do have a lot of faith in the team over at Netgate and pfSense because they do so much testing. And I've been testing this in the beta as well. I didn't run into any problems when I was doing the updates. And this updated from a release candidate to the full version without any issues. Now, as I roll this out in other systems, we'll make sure that's still the case. But like I said, they do a lot of testing with pfSense before they roll it out. Matter of fact, one of the things I like is the fact that they don't have updates constantly rolling at you because, well, updating a lot of firewalls can be a little bit tedious, can be a little bit worrisome. And you always want uptime and you don't want to break anything, and security is of the utmost importance. I always take security and stability over anything else when it comes to a firewall because this is what divides you between the outside world and all your private data.

Back to the system here. OS upgrade, base upgrade operating system from 11 stable to FreeBSD 11.3. Added sorting, searching, filtering to several pages including certificate manager, DHCP leases, ARP and NDP tables.
This one's particularly cool because this is what the search looks like on DHCP leases, and you can see it's missing from your old version. So this is the 2.4.4, this is 2.4.5. Same thing, we're going to go over here and look at the ARP table. We now have the ability here to do some searches. And this is just kind of cool because now we can, if I know what I'm looking for already, and the ARP table being small because this is my lab, and it would be much larger on another machine, whoops. You can search for things like, you know, a MAC address or just the IP address to help find something. And when you talk about, when you manage a network with a thousand computers, this is pretty handy to be able to just search and narrow it down. Same with the DHCP tables. We have some clients that have some very large networks, and if I needed to find something, needle in a haystack, I mean, I can hit Control-F and find it in the page, but it's nicer when they added this feature here and some of the pull-downs. So they've added this to a few different spots as noted in here.

Added DNS resolver Unbound Python integration. That's cool. So now there's a more extensive integration in there. Updated IPsec to add some more PFS groups. Changed UFS file system defaults to noatime on new installations to reduce unnecessary disk writes. I'm not going to dive too deep into what noatime is, but yes, this will definitely reduce the number of disk writes for the way it has to update the time on the files. It's probably not a huge deal for a normal installation, but it's the amount of logs that can do that, and also if you're using something like Squid or some other tool that has to write a lot, some of the other add-ons for pfSense, they're going to write a lot of files and this will help reduce the amount of activity by setting that option on there.

Now this one here will definitely help, but my preference, just as a whole, it's not necessarily a pfSense thing: turn off the stupid autofill in your browsers.
Anytime we've helped people remotely, especially when helping other IT professionals, I'm like, why is this on? You open up a page and it starts filling everything. Now what they've done here is set the autocomplete=new-password setting for forms containing authentication fields to help prevent browsers autofilling in passwords. Please just don't have your browser autofilling anything. Yes, I use password managers. Yes, I highly recommend a password manager, but I always turn off all autofill on both the browser and the password manager. I just don't want it autofilling things in there because occasionally it gets things wrong. I don't want things in the wrong place, and I've literally solved people's problems where they thought they had a problem with pfSense. It turned out they had an autofill that was getting filled in every time they opened up the page, or every time they saved it, it would put the wrong information in. To save yourself a headache, you can turn off autofill altogether.

Added new dynamic DNS providers for Linode and Gandi. I'm not sure exactly how that's pronounced, but that's great.

This one was an interesting one. So, potential cross-site scripting vectors across several pages. That's always a concern, so they're always working to do that. They do require log-on authentication. There's nothing about this particular version that requires you to load it right now. There's not a glaring security hole if you don't do it. There's no zero days being patched because there weren't any zero days.

So the other thing is this privilege escalation for authenticated users granted the picture widget, who could run arbitrary PHP code. This one made me laugh because I just never use it, so I loaded a picture in here in case you didn't know this existed. What this is is an ability, and I've seen people use it this way, where the box. I'll just put the box in here. It's spelled right. What this does is allow you to upload a picture here.
We don't really use this, but I've seen some clients who do this when they're managing multiple pfSenses. They'll throw a picture or a description or a network map right here of where it is located in a network, so that when you log in you implicitly know when you see the picture: oh, I'm logged into the one that's this box right here. And if you're managing a lot of remote sites this might be a handy way to do that. We keep documentation on the back end for our clients, not uploaded into our box itself, but they fixed a scripting issue related to this. So someone, once again, would have to have privileges enough to get to the dashboard and upload a picture here, but they would have to upload a malformed picture to possibly gain access through PHP code in there. So it once again requires some level of access to the system anyways, and most people you are granting access to the UI system are going to have some level of admin privileges anyways. So it's not like just anyone gets that type of privilege on there. So it's still great that they fixed it. I'm not saying it shouldn't have been fixed. I'm saying it's nothing that you have to be "oh my gosh, I have to update this right now" for. I just want to keep that clear.

So, a few other little errata details on here and a few other advisories and notices. They do keep everything up to date even though it's not the absolute latest version of FreeBSD. Don't worry, they patch everything in there, and anything that's not patched, like say if there was some problem with Samba and BSD, well, Samba's not part of the package. They only load the packages necessary to build this on BSD. They don't load every BSD package. So sometimes people conflate that to say, well, I found a problem in this particular package, and the folks over at Netgate are, well, it doesn't affect us because we don't load those packages. They don't load a bunch of extra on there.

Now, a couple of notable bug fixes.
In addition to security fixes, pfSense software version 2.5 includes important bug fixes. The default GUI certificate has been reduced to 825 days, and this is because some of the platforms on iOS require shorter certificate release times even for self-signed certs. So this is actually pretty easy to fix: go here, we're going to copy it, SSH into my lab, open up a shell, paste. Now what that did was update the certificate, so when I go here, because this has a self-signed cert, it made me click the yes again. So that's all you have to do to update that. If that matters to you, you just updated a cert.

There's a couple other little things, like the fix for several issues of custom view management and status monitoring. This is a kind of neat tool if you haven't used it before. I can't remember if I've covered it in one of my videos in depth at all. Maybe I should do an updated troubleshooting video for pfSense. There's a lot of little tools in pfSense including the status monitor. There we go. And you can dive in and get graph information, and let's customize this. We can look at the left axis, right axis can be traffic. How does that affect the number of system states? And update the graphs, and you can now overlay data and put it on there. Have a refresh interval. Let's say we want to refresh this every one minute. We do bar graph, update graphs, actually we'll do one minute, five minute resolution, actually one hour, one minute. There we go. Update graphs. This can be very handy when you're troubleshooting loads on a large firewall. So if you have a lot of things like how much processor usage does it take, what does it look like for a time of day, you can pull these monitoring stats. And if these stats aren't good enough, what it does right here to generate it, it does have a download button so you can take a look at them in the raw and draw your own. So it is kind of cool and they've done some more updates to fix that. I'm definitely happy about that.
Now, something they made a note of here: proceed with caution when upgrading pfSense during travel restrictions in effect, which does fit into March 26 of 2020. So if you do not have physical access or will be unable to access it if the upgrade goes bad, make sure that you have access, because, well, if you can't get to it and it goes bad, this was not an update that was do or die when it comes to security. Therefore do it with caution, do it with preparedness that you do have access to it. I've so far, like I said, only updated a few things in our lab here and I've all updated, but I have physical access to them and they're lab computers. If I need to reset them, I can reset them. Always do a backup before you do the update. Always make sure that you have verified: okay, I have the backup, I have access to it, now I can push the update. And do it on off hours, obviously, because you're, you know, wanting to make sure that it's not going to be disruptive to people if you do have to roll it back.

Now they do have this on the bottom here, planning for the upcoming 2.5.0 release. I've got another lab server I've been keeping up to date with this. They have a couple of notes in there, but one of them I just want to bring up because they have it right here: please note that pfSense version 2.5.0 will not require AES-NI. They've been saying, I think it's been like two years ago when this got brought up, and you know, it does not require it, and people still here in 2020 are asking me, will the 2.5 version require an AES-NI processor? And people really seem to lose their minds over it. I did a video about, you know, that it wasn't going to require it, and some people still argue with me that was wrong. This is from Netgate, it's true, it does not require it. I still think you should have a processor that does AES-NI because it's faster in terms of the crypto support that it has. But by the way, these processors have been around now for, I think, about eight years that they've been around, so if you're running it
on older hardware than eight years is the only time you're really going to run into an issue with this. But it's not required, by the way. It's just a speed enhancement to use this on pfSense in general, but it's not a requirement for pfSense. I just want to leave that out there. But I'll leave links to this. They have all the updates and all the details in the documentation, because their documentation, they're really strong on, and keeping it all up to date, which is wonderful. And that's it. Have fun and happy upgrade time.

Thanks, and thank you for making it to the end of the video. If you like this video, please give it a thumbs up. If you'd like to see more content from the channel, hit the subscribe button and hit the bell icon if you'd like YouTube to notify you when new videos come out. If you'd like to hire us, head over to lawrencesystems.com, fill out our contact page, and let us know what we can help you with and what projects you'd like us to work together on. If you want to carry on the discussion, head over to forums.lawrencesystems.com, where we can carry on the discussion about this video, other videos, or other tech topics in general. Even suggestions for new videos, they're accepted right there on our forums, which are free. Also, if you'd like to help the channel in other ways, head over to our affiliate page. We have a lot of great tech offers for you. And once again, thanks for watching and see you next time.