There are several ways to test the various steps that allow ThreatSTOP to give you automated IP protection.
There are 5 specific functions that can be tested to make sure that the ThreatSTOP solution is working properly:
- Does your system pull IPs from our database?
- Are the IPs applied to firewall rules?
- Do the blocked IPs get logged?
- Can the logs be uploaded to our database?
- Can 1-4 be done automatically?
1. Does your system pull IPs from our database?
In the Web GUI, hover over the firewall rule "ThreatSTOP_block" that is on the WAN interface. Take note of one of the IP addresses. If the rule has IP addresses, as shown below, you have now verified that your system can pull IPs from our database and that the IPs are applied to the firewall rule.
2. Are the IPs applied to firewall rules?
See step 1, "Does your system pull IPs from our database?"
3. Do the blocked IPs get logged?
To watch the log file update in real time, run the command:
tail -f /var/log/filter.log
On a device that resides behind the firewall, ping the IP address selected in step 1. In the example below, we are pinging 23.227.196.206 from the device 10.10.10.56.
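To confirm the block was logged without watching the tail output, the following added example (not part of the ThreatSTOP scripts) counts block entries for one source/destination pair. It assumes the comma-separated "filterlog:" record format written by pfSense 2.2 and later; the function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: count block entries for one src/dst pair in pfSense filter.log.
# Assumes the comma-separated "filterlog:" format (pfSense 2.2+), IPv4 records:
# field 7 = action, 9 = IP version, 19 = source, 20 = destination.

# count_blocks SRC DST  -- reads log lines on stdin, prints the number of matches
count_blocks() {
    awk -v src="$1" -v dst="$2" '
        {
            # Keep only the CSV payload after the "filterlog: " tag
            i = index($0, "filterlog: ")
            if (i == 0) next
            n = split(substr($0, i + 11), f, ",")
            if (n < 20) next                      # truncated or non-IP record
            if (f[7] == "block" && f[9] == "4" && f[19] == src && f[20] == dst)
                hits++
        }
        END { print hits + 0 }
    '
}

# Constructed sample lines (not captured from a real device)
sample_log() {
    cat <<'EOF'
Feb  3 10:15:01 pfSense filterlog: 5,16777216,,1000000103,em0,match,block,out,4,0x0,,63,4660,0,none,1,icmp,84,10.10.10.56,23.227.196.206,request,1234,1,64
Feb  3 10:15:02 pfSense filterlog: 5,16777216,,1000000103,em0,match,block,out,4,0x0,,63,4661,0,none,1,icmp,84,10.10.10.56,23.227.196.206,request,1234,2,64
Feb  3 10:15:02 pfSense filterlog: 9,16777216,,1000000200,em1,match,pass,in,4,0x0,,64,4662,0,DF,6,tcp,60,10.10.10.56,192.0.2.10,51000,443,0,S,1,,64240,,mss
Feb  3 10:15:03 pfSense filterlog: 5,16777216,,1000000103,em0,match,block,in,4,0x0,,52,4663,0,none,17,udp,76,198.51.100.7,10.10.10.56,53,40000,56
EOF
}

# On the firewall:  count_blocks 10.10.10.56 23.227.196.206 < /var/log/filter.log
if [ "${1:-}" = "--demo" ]; then
    sample_log | count_blocks 10.10.10.56 23.227.196.206
fi
```

A count of 0 after the ping means either the packet was not blocked or the rule is not logging; a non-zero count confirms step 3.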
4. Can the logs be uploaded to our database?
To manually upload the log to ThreatSTOP, run the following command on the pfSense device.
/usr/local/bin/php /usr/local/www/tslogupload.php /var/log/filter.log
If you see the below output, then you have verified that your device can upload logs to our database.
5. Can 1-4 be done automatically?
Run the following command to see the cron jobs.
crontab -l
The output will have 2 lines that are relevant to the ThreatSTOP service.
The 2nd line we already used to test that your device can upload logs. The 1st line is the one we will be testing. Run the command.
/usr/local/bin/php /usr/local/www/tsgetblockip.php firewall
If the output looks like the image below, we have now verified that your pfSense is properly configured for the ThreatSTOP service.