PFMonitor Admin Panel
Code Version: 2.3.52 || Database Version: 2.3.52
Welcome Page
Welcome admin
PF Monitor 2.3.52 Release - Monitoring, Analytics, and Alerting for pfSense

This system is optimized for 1366x768 or larger resolution for reports, and charts.

First Build:            November 11th, 2016
Released by:  		PFMonitor
Build version:  	2.3.52  - View Changelog
Build date: 		2017-06-19 
License:		License Required for use!

Support E-Mail:		[email protected]

How to connect your pfSense Firewalls to PFMonitor in 4 stages.
1. Add your Firewall to your Devices List under Settings > Manage Devices
Make sure to use the Primary WAN IP Address as the IP.
Generic Name and Admin Port are Optional and not required.
Sensor Type should be TCP/IP
Static and Dynamic IPs are supported, Make sure you select the proper option!

2. Threat Data Feed - Watch Video Tutorial!
Syslog Ingest:		------------------------

Note:  If you have multiple gateways, or all traffic flowing out thru a VPN, please set
the source address of the syslog settings to that of your WAN IP instead of "default".
This must be the same IP registered for the firewall in PFMonitor.

3. ACL Management for pfSense Firewalls: - Watch Video Tutorial!
Lists update much faster when Checkin Agent is installed on firewalls.
Whitelist Sync:		------------------------
Blacklist Sync:		------------------------

4. PFMonitor Checkin Agent for Live Statistics: - Watch Video Tutorial!
Enables Live Stats, Faster URL Table/Alias Table reloads, Inventory, and Remote Reboot.
Checkin Module: 	------------------------
Cron Job Entry: 	------------------------

Troubleshooting the checkin agents ability to reach the PFMonitor Backend Servers:
1.  On the firewall, Go to, Diagnostics, Command Prompt.
2.  In the Execute Shell Command field Enter: php pfmonitor.checkin.php
3.  A response of "success" indicates the connection is good.  No response indicates a failure to reach the backend.

Proxy Tools:		pfMonitor Proxy Daemon for Windows - AES Encrypted
Proxy Tools:		pfMonitor Proxy Daemon for Linux - AES Encrypted - Deps: Python 2.6-2.7, Pycrypto
                        pfMonitor Proxy Daemon Change Log

Release Author:		MasterX-BKC-
Author Email:		[email protected]
Author URL:

Add tracking of CPortal authentication events.

General Help:
Inbound threat data is buffered by 15 minutes before merging into storage to ease disk IO.

tcp:S   = TCP Syn, A General TCP Connection Attempt, Most commonly an enemy Port-Scanner.
          Can also be a legitimate connection attempt from a blocked ip.
          Can also be a legitimate connection attempt on a closed port.
tcp:A   = TCP Ack, Generally a Spoof, sometimes an indicator that you may have rule issues.
tcp:SA  = TCP Syn/Ack, Generally a Spoof, sometimes an indicator that you may have rule issues.
tcp:FPA = Unknown, but most commonly seen with Exchange Servers, doesnt seem to signify an actual issue.
udp     = Standard UDP Datagram, Handshake-less, Sometime nmap can cause these.
auth    = This indicates a successfull or failed login or logout event.  Usually to a firewalls Web GUI.

Many tcp:S hits on ports 23, 2323, 3389 and some others, usually indicated a penetration attempt/scan from
an automated scanner/botnet controller.  RDP Brute Force bots, MiRai IoT Botnet Tool, and others.

pfWeb Layer 7 Defense addon:
1.  Include in top level php file, or main config file that is loaded in all modules.

2.  in main .htaccess file add the following line with correct path to pfweb.php
php_value auto_prepend_file "/path/to/your/pfweb.php"

Legal Bit:
Copyright © 2016

 * Unauthorized use, copying, or distribution of this file, via any medium is strictly prohibited
 * Proprietary and confidential
 * Written by MasterX-BKC- 

10 % of the monthly proceeds to this service will be donated to development of pfSense

Many long hours have been poured into the development of this system. However, none of it would have
been possible without the help of everyone involved in the community at I would like to
thank the people who have assisted is the development of this system and the firewall we all love: pfSense.
Thank you pfSense team for producing such a versatile system.

PFMonitor contributions
		MasterX-BKC- Lead Programmer
		Brett Scott for his quick answers to python questions, and consulation
		Steven Wilson (Wilson212) for Coding, and UI assistance

		David Hernandez

This system is designed to enable IT and Security Staff to recognize trends in attack sources to help
identify and quantify automated attacks from targetted attacks and show any coordination in attacks
against other members, groups, etc.  This tool is also usable to judge the reputation of networks, and
ip addresses from around the world based on their historical records of attacks.  Data from multiple
firewalls can be quickly sorted and analyzed to quickly reveal attackers who are randomly hitting you
versus those who could be launching coordinated penetration tests and attacks to attempt hostile breach
of your systems.

The developer of this release CANNOT guarantee compatibility with all systems. Any bugs reported will
be address on a "best-effort" basis. This release has been developed and tested against the following
		2.3.2-RELEASE (i386) - FreeBSD 10.3-RELEASE-p5
		Intel(R) Xeon(R) CPU E5620 @ 2.40GHz - 2 CPUs: 1 package(s) x 2 core(s)
		2048MB RAM

	Web Server:
		Ubuntu 14.04.5
		Intel(R) Xeon(R) CPU X5650 @ 2.66GHz, 12 cores
		20 GB RAM
		PHP 5.5.9 or newer
		MariaDB 5.5.53 (MySQL and MariaDB are interchangable)
		|-MariaDB is faster, and works better with larger databases!
		|-Oracle's MySQL was choking with 10+ firewalls in use.
		|-MariaDB is 10x faster with 31 firewalls in use.

Helpful Resources if you've purchased Standalone Copy :
As can be seen above this system release on technologies from around the Internet. Here's a brief list of
web sites that you may find helpful in setting you this system:


The system is very simple, if you do not scrutinize outgoing traffic no rule changes should be
needed.  Otherwise, you will need to allow traffic to pass to the Ingest server listed at the
top of this page.  The flow is one way over UDP, no need for a re-entry rule to be created.

Known Issues:
 - N/a

 - N/a