NGFW Features Requiring Plugins/Add-ons:
Deep Packet Inspection (DPI):
- Requires installing plugins like Suricata (Intrusion Detection System - IDS) for DPI and intrusion prevention.
Intrusion Detection and Prevention System (IDPS):
- Suricata is the plugin needed for IDPS, which provides both detection and prevention features.
Application Awareness and Control:
- Requires plugins or custom configurations, such as setting up Suricata with rule sets that can recognize and control specific applications.
Advanced Threat Protection (ATP):
- Available through integration with Suricata or third-party services, but the integration must be configured.
SSL/TLS Decryption and Inspection:
- This is handled through the Web Proxy with the SSL Inspection plugin, which allows decryption and inspection of HTTPS traffic.
URL Filtering and Web Content Control:
- You can achieve this by enabling the Web Proxy along with the URL filtering capabilities, though more advanced filtering might require a plugin like Zenarmor (Sensei).
Antivirus and Antimalware:
- Requires installing the ClamAV plugin for antivirus scanning in conjunction with the web proxy for malware detection.
Threat Intelligence Integration:
- Can be integrated through plugins like ET (Emerging Threats) rule sets in Suricata or other third-party integrations.
Conclusion:
OPNsense offers most NGFW capabilities, but full NGFW functionality requires plugins or add-ons such as Suricata, ClamAV, SSL Inspection, and possibly Zenarmor (Sensei) for enhanced control and visibility. These are all freely available, supported, and integrated within the OPNsense ecosystem, but they do require some manual configuration.