Help Please

[Sabrine-se]

Hello,
I installed a production deployment
Here's some informations:

/etc/soversion : 2.3.270
On-prem with Airgap=True no access to internet
Installed with Security onion image
3 Nodes (1 Manager node with 1 sensor node and 1 search node )
No monitoring network traffic ( sensor with 1 NIC)
So-status show all services running on the 3 nodes
Soc grid page don't show any failures (status OK)
Firewall: I copied portgroups file and assigned_hostgroups from default to local
when i run systemctl stop firewalld i can run salt '' test.ping with True
when i run salt '' state.hignstate many times i have some failure with the forward node and response no code exist
Salt-key -L show that keys are accepted
I configured my ipfire firewall to send syslog logs to forward node and I did so-allow -s -i IP to allow this host to send syslog
I tried to Add the following to the sensor minion pillar file located at /opt/so/saltstack/local/pillar/minions/_.sls
firewall:
assigned_hostgroups:
chain:
DOCKER-USER:
hostgroups:
syslogtosensor1:
portgroups:
- portgroups.syslog

but when i run sudo salt _ state.apply firewall
no minion matched the target.No command was sent,no jid was assigned
Error:No return received
In SOC it show this
Http-Status-code: 500 -500 can't connect to pakfire.ipfire.org:443(Name or service not known)
PS :i lost connection with SOC many time i have to run systemctl restart firewalld to catch connection

I have doubts that it is a firewall configuration problem or the forward with a single NIC

[dougburks]

From #1720:
Make your discussion search friendly
When creating your discussion, please put a relevant and descriptive title in the Title field and avoid generic titles like Help.

No monitoring network traffic ( sensor with 1 NIC)

This is a strange configuration. Sensor nodes are intended to monitor traffic and have 2 or more NICs. If you're not going to monitor traffic, then you probably don't need a sensor node.

/etc/soversion : 2.3.270

Please note that 2.3 reaches End Of Life in less than 4 months:
https://blog.securityonion.net/2023/12/4-month-end-of-life-eol-reminder-for.html

You may want to take this opportunity to migrate to 2.4.

[Sabrine-se]

that is right i'am not going to monitor traffic but i think i will need forward node for filebeat configuration!

[dougburks]

If you're not going to monitor traffic from a tap or span port and are just trying to collect firewall logs from your firewall, then you don't need a forward node.

Please take this opportunity to move to 2.4 and make sure you review the documentation to determine the correct architecture and node types to meet your requirements:
https://docs.securityonion.net/en/2.4/architecture.html

If you have further questions or problems, please start a new discussion with relevant and descriptive title in the Title field and avoid generic titles like Help Please.