Having trouble accessing the 'Show all configurable settings, including advanced settings' option?

[larry1788]

Version

2.4.30

Installation Method

Security Onion ISO image

Description

configuration

Installation Type

Eval

Location

airgap

Hardware Specs

Meets minimum requirements

CPU

8

RAM

16

Storage for /

512

Storage for /nsm

512

Network Traffic Collection

tap

Network Traffic Speeds

Less than 1Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

Yes, there are salt failures (please provide detail below)

Logs

No, there are no additional clues

Detail

Hello Security Onion expert, after opening 'Show all configurable settings, including advanced settings' and configuring PFSense according to the user manual, upon completing the setup and syncing, I'm unable to log in to the website. At the same time, all system containers seem to be working fine. How should I go about troubleshooting this?

Guidelines

• I have read the above statement and can confirm my post is relevant to Security Onion 2.4.

[larry1788]

Next, we need to allow the traffic from the pfSense firewall to port 9001:

Navigate to Administration –> Configuration.
At the top of the page, click the Options menu and then enable the Show all configurable settings, including advanced settings. option.
On the left side, go to firewall, select hostgroups, and click the customhostgroup0 group. On the right side, enter the IP address of the pfSense firewall and click the checkmark to save.
On the left side, go to firewall, select portgroups, select the customportgroup0 group, and then click udp. On the right side, enter 9001 and click the checkmark to save.
On the left side, go to firewall, select role, select your desired role, select chain, select INPUT, select hostgroups, select customhostgroup0, and then click portgroups. On the right side, enter customportgroup0 and click the checkmark to save.
If you would like to apply the rules immediately, click the SYNCHRONIZE GRID button under the Options menu at the top of the page.

[larry1788]

                    Security Onion Status
                     Container │ Status  │               Details

───────────────────────────────────┼─────────┼───────────────────────
so-curator │ running │ Up 40 hours
so-dockerregistry │ running │ Up 41 hours
so-elastalert │ running │ Up 40 hours
so-elastic-fleet │ running │ Up 40 hours
so-elastic-fleet-package-registry │ running │ Up 41 hours (healthy)
so-elasticsearch │ running │ Up 41 hours
so-idstools │ running │ Up 41 hours
so-influxdb │ running │ Up 41 hours (healthy)
so-kibana │ running │ Up 41 hours
so-kratos │ running │ Up 41 hours
so-mysql │ running │ Up 41 hours (healthy)
so-nginx │ running │ Up 41 hours (healthy)
so-playbook │ running │ Up 40 hours
so-sensoroni │ running │ Up 41 hours
so-soc │ running │ Up 40 hours
so-soctopus │ running │ Up 40 hours
so-steno │ running │ Up 41 hours
so-strelka-backend │ running │ Up 40 hours
so-strelka-coordinator │ running │ Up 41 hours
so-strelka-filestream │ running │ Up 40 hours
so-strelka-frontend │ running │ Up 41 hours
so-strelka-gatekeeper │ running │ Up 41 hours
so-strelka-manager │ running │ Up 40 hours
so-suricata │ running │ Up 24 hours
so-telegraf │ running │ Up 41 hours
so-zeek │ running │ Up 41 hours (healthy)

✔ This onion is ready to make your adversaries cry!

[larry1788]

I found the problem
Firewall settings have disappeared
[root@soclab-1228 ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Normal circumstances, it is
[root@solab-m firewall]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- 172.17.1.0/24 anywhere tcp
ACCEPT udp -- 172.17.1.0/24 anywhere udp
ACCEPT tcp -- solab-m anywhere tcp
ACCEPT udp -- solab-m anywhere udp
ACCEPT tcp -- 10.2.10.0/24 anywhere tcp dpt:4505
ACCEPT tcp -- 10.2.10.0/24 anywhere tcp dpt:4506
ACCEPT tcp -- 10.2.10.0/24 anywhere tcp dpt:4505
ACCEPT tcp -- 10.2.10.0/24 anywhere tcp dpt:4506
ACCEPT tcp -- solab-m anywhere tcp dpt:shell
ACCEPT udp -- solab-m anywhere udp dpt:syslog
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
DROP all -- anywhere anywhere ctstate INVALID
ACCEPT icmp -- anywhere anywhere
LOGGING all -- anywhere anywhere

Chain FORWARD (policy DROP)
target prot opt source destination
DOCKER-USER all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-1 all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
DROP all -- anywhere anywhere ctstate INVALID
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
DROP icmp -- anywhere anywhere icmp timestamp-reply

Chain DOCKER (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere 172.17.1.20 tcp dpt:commplex-main
ACCEPT tcp -- anywhere 172.17.1.22 tcp dpt:wap-wsp
ACCEPT tcp -- anywhere 172.17.1.22 tcp dpt:vrace
ACCEPT tcp -- anywhere 172.17.1.21 tcp dpt:8220
ACCEPT tcp -- anywhere 172.17.1.44 tcp dpt:webcache
ACCEPT tcp -- anywhere 172.17.1.26 tcp dpt:d-s-n
ACCEPT tcp -- anywhere 172.17.1.27 tcp dpt:esmagent
ACCEPT tcp -- anywhere 172.17.1.28 tcp dpt:vop
ACCEPT tcp -- anywhere 172.17.1.28 tcp dpt:4434
ACCEPT tcp -- anywhere 172.17.1.29 tcp dpt:rtraceroute
ACCEPT tcp -- anywhere 172.17.1.29 tcp dpt:lxi-evntsvc
ACCEPT tcp -- anywhere 172.17.1.29 tcp dpt:unot
ACCEPT tcp -- anywhere 172.17.1.29 tcp dpt:intecom-ps1
ACCEPT tcp -- anywhere 172.17.1.29 tcp dpt:5644
ACCEPT tcp -- anywhere 172.17.1.29 tcp dpt:6050
ACCEPT tcp -- anywhere 172.17.1.29 tcp dpt:6051
ACCEPT tcp -- anywhere 172.17.1.29 tcp dpt:6052
ACCEPT tcp -- anywhere 172.17.1.29 tcp dpt:6053
ACCEPT tcp -- anywhere 172.17.1.29 tcp dpt:micromuse-ncpw
ACCEPT tcp -- anywhere 172.17.1.30 tcp dpt:mysql
ACCEPT tcp -- anywhere 172.17.1.31 tcp dpt:http
ACCEPT tcp -- anywhere 172.17.1.31 tcp dpt:https
ACCEPT tcp -- anywhere 172.17.1.31 tcp dpt:pcsync-https
ACCEPT tcp -- anywhere 172.17.1.31 tcp dpt:7788
ACCEPT tcp -- anywhere 172.17.1.33 tcp dpt:redis
ACCEPT tcp -- anywhere 172.17.1.33 tcp dpt:9696
ACCEPT tcp -- anywhere 172.17.1.34 tcp dpt:9822
ACCEPT tcp -- anywhere 172.17.1.35 tcp dpt:afs3-fileserver
ACCEPT tcp -- anywhere 172.17.1.41 tcp dpt:redis
ACCEPT tcp -- anywhere 172.17.1.40 tcp dpt:redis
ACCEPT tcp -- anywhere 172.17.1.38 tcp dpt:57314

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target prot opt source destination
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
RETURN all -- anywhere anywhere

Chain DOCKER-ISOLATION-STAGE-2 (1 references)
target prot opt source destination
DROP all -- anywhere anywhere
RETURN all -- anywhere anywhere

Chain DOCKER-USER (1 references)
target prot opt source destination
ACCEPT tcp -- solab-m anywhere tcp dpt:hbci
ACCEPT tcp -- solab-m anywhere tcp dpt:mysql
ACCEPT tcp -- solab-m anywhere tcp dpt:esmagent
ACCEPT tcp -- solab-m anywhere tcp dpt:redis
ACCEPT tcp -- solab-m anywhere tcp dpt:9696
ACCEPT tcp -- solab-m anywhere tcp dpt:d-s-n
ACCEPT tcp -- solab-m anywhere tcp dpt:wap-wsp
ACCEPT tcp -- solab-m anywhere tcp dpt:vrace
ACCEPT tcp -- solab-m anywhere tcp dpt:commplex-main
ACCEPT tcp -- solab-m anywhere tcp dpt:8220
ACCEPT tcp -- solab-m anywhere tcp dpt:unot
ACCEPT tcp -- solab-m anywhere tcp dpt:pcsync-https
ACCEPT tcp -- solab-m anywhere tcp dpt:7788
ACCEPT tcp -- solab-m anywhere tcp dpt:https
ACCEPT tcp -- 10.2.10.0/24 anywhere tcp dpt:lxi-evntsvc
ACCEPT tcp -- 10.2.10.0/24 anywhere tcp dpt:5644
ACCEPT tcp -- 10.2.10.0/24 anywhere tcp dpt:8220
ACCEPT tcp -- 10.2.10.0/24 anywhere tcp dpt:unot
ACCEPT tcp -- 10.2.10.0/24 anywhere tcp dpt:pcsync-https
ACCEPT tcp -- 10.2.10.0/24 anywhere tcp dpt:https
ACCEPT tcp -- 10.2.10.0/24 anywhere tcp dpt:commplex-main
ACCEPT tcp -- 10.2.10.0/24 anywhere tcp dpt:d-s-n
ACCEPT tcp -- 10.2.10.0/24 anywhere tcp dpt:https
ACCEPT tcp -- 10.2.10.0/24 anywhere tcp dpt:redis
ACCEPT tcp -- 10.2.10.0/24 anywhere tcp dpt:9696
ACCEPT tcp -- 10.2.10.0/24 anywhere tcp dpt:wap-wsp
ACCEPT tcp -- 10.2.10.0/24 anywhere tcp dpt:vrace
ACCEPT tcp -- 10.2.10.0/24 anywhere tcp dpt:5644
ACCEPT tcp -- 10.2.10.0/24 anywhere tcp dpt:https
ACCEPT tcp -- 10.2.10.0/24 anywhere tcp dpt:commplex-main
ACCEPT tcp -- 10.2.10.0/24 anywhere tcp dpt:d-s-n
ACCEPT tcp -- 10.2.10.0/24 anywhere tcp dpt:8220
ACCEPT tcp -- 10.2.10.0/24 anywhere tcp dpt:unot
ACCEPT tcp -- 10.2.10.0/24 anywhere tcp dpt:pcsync-https
ACCEPT tcp -- 10.2.10.0/24 anywhere tcp dpt:https
ACCEPT tcp -- 10.2.50.0/24 anywhere tcp dpt:http
ACCEPT tcp -- 10.2.50.0/24 anywhere tcp dpt:https
ACCEPT tcp -- 10.2.10.0/24 anywhere tcp dpt:http
ACCEPT tcp -- 10.2.10.0/24 anywhere tcp dpt:https
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
LOGGING all -- anywhere anywhere
RETURN all -- anywhere anywhere

Chain LOGGING (2 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 2/min burst 5 LOG level warning prefix "IPTables-dropped: "
DROP all -- anywhere anywhere

==========================
what should i do？

[cm-ops]

What does sudo salt-call pillar.get firewall return? Also, are you still unable to access SOC?

[larry1788]

Dear Security Onion Experts
Thank you for your reminder and reply. The answer to this question has been found. The reason is that I typed the wrong text in the settings and mistakenly typed customportgroup0 as customportguoupO. Currently, the port can be enabled in iptables -L, although I have not seen it in Integuetions. LOG, but this is already a big improvement. Thank you for your reply and wish you the best!

iptables -L
ACCEPT tcp -- 10.1.0.0/16 anywhere tcp dpt:9514
ACCEPT udp -- 10.1.0.0/16 anywhere udp dpt:9514

Another problem is that I cannot see and listen to the 9514port in ss -alent. I will continue to work hard to see if the setting is not completed there!