PCAP stuck on pending (SO running behind Firewall --> NAT)

[Sidhy]

Hi,

I have read through many of the PCAP stuck on pending discussions but did not find the answer / fix for my situation.

I am running SO behind another firewall (pfsense) where I route my traffic using NAT, when I want to inspect the PCAP file from an alert it stays on pending.

I have checked the /nsm/pcap folder and confirmed the PCAP files are present.

In the /opt/so/log/sensoroni/sensoroni.log file it is filled with the below entry:

{"fields":{"error":"Post \"https://10.6.0.2/sensoroniagents/api/node\": dial tcp 10.6.0.2:443: connect: connection timed out"},"level":"warn","timestamp":"2024-07-04T19:06:02.173125494Z","message":"Failed to submit request"}
{"fields":{"error":"Post \"https://10.6.0.2/sensoroniagents/api/node\": dial tcp 10.6.0.2:443: connect: connection timed out"},"level":"warn","timestamp":"2024-07-04T19:06:02.173192096Z","message":"Failed to poll for pending jobs"}

Firewall IP 10.6.0.2
NAT traffic: 10.6.0.2:443 --> 10.6.2.34:443

Web interface is working fine, I had to manually update the /opt/so/saltstack/local/pillar/global/soc_global.sls file to match the firewall ip to make this work

global:
  soversion: '2.4.70'
  managerip: '10.6.2.34'
  mdengine: 'ZEEK'
  ids: 'Suricata'
  url_base: '10.6.0.2'
  airgap: False
  imagerepo: 'security-onion-solutions'
  pipeline: 'redis'
  repo_host: 'seconion'
  influxdb_host: 'seconion'
  registry_host: 'seconion'
  endgamehost: ''

Anyone has advice on solving the issue ?

[dougburks]

Web interface is working fine, I had to manually update the /opt/so/saltstack/local/pillar/global/soc_global.sls file to match the firewall ip to make this work

It sounds like you manually inserted 10.6.0.2 in /opt/so/saltstack/local/pillar/global/soc_global.sls. You shouldn't need to manually edit this file as this configuration change should be done via the Configuration GUI as shown here:
https://docs.securityonion.net/en/2.4/url-base.html

I'm guessing that the Security Onion node doesn't know how to connect to 10.6.0.2. You may need to change that to a hostname that can be resolved differently from different sides of the NAT boundary.

[Sidhy]

Thank you for your reply and suggestion, I will test this option to see if that would make a change.

I manually changed the entry in the config as I was not able to reach the GUI in the first place, but like you said I need something that will resolve on both ends.

[Sidhy]

This was the fix I had to reboot the full SO stack to make it work properly after making the change in the GUI.

so changed the DNS resolve entry on my local dns server for domain securityonion.domain.local to resolve to 10.6.0.2
and on the SO server it self added a hardcoded entry to the /etc/hosts file to the management interface ip (10.6.2.34 in my case)