Netgate Releases pfSense Plus Software Version 24.03

With over 10 million deployments across homes, small businesses, enterprises, service providers, and governments, pfSense® is the world’s leading open-source-driven firewall, router, and VPN solution for network edge and cloud secure networking. 

We are excited to announce that pfSense® Plus software version 24.03-RELEASE is now available. Release notes are available for review. 

Major Changes and Features

Significant changes in this release include an improved update process using ZFS snapshots, the ability to export packet flow data, an enhanced gateway recovery process, and changes to the default state policy for increased security. The release also addresses several bugs and other issues. 

• Introducing Default Password Control: In response to mandates from various regulatory bodies both in the US and Internationally, pfSense Plus 24.03 now implements stringent measures regarding default passwords. Any attempt to use default passwords will be met with a mandatory reset requirement, applicable across both the User Interface (UI) and Command Line Interface (CLI). As part of our commitment to best practices, we strongly advise all pfSense users to proactively adopt this change. By doing so, you bolster the security posture of your system and align with evolving compliance standards, ensuring a safer and more resilient network environment.
  
  
• Enhanced Update Process using ZFS snapshots: This latest release introduces significant improvements to the software update mechanism, leveraging the capabilities of the ZFS file system to bolster stability and minimize downtime throughout the update process. These enhancements not only fortify the reliability of pfSense Plus but also furnish administrators with potent tools, particularly beneficial for those utilizing system snapshots to establish diverse pfSense Plus environments for testing purposes. This empowers administrators with the flexibility to quickly revert to a predetermined environment should the need arise, enhancing the overall manageability and resilience of the system.

Learn More

• Packet Data Flow Export: A notable addition to this release is the capability to export packet flow data to external collectors via the NetFlow v5 or IPFIX protocol. This feature enables administrators to extract valuable insights from network traffic, which is essential for effective network management. By analyzing flow data, administrators can address various challenges such as optimizing application response times, implementing usage-based accounting, profiling traffic patterns, fine-tuning traffic engineering strategies, detecting potential security threats or intrusions, monitoring Quality of Service (QoS) metrics, and much more. This enhancement equips administrators with powerful tools to enhance network visibility and make informed decisions regarding network performance and security.

Learn More

• Gateway Recovery: Another change is an enhanced gateway recovery process with options to reset connections made through a backup gateway while the primary gateway is offline. This feature will allow connection fail-back to a primary gateway after downtime, which can be especially useful for metered links.

Learn More

• State Policy Default Change: For increased security, the default State Policy in pfSense Plus 24.03 software and later releases is changing from Floating states to Interface-bound states.

Learn More

• Upgrade VPN capabilities: We're excited to announce two major upgrades: Mobile Group Pools and performance enhancements. With the introduction of "Mobile Group Pools," users can access a dedicated tab to configure additional address pools and, if necessary, a DNS server, which may be especially beneficial for larger organizations. This feature allows organizations employing group authentication to define extra address pools for specific user categories, enhancing flexibility to meet diverse requirements

Additionally, we're focused on reducing processing overhead and enhancing performance by updating the IPsec-MB kernel module (iimb.ko) to Intel's latest upstream version 1.5. This update includes optimizations for CPUs supporting AVX512 and AVX2, ensuring smoother operations and improved efficiency. These advancements aim to elevate user experience while maintaining high-performance standards.

Learn More

• Updated IPsec-MB kernel module: We focused on reducing processing overhead and enhancing performance by updating the IPsec-MB kernel module (iimb.ko) to Intel's latest upstream version 1.5. This update includes optimizations for CPUs supporting AVX512 and AVX2, ensuring smooth operations and improved efficiency. These advancements aim to elevate user experience while maintaining high-performance standards.

• High Availability on AWS: We're excited to announce the release of High Availability (HA) for pfSense Plus software on AWS. This release builds upon the standard HA features customers have leveraged in data centers, branches, and remote offices worldwide, with additional AWS-specific features that enable fast failover and maintaining connectivity to critical cloud workloads and services. This feature was added to meet the mission-critical needs of enterprise and government customers requiring uninterrupted services in their AWS deployments. With HA on AWS, customers can meet uptime requirements and internal SLAs while safeguarding mission-critical operations within AWS.
  

Installing the Upgrade

Netgate has a detailed Upgrade Guide available in the pfSense documentation to help explain the process. Below are the high-level steps to perform the upgrade.

Installation Note: 

Devices running pfSense Plus software version 24.03 may be seeing a "24.03_1" update available which is a very minor revision made to address a missing dependency on 64-bit ARM devices (https://redmine.pfsense.org/issues/15433). The revision is kept the same on all platforms for consistency.Upgrading to this version is safe, but not necessary at this time unless users are running on 64-bit ARM devices and want access to S.M.A.R.T. disk data (e.g. Netgate 2100 devices which have an add-on SSD).Using the GUI or pfSense-upgrade from the console or shell to upgrade from 24.03 to 24.03_1, the device will want to reboot, but in this case that is unnecessary. However, doing so is harmless except for the minimal downtime involved in the reboot during that upgrade process.Manually updating from the shell via pkg update; pkg upgrade will pull in the new revision and fixed dependency as needed. Run those commands from a shell prompt and confirm that the proposed changes are OK. No additional action is necessary.Devices which have not yet upgraded to 24.03 or those installed fresh via the Online Network Installer will obtain the latest version automatically and do not require any additional action after upgrading.

Users currently running pfSense Plus software

Upgrades from an earlier version of pfSense Plus software are usually made through the user interface. Before any major change, such as an upgrade, it’s always recommended to save a backup of the pfSense Plus configuration. You can find Backup and Recovery instructions in the pfSense documentation.

• Navigate to System > Update

• Set Branch to “Current Stable Version (24.03)”

• Click Confirm to start the upgrade process

Users currently running pfSense Community Edition (CE) software

We encourage you to migrate from pfSense CE software to pfSense Plus software. Doing so will ensure you have access to all of the benefits of pfSense Plus software. You can find details on how to get pfSense Plus software here.

Troubleshooting the Upgrade

Please review the documentation on Troubleshooting Upgrades for the most up-to-date information on working around upgrade issues.

This pfSense Plus software release is ready for use in production environments. Should any issues arise, please post to our forum or contact Netgate Technical Assistance Center (TAC) for paid support.

Supporting the Project

When you purchase Netgate hardware, TAC, or AWS/Azure cloud instances, you directly sustain the engineering teams responsible for maintaining high quality pfSense software. 

You may support this work through one or more of the following:

• Purchase an official appliance directly from Netgate or from our worldwide reseller partner network. Our appliances are the fast, easy way to get up and running with a fully-optimized firewall.
• Purchase TAC support which provides you with direct access to Netgate Global Support
• Purchase Professional Services, which provides access to our most senior engineers for more complex projects outside the scope of TAC support.
• Use a genuine pfSense Plus instance from Netgate to connect and protect your cloud workloads on AWS and Azure.

Our efforts are made possible by the support of our customers and the community, and for that we express our sincere thanks. This involvement makes the pfSense project a stronger solution for everyone.