Netgate Nexus & Multi-Instance Management FAQ
The most frequently asked questions (FAQ) associated with Netgate Nexus and Multi-Instance Management for pfSense Plus.
Netgate Nexus FAQ
Have a burning question? You're likely not alone! Check out our FAQs for some clarity on our most commonly asked Netgate Nexus software questions.
-
Netgate Nexus is the controller for the pfSense Plus multi-instance management system. Designed to address the growing complexity of managing multiple firewall instances across distributed environments including on-premise, edge and cloud, Netgate Nexus empowers network operators to quickly and securely manage hundreds of pfSense Plus instances through a unified, intuitive interface.
-
Netgate Nexus makes use of zero trust VPN technology, utilizing the Noise Framework for handshaking and key negotiation. Data is then transmitted using the OpenVPN data transport protocol between the controller and clients. Because it is the Client’s job to initiate the VPN, the Client may exist behind other intermediate firewalls, or behind NAT devices, or other layers of internet security or functionality.
As long as the Client can reach the Controller, it can connect to the Netgate Nexus controller and bring up the VPN. Because all traffic exists within the confines of the VPN, there is no need to port-forward or manipulate firewall rules on intermediate systems in order to allow this traffic to pass.
-
An instance of pfSense Plus is any Netgate appliance, AWS or Azure cloud virtual machine that is running pfSense Plus version 25.03 or later.
-
The role of the Controller is to manage instances of pfSense Plus, providing monitoring, management, auditability and automation functions for your group of pfSense Plus instances. The Netgate Nexus controller ships with every instance of pfSense Plus software version 25.03 or higher.
-
A Client is an instance of pfSense Plus (version 25.03 or higher) under management, associated with a particular Netgate Nexus controller.
-
At this time, Netgate Nexus requires pfSense Plus 25.03 or later, running on Netgate appliances, AWS or Azure virtual instances. Netgate Nexus controllers may work on third-party enterprise-class hardware, but this is not guaranteed and we caution against it*. In order to check for device eligibility, enable Netgate Nexus and visit the License menu on your proposed third-party devices. If your hardware is not supported, an error message will be displayed. Clients must be able to access your Controller.
*Air-gapped, offline, virtual and some hardware systems without serial numbers or other identifiers are not eligible for management through the multi-instance management software with the Netgate Nexus controller.
-
A zero-trust security model where your appliance identity is verified and tracked through your hybrid network ensures that the connectivity between Controller and Clients is both secure and legitimate. If your appliance cannot be positively and uniquely identified and verified, that appliance must be excluded in order to maintain zero trust integrity. System identification is rarely an issue when using enterprise-grade hardware.
-
Netgate Nexus controllers either have no license, or a single active license. When you want to associate Clients with a particular active Controller, you purchase an entitlement token for the licensed Controller to manage your Client(s). Entitlements are valid for one year and auto-renew upon expiration. If you wish to cancel, your Entitlements remain valid for the remainder of the term. You will receive an email in advance notifying you of pending renewals.
Additional information on Netgate Nexus licensing and entitlements can be found in the documentation here.
Multi-Instance Management for pfSense Plus FAQ
Here are our most commonly asked questions on Multi-Instance Management for pfSense Plus.
-
Multi-instance management entitlements are sold on a per-managed-device basis. By default, your Controller is capable of controlling the pfSense Plus instance upon which it resides. To add entitlements to your license, allowing you to control more than one instance, simply purchase those entitlements from our store, and apply the entitlement token to your Netgate Nexus controller. Instructions can be found here. Each entitlement purchase expires or renews one year after its purchase date, independently of other entitlement purchases.
-
Canceling your subscription will prevent your entitlements from automatically renewing upon expiration. Your existing entitlements and features will continue to function as normal until they expire.
-
Additional entitlements for your license can be purchased from the Netgate store here. When purchased, you will receive an email just like the initial one you received for your previous entitlements, which will contain a new token. Information about how to apply your Netgate Nexus license and entitlements can be found on our website here. Every token/entitlement has a 1-year/12-month duration, independent of other tokens purchased.
-
Netgate Nexus comes complete with a familiar but rewritten GUI, as well as a robust REST API. You can use either or both of these methods to manage your instances. Large scale or custom operations will be carried out faster using the API.
-
There is no hard limit to the number of devices that a Netgate Nexus controller can manage. This would depend on the capabilities of the hardware that the controller is running on, as well as the number of managed instance entitlements that are purchased for the Netgate Nexus license.
-
Netgate Nexus allows the operator to securely manage all pfSense Plus instances from a single pane of glass, utilizing an intuitive GUI and/or a robust REST API across a zero trust VPN network. This allows the operator to perform monitoring and management tasks on groups of managed instances in a very efficient manner.
-
Multi-Instance Management may be enabled on any pfSense+ firewall running software version 25.03 or greater by navigating to the System > Advanced menu and selecting the Netgate Nexus tab. See our documentation for more information.
-
Our Technical Assistance Center is available 24 hours a day, 365 days a year. Customers with TAC Lite or TAC Pro subscriptions can open a ticket with our Technical Assistance Center via email or the TAC portal. Customers with TAC Enterprise subscriptions may also call our direct Technical Assistance Center phone number. Customers who have purchased Netgate appliances have a complimentary TAC Lite subscription for the life of their Netgate appliance. More information about Netgate TAC can be found here.