Bug #8389
openfirewall: Add monitor/observe mode to preview firewall policy without enforcing drops
Description
Firewall mode currently has no way to evaluate a rule set without enforcing it. Rules either accept or drop, and the default policy drops unmatched traffic. There is no equivalent of IDS alert-only mode for the firewall engine.
This is a blocker for safe policy deployment. Operators need to preview the effect of a new or modified firewall policy on production traffic before switching to enforcement. The typical workflow is: deploy rules → enable monitor mode → observe logs for hours/days → confirm no legitimate traffic would be blocked → switch to enforce mode.
Ask : A configuration option (in suricata.yaml or via a runtime flag) that puts the firewall engine into a non-enforcing "monitor" state. When enabled:
- Firewall rules evaluate identically — same matching, same rule ordering, same table evaluation (pre_flow, pre_stream, main).
- Drop/reject verdicts are suppressed — packets that would be dropped or rejected by a firewall rule are instead allowed to pass through. The default drop action for unmatched packets is also suppressed.
- Alerts are generated — for every packet where a drop/reject verdict is suppressed, an alert (EVE JSON log entry) is generated indicating the rule that matched and the action that would have been taken. This gives operators full visibility into what enforcement mode would do.
- Accept rules behave normally — packets matching accept rules pass through as usual.
- Changing all drop:* rules to alert doesn't work because firewall mode syntax doesn't support alert as an action — only accept and drop (with scope).
- Running in IDS mode instead doesn't work because IDS mode doesn't evaluate the firewall rule tables (pre_flow, pre_stream, main) or the default drop policy. The rule evaluation path is fundamentally different.
- Setting the default policy to ACCEPT (Section 4.5 of our requirements) only changes the unmatched-traffic behavior — it doesn't suppress explicit drop:* rule verdicts. Monitor mode needs to suppress all enforcement, including explicit drop rules.
Ideally the runtime toggle approach, so operators can switch between monitor and enforce on a live instance without restarting Suricata or reloading rules.
Updated by Jamie Lavigne 12 days ago
I think this one is optional/low priority because with https://redmine.openinfosecfoundation.org/issues/7701 we would have the support we need to do this?
Updated by Victor Julien 11 days ago
- Subject changed from Firewall mode: Add monitor/observe mode to preview firewall policy without enforcing drops to firewall: Add monitor/observe mode to preview firewall policy without enforcing drops
- Priority changed from Normal to Low
I think a complexity would be how to handle explicit drop rules. These are terminating actions, so to simulate the enforcement of drop rules we'd have to make them terminating as well. Maybe it would be enough to turn drop:packet into accept:packet, etc.
Updated by Yash Datre 3 days ago
In monitor mode, the pipeline must follow the same path — skip the same tables, make the same decisions — and only flip the final action. Since a firewall drop rule skips IPS/IDS rules, in monitor mode the matching drop rule should be accepted directly and skip IPS/IDS mode.