- Disable default admin exposure and limit the GUI/API to the management VLAN.
- Enable multi-factor authentication for administrative accounts.
- Use unique local admin accounts instead of shared credentials.
- Enforce least-privilege firewall aliases and policy-based rules.
- Block management traffic from user/guest networks.
- Use the anti-lockout rule only during initial onboarding, then harden management access to fixed source addresses.
¶ VPN and Zero Trust Access
- Use WireGuard or IPsec with strong cipher suites.
- Require certificate-based auth for privileged remote access.
- Limit VPN network access with per-user or per-group rules.
¶ IDS/IPS and Reputation Feeds
- Enable Suricata in IPS mode on critical interfaces after baseline testing.
- Keep Emerging Threats or equivalent rulesets updated.
- Tune signatures to reduce false positives without disabling core protections.
¶ Update and Backup Operations
- Apply OPNsense security updates during planned windows.
- Test config changes in staging before production rollout.
- Schedule encrypted backups and verify restore procedures quarterly.
¶ Logging and Monitoring
- Send logs to an external SIEM/syslog server with defined retention policies.
- Monitor admin login events, rule changes, and service restarts.
- Enable health checks/alerts for gateway failover and certificate expiry.
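As an added example (not part of this checklist or of the OPNsense project), a small Python triage script that applies the monitoring items above to a constructed batch of syslog-style lines: it flags authentication-failure bursts, admin logins from outside the management VLAN, configuration changes and service restarts. The management prefix, the failure threshold and the message wording are assumptions, not OPNsense's exact log format.

```python
import re
from collections import Counter

# Constructed syslog-style sample lines; the wording approximates what an
# OPNsense box forwards to syslog but is NOT its exact log format.
SAMPLE_LOGS = """\
2024-05-01T08:00:01 fw01 audit: user admin authenticated successfully for WebGui from 10.10.0.5
2024-05-01T08:00:07 fw01 audit: user root failed authentication for WebGui from 192.168.50.23
2024-05-01T08:00:09 fw01 audit: user root failed authentication for WebGui from 192.168.50.23
2024-05-01T08:00:12 fw01 audit: user root failed authentication for WebGui from 192.168.50.23
2024-05-01T08:00:15 fw01 audit: user root failed authentication for WebGui from 192.168.50.23
2024-05-01T08:00:18 fw01 audit: user root failed authentication for WebGui from 192.168.50.23
2024-05-01T08:03:40 fw01 config: user admin changed configuration /firewall/rules from 10.10.0.5
2024-05-01T08:04:02 fw01 configd: service unbound restarted
2024-05-01T08:10:00 fw01 audit: user ops authenticated successfully for WebGui from 172.16.9.4
"""

MGMT_NETS = ("10.10.0.",)  # assumption: management VLAN prefix(es)
FAIL_THRESHOLD = 5         # assumption: failures from one source before alerting

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+?): (.*)$")  # timestamp host program: message
LOGIN_OK = re.compile(r"user (\S+) authenticated successfully for (\S+) from (\S+)")
LOGIN_FAIL = re.compile(r"user (\S+) failed authentication for (\S+) from (\S+)")
CONFIG_CHANGE = re.compile(r"user (\S+) changed configuration (\S+) from (\S+)")
SERVICE_RESTART = re.compile(r"service (\S+) restarted")

def analyze(log_text):
    """Return (alert_type, timestamp, subject, detail) tuples for noteworthy events."""
    alerts = []
    failures = Counter()  # failed logins per source address
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, host, _prog, msg = m.groups()
        if ok := LOGIN_OK.search(msg):
            user, _svc, src = ok.groups()
            if not src.startswith(MGMT_NETS):  # admin access from outside the mgmt VLAN
                alerts.append(("login_outside_mgmt", ts, user, src))
        elif fail := LOGIN_FAIL.search(msg):
            user, _svc, src = fail.groups()
            failures[src] += 1
            if failures[src] == FAIL_THRESHOLD:  # alert once when the burst threshold is hit
                alerts.append(("auth_failure_burst", ts, user, src))
        elif chg := CONFIG_CHANGE.search(msg):
            user, path, _src = chg.groups()
            alerts.append(("config_change", ts, user, path))
        elif rst := SERVICE_RESTART.search(msg):
            alerts.append(("service_restart", ts, host, rst.group(1)))
    return alerts
```

Running `analyze(SAMPLE_LOGS)` yields four alerts; the successful admin login from the management prefix is deliberately not flagged.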