I installed Zenarmor with a Home license.
Over time I had already configured Suricata on the WAN and a rule to block all countries outside my own.
Now with Zernarmor I will have to change something.
- Is there a filter by countries? Or do I keep my rule in WAN that uses GeoIP d MaxMind?
- Should I keep Suricata on the WAN? If yes, with what rules? Or rather protect the WAN from Zenarmor?
- If I enable options in the Default policy, for example block Malware/Virus or the "Adult" category, do all the other policies have these options even if not explicitly activated or do I have to enable them in the other policies too
- Are the three policies provided by the license additional to the Default?
- On one interface I have VLANs called LAN, Home, Guests which have different uses. However, I read that it would be useful to configure Zenarmor on the interface and not on the VLAN. What should I do?
- In the device list I find my PC and the switch. Hours later, "Initial identification in progress" still appears. It's correct?
- My PC is with Win11 Pro on ASRock Motherboard. Yet it is identified as Lanix Android; instead the HP switch is identified in the Mobiles category as Google OS: Android OS.
Hi,
1- It is in our roadmap. Please keep in touch for the announcement.
2- You can not protect the same interface with Suricata in (IPS mode) and Zenarmor. You can protect your WAN interface on Zenarmor.
3- The default policy matches the session which if it is not match any custom policy. So you need to set each policy rules individually. The default policy settings will be applied only the sessions that matches it.
4- Home license has the default + 2 custom policies.
5- It is enough to protect only the parent interface. Zenarmor will cover VLANs inside it. If you protect both the parent and child interface together, the traffic will be inspected 2 times.
6- Zenarmor always checks the network packages if there is more detail or new information for the devices until you activate stop device updates in device detail.
7- It should be better to wait a bit more. Zenarmor catches the information from network packages and match them with its device identification database. If it is not be corrected for a while, please share Zenarmor logs with the team via Have feedback option in UI. It could be a false positive classification.
Thanks for the reply.
I'm sorry, but it's still not clear to me how the two policies overlap.
If I didn't misunderstand:
- In configuration I only protect em0 (WAN) and em1 (on which there are VLANs).
- In default policy I establish which options to activate that can also be valid for all VLANs.
- In Policy1 and Policy2 I instead define the options that I intend to enable only for specific VLANs.
It's correct?
Furthermore, it is not clear to me the overlap between the protection of em0 and em1. If I protect the WAN from malware, for example, I shouldn't need to also protect the LAN and VLANs.
I can only think of the case in which a laptop infected elsewhere is then connected to the LAN.
Then, I have a Quad Core i5 and 8GB RAM, after installing Zenarmor (still configuring superficially) and I have CPU peaks at 95% and stable RAM at 81%. It's correct?
Hi,
1- The best practice is to protect the LAN physical interface(s) on Zenarmor. But if you would like to protect only specific VLAN(s) on the interface, you can protect individual VLAN(s) as well. If you protect all inner interface(s) on Zenarmor, The WAN interface protection is optional.
2- Zenarmor applies only one policy to a session. So, if you configure a custom policy that matches to your VLAN traffic, only the custom policy will apply for your VLAN traffic. The Default policy only will be applied for the sessions that don't match to your custom policy(ies). If you don't add any custom policy, the default policy will be applied to all sessions. Or, for example, you added a policy for VLAN 100, this policy will be applied to VLAN 100 and all other traffic will match to default policy. Please visit the following link for further detail.
https://www.zenarmor.com/docs/opnsense/policies/configuring-policy
3- Yes, that's correct.
CPU and Ram usage seems pretty high. Can you share top -ao res command?
In attach the screenshot of "top -ao res" command.
I'm just doing some testing at the moment and have only secured em0-WAN and em1.
In default policy I only have:
* in Security Malware/Virus, Phishing, hacking, Potentially Dangerous.
* In Web control Adult, Dating, Pornography, Social Networks.
If I open a well-known porn site I get an error page "This page is blocked".
Instead, if I open a well-known adult magazine, a dating site and the most well-known social network, an ERR_CONNECTION_CLOSED error appears with the message "WEBSITE has closed the connection unexpectedly".
Why is there no error page for these?
About the devices, they are all wrong.
The switch is Android, Win 11 is another Android, the router is Win10, ...
I'll send a log tomorrow.