I feel compelled to share my recent experience with Zenarmor regarding their services and commitments. As a long-time customer, I was assured that my subscription would be upgraded to the SSE version at no additional cost. This assurance played a significant role in my decision to continue with Zenarmor.
Unfortunately, this promise has not been fulfilled, and my disappointment has only deepened after escalating the issue to the CEO. Instead of a resolution, I received responses that seemed dismissive and failed to address my concerns. The conditions have changed unexpectedly, leaving me feeling undervalued as a customer.
I have faced numerous technical issues that remain unresolved, and the lack of communication regarding my upgrade has only added to my frustration. It's disheartening to see a company that once held great promise fail to keep its word, especially after raising these issues at the highest level.
I urge others who have faced similar issues to voice their experiences as well. We deserve to have our commitments honored and our concerns addressed.
Thank you for reading.
In the spirit of this forum I'd like people to ask technical questions more than share resentment, because at the end of the day only one will bring OPNsense and Zenarmor forward.
Cheers,
Franco
As a person who just bought a 3-year license to OPNsense and has been a paying customer of Zenarmor for > 1 year now, I get what you are saying Franco, but if this is only for technical issues, where else does a paying customer address this? Reddit only, I guess? There isn't some review section on the OPNsense store or Zenarmor website for paying customers.
I think staying positive is best, but at the end of the day, the business cannot be shielded from feedback or reviews or experiences.
I really love OPNsense and I want to love Zenarmor, but Sensei/Sunny Valley doesn't do themselves any favors IMHO.
I just don't want this forum to become a substitute Yelp. We could share some facts here about the situation but ultimately Zenarmor needs to address this (in communication and engagement first and foremost) which is where I don't think these types of postings will be the catalyst.
Cheers,
Franco
"substitute Yelp" :D
I just imagined what if OPNsense was officially run from Yelp, what a weird thought.
Franco, I agree with you, but constructive criticism doesn't hurt. Even though this topic is more on the other side of the note...
Regards,
S.
All the tickets I raised with them were taken care of in a timely and professional manner.
I mainly bought Home to support development, the free edition (and you don't get that level of DPI insights/filtering for free anywhere else) is pretty awesome itself.
Not saying that it's not something nice to play with, but in the end:
SSE (SSL Inspection) is usually not something you run at home anyway, as you have to roll out certificates and will have to constantly exempt stuff (certificate-pinned apps, incompatible websites) to make users happy. It has a very low WAF and your kids would start visiting the neighbors pretty often soon. 😅
> Franco, I agree with you, but constructive criticism doesn't hurt.
I don't disagree. I want to mostly point out opening with "deep disappointment" in the subject is a lost cause. Eventually you want to have a stance that can be amended by others.
Cheers,
Franco
Quote from: franco on October 23, 2024, 12:54:35 PM
> Franco, I agree with you, but constructive criticism doesn't hurt.
I don't disagree. I want to mostly point out opening with "deep disappointment" in the subject is a lost cause. Eventually you want to have a stance that can be amended by others.
Point taken. Yeah, the OP wording clearly shows their frustration, but might be a bit dramatic. Ultimately though, it's up to you and OPNsense, as it is your product and such, and we have to respect that as well. Thanks for taking the time to give your point of view.
Zenarmor has potential. However, advanced features and functions that many competitors have already developed, including AI capabilities, are in their roadmap. This is why we have continued to support them, as we once saw promise in their roadmap. However, the lack of commitment to customer satisfaction is concerning.
If Zenarmor is positioning itself as a cost-effective solution compared to the market, it's vital for them to understand the challenges customers face and the frustration that arises when commitments are not honored. It's important for us to have a platform to express our experiences and concerns.
I hope Zenarmor will recognize the need for accountability and take customer feedback seriously. Open communication and reliability are essential to maintaining a loyal customer base.
Thank you for allowing me to share my thoughts.
If someone tries to sell AI in the security sector, I usually look twice, double check and then smile about what was actually offered as being AI.
TBH, I'd love it if they didn't try to sell anything as "AI" for security and just sat out the hype. Remember blockchain?
AI is the next crypto.
Quote from: Patrick M. Hausen on October 24, 2024, 08:37:09 AM
AI is the next crypto.
+1
Ever heard of AI power supplies? Those are AI because you can run devices on them that run AI......
Quote from: Patrick M. Hausen on October 24, 2024, 08:37:09 AM
AI is the next crypto.
I'm expecting the crash after the hype. Maybe next year?
Still, it's more useful than crypto which, unfathomably, is still around.
NVIDIA likes both. ;)
Quote from: pradip.marathon on October 24, 2024, 07:24:33 AM
Zenarmor has potential. However, advanced features and functions that many competitors have already developed, including AI capabilities, are in their roadmap. This is why we have continued to support them, as we once saw promise in their roadmap. However, the lack of commitment to customer satisfaction is concerning.
If Zenarmor is positioning itself as a cost-effective solution compared to the market, it's vital for them to understand the challenges customers face and the frustration that arises when commitments are not honored. It's important for us to have a platform to express our experiences and concerns.
I hope Zenarmor will recognize the need for accountability and take customer feedback seriously. Open communication and reliability are essential to maintaining a loyal customer base.
Thank you for allowing me to share my thoughts.
I agree, lately they are more concerned with large-scale enterprise customers than with those of us beta testers out there. On the Zenarmor website you can request a trial version of Zenarmor SSE for home users, and I have been trying for weeks and all I get is advertising in my email.
I really would like to hear what the technical issues are, I haven't seen anything on my end other than lots of RAM in use, but I assume that is from loading the lists into RAM so that it is faster to scan.
I'm also not trying to do SSL inspection right now, it's something I need to look into when I have time.
Quote from: yeraycito on October 24, 2024, 03:46:00 PM
Quote from: pradip.marathon on October 24, 2024, 07:24:33 AM
Zenarmor has potential. However, advanced features and functions that many competitors have already developed, including AI capabilities, are in their roadmap. This is why we have continued to support them, as we once saw promise in their roadmap. However, the lack of commitment to customer satisfaction is concerning.
If Zenarmor is positioning itself as a cost-effective solution compared to the market, it's vital for them to understand the challenges customers face and the frustration that arises when commitments are not honored. It's important for us to have a platform to express our experiences and concerns.
I hope Zenarmor will recognize the need for accountability and take customer feedback seriously. Open communication and reliability are essential to maintaining a loyal customer base.
Thank you for allowing me to share my thoughts.
I agree, lately they are more concerned with large-scale enterprise customers than with those of us beta testers out there. On the Zenarmor website you can request a trial version of Zenarmor SSE for home users, and I have been trying for weeks and all I get is advertising in my email.
For an SSE trial license, please send an email to sales@zenarmor.com. They will assist you with this as soon as possible.
Quote from: Greg_E on October 24, 2024, 04:28:19 PM
I really would like to hear what the technical issues are, I haven't seen anything on my end other than lots of RAM in use, but I assume that is from loading the lists into RAM so that it is faster to scan.
I'm also not trying to do SSL inspection right now, it's something I need to look into when I have time.
Generally I would not use zenarmor if the aim is to have a system that works after an update.
But that goes for all packages that are not directly part of the main opnsense distribution.
As for the OP, I can't understand what the problem is either, the posts read like press releases.
Sorry for my English... I use a translator.
I would like to say that after my previous comment about the impossibility of getting a trial version of Zenarmor SSE, my request has been answered very kindly and, above all, very quickly. I am very happy that you take into account the individual users, who are the ones who mostly use your product and who in many cases act as beta testers without wanting to; that is not at all counterproductive to the natural fact that Zenarmor is a company and needs to monetize its products.
I've been testing the full TLS inspection for a few days and I'm going to take this opportunity to comment on how it works:
OPNsense on a mini PC (N305 + 16 GB DDR5 RAM), local network with 6 devices.
I use full TLS inspection without any restrictions or whitelisting.
Manjaro + Brave computer:
I have not noticed any decrease in performance when accessing web pages; however, when accessing some of them it sometimes does not load them (very few times), which is solved by waiting a bit and reloading the page. I have noticed a very slight slowdown in the case of the Google search engine, and loading problems when returning to it after accessing any of the search results.
Android 14 mobile:
Zenarmor does not inform on its website about the possibility of including the Zenarmor certificate on Android:
https://www.zenarmor.com/docs/guides/adding-zenarmor-certificate-to-a-trust-store
However, in the case of Fortinet they do provide this information:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-import-FortiGate-CA-certificates-into/ta-p/193274
In my case, when doing it with the Zenarmor certificate I have obtained very mixed results: the Brave browser on Android tells me that there is no internet connection, but nevertheless there is no problem accessing any website. In the case of installed applications, some connect without problems and others do not; Gmail does and Protonmail does not.
It is very possible that Zenarmor is not to blame but Android is, when installing the certificate, because to install it as a root certificate you must have rooted the mobile.
Finally, Zenarmor had a very bad start but over time it has been improving favorably. Today it works very well, the protection it offers is very satisfactory, the performance in the absence of multicore capability has improved a lot over time and the filtering and display options are simply fantastic.
In a BYOD scenario, why would someone want to install a certificate on their personal device?
There should be a solution to implement TLS inspection without requiring any tools or certificates to be installed on the endpoints.
Quote from: pradip.marathon on October 29, 2024, 07:46:44 AM
In a BYOD scenario, why would someone want to install a certificate on their personal device?
There should be a solution to implement TLS inspection without requiring any tools or certificates to be installed on the endpoints.
You should probably read up on how SSL Inspection works. ;)
That's also why we have trusted root servers out on the internet, but you'll need to be running a registered name to be able to use them.
Else you can push them out with a group policy for your Windows LAN clients.
Quote from: athurdent on October 29, 2024, 08:10:11 AM
Quote from: pradip.marathon on October 29, 2024, 07:46:44 AM
In a BYOD scenario, why would someone want to install a certificate on their personal device?
There should be a solution to implement TLS inspection without requiring any tools or certificates to be installed on the endpoints.
You should probably read up on how SSL Inspection works. ;)
I have already implemented and tested SSL inspection in my org. Installation of the Zenarmor SSL certificate is mandatory in order for TLS inspection to work and filter the content.
Do you have any other aspect on this?
Quote from: pradip.marathon on October 30, 2024, 08:02:41 AM
Quote from: athurdent on October 29, 2024, 08:10:11 AM
Quote from: pradip.marathon on October 29, 2024, 07:46:44 AM
In a BYOD scenario, why would someone want to install a certificate on their personal device?
There should be a solution to implement TLS inspection without requiring any tools or certificates to be installed on the endpoints.
You should probably read up on how SSL Inspection works. ;)
I have already implemented and tested SSL inspection in my org. Installation of the Zenarmor SSL certificate is mandatory in order for TLS inspection to work and filter the content.
Do you have any other aspect on this?
Every SSL Inspection implementation requires you to trust a signing certificate, i.e. install a custom cert. So unsure how one would expect Zenarmor to act differently when familiar with the requirements for SSL Inspection.
I was led to believe that the Zenarmor package could use any SSL certificate. If it only allows its self-signed certificate, then that will be a problem that needs to be fixed.
Quote from: Greg_E on October 30, 2024, 03:53:35 PM
I was led to believe that the Zenarmor package could use any SSL certificate. If it only allows its self-signed certificate, then that will be a problem that needs to be fixed.
Being a CA certificate, of course it's self signed.
Addendum: and that cannot be "fixed".
Generations of cryptographers have been working hard to make TLS a trustworthy secure unbreakable end-to-end channel. If you insist on breaking it anyway, you need a local certification authority that is trusted by your end devices.
That's how it is supposed to work. A proxy, a firewall, Zenarmor, ... have no business looking inside TLS encrypted connections. That's what TLS is for.
Quote from: bimbar on October 30, 2024, 03:59:03 PM
Quote from: Greg_E on October 30, 2024, 03:53:35 PM
I was led to believe that the Zenarmor package could use any SSL certificate. If it only allows its self-signed certificate, then that will be a problem that needs to be fixed.
Being a CA certificate, of course it's self signed.
You need something that can issue certificates, so can also be an intermediate CA cert. But I am unsure if any of the CAs other than perhaps Honest Achmed's Used Cars and Certificates ( https://bugzilla.mozilla.org/show_bug.cgi?id=647959 ) will sell something like this ... :)
Quote from: athurdent on October 30, 2024, 04:35:25 PM
Quote from: bimbar on October 30, 2024, 03:59:03 PM
Quote from: Greg_E on October 30, 2024, 03:53:35 PM
I was led to believe that the Zenarmor package could use any SSL certificate. If it only allows its self-signed certificate, then that will be a problem that needs to be fixed.
Being a CA certificate, of course it's self signed.
You need something that can issue certificates, so can also be an intermediate CA cert. But I am unsure if any of the CAs other than perhaps Honest Achmed's Used Cars and Certificates ( https://bugzilla.mozilla.org/show_bug.cgi?id=647959 ) will sell something like this ... :)
That was my point, you will not get anyone to issue you an official CA certificate.
Quote from: athurdent on October 30, 2024, 09:17:25 AM
Quote from: pradip.marathon on October 30, 2024, 08:02:41 AM
Quote from: athurdent on October 29, 2024, 08:10:11 AM
Quote from: pradip.marathon on October 29, 2024, 07:46:44 AM
In a BYOD scenario, why would someone want to install a certificate on their personal device?
There should be a solution to implement TLS inspection without requiring any tools or certificates to be installed on the endpoints.
You should probably read up on how SSL Inspection works. ;)
I have already implemented and tested SSL inspection in my org. Installation of the Zenarmor SSL certificate is mandatory in order for TLS inspection to work and filter the content.
Do you have any other aspect on this?
Every SSL Inspection implementation requires you to trust a signing certificate, i.e. install a custom cert. So unsure how one would expect Zenarmor to act differently when familiar with the requirements for SSL Inspection.
It's surprising to see such comments without a proper understanding of the context. I have clearly outlined the expected solution, fully aware of how SSL inspection works. While I understand that implementing SSL inspection typically requires trusting a signing certificate, I believe that solutions like those offered by Palo Alto already provide agent-less options to achieve the desired results.
Quote from: pradip.marathon on November 04, 2024, 11:17:33 AM
Quote from: athurdent on October 30, 2024, 09:17:25 AM
Quote from: pradip.marathon on October 30, 2024, 08:02:41 AM
Quote from: athurdent on October 29, 2024, 08:10:11 AM
Quote from: pradip.marathon on October 29, 2024, 07:46:44 AM
In a BYOD scenario, why would someone want to install a certificate on their personal device?
There should be a solution to implement TLS inspection without requiring any tools or certificates to be installed on the endpoints.
You should probably read up on how SSL Inspection works. ;)
I have already implemented and tested SSL inspection in my org. Installation of the Zenarmor SSL certificate is mandatory in order for TLS inspection to work and filter the content.
Do you have any other aspect on this?
Every SSL Inspection implementation requires you to trust a signing certificate, i.e. install a custom cert. So unsure how one would expect Zenarmor to act differently when familiar with the requirements for SSL Inspection.
It's surprising to see such comments without a proper understanding of the context. I have clearly outlined the expected solution, fully aware of how SSL inspection works. While I understand that implementing SSL inspection typically requires trusting a signing certificate, I believe that solutions like those offered by Palo Alto already provide agent-less options to achieve the desired results.
Zenarmor is agent-less though? You should perhaps elaborate on your ask, and lay out what others like Palo Alto are doing differently.
I.e. explain how you'd like full SSL Inspection be done by Zenarmor (or any other SSL Inspection engine) without trusting a certificate used to decrypt traffic in the middle.
Eh ?! What is your understanding of how Palo Alto does the inspection? Agent or Agent-less has nothing to do with it.
Somehow this thread got derailed. Can a new one be created to discuss the ups and downs and requirements for TLS MITM proxy?
Quote from: athurdent on November 04, 2024, 11:31:27 AM
Quote from: pradip.marathon on November 04, 2024, 11:17:33 AM
Quote from: athurdent on October 30, 2024, 09:17:25 AM
Quote from: pradip.marathon on October 30, 2024, 08:02:41 AM
Quote from: athurdent on October 29, 2024, 08:10:11 AM
Quote from: pradip.marathon on October 29, 2024, 07:46:44 AM
In a BYOD scenario, why would someone want to install a certificate on their personal device?
There should be a solution to implement TLS inspection without requiring any tools or certificates to be installed on the endpoints.
You should probably read up on how SSL Inspection works. ;)
I have already implemented and tested SSL inspection in my org. Installation of the Zenarmor SSL certificate is mandatory in order for TLS inspection to work and filter the content.
Do you have any other aspect on this?
Every SSL Inspection implementation requires you to trust a signing certificate, i.e. install a custom cert. So unsure how one would expect Zenarmor to act differently when familiar with the requirements for SSL Inspection.
It's surprising to see such comments without a proper understanding of the context. I have clearly outlined the expected solution, fully aware of how SSL inspection works. While I understand that implementing SSL inspection typically requires trusting a signing certificate, I believe that solutions like those offered by Palo Alto already provide agent-less options to achieve the desired results.
Zenarmor is agent-less though? You should perhaps elaborate on your ask, and lay out what others like Palo Alto are doing differently.
I.e. explain how you'd like full SSL Inspection be done by Zenarmor (or any other SSL Inspection engine) without trusting a certificate used to decrypt traffic in the middle.
My expectation was mentioned clearly in an earlier post as well.
In a BYOD scenario, why would someone want to install a certificate on their personal device?
There should be a solution to implement content filtering/TLS inspection without requiring any tools or certificates to be installed on the endpoints.
Palo Alto can filter the content from a website. Example 1: I would like to give access to YouTube except specific video categories in YouTube like Shorts, Movies, Non-Educational, Games etc.
Example 2: I would like to give access to Facebook but not the games inside Facebook.
Quote from: pradip.marathon on November 04, 2024, 12:11:17 PM
There should be a solution to implement content filtering/TLS inspection without requiring any tools or certificates to be installed on the endpoints.
This is technically impossible. The entire point of TLS is prohibiting "inspection".
Quote from: pradip.marathon on November 04, 2024, 12:11:17 PM
Palo Alto can filter the content from a website. Example 1: I would like to give access to YouTube except specific video categories in YouTube like Shorts, Movies, Non-Educational, Games etc.
Example 2: I would like to give access to Facebook but not the games inside Facebook.
That usually requires the firewall to be able to inspect the URLs called, which normally demands SSL decryption to take a look. With a certificate installed on your system.
If it really works without, and please verify and let us know, then they got lucky and there are e.g. different hosts used by YouTube or Facebook for this. Which would allow differentiation without looking at the traffic.
I doubt you can do the above with Palo Alto and no extra certificate installed though.
You CAN do filtering on a domain name basis via SNI without decryption, but that's it.
Quote from: Patrick M. Hausen on November 04, 2024, 12:13:23 PM
Quote from: pradip.marathon on November 04, 2024, 12:11:17 PM
There should be a solution to implement content filtering/TLS inspection without requiring any tools or certificates to be installed on the endpoints.
This is technically impossible. The entire point of TLS is prohibiting "inspection".
I believe you will need to explore some available solutions. It is very much possible to achieve this. For YouTube, the YouTube V3 API is already available, which can be used with open-source proxies like Squid. There are multiple bundled packages with Squid that already include such integrations. Please refer to WebSafety from Diladele and SafeSquid's integration for "https://docs.safesquid.com/wiki/Youtube_API_Integration_With_Safesquid_To_Allow_Specific_YouTube_Videos" for more information.
Quote from: bimbar on November 04, 2024, 12:58:24 PM
You CAN do filtering on a domain name basis via SNI without decryption, but that's it.
Agreed, but here I was referring to content filtering instead of URL filtering.
Quote from: pradip.marathon on November 05, 2024, 09:28:07 AM
Quote from: Patrick M. Hausen on November 04, 2024, 12:13:23 PM
Quote from: pradip.marathon on November 04, 2024, 12:11:17 PM
There should be a solution to implement content filtering/TLS inspection without requiring any tools or certificates to be installed on the endpoints.
This is technically impossible. The entire point of TLS is prohibiting "inspection".
I believe you will need to explore some available solutions. It is very much possible to achieve this. For YouTube, the YouTube V3 API is already available, which can be used with open-source proxies like Squid. There are multiple bundled packages with Squid that already include such integrations. Please refer to WebSafety from Diladele and SafeSquid's integration for "https://docs.safesquid.com/wiki/Youtube_API_Integration_With_Safesquid_To_Allow_Specific_YouTube_Videos" for more information.
Well I'm going to stop arguing this then. Do live in whatever world you choose.
Quote from: pradip.marathon on November 05, 2024, 09:28:07 AM
I believe you will need to explore some available solutions. It is very much possible to achieve this. For YouTube, the YouTube V3 API is already available, which can be used with open-source proxies like Squid. There are multiple bundled packages with Squid that already include such integrations. Please refer to WebSafety from Diladele and SafeSquid's integration for "https://docs.safesquid.com/wiki/Youtube_API_Integration_With_Safesquid_To_Allow_Specific_YouTube_Videos" for more information.
Quote from the doc you linked:
Quote: HTTPS Inspection should be enabled in SafeSquid. If not enabled, you can check our document ...
Link to that document:
https://docs.safesquid.com/wiki/Setup_HTTPS_Inspection
Quote:
Quote: Importing SafeSquid SSL certificate into your browser
When SafeSquid is installed in your network with HTTPS inspection enabled and SSL certificate not installed into the browser, then you will get an error while accessing the HTTPS websites. You have to install SafeSquid SSL certificate into the browsers.
As I argued it is technically impossible to inspect TLS without installation of a trusted CA on the client.
If anything, this discussion with the OP helped at least me putting the original post in perspective.
I'm out, feels like there's a better use of my time than rephrasing the same fact over and over again. ;)
AI in the back end?
Is it already done wrecking the front end, or just branching out?
Yuk (And I say that in a very positive way, Franco ::) )
Quote from: FredsterNL on November 09, 2024, 12:55:59 AM
Yuk (And I say that in a very positive way, Franco ::) )
Well, we got the discussion rolling. That's a good thing. Thanks to all!
Cheers,
Franco