OPNsense Forum

English Forums => Zenarmor (Sensei) => Topic started by: DenverTech on September 21, 2020, 04:42:14 pm

Title: Policy order and priority
Post by: DenverTech on September 21, 2020, 04:42:14 pm
I realized I may have a misunderstanding of how the policies work and was hoping for some clarity.

How I thought they worked:
- Like firewall rules, it continues until it matches, then stops there.
- If you have Policy1, Policy2, and Default, it will process Policy1 and if it applies, it would allow/block as appropriate, but if the policy didn't apply (wrong user/group), it would move to Policy2, and if neither applies, it uses Default.
- Example: We block Proxies in Policy1, but not in Policy2 or Default. If a user is included in Policy1, it blocks their Proxy. If they are not included in Policy1, we don't.

How it's actually working and why I'm confused:
- Policy1 is our employee policy. It blocks pornography and nothing else.
- Policy2 is our guest/student policy. It blocks pornography, proxy, games, and violence.
- Default is the default policy. It blocks pornography, proxy, games, and violence (we had to match policy2 and default, as anonymous users did not count as any user or group we could identify for Policy2)
- Staff member tries to use his computer. If he goes to pornography, I see it blocked by Policy1, as expected.
- Staff member tries to use his computer. If he goes to a proxy, I see it blocked by Default, which surprised me. This seems to indicate that all policies that do apply to the username/group are applied AND ALSO the default, as though they combine their blocks.

If the last statement above is true and it's (all policies which apply + default) on all users, how do I apply something to anonymous users, without also blocking non-anonymous users? In the example above, I don't want to block staff from proxies, but if I block anonymous via the Default policy, I also inadvertently block staff. I feel like we either need the ability to apply a policy to "anonymous" users or the ability to have a policy stop processing of any further policies (like the firewall rules).
Title: Re: Policy order and priority
Post by: mb on September 21, 2020, 08:18:13 pm
Hi @DenverTech,

You're correct. Policy ordering logic is how you expect it to be: We try to match defined policies first. If any match is there, we apply the rules of that policy. If no policy is a match, then the rules of the Default policy are applied to the packets.

In your scenario, I think the connection does not hit the correct policy because of the policy definition.

You can debug it through the "Blocks" tab of the Reports. Drill down until you have your blocked sessions, and use the "Live Session Explorer" to tell you which connection was blocked because of what.

Contact support so that one of our engineers can go through it with you.
Title: Re: Policy order and priority
Post by: DenverTech on September 24, 2020, 08:35:54 pm
Does not appear to be working as intended. Perhaps I'm still overlooking something, or have them in the wrong order. Pics attached.

My setup:
- Staff policy is top. This allows proxies.
- Student policy is second. This blocks proxies.
- Default policy is last. This blocks proxies.
- My personal cellphone is assigned a static IP. I've added that IP to Staff to ensure the policy applies.
- I loaded NordVPN on my phone. It's being blocked (but shouldn't be).
- When I watch the live block logs, my phone is being blocked by the Default policy.
Title: Re: Policy order and priority
Post by: mb on September 25, 2020, 01:01:09 am
Hi @DenverTech,

Can you send a PR through Sensei UI? You're right; if you've added your IP to the Staff Policy, that should match Staff policy, thus should not block.

Let's have a closer look.

PS: Make sure you also send sensei configuration.
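The matching logic mb describes (walk the policies in order, the first one that matches decides, Default only when nothing matched) can be contrasted with the "every applicable policy plus Default" behaviour DenverTech inferred from the block logs, using the Staff / Student / Default setup from the thread. The following is an added illustration written for this page, not Zenarmor's policy engine or any code from the posters; the IP addresses, group names and the shape of the match criteria are assumptions made for the example.

```python
"""First-match policy evaluation, as described for Zenarmor (Sensei) policies,
next to the 'combine every applicable policy plus Default' model the original
poster suspected. Added illustration, not Zenarmor code; names and IPs are
assumed for the example."""

from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Session:
    """One web request as a policy engine would see it (constructed sample data)."""
    src_ip: str
    category: str                      # e.g. "proxy", "pornography"
    user: Optional[str] = None         # None = unauthenticated / anonymous
    groups: frozenset = frozenset()


@dataclass
class Policy:
    name: str
    blocks: frozenset                  # categories this policy blocks
    users: frozenset = frozenset()     # selectors; a policy with none matches nobody
    groups: frozenset = frozenset()
    networks: tuple = ()               # CIDR strings, e.g. "10.0.20.5/32"

    def matches(self, s: Session) -> bool:
        """A policy applies when ANY of its user / group / network selectors hits."""
        if s.user is not None and s.user in self.users:
            return True
        if s.groups & self.groups:
            return True
        ip = ip_address(s.src_ip)
        return any(ip in ip_network(n) for n in self.networks)

    def verdict(self, s: Session) -> str:
        return "block" if s.category in self.blocks else "allow"


def evaluate_first_match(policies, default, s):
    """Semantics described in the thread: first matching policy decides,
    Default is consulted only when nothing matched. Returns (policy name, verdict)."""
    for p in policies:
        if p.matches(s):
            return p.name, p.verdict(s)
    return default.name, default.verdict(s)


def evaluate_union(policies, default, s):
    """The model the poster inferred from the logs: every applicable policy AND
    Default contribute their blocks. Shown only to contrast with first-match."""
    blockers = [p.name for p in policies if p.matches(s) and p.verdict(s) == "block"]
    if default.verdict(s) == "block":
        blockers.append(default.name)
    return (blockers[0], "block") if blockers else (default.name, "allow")


# Constructed policies mirroring the thread's setup (IPs and group names are assumed).
STAFF_PHONE_IP = "10.0.20.5"
STAFF = Policy("Staff", blocks=frozenset({"pornography"}),
               groups=frozenset({"employees"}), networks=(f"{STAFF_PHONE_IP}/32",))
STUDENT = Policy("Student", blocks=frozenset({"pornography", "proxy", "games", "violence"}),
                 groups=frozenset({"students"}))
DEFAULT = Policy("Default", blocks=frozenset({"pornography", "proxy", "games", "violence"}))
ORDERED = [STAFF, STUDENT]   # Staff on top, Student second, Default last

if __name__ == "__main__":
    phone_vpn = Session(STAFF_PHONE_IP, "proxy")   # anonymous, but source IP is in Staff
    anon = Session("10.0.50.20", "proxy")           # no user, no group, unknown IP
    student = Session("10.0.30.7", "games", user="jdoe", groups=frozenset({"students"}))
    for label, sess in [("staff phone", phone_vpn), ("anonymous", anon), ("student", student)]:
        print(f"{label:12} first-match -> {evaluate_first_match(ORDERED, DEFAULT, sess)}"
              f"   union -> {evaluate_union(ORDERED, DEFAULT, sess)}")
```

Under first-match the phone's VPN session is decided by Staff and allowed, while the anonymous client falls through to Default and is blocked; only the union model produces the "blocked by Default" entry for the staff phone. If the live logs show that entry under first-match semantics, the Staff selector is not actually matching that session, which is the configuration question mb is asking to look at.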
Title: Re: Policy order and priority
Post by: DenverTech on September 25, 2020, 03:24:26 pm
Will do, thanks. I'll update here if it's an easy fix. :)