OPNsense Forum

English Forums => Zenarmor (Sensei) => Topic started by: allebone on March 18, 2021, 12:33:19 am

Title: Additional platforms - how does that work?
Post by: allebone on March 18, 2021, 12:33:19 am
I see the latest release says it supports additional platforms. How does that work exactly? It seems heavily integrated into OPNsense.

Pete
Title: Re: Additional platforms - how does that work?
Post by: mb on March 18, 2021, 01:08:55 am
Hi Pete,

Documentation will follow shortly on this. Let me try to provide a bit of early information here.

Apart from OPNsense, 1.8 currently supports FreeBSD 11 & 12, CentOS 7 & 8, Ubuntu 18.04 & 20.04 and Debian 9 & 10.

Unlike Sensei on OPNsense, for the new platforms we do not provide the management plane on the deployed machine; rather, the management is through the Cloud Portal. So you need to have a Cloud Portal account for this: https://sunnyvalley.cloud

On the target platforms, the packet engine itself (sensei package) is deployed along with the cloud communication agent (sensei-agent package).

To install sensei on one of these platforms, run the one-liner below and it should download and install the sensei and sensei-agent packages:

Code:
curl https://updates.sunnyvalley.io/getsensei.sh -o getsensei.sh && sudo sh ./getsensei.sh
This script basically installs the Sunny Valley package repository and then installs the following packages:

sensei
sensei-agent

After the package installation, run the cloud registration and you'll see the new platform popping up in the list of firewalls.

Code:
user@ubuntu:~$ sudo senseictl cloud register
[sudo] password for user:       

        Sunny Valley Networks Cloud Management Portal
        Node Registration Utility

        This utility registers your system with Sunny Valley Networks Cloud Portal
        We need your Cloud Portal authentication credentials for:
        https://sunnyvalley.cloud

        If you have not set your password before, you can do that from 'My Account'
       
Please enter your Cloud Portal e-mail:

Removing is as easy as stopping the engine and cloud services and removing the packages with your package manager:

Code:
# service eastpect stop
# service senpai stop
# apt remove sensei
# apt remove sensei-agent


For the reporting, you can utilize either an Elasticsearch instance (cloud or your own) or the local SQLite database (embedded, no installation required).

For filtering, the Cloud Portal will have the Central Policies functionality ready late this month or early next month, so these functionalities will be available after a while. You also need netmap (FreeBSD already has netmap; on Linux you'll need to install it manually; instructions to follow).

You'll be able to use the same cloud-based policies across all your deployments.

I hope this provides some early information.
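The install/register/remove steps above, wrapped in a checkable form, as an added example that is not code from the post or from Sunny Valley: it fetches the installer to a file rather than piping it into sh, compares its SHA-256 with an operator-supplied value (a placeholder here), and checks the netmap prerequisite and the two services named in the post. Assumed: the installer URL and the eastpect/senpai service names from the post, and that `service <name> status` exists on the target.

```shell
#!/bin/sh
# Added example (not from the forum post or Sunny Valley): a cautious wrapper
# around the install steps mb describes. The installer is downloaded to a file,
# its SHA-256 is checked against an operator-supplied value (placeholder), and
# the netmap device and the two services can be checked afterwards.
set -u

INSTALLER_URL="https://updates.sunnyvalley.io/getsensei.sh"

# Portable SHA-256 of a file: coreutils on Linux, shasum or openssl elsewhere.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1
    else
        openssl dgst -sha256 "$1" | sed 's/.*= //'
    fi
}

# Succeeds only when the file's digest equals the expected one (case-insensitive).
verify_installer() {
    actual="$(sha256_of "$1" | tr 'A-F' 'a-f')"
    [ "$actual" = "$(printf '%s' "$2" | tr 'A-F' 'a-f')" ]
}

# netmap is required for blocking: in the FreeBSD kernel, a hand-built module on
# Linux. The device path is a parameter so the check can be pointed elsewhere.
netmap_present() {
    [ -c "${1:-/dev/netmap}" ]
}

# Engine (eastpect) and cloud agent (senpai) should both be up after install;
# returns the number of services that are not running (assumes `service X status`).
services_not_running() {
    missing=0
    for svc in eastpect senpai; do
        service "$svc" status >/dev/null 2>&1 || missing=$((missing + 1))
    done
    return "$missing"
}

# Download, refuse to run on a hash mismatch, otherwise run the installer as root.
install_sensei() {
    tmp="$(mktemp)" || return 1
    curl -fsSL "$INSTALLER_URL" -o "$tmp" || { rm -f "$tmp"; return 1; }
    verify_installer "$tmp" "$1" || { echo "hash mismatch, not running" >&2; rm -f "$tmp"; return 2; }
    if sudo sh "$tmp"; then rm -f "$tmp"; return 0; else rm -f "$tmp"; return 1; fi
}
```

Call `install_sensei <expected-sha256>` after the vendor has published a digest, then `netmap_present` and `services_not_running` to confirm the node is ready before running `senseictl cloud register`.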
Title: Re: Additional platforms - how does that work?
Post by: allebone on March 18, 2021, 04:05:15 am
Interesting. Thanks.
Title: Re: Additional platforms - how does that work?
Post by: mb on March 18, 2021, 05:04:57 pm
Always a pleasure.
Title: Re: Additional platforms - how does that work?
Post by: opnip on March 25, 2021, 08:51:20 am
One short question about deployment. Is it also possible to use it in a bridged environment? This means I would use a Sensei Linux/FreeBSD box inline (bridged between the firewall and the main switch). I would like to use my existing firewall (right now not OPNsense) and switch. Or is it better to use the "routed mode"?

Stack:
Client --> Switch --> Sensei (bridge or routing mode) --> Firewall --> Internet
Title: Re: Additional platforms - how does that work?
Post by: mb on March 26, 2021, 02:10:52 am
Hi @opnip,

Bridge mode requires a bit of hardware-specific configuration, which we have not fully automated yet. This is why it's in an experimental state.

Having said that, if your LAN/WAN ethernet adapters have single RX/TX queues (or you can manually configure them to use a single queue), you are good to go. Sensei will act like a filtering bridge behind your firewall.

One more note: Bridge mode is not yet available for the new platforms. It's OPNsense only for the time being.

Title: Re: Additional platforms - how does that work?
Post by: jclendineng on May 04, 2021, 08:03:36 pm
The plans are a bit confusing on this front. Are we able to manage Unix/BSD installs with the home plan, or is that blocked? Central Policy is listed as not for paid home use, BUT how then are we able to manage the firewall?
Title: Re: Additional platforms - how does that work?
Post by: mb on May 05, 2021, 12:21:57 am
Hi @jclendineng,

Thanks for this question. I guess the "Centralized Policy Management" and "Cloud Management" terms are close and maybe prone to misunderstanding.

With the Cloud Management capability (available in the Free edition) you are able to manage the sensei functionality on individual firewalls (meaning you can view their reports, create/delete/manage policies, etc.) on an individual firewall basis.

A Centralized Policy means that you have a single centralized policy which gets applied to many firewalls at once. So instead of configuring the individual policies on the individual firewalls one by one, you create a single policy and push it to all / a group of firewalls.

Centralized Reporting is similar to Centralized Policy, where you can view the reports of all / a group of firewalls from a single pane.

Cloud Management is available for the Free Edition, whereas Centralized Policy/Reporting is available in their respective paid plans.

Hope this makes this more clear.

PS: We'll shortly roll out improved product documentation, which will also include Cloud Management.
Title: Re: Additional platforms - how does that work?
Post by: jclendineng on May 05, 2021, 01:51:56 pm
Thank you for that. I assumed that was the case but wanted to double check.
Title: Re: Additional platforms - how does that work?
Post by: jclendineng on June 10, 2021, 03:32:48 pm
Hi @jclendineng,

Thanks for this question. I guess the "Centralized Policy Management" and "Cloud Management" terms are close and maybe prone to misunderstanding.

With the Cloud Management capability (available in the Free edition) you are able to manage the sensei functionality on individual firewalls (meaning you can view their reports, create/delete/manage policies, etc.) on an individual firewall basis.

A Centralized Policy means that you have a single centralized policy which gets applied to many firewalls at once. So instead of configuring the individual policies on the individual firewalls one by one, you create a single policy and push it to all / a group of firewalls.

Centralized Reporting is similar to Centralized Policy, where you can view the reports of all / a group of firewalls from a single pane.

Cloud Management is available for the Free Edition, whereas Centralized Policy/Reporting is available in their respective paid plans.

Hope this makes this more clear.

PS: We'll shortly roll out improved product documentation, which will also include Cloud Management.

What is the timeline for this? Reporting is basically a graph that tells me something happened somewhere... no real information. You mentioned drill-down and live block are coming in .10? Is that still on track? Thanks!
Title: Re: Additional platforms - how does that work?
Post by: mb on June 10, 2021, 04:43:40 pm
Hi @jclendineng,

You should already have the "drill-down" feature:
https://www.sunnyvalley.io/docs/reporting-analytics/report-view-configuration#applying-generic-filterexclusion-on-a-report-view

Blocking has been introduced with 1.9. For Linux, you'll need to manually compile & install the netmap module (documentation to follow this month). For FreeBSD, since netmap is embedded in the kernel, you don't need this step.

Live Reports & using subscriptions on the new platforms are going to be shipped with the 1.9.1 release, which is scheduled for early next week.

We believe that with 1.9.1, the new platforms will also reach a state where you'll be able to do reporting / blocking almost as well as on OPNsense.

I hope this answers your question. Please feel free to ask if you have further questions.
Title: Re: Additional platforms - how does that work?
Post by: jclendineng on June 10, 2021, 05:44:11 pm
Yes, that's fantastic! Thanks. I'm going to be using this headless on BSD, separate from the OPNsense installation.
Title: Re: Additional platforms - how does that work?
Post by: jclendineng on June 10, 2021, 06:20:21 pm
What about the "Session Details"? Is that coming in some form?
Title: Re: Additional platforms - how does that work?
Post by: sy on June 10, 2021, 08:56:19 pm
Hi,

It's coming with 1.9.1 next week.
Title: Re: Additional platforms - how does that work?
Post by: mb on June 16, 2021, 05:21:40 am
Hi @jclendineng,

1.9.1 is released today. Cloud Live Session Explorer is one of the features brought by this release.
Title: Re: Additional platforms - how does that work?
Post by: jclendineng on June 16, 2021, 04:45:47 pm
Looks great on my test box!! I will note that the cloud portal failed to find the firewall after the update; I had to do a full uninstall and re-install, and re-add the firewall to the cloud portal, and then it worked. Looks great. The ability to block/unblock is a good feature.
Title: Re: Additional platforms - how does that work?
Post by: mb on June 16, 2021, 06:01:37 pm
@jclendineng, glad to hear that you're enjoying it.

This is most probably due to a bug we've fixed in this release. It was related to the cloud agent service not doing a proper restart after the upgrade. Since the version which does the actual upgrade is still 1.9, you experienced the problem. Looking forward, this should not occur any further.
Title: Re: Additional platforms - how does that work?
Post by: jclendineng on June 24, 2021, 02:54:47 pm
I noticed that on FreeBSD I do not have the option to do a bridge. I thought I saw that it was only on OPNsense, but I can't find it now... are there any plans to allow bridging on additional platforms? If not, would it work if I set up a manual bridge?
Title: Re: Additional platforms - how does that work?
Post by: mb on June 25, 2021, 07:43:45 pm
@jclendineng,

An OS bridge would not work since it does not have the proper netmap support.

However, we'll add Bridging Mode support to the Cloud, hopefully in the coming version (1.10).
Title: Re: Additional platforms - how does that work?
Post by: jclendineng on June 26, 2021, 04:13:50 pm
You are awesome as always!  Thanks!