Messages - pradip.marathon

#1
Thank you for your reply.
I have already implemented the suggested solutions on OPNsense and pfSense. However, I am particularly interested in finding a solution that allows me to control traffic based on content, such as TLS/SSL inspection. Specifically, I aim to control the content within domains. For example, I want to allow access to YouTube but block specific content categories like sports, games, shorts, movies, and music. Similarly, after allowing Facebook, I would like to deny access to games. On WhatsApp, I want to restrict the transfer of specific content types, such as JPEG, AVI, and video files.
#2
Hello everyone,

I hope this message finds you well. I'm currently exploring firewall solutions and am interested in finding alternatives to Zenarmor that are compatible with OpnSense. I've been using Zenarmor and appreciate its features, but I'm curious to see if there are other similar tools available that work well with these platforms.

Does anyone have recommendations for other security software or add-ons that offer comparable functionality? Any experiences or insights into how well these alternatives integrate and perform would be greatly appreciated.

Thank you in advance for your help and suggestions!

Best regards,
#3
Quote from: bimbar on November 04, 2024, 12:58:24 PM
You CAN do filtering on a domain name basis via SNI without decryption, but that's it.

Agreed, but here I was referring to content filtering instead of URL filtering.
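To make the distinction in this exchange concrete, here is an added example (not code from this thread, from OPNsense or from Zenarmor) of the SNI-based decision bimbar describes: the host name is read from the unencrypted ClientHello, so a firewall can allow or deny per domain without decrypting, but it never sees paths, video categories or file types inside an allowed domain. The ClientHello is constructed inline and the allow list is an assumption.

```python
import struct

def build_client_hello(server_name):
    # Constructed sample input: a minimal TLS ClientHello record carrying only an SNI extension.
    host = server_name.encode("ascii")
    sni_list = b"\x00" + struct.pack("!H", len(host)) + host          # name_type 0 = host_name
    sni_ext = struct.pack("!HHH", 0, len(sni_list) + 2, len(sni_list)) + sni_list
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"                      # version, random, empty session id
            + b"\x00\x02\x13\x01" + b"\x01\x00"                       # one cipher suite, null compression
            + struct.pack("!H", len(sni_ext)) + sni_ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body               # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs          # record type 0x16 = handshake

def extract_sni(record):
    # Return the host_name from a ClientHello record, or None if absent or malformed.
    if len(record) < 44 or record[0] != 0x16 or record[5] != 0x01:
        return None
    pos = 43 + 1 + record[43]                                          # skip headers, random, session id
    if pos + 2 > len(record):
        return None
    pos += 2 + struct.unpack("!H", record[pos:pos + 2])[0]            # cipher suites
    if pos + 1 > len(record):
        return None
    pos += 1 + record[pos]                                             # compression methods
    if pos + 2 > len(record):
        return None
    end = min(pos + 2 + struct.unpack("!H", record[pos:pos + 2])[0], len(record))
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", record[pos:pos + 4])
        pos += 4
        if etype == 0:                                                 # server_name extension
            if pos + 5 > end or record[pos + 2] != 0:
                return None
            name_len = struct.unpack("!H", record[pos + 3:pos + 5])[0]
            if pos + 5 + name_len > end:
                return None
            return record[pos + 5:pos + 5 + name_len].decode("ascii", "replace")
        pos += elen                                                    # skip other extensions
    return None

# Assumed policy: listed domains pass, everything else (including flows with no SNI) is denied.
ALLOWED = {"www.youtube.com", "www.facebook.com"}

def decide(record):
    # Return (verdict, sni) for one ClientHello record; only the domain is available to decide on.
    sni = extract_sni(record)
    if sni is None:
        return ("deny", None)
    return ("allow" if sni.lower() in ALLOWED else "deny", sni)
```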
#4
Quote from: Patrick M. Hausen on November 04, 2024, 12:13:23 PM
Quote from: pradip.marathon on November 04, 2024, 12:11:17 PM
There should be a solution to implement content filtering/TLS inspection without requiring any tools or certificates to be installed on the endpoints.
This is technically impossible. The entire point of TLS is prohibiting "inspection".

I believe you will need to explore some available solutions. It is very much possible to achieve this. For YouTube, the YouTube V3 API is already available, which can be used with open-source proxies like Squid. There are multiple bundled packages with Squid that already include such integrations. Please refer to WebSafety from Diladele and SafeSquid's integration ("https://docs.safesquid.com/wiki/Youtube_API_Integration_With_Safesquid_To_Allow_Specific_YouTube_Videos") for more information.
#5
Quote from: athurdent on November 04, 2024, 11:31:27 AM
Quote from: pradip.marathon on November 04, 2024, 11:17:33 AM
Quote from: athurdent on October 30, 2024, 09:17:25 AM
Quote from: pradip.marathon on October 30, 2024, 08:02:41 AM
Quote from: athurdent on October 29, 2024, 08:10:11 AM
Quote from: pradip.marathon on October 29, 2024, 07:46:44 AM
In a BYOD scenario, why would someone want to install a certificate on their personal device?

There should be a solution to implement TLS inspection without requiring any tools or certificates to be installed on the endpoints.

You should probably read up on how SSL Inspection works. ;)

I have already implemented and tested SSL inspection in my org. Installation of the Zenarmor SSL certificate is mandatory in order for TLS inspection to work and filter the content.
Do you have any other aspect on this?

Every SSL Inspection implementation requires you to trust a signing certificate, i.e. install a custom cert. So unsure how one would expect Zenarmor to act differently when familiar with the requirements for SSL Inspection.

It's surprising to see such comments without a proper understanding of the context. I have clearly outlined the expected solution, fully aware of how SSL inspection works. While I understand that implementing SSL inspection typically requires trusting a signing certificate, I believe that solutions like those offered by Palo Alto already provide agent-less options to achieve the desired results.

Zenarmor is agent-less though? You should perhaps elaborate on your ask, and lay out what others like Palo Alto are doing differently.
I.e. explain how you'd like full SSL Inspection to be done by Zenarmor (or any other SSL Inspection engine) without trusting a certificate used to decrypt traffic in the middle.

My expectation was mentioned clearly in an earlier post as well.
In a BYOD scenario, why would someone want to install a certificate on their personal device?

There should be a solution to implement content filtering/TLS inspection without requiring any tools or certificates to be installed on the endpoints.

Palo Alto can filter the content from a website. Example 1: I would like to give access to YouTube except for specific video categories in YouTube like Shorts, Movies, Non-Educational, Games, etc.
Example 2: I would like to give access to Facebook but not the games inside Facebook.
#6
Quote from: athurdent on October 30, 2024, 09:17:25 AM
Quote from: pradip.marathon on October 30, 2024, 08:02:41 AM
Quote from: athurdent on October 29, 2024, 08:10:11 AM
Quote from: pradip.marathon on October 29, 2024, 07:46:44 AM
In a BYOD scenario, why would someone want to install a certificate on their personal device?

There should be a solution to implement TLS inspection without requiring any tools or certificates to be installed on the endpoints.

You should probably read up on how SSL Inspection works. ;)

I have already implemented and tested SSL inspection in my org. Installation of the Zenarmor SSL certificate is mandatory in order for TLS inspection to work and filter the content.
Do you have any other aspect on this?

Every SSL Inspection implementation requires you to trust a signing certificate, i.e. install a custom cert. So unsure how one would expect Zenarmor to act differently when familiar with the requirements for SSL Inspection.

It's surprising to see such comments without a proper understanding of the context. I have clearly outlined the expected solution, fully aware of how SSL inspection works. While I understand that implementing SSL inspection typically requires trusting a signing certificate, I believe that solutions like those offered by Palo Alto already provide agent-less options to achieve the desired results.
#7
Quote from: athurdent on October 29, 2024, 08:10:11 AM
Quote from: pradip.marathon on October 29, 2024, 07:46:44 AM
In a BYOD scenario, why would someone want to install a certificate on their personal device?

There should be a solution to implement TLS inspection without requiring any tools or certificates to be installed on the endpoints.

You should probably read up on how SSL Inspection works. ;)

I have already implemented and tested SSL inspection in my org. Installation of the Zenarmor SSL certificate is mandatory in order for TLS inspection to work and filter the content.
Do you have any other aspect on this?
#8
In a BYOD scenario, why would someone want to install a certificate on their personal device?

There should be a solution to implement TLS inspection without requiring any tools or certificates to be installed on the endpoints.

#9
Version 1.18 has been released, let's see whether it fixes the issue reported. I will keep you posted.
#10
I'm happy to hear that OPNsense is working on application and web category-based traffic shaping and prioritization. I would suggest creating different policies for filtering and shaping, as this would be convenient for business users to apply based on the requirements of different groups or departments.

As mentioned by @mb, there is indeed a need for TLS inspection now, which will greatly benefit business users.
#11
Zenarmor has potential; however, advanced features and functions that many competitors have already developed, including AI capabilities, are in their roadmap. This is why we have continued to support them, as we once saw promise in their roadmap. However, the lack of commitment to customer satisfaction is concerning.

If Zenarmor is positioning itself as a cost-effective solution compared to the market, it's vital for them to understand the challenges customers face and the frustration that arises when commitments are not honored. It's important for us to have a platform to express our experiences and concerns.

I hope Zenarmor will recognize the need for accountability and take customer feedback seriously. Open communication and reliability are essential to maintaining a loyal customer base.

Thank you for allowing me to share my thoughts.

#12
Quote from: dinguz on October 22, 2024, 09:15:23 AM
Maybe it's better to submit a call with their support department so they can investigate more thoroughly because they have access to your log files and such. I submitted a similar issue and I'm currently running the 1.18 beta which has fixes for this, as well as for the same devices being recognized multiple times with different IP addresses due to DHCP (both private range and 169.254.x.x).

Yes, submitted with the support team already. As per them, it will get fixed in the upcoming release of 1.18.
#13
Quote from: Seimus on October 22, 2024, 12:14:58 PM
Quote from: pradip.marathon on October 22, 2024, 07:56:41 AM
Quote from: Seimus on October 21, 2024, 01:36:16 PM
How are your TAGs set in the deployment menu in ZA?

Regards,
S.

Can you please explain this in detail?

Go to ZenArmor > Configuration > Please choose interfaces to protect

And make screenshot of that whole section.

Regards,
S.

I have tagged only the LAN interface as of now.
#14
OPNsense is blocking some traffic even after adding a specific rule to allow everything from that source. Please find the screenshot and logs below for your reference.

I would appreciate your assistance in diagnosing this issue.
#15
Quote from: Seimus on October 21, 2024, 01:36:16 PM
How are your TAGs set in the deployment menu in ZA?

Regards,
S.

Can you please explain this in detail?