Messages

1

Zenarmor (Sensei) / Re: Deep Disappointment with Zenarmor's Commitment

« on: November 05, 2024, 09:29:32 am »

You CAN do filtering on a domain name basis via SNI without decryption, but that's it.

Agreed, But here I was refering to content filtering instead of URL filtering.

2

Zenarmor (Sensei) / Re: Deep Disappointment with Zenarmor's Commitment

« on: November 05, 2024, 09:28:07 am »

There should be a solution to implement content filtering/TLS inspection without requiring any tools or certificates to be installed on the endpoints.

This is technically impossible. The entire point of TLS is prohibiting "inspection".

I believe you will need to explore some available solutions. It is very much possible to achieve this. For YouTube, the YouTube V3 API is already available, which can be used with open-source proxies like Squid. There are multiple bundled packages with Squid that already include such integrations. Please refer to WebSafety from Diladele and SafeSquid's integration for "https://docs.safesquid.com/wiki/Youtube_API_Integration_With_Safesquid_To_Allow_Specific_YouTube_Videos" for more information.

3

Zenarmor (Sensei) / Re: Deep Disappointment with Zenarmor's Commitment

« on: November 04, 2024, 12:11:17 pm »

In a BYOD scenario, why would someone want to install a certificate on their personal device?

There should be a solution to implement TLS inspection without requiring any tools or certificates to be installed on the endpoints.

You should probably read up on how SSL Inspection works.

I have already implemented and test the SSL inspection in my org, Installation of Zenarmor SSL certificate is mandetory in order work TLS inspection and filter the content.
Do you have any other aspect on this?

Every SSL Inspection implementation requires you to trust a signing certificate, i.e. install a custom cert. So unsure  how one would expect Zenarmor to act differently when familiar with the requirements for SSL Inspection.

It's surprising to see such comments without a proper understanding of the context. I have clearly outlined the expected solution, fully aware of how SSL inspection works. While I understand that implementing SSL inspection typically requires trusting a signing certificate, I believe that solutions like those offered by Palo Alto already provide agent-less options to achieve the desired results.

Zenarmor is agent-less though? You should perhaps elaborate on your ask, and lay out what others like Palo Alto are doing differently.
I.e. explain how you'd like full SSL Inspection be done by Zenarmor (or any other SSL Inspection engine) without trusting a certificate used to decrypt traffic in the middle.

I expectation was mentioned clearly in earlier post as well.
In a BYOD scenario, why would someone want to install a certificate on their personal device?

There should be a solution to implement content filtering/TLS inspection without requiring any tools or certificates to be installed on the endpoints.

Palo Alto can filter the content from website, example 1- I would like to give access of youtube except specific video category in youtube like Shorts, Movies, Non-Educational, Games etc.
example 2 - I would like to give access of facebook but not the games inside facebook.

4

Zenarmor (Sensei) / Re: Deep Disappointment with Zenarmor's Commitment

« on: November 04, 2024, 11:17:33 am »

In a BYOD scenario, why would someone want to install a certificate on their personal device?

There should be a solution to implement TLS inspection without requiring any tools or certificates to be installed on the endpoints.

You should probably read up on how SSL Inspection works.

I have already implemented and test the SSL inspection in my org, Installation of Zenarmor SSL certificate is mandetory in order work TLS inspection and filter the content.
Do you have any other aspect on this?

Every SSL Inspection implementation requires you to trust a signing certificate, i.e. install a custom cert. So unsure  how one would expect Zenarmor to act differently when familiar with the requirements for SSL Inspection.

It's surprising to see such comments without a proper understanding of the context. I have clearly outlined the expected solution, fully aware of how SSL inspection works. While I understand that implementing SSL inspection typically requires trusting a signing certificate, I believe that solutions like those offered by Palo Alto already provide agent-less options to achieve the desired results.

5

Zenarmor (Sensei) / Re: Deep Disappointment with Zenarmor's Commitment

« on: October 30, 2024, 08:02:41 am »

In a BYOD scenario, why would someone want to install a certificate on their personal device?

There should be a solution to implement TLS inspection without requiring any tools or certificates to be installed on the endpoints.

You should probably read up on how SSL Inspection works.

I have already implemented and test the SSL inspection in my org, Installation of Zenarmor SSL certificate is mandetory in order work TLS inspection and filter the content.
Do you have any other aspect on this?

6

Zenarmor (Sensei) / Re: Deep Disappointment with Zenarmor's Commitment

« on: October 29, 2024, 07:46:44 am »

In a BYOD scenario, why would someone want to install a certificate on their personal device?

There should be a solution to implement TLS inspection without requiring any tools or certificates to be installed on the endpoints.

7

Zenarmor (Sensei) / Re: Zenarmor Incorrect Device count and detection

« on: October 24, 2024, 01:07:00 pm »

Version 1.18 has been released, lets see whether it fixes the issue reported. I will keep you posted.

8

Zenarmor (Sensei) / Re: Request for Feedback: Application/Web Category based Traffic Shaping

« on: October 24, 2024, 07:33:03 am »

I'm happy to hear that OPNsense is working on application and web category-based traffic shaping and prioritization. I would suggest creating different policies for filtering and shaping, as this would be convenient for business users to apply based on the requirements of different groups or departments.

As mentioned by @mb, there is indeed a need for TLS inspection now, which will greatly benefit business users.

9

Zenarmor (Sensei) / Re: Deep Disappointment with Zenarmor's Commitment

« on: October 24, 2024, 07:24:33 am »

Zenarmor has potential, However advanced features and functions that many competitors have already developed, including AI capabilities are their in roadmap. This is why we have continued to support them, as we once saw promise in their roadmap. However, the lack of commitment to customer satisfaction is concerning.

If Zenarmor is positioning itself as a cost-effective solution compared to the market, it’s vital for them to understand the challenges customers face and the frustration that arises when commitments are not honored. It’s important for us to have a platform to express our experiences and concerns.

I hope Zenarmor will recognize the need for accountability and take customer feedback seriously. Open communication and reliability are essential to maintaining a loyal customer base.

Thank you for allowing me to share my thoughts.

10

Zenarmor (Sensei) / Re: Zenarmor Incorrect Device count and detection

« on: October 22, 2024, 12:38:34 pm »

Maybe it's better to submit a call with their support department so they can investigate more thoroughly because they have access to your log files and such. I submitted a similar issue and I'm currently running the 1.18 beta which has fixes for this, as well as for the same devices being recognized multiple times with different IP addresses due to DHCP (both private range and 169.254.x.x).

Yes, submitted with support team already, As per them it will get fixed in upcoming release of 1.18

11

Zenarmor (Sensei) / Re: Zenarmor Incorrect Device count and detection

« on: October 22, 2024, 12:29:05 pm »

How are your TAGs set in the deployment menu in ZA?

Regards,
S.

Can you please explain this in details?

Go to ZenArmor > Configuration > Please choose interfaces to protect

And make screenshot of that whole section.

Regards,
S.

I have TAG only LAN interface as of now.

12

24.7 Production Series / Re: Weird "Default deny / state violation rule" behavior

« on: October 22, 2024, 09:32:24 am »

OPNsense is blocking some traffic even after adding a specific rule to allow everything from that source. Please find the screenshot and logs below for your reference.

I would appreciate your assistance in diagnosing this issue.

13

Zenarmor (Sensei) / Re: Zenarmor Incorrect Device count and detection

« on: October 22, 2024, 07:56:41 am »

How are your TAGs set in the deployment menu in ZA?

Regards,
S.

Can you please explain this in details?

14

Zenarmor (Sensei) / Re: Zenarmor Incorrect Device count and detection

« on: October 22, 2024, 07:55:57 am »

Quick question; Could you set the "Deployment mode" to Passive (Report Only) mode in the Zenarmor Firewall configuration menu or enable the WAN interface from the Interface menu, even if it's just for testing?

My policies will not work if we set the "Deployment mode" to Passive (Report Only) mode. There is no point of this testing.

15

Zenarmor (Sensei) / Re: Zenarmor Home Users: Your Feedback Shapes Our Focus!

« on: October 21, 2024, 12:11:55 pm »

I would like to express my concern regarding the commitments made to customers. It is crucial for a business to keep its word and fulfill the promises made. Instead of providing excuses for not delivering on these commitments, I urge you to focus on maintaining transparency and accountability.

As a customer, I expect a consistent experience based on the assurances given. Upholding these commitments is essential for building trust and fostering long-term relationships.