Messages - athurdent

#1
If anything, this discussion with the OP helped at least me put the original post in perspective.
I'm out, feels like there's a better use of my time than rephrasing the same fact over and over again. ;)
#2
Quote from: pradip.marathon on November 04, 2024, 12:11:17 PM
Palo Alto can filter the content from website, example 1- I would like to give access of youtube except specific video category in youtube like Shorts, Movies, Non-Educational, Games etc.
example 2 - I would like to give access of facebook but not the games inside facebook.

That usually requires the firewall to be able to inspect the URLs called, which normally demands SSL decryption to take a look, with a certificate installed on your system.
If it really works without, and please verify and let us know, then they got lucky and there are e.g. different hosts used by YouTube or Facebook for this, which would allow differentiation without looking at the traffic.

I doubt you can do the above with Palo Alto and no extra certificate installed though.
#3
Quote from: pradip.marathon on November 04, 2024, 11:17:33 AM
Quote from: athurdent on October 30, 2024, 09:17:25 AM
Quote from: pradip.marathon on October 30, 2024, 08:02:41 AM
Quote from: athurdent on October 29, 2024, 08:10:11 AM
Quote from: pradip.marathon on October 29, 2024, 07:46:44 AM
In a BYOD scenario, why would someone want to install a certificate on their personal device?

There should be a solution to implement TLS inspection without requiring any tools or certificates to be installed on the endpoints.

You should probably read up on how SSL Inspection works. ;)

I have already implemented and tested SSL inspection in my org. Installation of the Zenarmor SSL certificate is mandatory in order for TLS inspection to work and filter the content.
Do you have any other aspect on this?

Every SSL Inspection implementation requires you to trust a signing certificate, i.e. install a custom cert. So I'm unsure how one would expect Zenarmor to act differently when familiar with the requirements for SSL Inspection.

It's surprising to see such comments without a proper understanding of the context. I have clearly outlined the expected solution, fully aware of how SSL inspection works. While I understand that implementing SSL inspection typically requires trusting a signing certificate, I believe that solutions like those offered by Palo Alto already provide agent-less options to achieve the desired results.

Zenarmor is agent-less though? You should perhaps elaborate on your ask, and lay out what others like Palo Alto are doing differently.
I.e. explain how you'd like full SSL Inspection to be done by Zenarmor (or any other SSL Inspection engine) without trusting a certificate used to decrypt traffic in the middle.
#4
Quote from: bimbar on October 30, 2024, 03:59:03 PM
Quote from: Greg_E on October 30, 2024, 03:53:35 PM
I was led to believe that the Zenarmor package could use any SSL certificate. If it only allows its self-signed certificate, then that will be a problem that needs to be fixed.

Being a CA certificate, of course it's self signed.

You need something that can issue certificates, so can also be an intermediate CA cert. But I am unsure if any of the CAs other than perhaps Honest Achmed's Used Cars and Certificates ( https://bugzilla.mozilla.org/show_bug.cgi?id=647959 ) will sell something like this ...  :)
#5
Quote from: pradip.marathon on October 30, 2024, 08:02:41 AM
Quote from: athurdent on October 29, 2024, 08:10:11 AM
Quote from: pradip.marathon on October 29, 2024, 07:46:44 AM
In a BYOD scenario, why would someone want to install a certificate on their personal device?

There should be a solution to implement TLS inspection without requiring any tools or certificates to be installed on the endpoints.

You should probably read up on how SSL Inspection works. ;)

I have already implemented and tested SSL inspection in my org. Installation of the Zenarmor SSL certificate is mandatory in order for TLS inspection to work and filter the content.
Do you have any other aspect on this?

Every SSL Inspection implementation requires you to trust a signing certificate, i.e. install a custom cert. So I'm unsure how one would expect Zenarmor to act differently when familiar with the requirements for SSL Inspection.
#6
Quote from: pradip.marathon on October 29, 2024, 07:46:44 AM
In a BYOD scenario, why would someone want to install a certificate on their personal device?

There should be a solution to implement TLS inspection without requiring any tools or certificates to be installed on the endpoints.

You should probably read up on how SSL Inspection works. ;)
#7
NVIDIA likes both.  ;)
#8
If someone tries to sell AI in the security sector, I usually look twice, double check and then smile about what was actually offered as being AI.

TBH, I'd love it if they didn't try to sell anything as "AI" for security and just sat out the hype. Remember blockchain?
#9
All the tickets I raised with them were taken care of in a timely and professional manner.
I mainly bought Home to support development, the free edition (and you don't get that level of DPI insights/filtering for free anywhere else) is pretty awesome itself.

Not saying that it's not something nice to play with, but in the end:
SSE (SSL Inspection) is usually not something you run at home anyways, as you have to roll out certificates and will have to constantly exempt stuff (certificate pinned apps, incompatible websites) to make users happy. It has a very low WaF and your kids would start visiting the neighbors pretty often soon. 😅
#10
Quote from: subivoodoo on April 29, 2024, 04:24:47 PM
Hi,

It's not an issue "does not start"... OpnSense on Proxmox works great also with SR-IOV (I've updated to Proxmox 8.2.2 last weekend and it runs great). If it does not start, you probably have to disable secure boot in the "Guest BIOS" => that was my issue when I installed OpnSense on Proxmox the first time ;D

Your error message "smells like" non-unique IOMMU groups...

It's an issue with Intel virtual function network interfaces and high availability virtual IP addresses that use CARP. The issue is that CARP needs a second MAC address and the packet flow inside the Intel driver has some "issues with this by design" on X710 NICs. That's why it is possible to ping the CARP IP from outside (from another client/PC) but not if the client runs "on the same physical NIC" with another virtual function network device on the same physical card.

As I figured out (and also this link tells us https://forum.proxmox.com/threads/issues-with-sriov-based-nic-passthrough-to-firewall.66392/) it's necessary to define "vf-true-promisc-support on" on the Proxmox host for the first NIC interface, and promisc also needs to be set within the guest (in our case OPNsense / I think for CARP OPNsense enables promisc anyway?). With these settings and a newer Intel E810 card all works... but it still doesn't work on older X710 Intel NICs.

Regards

I have been running OPNsense and other VMs with SR-IOV for years now, no problems. It's only kernel 6.8 with the X710 interface preventing any of my VMs (Linux or OPNsense) from starting. It's a Supermicro EPYC board with full IOMMU support, no hacks required.
Older Intel 10G card works fine, too.
I have ordered an E180 adapter now, you not having any issues with that one is a good starting point.
#11
Does Proxmox kernel 6.8 also keep your hosts from starting?

This is my X710, stock or latest Intel drivers, no luck...

Firmware has requested this device have a 1:1 IOMMU mapping, rejecting configuring the device without a 1:1 mapping. Contact your platform vendor.
#12
Quote from: Patrick M. Hausen on April 26, 2024, 09:58:00 PM
Sorry to disappoint you but while Zenarmor might provide a better user experience by more reliable implementation and better UI - I don't know either product, I'll explain why, later - the fundamental mechanisms are exactly the same.

Because the goal of TLS is reliable end-to-end encryption and man-in-the-middle detection. I.e. not being able to inspect TLS encrypted traffic is an explicit feature of the protocol.

So to still do that you need to create certificates on the fly with your own CA (certificate authority) and for the client to trust these certificate you need to install the CA cert on each and every client.

So no, no way out of that convoluted setup with any product. Because TLS is designed to prohibit what you are trying to do.

Which is the reason why I plain refuse to implement anything like this. It frequently - especially with commercial implementations by $BIGCORP - weakens security because the "TLS inspection gateways" lag behind current developments in cryptography, and all in all it provides a significantly worse user experience as you found out already.

My (personal) stance: just don't. TLS is end-to-end for a reason and not going away.

Now to protect your kids from certain web sites, you might consider AdGuard Home and possibly CrowdSec, which are much less intrusive and standards-compliant tools.
Just my personal take - the technical "truth" for you, still: if you insist on breaking TLS, fundamentally all products work the same way.

Adding some experience on the "designed to prohibit" part: while one can usually convince a browser to accept the TLS/SSL inspecting CA's cert, it's impossible for e.g. smartphone apps and a lot of Windows/macOS programs/apps. They just won't respect your CA and the app's connectivity simply breaks.
You'll end up with an SSL decryption exception list you'd have never dreamed of before.
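The mechanism the quoted post and the reply above describe, played through as an added example that is not part of the thread and not code from Zenarmor, OPNsense or any other product named here: a gateway's own CA mints a certificate for a hostname on the fly, a client rejects it until that CA is installed, a CA-trusting client still rejects it for a different hostname, and a pinned app rejects it regardless because the public key is not the genuine one. It assumes only the openssl CLI (1.1.1 or newer) on PATH; the CA name, the hostname www.example.com and all file names are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: an interception CA minting a per-host
# certificate, and the three checks a client can apply to it.
# Assumes the openssl CLI (1.1.1+) is on PATH. All names below are constructed.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
HOST=www.example.com            # constructed hostname standing in for the inspected site
KEYOPTS="-newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes"

# Self-sign a certificate from a fresh CSR. $1 = file stem, $2 = subject CN, $3 = extension text.
self_sign() {
  openssl req -new $KEYOPTS -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "/CN=$2" >/dev/null 2>&1
  printf '%s\n' "$3" > "$WORK/$1.ext"
  openssl x509 -req -days 1 -in "$WORK/$1.csr" -signkey "$WORK/$1.key" \
    -extfile "$WORK/$1.ext" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# The inspection gateway's root CA: self-signed, as every root is.
make_inspection_ca() {
  self_sign ca "Constructed Inspection CA" \
    "basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign"
}

# The certificate the real site would present; only its key matters for the pin check.
make_genuine_cert() {
  self_sign genuine "$HOST" "subjectAltName=DNS:$HOST"
}

# What the gateway does per intercepted connection: mint a leaf for hostname $1 under its CA.
mint_leaf() {
  openssl req -new $KEYOPTS -keyout "$WORK/minted.key" -out "$WORK/minted.csr" \
    -subj "/CN=$1" >/dev/null 2>&1
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$1" > "$WORK/minted.ext"
  openssl x509 -req -days 1 -in "$WORK/minted.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -extfile "$WORK/minted.ext" -out "$WORK/minted.pem" >/dev/null 2>&1
}

# A client's chain and hostname check. $1 = cert, $2 = expected hostname,
# $3 = CA file the client trusts (omit to use only the system trust store).
# Echoes "trusted" or "rejected".
client_verifies() {
  if [ -n "${3:-}" ]; then
    openssl verify -CAfile "$3" -verify_hostname "$2" "$1" >/dev/null 2>&1 && echo trusted || echo rejected
  else
    openssl verify -verify_hostname "$2" "$1" >/dev/null 2>&1 && echo trusted || echo rejected
  fi
}

# SPKI pin: base64(SHA-256(DER public key)), the value a pinning app hard-codes.
# The minted leaf carries the gateway's key, so its pin can never match the genuine one.
spki_pin() {
  openssl x509 -in "$1" -pubkey -noout | openssl pkey -pubin -outform der \
    | openssl dgst -sha256 -binary | openssl base64
}

make_inspection_ca
make_genuine_cert
mint_leaf "$HOST"
echo "system trust store only:      $(client_verifies "$WORK/minted.pem" "$HOST")"
echo "inspection CA installed:      $(client_verifies "$WORK/minted.pem" "$HOST" "$WORK/ca.pem")"
echo "CA installed, other hostname: $(client_verifies "$WORK/minted.pem" mail.example.com "$WORK/ca.pem")"
echo "genuine SPKI pin: $(spki_pin "$WORK/genuine.pem")"
echo "minted SPKI pin:  $(spki_pin "$WORK/minted.pem")"
```

The first two lines of output are the whole BYOD problem in miniature: the same minted certificate is rejected by a stock trust store and accepted once the gateway's CA has been installed. The last two lines are why the exception list grows: an app that pins the genuine SPKI hash compares the minted certificate's pin against it and fails regardless of what CAs the device trusts, so the only options are to exempt that app from decryption or to break it.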
#13
Quote from: almodovaris on March 25, 2024, 03:06:13 PM
How?

# top

If a process is 100% or below, it is only one core.

top -aHSs1 usually works well for me there.
#14
You might want to list your OPNsense hardware.
My N100 HUNSN appliance does 2.5G Zenarmor just fine.
#15
Hi @sy,

any news on multicore progress? If there's a beta program I can subscribe to, happy to test!