Show Posts
This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.
Palo Alto can filter the content from website, example 1- I would like to give access of youtube except specific video category in youtube like Shorts, Movies, Non-Educational, Games etc.
example 2 - I would like to give access of facebook but not the games inside facebook.
In a BYOD scenario, why would someone want to install a certificate on their personal device?
There should be a solution to implement TLS inspection without requiring any tools or certificates to be installed on the endpoints.
You should probably read up on how SSL Inspection works.
I have already implemented and test the SSL inspection in my org, Installation of Zenarmor SSL certificate is mandetory in order work TLS inspection and filter the content.
Do you have any other aspect on this?
Every SSL Inspection implementation requires you to trust a signing certificate, i.e. install a custom cert. So unsure how one would expect Zenarmor to act differently when familiar with the requirements for SSL Inspection.
It's surprising to see such comments without a proper understanding of the context. I have clearly outlined the expected solution, fully aware of how SSL inspection works. While I understand that implementing SSL inspection typically requires trusting a signing certificate, I believe that solutions like those offered by Palo Alto already provide agent-less options to achieve the desired results.
I was lead to believe that the Zenarmor package could use any SSL certificate. If it only allows its self signed certificate, then that will be a problem that needs to be fixed.
Being a CA certificate, of course it's self signed.
In a BYOD scenario, why would someone want to install a certificate on their personal device?
There should be a solution to implement TLS inspection without requiring any tools or certificates to be installed on the endpoints.
You should probably read up on how SSL Inspection works.
I have already implemented and test the SSL inspection in my org, Installation of Zenarmor SSL certificate is mandetory in order work TLS inspection and filter the content.
Do you have any other aspect on this?
In a BYOD scenario, why would someone want to install a certificate on their personal device?
There should be a solution to implement TLS inspection without requiring any tools or certificates to be installed on the endpoints.
Hi,
It's not an issue "does not start"... OpnSense on Proxmox works great also with SR-IOV (I've updated to Proxmox 8.2.2 last weekend and it runs great). If it does not start, you probably have to disable secure boot in the "Guest BIOS" => that was my issue when I installed OpnSense on Proxmox the first time
Your error message "smells like" none unique IOMMU groups...
It's an issue with Intel virtual function network interfaces and high availability virtual IP addresses that uses CARP. The issue is that CARP needs a second MAC address and the packet flow inside the Intel driver has some "issues with this by design" on X710 NIC's. That's why it is possible to ping the CARP IP from outside (from another client/PC) but not if the client runs "on the same physical NIC" with another virtual function network device on the same physical card.
As I figured out (and also this link tells us https://forum.proxmox.com/threads/issues-with-sriov-based-nic-passthrough-to-firewall.66392/) it's needed to define "vf-true-promisc-support on" on the Proxmox host on the first NIC interface + promisc is needed to be set within the guest (in our case OpnSense / I think for CARP OpnSense enables promisc anyway?). With this settings and a newer Intel E810 card all works... but it still doesn't work on older X710 Intel NIC's.
Regards
Firmware has requested this device have a 1:1 IOMMU mapping, rejecting configuring the device without a 1:1 mapping. Contact your platform vendor.
Sorry to disappoint you but while Zenarmor might provide a better user experience by more reliable implementation and better UI - I don't know either product, I'll explain why, later - the fundamental mechanisms are exactly the same.
Because the goal of TLS is reliable end-to-end encryption and man-in-the-middle detection. I.e. not being able to inspect TLS encrypted traffic is an explicit feature of the protocol.
So to still do that you need to create certificates on the fly with your own CA (certificate authority) and for the client to trust these certificate you need to install the CA cert on each and every client.
So no, no way out of that convoluted setup with any product. Because TLS is designed to prohibit what you are trying to do.
Which is the reason why I plain refuse to implement anything like this. It frequently - especially with commercial implementations by $BIGCORP - weakens security because the "TLS inspection gateways" lag behind current developments in cryptography, and all in all it provides a significantly worse user experience as you found out already.
My (personal) stance: just don't. TLS is end-to-end for a reason and not going away.
Now to protect your kids from certain web sites, you might consider AdGuard Home and possibly CrowdSec which are much less intrusive and standard compliant tools.
Just my personal take - the technical "truth" for you, still: if you insist on breaking TLS, fundamentally all products work the same way.
How?
# top
If a process is 100% or below, it is only one core.
top -aHSs1 usually works well for me there.