Zenarmor (Sensei) / Does Sensei play well with others?
« on: April 20, 2021, 01:28:09 pm »
Hi Guys,
Background
I have been evaluating differing platforms that my wife and brother can easily administer, and I think that 'Home' could fit our needs. However, after a couple of days, I have come to realise (whilst chasing problems down) that the installation instructions and forum could be tweaked to aid the user experience.
So far, I confess to liking Untangle for its ease of use, so you can see why Sensei piques my interest, and I think, and hope, that this project is going to get there. I also believe that it could potentially have the edge, given time, for the ability to install more modules, have more customisation in general, and access to a larger 'tinkerer' community, i.e. having the best of both worlds.
I like OPNsense as it's slightly easier than pfSense (past user) and also given the partnership with Proofpoint for ET Pro telemetry and now Sensei's central interface.
- Which I assume means that my wife and brother will be able to use the 'Cloud Management Portal' e.g. if a rule goes wrong or to check 'what's wrong' whilst keeping the Firewall fully closed off from the world?
My Original Assumptions 'D'oh'; due to lack of information
After installing OPNsense, I immediately set up the usual suspects of IDS (with ET Pro telemetry) and Unbound. I had a gut feeling not to install web proxy as presumably Sensei would be doing a lot of tinkering with it, so I didn't want another package interfering.
I'm beginning to realise that I had made incorrect assumptions where I thought: if I installed Sensei last, Sensei would check the usual directories, see the databases already in use, append and dedupe, leading to one database instance per function (module), with Sensei then having full control and reporting for DNS, threats etc. I also assumed that if the user wished for separation, they would have to do so by way of separate instancing of DNS / Pi-hole / etc. somewhere else, which in turn provides users with both options.
Purely due to the headaches of chasing things down and seemingly where adding things to whitelists is not working despite checking the format ".domain.com" where normal formatting also failed (in the varying places). I couldn't get my head around firewall aliasing to bypass everything.
Would it be possible to:
- Get a sticky for OPNsense with Sensei 'Handy hints and tips' or 'Read me first'?
- Make it clear that Sensei does not overview everything and any modules added to OPNsense would also require checking should issues arise. This should include the hierarchy for white and blacklisting (I believe Sensei is last?)
- Include what modules can be installed that Sensei can control?
- Include what modules can be installed that Sensei can view and report on?
These modules probably need an inclusion tickbox or something in config for selecting? i.e. information Sensei can 'read only' on these modules and include in the reporting as to which module information was from, to enable better hunting.
- Whether the modules should be installed before or afterward?
- Which modules are common to run alongside in spite of Sensei not being able to control or view them.
- Consider or change the evaluation period. Realistically and in part due to the below, 7 days is nowhere near enough time to evaluate the product?
I get that you could use free for a while then convert, however there are those of us that need the paid features to make an informed choice when comparing the competition. You pretty much have to try the 7 day paid evaluation off the bat. This certainly doesn't allow for new users to OPNsense, nor the chasing down of issues, nor the working out of module hierarchy.
I personally would like to see the AD Connector included in home or have the option for a modest upgrade to gain the function. Whilst I've not played with AD for a decade, most of us have the capabilities to implement it, or similar. In my case, keeping with the theme of making things easier, it is something I am considering.
Thanks ever so much,
Jon