Messages - mb

856
Development and Code Review / Re: Sensei domain name resolution blocking
« on: January 10, 2019, 06:48:01 am »
Hi @cgwork,

Now I see: you want to hide some traffic in the reports. That'd be a nice feature. We're adding it to the roadmap.

857
Development and Code Review / Re: Sensei by-pass rule
« on: January 10, 2019, 06:46:26 am »
Hi @cgwork,

Understood now, thanks for the additional information. In terms of source IP based whitelisting, we've designed it as part of policy based filtering, which will be part of the Premium subscription.

858
Zenarmor (Sensei) / Re: Sensei on OPNsense - Application based filtering
« on: January 09, 2019, 04:34:43 pm »
Quote from: hbc on January 09, 2019, 09:26:35 am
But the packet engine still stops randomly. I blocked shopping categories to verify whether engine is just shown as stopped or really stopped. And it is really stopped, since I can open shopping page when service is marked as down.

Same with the ElasticSearch service. Sometimes when I open reports or dashboard, I get a pop-up that ElasticSearch service has to be started first and whether I want this. When I deny and check status page, then both services are down - means whenever packet engine stops, ElasticSearch stops, too.

Any hints what could be the reason for the stopping services.

The service crashes pretty soon. 1-2 minutes after starting up.

Hi @hbc,

Thanks for reporting this. After services stop, and when you look at the Status -> Services page, do you also see that both services are disabled at boot time?

If yes, most probably this is because of Sensei's Health Check subsystem. Because Sensei is in BETA now, checks are more sensitive to problems. Even if it finds a small problem, it disables both services in an effort to keep network connectivity up & running.

Can you try disabling Health Check and see if services are running persistently?

If they do and it turns out to be because of Health checks, I'd still recommend investigating this. While running Sensei & ES, can you do 'top' on the OPNsense console and see if any processes (not necessarily Sensei (eastpect) processes) are consuming much CPU/Memory?

Performance-wise, your system looks pretty decent. A similar system has been reported to us handling 700 concurrent users.

859
Zenarmor (Sensei) / Re: Sensei on OPNsense - Application based filtering
« on: January 09, 2019, 03:56:00 pm »
Hi @jinn,

Thank you for giving Sensei a try. I see your quoted message did not get a response. Sorry for that. It looks like we missed it.

I guess you've been able to figure out the first part yourself. But I wonder why Cloud Threat Intel did not work for you. I'll write to you about this.

For reporting about application categories, yes you can do it. I guess you've started using it.

As for the egress connections report not showing anything: is it just a single report, or do all reports which show egress connections (i.e. local assets, remote assets, egress conns by source) not show anything at all?


860
Development and Code Review / Re: Sensei by-pass rule
« on: January 08, 2019, 06:17:00 am »
Hi @cgwork,

For any destination hostname, you can write a whitelist via Web Controls -> User Defined Categories. Just add a new category and put the whitelisted domains into that. Make sure the green tick is there to have them whitelisted.

If you want to do the same for a specific source IP address, this is not possible with current functionality.

Upcoming premium edition will have Policy based filtering, which will enable you to create specific policies based on flow direction (incoming, outgoing, both), local IP addresses, local subnets, VLAN ids, Active Directory Groups or Users. You'll be able to customize Security, App Controls, Web Controls and TLS Inspection per policy. 

861
Development and Code Review / Re: Sensei domain name resolution blocking
« on: January 08, 2019, 06:10:35 am »
Hi @cgwork,

For the sake of clarity: By "logging", do you mean Sensei session logs?

If you're viewing the reports and your viewing criteria is "Sessions", that's normal. Modern browsers do pre-queries for mostly used domains and the ones that you have in your bookmarks. This is why you see so many DNS requests.

You can however view the reports "Volume" wise, if you want to see how your network is utilized with regard to "bandwidth" utilization. For this just select "Volume" on the right hand corner of the reports page.

PS: You can use the main Sensei thread to ask questions and follow the discussion. We're not always able to keep track of other threads in the forum, but we make sure that we're keeping up with the main thread:

https://forum.opnsense.org/index.php?topic=9521.150

862
Zenarmor (Sensei) / Re: Sensei on OPNsense - Application based filtering
« on: January 04, 2019, 08:01:18 pm »
Hi @lmwalker71,

Not quite ;)

If you're based in USA, make sure you have the "US - Central" Cloud nodes checked & in green color (Sensei -> Configuration -> Cloud Threat Intelligence). (If in Europe, Europe nodes should be active)

If that's already the case, can you reach out to us through sensei - at - sunnyvalley.io so that we can dig deeper together?

863
Zenarmor (Sensei) / Re: Sensei on OPNsense - Application based filtering
« on: January 04, 2019, 06:09:15 am »
@manjeet, you're right. They are already in the workload for 0.8 ;)

Hi @dp, correct. Shaping is on the roadmap. Our plan is to feed the currently existing shaping infrastructure on OPNsense. Sensei development is quite booked with IPv6 support nowadays. Though, you should see it implemented like Q2 or Q3 2019. We'd like to keep in touch about ideas on that ;)

864
Zenarmor (Sensei) / Re: Sensei on OPNsense - Application based filtering
« on: January 03, 2019, 07:21:25 am »
@manjeet,

This is a cool feature request. Thanks. Added to roadmap.

A quick note on remote IP addresses on "local assets table": We've had a look at the screenshots. 169.254.x.x is actually a local ip address. Your PC is automatically assigned an IP address, if it cannot get an IP address from a DHCP server. More on this: https://www.techrepublic.com/forums/discussions/where-did-ip-16925451183-come-from/

Screenshots show that some PCs (or a PC) wanted to communicate with the outside world, but it did not get any replies (Incoming packets all zero).


865
Zenarmor (Sensei) / Re: Sensei on OPNsense - Application based filtering
« on: December 29, 2018, 07:29:00 am »
Hi @donatom3,

For application control, DNS does not play any role there, so you'll be utilizing Sensei at its full potential in any case.

For security & web filtering, yes, you'll lose some data there, provided that you do not enable Web Reputation & Cloud Threat Intel, which requires DNS override.

If your DNS transactions are traversing through an interface which is protected by Sensei & you have Cloud enabled, dns override will be in place (like unbound). Because we are way earlier in the process, we'll also override unbound.

That being said, if you place the DC in the same broadcast domain with your clients, they'll be utilizing your DC (this way they do not traverse through Sensei to reach the DNS server). -- Local DNS server will still be subject to the same behavior if its traffic passes through Sensei. -- Here you have your local queries untouched.

We've been asked (by some more users) about the possibility of using both Sensei Cloud database & local DNS servers. We're evaluating methods to do it. Most probably we'll be back into this in the second or third quarter of 2019.

Very happy to hear that you've attained gigabit speeds and are happy with the software ;)


866
Zenarmor (Sensei) / Re: Sensei on OPNsense - Application based filtering
« on: December 28, 2018, 03:32:44 am »
Hi @donatom3,

Actually this is an expected behavior. We're utilizing DNS override for Web Reputation & Threat Intel. Since DNS occurs before the actual connection attempt, we gather prior threat intelligence & reputation about the remote IP & host.

For a quick workaround you can disable Cloud Reputation & Web Categorization from Sensei -> Configuration. Then you'll still have reputation data for the top 1 million domains from the local database, but not for +140M :(.

We're exploring ideas to do this in parallel. This way you'll still be able to do your DNS through your DNS server and Sensei will do a parallel query for its intelligence.

867
Zenarmor (Sensei) / Re: Sensei on OPNsense - Application based filtering
« on: December 28, 2018, 03:20:06 am »
Hi @Antaris,

You're all welcome & thx for the pointer. We'll fix it.

868
Zenarmor (Sensei) / Re: Sensei on OPNsense - Application based filtering
« on: December 28, 2018, 03:18:43 am »
Quote from: manjeet on December 27, 2018, 07:18:12 am
Thanks for the update @MB.

For Table Reports update is working as expected.

As @Antaris mentioned, I also see remote host in local table but no local host in remote table except OPNsense LAN IP which I think, in one way, is not an issue because firewall itself generates traffic for interface access etc.

Hi @manjeet, you're very welcome. Can you share with me a screenshot of the remote hosts table (you know my email)? Would like to see what they look like. Normally you should only see local hosts behind the firewall there.

869
Zenarmor (Sensei) / Re: Sensei on OPNsense - Application based filtering
« on: December 26, 2018, 09:56:25 pm »
Dear Sensei & OPNsense users,

Happy new year to all. Here is a humble new year present from Sensei team.

We're happy to announce the availability of Sensei 0.7.0 release. It has been ready since last Friday, but we wanted to make sure everyone had a calm Christmas holiday, spending time with friends and family instead of doing Sensei deployments :)
 
This is the full list of features that this release brings (from 0.6.x):

1. 350+ new applications identified.
2. Google applications browsed via Chrome are now being identified (QUIC over UDP protocol support).
3. Mobile browser compatibility: you can view reports from your mobile browser
4. Reports enhancement: Data retirement option introduced. With this option you can define how long to keep your reports (days)
5. Reports enhancement: Option to erase all reporting data
6. Reports enhancement: Drill-down in Security reports is now available
7. Reports enhancement: Daily executive reports. Selected reports delivered via a daily e-mail.
8. You can easily add block/allow rules within Session Explorer based on Application and Application Category or SNI / hostname
9. User's Manual in English.
10. More deployment options for Home and Large scale users
11. Changelog between updates
12. Fixed Rebellion Theme compatibility issues.
13. Better Cloud Nodes availability
14. Better & smoother updates
15. We speak your language now, we added i18n support to match your OPNsense UI language. English and German are there for now, more coming soon.
16. Removed some large dependencies in preparation for embedded devices & PIE (Position Independent Executable) support. More performance & stability improvements.

To update your installation, simply navigate to Sensei -> Status and you should see 0.7.0 update being reported and an option to install it. If you do not see the update notification, just click "Check for updates" and you'll be guided through the update process.
 
A quick note: Although this is marked "release", Sensei is still under BETA development. We strongly advise testing the software on one of your test-beds to see if it fits your requirements. When we finally release Sensei 1.0, the BETA program will cease and the software will be publicly available for all users. We expect to release Sensei 1.0 in Q1 2019.
 
If you find any issues or you want to reach out for comments and feedback, please do not hesitate to contact us through sensei -at- sunnyvalley.io or through this forum thread.
 
Happy new year to all

Sensei team

870
Zenarmor (Sensei) / Re: Sensei on OPNsense - Application based filtering
« on: December 23, 2018, 08:03:06 pm »
Hi @Antaris,

Do you have multiple interfaces configured for Sensei? Are these IP addresses multicast / broadcast addresses?
