English Forums > Zenarmor (Sensei)

Zenarmor Dashboard: Local and remote Hosts inverted in graphs


wstemb:
I had to put the Zenarmor service from Routed mode to Passive mode due to "DEVD: Ethernet detached event for optx", which was disrupting an important application communication over that interface, at least until I find the real cause of these events (and the solution, if possible). The reconfiguration was done without reinstalling the entire Zenarmor.

After setting the "Passive mode", the above error disappeared from the log (and the application is working well), but I found a strange situation in the Zenarmor Dashboard.

On the graphs "Top local Hosts" and "Top Remote hosts" the displayed hosts are inverted: under Local, I see external hosts; under Remote, I see the graph for IP addresses from my Intranet (RFC1918 subnets). On the "Table of remote hosts" it is the same, I have only local internal IP addresses in the table. The "Table of local asset" is OK.

The trouble is that "Drill down" returns empty graphs, until I manually repair the filters from "source" to "destination" (or the opposite, depending on which graph I want to drill down). Once the filters are updated, the graphs are displayed correctly, so the data in the database on which the filtering is done must be OK (the logic of the filters corresponds to the searched items: "Source hostname" for local hosts / "Destination hostname" for external/internet hosts).

As long as I used Zenarmor in "Routed mode", all was OK.

It is not the first time I had this behavior (it was on 22.7), but it disappeared in one of the reinstalls or reconfigurations during the test phase.

The system was working stably and as expected until the needed config change described above, so I cannot tell whether this change is the cause or it simply triggered the error. I have to repeat and reproduce the scenario, but I can't do it now, to avoid the risk of disrupting the communication of the app, which is sensitive to lost conversations. So I will retry it in one of my "maintenance windows" and confirm here.

License:    Free Edition
Engine Version:    1.12.4
UI Version:    23.2.24
Database Version:    1.12.22122618
Reporting Database Backend: MongoDB


Rootfix:
Hi,

In passive mode, Zenarmor uses pcap instead of netmap. It only gets a copy of the packets. So Zenarmor classifies the traffic according to source and destination address. It cannot know which one is the local side and which is the remote side. With the upcoming releases a configuration option will be available in passive mode to indicate the LAN and WAN interfaces, so Zenarmor will be able to determine the local and remote IP addresses.

As for the Routed mode, can you please elaborate on the exact problem you experienced? Can you explain it in more detail?

Regards
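
The classification difference Rootfix describes, as an added illustration that is not Zenarmor's own code: a direction-based classifier (source = local, destination = remote, as in passive mode with no interface knowledge) is compared with one that assigns each end by membership in known LAN prefixes. The flow records, the byte counts and the use of the RFC1918 ranges as the LAN prefixes are constructed assumptions for the example.

```python
import ipaddress
from collections import Counter

# Constructed sample flows: (src, dst, bytes). Reply packets from the
# internet arrive with the remote host as the source address.
FLOWS = [
    ("192.168.10.5", "93.184.216.34", 1200),
    ("93.184.216.34", "192.168.10.5", 48000),
    ("10.0.0.7", "172.217.16.14", 900),
    ("172.217.16.14", "10.0.0.7", 65000),
]

# Assumed LAN prefixes (RFC1918); a real deployment would take these
# from the configured LAN interface(s).
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify_by_direction(flows):
    """Passive-mode style: source counts as 'local', destination as 'remote'."""
    local, remote = Counter(), Counter()
    for src, dst, nbytes in flows:
        local[src] += nbytes
        remote[dst] += nbytes
    return local, remote


def is_local(ip, lan_nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in lan_nets)


def classify_by_lan(flows, lan_nets=RFC1918):
    """With known LAN prefixes, each end is placed by membership, not direction."""
    local, remote = Counter(), Counter()
    for src, dst, nbytes in flows:
        for ip in (src, dst):
            (local if is_local(ip, lan_nets) else remote)[ip] += nbytes
    return local, remote


def misplaced(counter, lan_nets, expect_local):
    """Hosts that landed on the wrong side: the inversion seen in the dashboard."""
    return sorted(ip for ip in counter if is_local(ip, lan_nets) != expect_local)
```

Run `misplaced(classify_by_direction(FLOWS)[0], RFC1918, True)` to list the internet hosts that end up in the "local" table; the LAN-aware classifier returns an empty list for the same check.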

wstemb:
It is described in: https://forum.opnsense.org/index.php?topic=33198.msg160597#msg160597

In passive mode there were no attached/detached igb1 events in the log, nor complaints from users.

Last WE we had a phishing attack, not dropped by other protections, so I decided to return to Routing mode, to have at least some default protections from the default policy, including blacklisting the links from the phishing attack.

In between the provider equipment (not under my control, I have just an Ethernet cable and one IP address) and my firewall, I placed a small VLAN with two ports, to be able to check in the logs whether the detachment of the interface is provoked by some disconnection from the far side, or by the firewall interface itself (netmap driver).

No igb1 interface re-initialization until now.

Walter

wstemb:

--- Quote from: Rootfix on April 04, 2023, 04:17:20 pm ---Hi,

In passive mode, Zenarmor uses pcap instead of netmap. It only gets a copy of the packets. So Zenarmor classifies the traffic according to source and destination address. It cannot know which one is the local side and which is the remote side. With the upcoming releases a configuration option will be available in passive mode to indicate the LAN and WAN interfaces, so Zenarmor will be able to determine the local and remote IP addresses.

...


--- End quote ---

But I have the feeling there is no problem in the [Source] or [Destination] categorization of the addresses, just in the graph displaying them. If I drill down on the Local Hosts or Remote Hosts graph, it just uses the wrong filter (the one corresponding to the graph), displaying nothing.

If I correct it by placing the opposite filter, e.g. the [Source Hostname] filter for real internal (local) addresses wrongly displayed in the "Remote Hosts" graph, the filter displays this local (source) machine's graphs correctly.

To be clear, when in routing mode, Zenarmor is protecting the LAN interface only (igb0). There is no allowed access from outside (WAN) to hosts on the LAN, just from some other isolated segments (DMZ-like).

Walter
