Deep Disappointment with Zenarmor's Commitment

Started by pradip.marathon, October 21, 2024, 07:19:01 AM

I really would like to hear what the technical issues are, I haven't seen anything on my end other than lots of RAM in use, but I assume that is from loading the lists into RAM so that it is faster to scan.

I'm also not trying to do SSL inspection right now, it's something I need to look into when I have time.

Quote from: yeraycito on October 24, 2024, 03:46:00 PM
Quote from: pradip.marathon on October 24, 2024, 07:24:33 AM
Zenarmor has potential. However, advanced features and functions that many competitors have already developed, including AI capabilities, are in their roadmap. This is why we have continued to support them, as we once saw promise in their roadmap. However, the lack of commitment to customer satisfaction is concerning.

If Zenarmor is positioning itself as a cost-effective solution compared to the market, it's vital for them to understand the challenges customers face and the frustration that arises when commitments are not honored. It's important for us to have a platform to express our experiences and concerns.

I hope Zenarmor will recognize the need for accountability and take customer feedback seriously. Open communication and reliability are essential to maintaining a loyal customer base.

Thank you for allowing me to share my thoughts.


I agree, lately they are more concerned with large-scale enterprise customers than with those of us beta testers out there. On the Zenarmor website you can request a trial version of Zenarmor SSE for home users and I have been trying for weeks and all I get is advertising in my email.

For an SSE trial license, please send an email to sales@zenarmor.com. They will assist you with this as soon as possible.

Quote from: Greg_E on October 24, 2024, 04:28:19 PM
I really would like to hear what the technical issues are, I haven't seen anything on my end other than lots of RAM in use, but I assume that is from loading the lists into RAM so that it is faster to scan.

I'm also not trying to do SSL inspection right now, it's something I need to look into when I have time.

Generally I would not use zenarmor if the aim is to have a system that works after an update.
But that goes for all packages that are not directly part of the main opnsense distribution.

As for the OP, I can't understand what the problem is either, the posts read like press releases.

Sorry for my English.... use translator.

I would like to say that after my previous comment about the impossibility of getting a trial version of Zenarmor SSE, my request has been answered very kindly and above all very quickly. I am very happy that you take into account the individual users, who are the ones who mostly use your product and in many cases act as beta testers without wanting to, and that is not at all counterproductive to the natural fact that Zenarmor is a company and needs to monetize its products.

I've been testing the full TLS inspection for a few days and I'm going to take this opportunity to comment on how it works:

Opnsense on mini-pc N305 + 16 gigabyte ram DDR5, local network with 6 devices.

I use full TLS inspection without any restrictions or whitelisting.

Manjaro + Brave computer:

I have not noticed any decrease in performance when accessing web pages; however, when accessing some of them, sometimes it does not load them. This happens very rarely and is solved by waiting a bit and reloading the page. I have noticed a very slight slowdown in the case of the Google search engine, and loading problems when returning to it after accessing any of its search results.

Android 14 mobile:

Zenarmor does not inform on its website about the possibility of including the Zenarmor certificate on Android:

https://www.zenarmor.com/docs/guides/adding-zenarmor-certificate-to-a-trust-store

However, in the case of Fortinet they do provide this information:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-import-FortiGate-CA-certificates-into/ta-p/193274

In my case, when doing it with the Zenarmor certificate, I have obtained very mixed results: the Brave browser on Android tells me that there is no internet connection, but nevertheless there is no problem accessing any website. In the case of installed applications, some connect without problems and others do not: Gmail does and Protonmail does not.

It is very possible that Zenarmor is not to blame but Android is to blame when installing the certificate because to install it as a root certificate you must have rooted the mobile.

Finally, Zenarmor had a very bad start but over time it has been improving favorably. Today it works very well, the protection it offers is very satisfactory, the performance in the absence of multicore capability has improved a lot over time and the filtering and display options are simply fantastic.

In a BYOD scenario, why would someone want to install a certificate on their personal device?

There should be a solution to implement TLS inspection without requiring any tools or certificates to be installed on the endpoints.


Quote from: pradip.marathon on October 29, 2024, 07:46:44 AM
In a BYOD scenario, why would someone want to install a certificate on their personal device?

There should be a solution to implement TLS inspection without requiring any tools or certificates to be installed on the endpoints.

You should probably read up on how SSL Inspection works. ;)

That's also why we have trusted root servers out on the internet, but you'll need to be running a registered name to be able to use them.

Else you can push them out with a group policy for your Windows LAN clients.

Quote from: athurdent on October 29, 2024, 08:10:11 AM
Quote from: pradip.marathon on October 29, 2024, 07:46:44 AM
In a BYOD scenario, why would someone want to install a certificate on their personal device?

There should be a solution to implement TLS inspection without requiring any tools or certificates to be installed on the endpoints.

You should probably read up on how SSL Inspection works. ;)

I have already implemented and tested SSL inspection in my org. Installation of the Zenarmor SSL certificate is mandatory in order for TLS inspection to work and filter the content.
Do you have any other aspect on this?

Quote from: pradip.marathon on October 30, 2024, 08:02:41 AM
Quote from: athurdent on October 29, 2024, 08:10:11 AM
Quote from: pradip.marathon on October 29, 2024, 07:46:44 AM
In a BYOD scenario, why would someone want to install a certificate on their personal device?

There should be a solution to implement TLS inspection without requiring any tools or certificates to be installed on the endpoints.

You should probably read up on how SSL Inspection works. ;)

I have already implemented and tested SSL inspection in my org. Installation of the Zenarmor SSL certificate is mandatory in order for TLS inspection to work and filter the content.
Do you have any other aspect on this?

Every SSL Inspection implementation requires you to trust a signing certificate, i.e. install a custom cert. So unsure how one would expect Zenarmor to act differently when familiar with the requirements for SSL Inspection.

I was led to believe that the Zenarmor package could use any SSL certificate. If it only allows its self-signed certificate, then that will be a problem that needs to be fixed.

Quote from: Greg_E on October 30, 2024, 03:53:35 PM
I was led to believe that the Zenarmor package could use any SSL certificate. If it only allows its self-signed certificate, then that will be a problem that needs to be fixed.

Being a CA certificate, of course it's self signed.

Addendum: and that cannot be "fixed".

Generations of cryptographers have been working hard to make TLS a trustworthy secure unbreakable end-to-end channel. If you insist on breaking it anyway, you need a local certification authority that is trusted by your end devices.

That's how it is supposed to work. A proxy, a firewall, Zenarmor, ... have no business looking inside TLS encrypted connections. That's what TLS is for.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote from: bimbar on October 30, 2024, 03:59:03 PM
Quote from: Greg_E on October 30, 2024, 03:53:35 PM
I was led to believe that the Zenarmor package could use any SSL certificate. If it only allows its self-signed certificate, then that will be a problem that needs to be fixed.

Being a CA certificate, of course it's self signed.

You need something that can issue certificates, so can also be an intermediate CA cert. But I am unsure if any of the CAs other than perhaps Honest Achmed's Used Cars and Certificates ( https://bugzilla.mozilla.org/show_bug.cgi?id=647959 ) will sell something like this ...  :)

Quote from: athurdent on October 30, 2024, 04:35:25 PM
Quote from: bimbar on October 30, 2024, 03:59:03 PM
Quote from: Greg_E on October 30, 2024, 03:53:35 PM
I was led to believe that the Zenarmor package could use any SSL certificate. If it only allows its self-signed certificate, then that will be a problem that needs to be fixed.

Being a CA certificate, of course it's self signed.

You need something that can issue certificates, so can also be an intermediate CA cert. But I am unsure if any of the CAs other than perhaps Honest Achmed's Used Cars and Certificates ( https://bugzilla.mozilla.org/show_bug.cgi?id=647959 ) will sell something like this ...  :)

That was my point, you will not get anyone to issue you an official CA certificate.
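The certificate question argued in the replies above, as an added OpenSSL example that is not from any poster or from Zenarmor: it shows what an endpoint's verifier concludes when a site certificate is re-signed by a self-signed inspection CA, by an ordinary server certificate, and by a sub-CA under an already trusted root. Every name (public-root, inspect-ca, gw-server, gw-subca, site-a/b/c) is constructed for the demo.

```shell
# Constructed demo: every name and certificate below is made up.
W=$(mktemp -d)
cat > "$W/cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = unused
[ca]
basicConstraints = critical,CA:TRUE
[leaf]
basicConstraints = critical,CA:FALSE
EOF

# issue NAME ISSUER PROFILE: create a key and a certificate for NAME signed by
# ISSUER (self-signed when ISSUER is NAME) using the [ca] or [leaf] profile.
issue() {
  openssl ecparam -name prime256v1 -genkey -noout -out "$W/$1.key" 2>/dev/null
  if [ "$1" = "$2" ]; then
    openssl req -config "$W/cnf" -new -x509 -key "$W/$1.key" -subj "/CN=$1" \
      -extensions "$3" -days 1 -out "$W/$1.crt" 2>/dev/null
  else
    openssl req -config "$W/cnf" -new -key "$W/$1.key" -subj "/CN=$1" \
      -out "$W/$1.csr" 2>/dev/null
    openssl x509 -req -in "$W/$1.csr" -CA "$W/$2.crt" -CAkey "$W/$2.key" \
      -CAcreateserial -extfile "$W/cnf" -extensions "$3" -days 1 \
      -out "$W/$1.crt" 2>/dev/null
  fi
}

# check TRUSTED SIGNER SITE: verdict of an endpoint whose trust store holds
# only TRUSTED when the gateway presents SITE together with SIGNER's cert.
check() {
  if openssl verify -CAfile "$W/$1.crt" -untrusted "$W/$2.crt" "$W/$3.crt" \
      >/dev/null 2>&1; then echo accepted; else echo rejected; fi
}

issue public-root public-root ca    # stand-in for the device's stock trust store
issue inspect-ca inspect-ca ca      # gateway's own self-signed inspection CA
issue gw-server public-root leaf    # ordinary server certificate (CA:FALSE)
issue gw-subca public-root ca       # sub-CA that a public CA would have to issue
issue site-a inspect-ca leaf        # one site certificate per signer
issue site-b gw-server leaf
issue site-c gw-subca leaf

echo "inspection CA not installed:        $(check public-root inspect-ca site-a)"
echo "inspection CA installed:            $(check inspect-ca inspect-ca site-a)"
echo "signed by a plain server cert:      $(check public-root gw-server site-b)"
echo "signed by a publicly rooted sub-CA: $(check public-root gw-subca site-c)"
```

Only the second and fourth cases are accepted, and the fourth needs the kind of CA certificate the replies say no public CA will issue.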

Quote from: athurdent on October 30, 2024, 09:17:25 AM
Quote from: pradip.marathon on October 30, 2024, 08:02:41 AM
Quote from: athurdent on October 29, 2024, 08:10:11 AM
Quote from: pradip.marathon on October 29, 2024, 07:46:44 AM
In a BYOD scenario, why would someone want to install a certificate on their personal device?

There should be a solution to implement TLS inspection without requiring any tools or certificates to be installed on the endpoints.

You should probably read up on how SSL Inspection works. ;)

I have already implemented and tested SSL inspection in my org. Installation of the Zenarmor SSL certificate is mandatory in order for TLS inspection to work and filter the content.
Do you have any other aspect on this?

Every SSL Inspection implementation requires you to trust a signing certificate, i.e. install a custom cert. So unsure how one would expect Zenarmor to act differently when familiar with the requirements for SSL Inspection.

It's surprising to see such comments without a proper understanding of the context. I have clearly outlined the expected solution, fully aware of how SSL inspection works. While I understand that implementing SSL inspection typically requires trusting a signing certificate, I believe that solutions like those offered by Palo Alto already provide agent-less options to achieve the desired results.