Upgraded to newer version of Zen Armor, policy behavior changed

Started by kwo1, January 14, 2026, 06:55:16 PM

Hi,

Since December of last year, I've been troubleshooting what I originally thought was an OPNsense upgrade issue, but have now determined to be a Zen Armor-specific upgrade issue.

My current OPNsense setup:
  • Multiple interfaces - LAN, MGMT, WAN
  • Zen Armor has been installed since late summer 2025
  • The MGMT network has its own Zen Armor policy assigned to it named MGMT_Policy, which has "Block all internet access" turned ON.
  • I manage OPNsense through its MGMT interface IP - https://192.168.2.251/

I was on Zen Armor version 2.1.1.  If I upgrade to the newest version available, currently 2.3.2, I can no longer reach the OPNsense web URL https://192.168.2.251.  I've included screenshots below which show the live sessions page, before and after the upgrade.  Before the upgrade, you can see my workstation (192.168.2.99) is able to reach the web URL of .251.  After the upgrade, the workstation is blocked from accessing the same .251 IP.  Besides upgrading Zen Armor, nothing else changed.  I did not make any changes to the policy, the IPs, firewall rules, nothing at all.

I don't think this is specific to the latest version of Zen Armor.  I only know that it began with a version after 2.1.1. 

Post-upgrade, if I turn off "Block all internet access" on my MGMT_Policy, my workstation (192.168.2.99) can once again access https://192.168.2.251

Can someone provide insight as to why an upgrade to Zen Armor would change the behavior of the policy? 

Thank you

Hi,

Can you share "Block Message" of the blocked sessions in Live Sessions-Blocks report?


Hi, 

This is the block message:

It says "Default policy block".  I think it's saying the Default policy which comes with Zen Armor out of the box is applying to my workstation?  I don't understand why though.  My MGMT_Policy is specifically configured to apply to vmx1 and 192.168.2.0/24, both of which correspond to the MGMT interface and MGMT subnet of OPNsense.

If anything should be blocking my workstation (192.168.2.99), shouldn't it be whatever is configured within the MGMT_Policy, and not the Default policy?  The block message even shows "MGMT_Policy" under the Policy column.


Hi,

The issue arises from the "Block All Internet Access" option, which restricts all connections. Are you aiming to block all web traffic for devices on the vmx1 interface?
 

Yes, I do want to block all internet access to vmx1 (my MGMT network) except for the sites I've configured under Exclusions.  

When I was on Zen Armor 2.1.1 and earlier, it worked as described above.  After upgrading to newer versions of Zen Armor, I now have to disable the use of "Block all internet access" so that my computer on the same subnet can reach OPNsense, but what is so confusing about this is either:
A) Zen Armor wasn't working properly before the upgrade, and the upgrade "fixed" it, or 
B) Zen Armor was working properly before the upgrade, and the upgrade broke it.  

I don't know which it is.
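The two readings of "Block all internet access" that the A/B question above turns on can be made concrete with a small policy model. This is an added example, not Zenarmor's or OPNsense's code, and it does not claim to reproduce how Zenarmor actually evaluates policies: the field names, the `local_exempt` switch and the evaluation order are assumptions chosen to illustrate the point. The interface, subnet and addresses are the ones given in the thread. It shows that a policy bound to vmx1 / 192.168.2.0/24 blocks the workstation's connection to the firewall's management IP under the strict reading (everything not excluded is blocked) but passes it under the same-subnet reading, and that adding the management IP to the policy's exclusions gives the intended result under either reading.

```python
import copy
import ipaddress

# Constructed sample policy modelled on the MGMT_Policy described in the thread.
# Field names and evaluation order are assumptions for this illustration, not
# Zenarmor's actual data model.
MGMT_POLICY = {
    "name": "MGMT_Policy",
    "interfaces": {"vmx1"},
    "sources": [ipaddress.ip_network("192.168.2.0/24")],
    "block_all_internet": True,
    "exclusions": set(),  # destinations allowed even though block-all is on
}

FIREWALL_MGMT_IP = "192.168.2.251"  # from the thread
WORKSTATION_IP = "192.168.2.99"     # from the thread


def policy_matches(policy, iface, src_ip):
    """A policy applies when both the ingress interface and source address match."""
    if iface not in policy["interfaces"]:
        return False
    src = ipaddress.ip_address(src_ip)
    return any(src in net for net in policy["sources"])


def is_local_destination(policy, dst_ip):
    """True when the destination sits inside one of the policy's own subnets."""
    dst = ipaddress.ip_address(dst_ip)
    return any(dst in net for net in policy["sources"])


def evaluate(policy, iface, src_ip, dst_ip, local_exempt):
    """Return (verdict, reason).

    local_exempt picks which reading of "Block all internet access" is applied:
      True  -> only destinations outside the policy's subnet count as "internet"
      False -> every destination not on the exclusion list is blocked
    """
    if not policy_matches(policy, iface, src_ip):
        return ("pass", "no policy match")
    if not policy["block_all_internet"]:
        return ("pass", f"{policy['name']}: block-all is off")
    if dst_ip in policy["exclusions"]:
        return ("pass", f"{policy['name']}: excluded destination")
    if local_exempt and is_local_destination(policy, dst_ip):
        return ("pass", f"{policy['name']}: same-subnet destination")
    return ("block", f"{policy['name']}: block all internet access")


def with_exclusion(policy, dst_ip):
    """Copy of the policy with dst_ip added to its exclusions; the original is untouched."""
    fixed = copy.deepcopy(policy)
    fixed["exclusions"].add(dst_ip)
    return fixed


def compare(policy, iface, src_ip, dst_ip):
    """Verdict for one flow under both readings, plus the strict reading after an exclusion."""
    fixed = with_exclusion(policy, dst_ip)
    return {
        "local_exempt": evaluate(policy, iface, src_ip, dst_ip, True)[0],
        "strict": evaluate(policy, iface, src_ip, dst_ip, False)[0],
        "strict_with_exclusion": evaluate(fixed, iface, src_ip, dst_ip, False)[0],
    }


if __name__ == "__main__":
    # 198.51.100.10 is a constructed "internet" destination (TEST-NET-2).
    for dst in (FIREWALL_MGMT_IP, "198.51.100.10"):
        print(dst, compare(MGMT_POLICY, "vmx1", WORKSTATION_IP, dst))
```

Whichever reading the newer Zenarmor version applies, an explicit exclusion for the firewall's own management address makes the policy's intent independent of that reading, which is why it is the entry worth checking first when management access disappears after an upgrade.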