Upgraded to newer version of Zen Armor, policy behavior changed

Started by kwo1, January 14, 2026, 06:55:16 PM

Hi,

Since December of last year, I've been troubleshooting what I originally thought was an OPNsense upgrade issue, but have now determined to be a Zen Armor-specific upgrade issue.

My current OPNsense setup:
  • Multiple interfaces - LAN, MGMT, WAN
  • Zen Armor has been installed since late summer 2025
  • The MGMT network has its own Zen Armor policy assigned to it named MGMT_Policy, which has "Block all internet access" turned ON.
  • I manage OPNsense through its MGMT interface IP - https://192.168.2.251/

I was on Zen Armor version 2.1.1.  If I upgrade to the newest version available, currently 2.3.2, I can no longer reach the OPNsense web URL https://192.168.2.251.  I've included screenshots below which show the live sessions page, before and after the upgrade.  Before the upgrade, you can see my workstation (192.168.2.99) is able to reach the web URL of .251.  After the upgrade, the workstation is blocked from accessing the same .251 IP.  Besides upgrading Zen Armor, nothing else changed.  I did not make any changes to the policy, the IPs, firewall rules, nothing at all.
[attachment: Live Sessions screenshot, before the upgrade]
[attachment: Live Sessions screenshot, after the upgrade]

I don't think this is specific to the latest version of Zen Armor.  I only know that it began with a version after 2.1.1. 

Post-upgrade, if I turn off "Block all internet access" on my MGMT_Policy, my workstation (192.168.2.99) can once again access https://192.168.2.251

Can someone provide insight as to why an upgrade to Zen Armor would change the behavior of the policy? 

Thank you

Hi,

Can you share "Block Message" of the blocked sessions in Live Sessions-Blocks report?


Hi, 

This is the block message:
[attachment: Block Message screenshot]

It says "Default policy block".  I think it's saying the Default policy which comes with Zen Armor out of the box is applying to my workstation?  I don't understand why though.  My MGMT_Policy is specifically configured to apply to vmx1 and 192.168.2.0/24, both of which correspond to the MGMT interface and MGMT subnet of OPNsense.
[attachment: MGMT_Policy configuration screenshot]

If anything should be blocking my workstation (192.168.2.99), shouldn't it be whatever is configured within the MGMT_Policy, and not the Default policy?  The block message even shows "MGMT_Policy" under the Policy column.


Hi,

The issue arises from the "Block All Internet Access" option, which restricts all connections. Are you aiming to block all web traffic for devices on the vmx1 interface?
 

Yes, I do want to block all internet access to vmx1 (my MGMT network) except for the sites I've configured under Exclusions. 

When I was on Zen Armor 2.1.1 and earlier, it worked as described above.  After upgrading to newer versions of Zen Armor, I now have to disable the use of "Block all internet access" so that my computer on the same subnet can reach OPNsense, but what is so confusing about this is either:
A) Zen Armor wasn't working properly before the upgrade, and the upgrade "fixed" it, or
B) Zen Armor was working properly before the upgrade, and the upgrade broke it. 

I don't know which it is. 

EDIT: I reached out to Zen Armor support.  They confirmed that the version I was using previously, 2.1.1, in fact DID have an issue which was resolved in newer versions.  This is taken from their release notes page for v2.2: https://www.zenarmor.com/docs/support/release-notes
Quote: "The issue allowing clients to access whitelisted domains unexpectedly, even with the No Internet option selected in the policy, has been resolved."
This means that when working correctly, with "Block all internet access" enabled, it takes precedence over the whitelisted URLs configured under Exclusions.  It doesn't matter that my computer is on the same subnet and not trying to reach the internet; being blocked is by design when enabling "Block all internet access".  Personally, I think it should be renamed to "Block all network and internet access" to be crystal clear.

Zen Armor support also suggested an alternative configuration.  On my policy, leave "Block all internet access" turned off.  On the same policy, under App Controls, turn on the block for Secure Web Browsing and Web Browsing.  This would block all HTTP and HTTPS traffic, except for any of the whitelisted addresses I defined under Exclusions.  

Hope this helps others.