Topic: Sensei on OPNsense - Application based filtering (Read 507228 times)

thefunkygibbon (Jr. Member, Posts: 81, Karma: 2)
Reply #1140 on: February 10, 2022, 12:34:46 pm
Hi, new to OPNsense and Sensei in general, but I cannot seem to find the answer to this.
I'm running on a 4-core Atom / 8 GB RAM appliance and am trying to set up Sensei.
My question is, which DB to choose? I know it says high end / low end get different options, but that doesn't really go any distance to explaining the pros and cons of using either. I see if you have 8 GB+ you can choose Elastic locally. But does that mean you should? If a low-end system can get away with Mongo, would that not be overall better to use unless you have oodles of RAM?
I can set up Elastic on a Docker container too on my server (connected via gigabit), would that be better for overall firewall/Sensei performance?
Also, is it just for reporting/logging or is it constantly in use whilst Sensei is being used? I guess if it's just for logging and reporting then performance is probably not an issue in terms of throughput of traffic.
Thanks in advance
« Last Edit: February 10, 2022, 12:38:55 pm by thefunkygibbon »

mb (Hero Member, Posts: 941, Karma: 99)
Reply #1141 on: February 10, 2022, 02:45:50 pm
Hi @thefunkygibbon,
According to the reports we receive from Zenarmor users, if you have many devices (100+) to protect/report, Elasticsearch seems to be appearing as a better alternative as the backend database. Yes, you'll need at least 8 GB of RAM to be able to run ES along with Zenarmor.
Having said that, if this is a home/small office installation with, like, at most 50-100 devices, Mongo should work equally well.
Yes, Mongo/ES is only used for reporting, and for throughput they won't be an issue overall. However, if the system is producing so many logs that the databases cannot keep up, then it'll come back and hurt system performance, which in turn will impact throughput.
With 1.11, we'll also be adding an SQLite backend option. It might also be worth trying if you're using Zenarmor for your home/small office.

thefunkygibbon (Jr. Member, Posts: 81, Karma: 2)
Reply #1142 on: February 10, 2022, 03:40:42 pm
Thanks. I ended up selecting Elastic; I assume I can remove it and go down the Mongo route? Yes, it's for a home deployment and likely the most actual concurrent users would be about 10 at the most. Yes, my network has many dozens more devices, but they are unlikely to be doing much on the internet (IoT devices that connect to my Home Assistant system etc., for example).
As long as I'm getting my line speed, I'm happy. Although I noticed that I cannot do any per-user settings using this unless I pay $99 a year. Unfortunately that's unlikely to happen with budgets like they are. So it's all pretty much testing to see what works best for our needs right now.
I've come from a mesh system that had user-based URL/risk blocking and so on, and have moved to a hardware router/firewall and controller-based APs, so I'm trying to get the most of what I can.

mb (Hero Member, Posts: 941, Karma: 99)
Reply #1143 on: February 11, 2022, 02:55:05 am
@thefunkygibbon, looking at your environment, MongoDB should work just fine for you. Enjoy

chrismccracken (Newbie, Posts: 3, Karma: 0)
Reply #1144 on: March 10, 2022, 07:33:46 pm
I have installed Zenarmor on a new OPNsense 22.1 installation, and am running into a snag with the initial config wizard. My WAN interface does not show up in the Available interfaces box. The interface type is a PPPoE running on a VLAN in an Intel ix interface. The unassigned VLAN subinterface does show up, but using that interface won't work properly since the WAN traffic is encapsulated in the PPPoE tunnel on it. This seems to be a blocker for me, can anyone help?
**edit to add**
I've since found another post indicating that Sensei does not currently support PPPoE interfaces. Disappointed
(also, why is there no delete button for this reply?)
« Last Edit: March 10, 2022, 07:39:32 pm by chrismccracken »

skywalker007 (Full Member, Posts: 145, Karma: 5)
Reply #1145 on: March 10, 2022, 08:02:01 pm
Why wouldn’t you not run it on the LAN Interface like recommended?
System1: Qotom Q310G4
System2: APU2C4

chrismccracken (Newbie, Posts: 3, Karma: 0)
Reply #1146 on: March 10, 2022, 08:10:57 pm
Quote from: skywalker007 on March 10, 2022, 08:02:01 pm
Why wouldn’t you not run it on the LAN Interface like recommended?
I have not seen a recommendation in any of the docs I've read so far about which interface to run it on. Every IDS I've used in the past binds to the WAN to get proper pre-filtering threat intel. I'll test it out with LAN, but that seems backwards

nikkon (Full Member, Posts: 124, Karma: 3)
Reply #1147 on: March 11, 2022, 07:51:41 am
Set this on all internal interfaces.
If you need more, use Suricata on WAN.
DEC750 Deciso

badkuk (Newbie, Posts: 14, Karma: 0)
Reply #1148 on: March 14, 2022, 03:08:32 am
Hi All,
I've literally just installed Zen Armor just now; it seems that only IDS/IPS or Zen Armor can be enabled for any particular interface. And Zen Armor doesn't seem to have any configuration options that deal with IPS signatures, rules and such.
I'm getting the impression that Zen Armor is best suited for the user segment, where you protect your users from accessing malicious sites and such... or is there more to it? Can it protect servers? How exactly?
Should I enable IDS/IPS on the server and WAN segment, then enable Zen Armor on the user segment?
tia

sy (Hero Member, Posts: 593, Karma: 44)
Reply #1149 on: March 14, 2022, 04:59:00 pm
Hi,
You need to use Zenarmor on the LAN side and an IPS/IDS on the WAN side. Zenarmor has no IPS/IDS features yet.

BlackJub (Newbie, Posts: 3, Karma: 0)
Reply #1150 on: March 24, 2022, 04:47:55 am
Hello,
I'm a long time user, but never used some features within Zenarmor.
I'm trying to send regular reports to my e-mail address. However, there's a problem when I set things up:
My SMTP server needs a known "from-address", but Zenarmor seems to give a blank one, even though I filled the "Send mail from" option.
I tried using SMTP and SMTPS with and without TLS certificate check: same results.
The mail server is configured without authentication when queries come from known IP addresses: works fine from Monit within OPNsense, Nextcloud server, and so on.
(Please see attached screenshots: my configuration tab, the error message from Zenarmor side, and the SMTP logs from the mail server side)
Is there something I am missing that allows Zenarmor to correctly fill in the from-address when using SMTP services?
Any hint would be much appreciated!
In advance, thanks to anyone who can help me!

Vazmuten (Newbie, Posts: 1, Karma: 0)
Reply #1151 on: March 24, 2022, 09:11:02 pm
Hi!
I just updated to the latest updated version of OPNsense:
OPNsense 22.1.4-amd64
FreeBSD 13.0-STABLE
OpenSSL 1.1.1n 15 Mar 2022
Then, following the excellent Zenarmor (Sensei) instructions, I installed the sensei plugins, and even before starting to configure them ... all my VLANs disappeared. Instead of the listed VLANs in "Interfaces: Other Types: VLAN" there is a line/note "No results found!". I rebooted OPNsense and guess what: all VLANs were missing for real and did not appear at all in the ifconfig command on the OPNsense SSH console. After I uninstalled Zenarmor (Sensei), all my 12 VLANs appeared again. What's going on and how to fix this bug?
« Last Edit: March 24, 2022, 09:24:29 pm by Vazmuten »

almodovaris (Sr. Member, Posts: 318, Karma: 15)
Reply #1152 on: March 25, 2022, 06:44:04 am
It's not the fault of Zenarmor, it's the fault of OPNsense.
OPNsense HW:
Minisforum Venus series UN100C, 16 GB RAM, 512 GB SSD
T-bao N9N Pro, 16 GB RAM, 512 GB SSD

franco (Administrator, Hero Member, Posts: 17656, Karma: 1610)
Reply #1153 on: March 25, 2022, 08:29:30 am
Not enough incentive to cast blame. Dormant bug, common XML node name, no all-encompassing test coverage. VLAN changes introduced are functional and thoroughly vetted. It's just a matter of configuration data handling in the new MVC framework which hasn't been discovered yet.
The change was on the development version for a bit which just makes it seem nobody using Zenarmor is using the development version. It is what it is.
Cheers,
Franco

jeekee (Newbie, Posts: 3, Karma: 0)
Reply #1154 on: April 03, 2022, 10:54:53 am
Hi guys,
I got some trouble with sensei. I've got OPNSense 22.1.4.1 running without any problem so I thought. But I just found out that sensei is hanging at the initializing screen. Reinstalled it twice to no avail. One thing I did notice during reinstall is the message: peg: no package(s) matching os-sensei-agent. Not sure if this is new\unrelated or the problem. Any ideas or something I am missing here? Worked fine until now...
Thanks for the help!
Jay
« Last Edit: April 03, 2022, 10:57:03 am by jeekee »