Sensei on OPNsense - Application based filtering

Started by mb, August 25, 2018, 03:38:14 AM

February 10, 2022, 12:34:46 PM #1140 Last Edit: February 10, 2022, 12:38:55 PM by thefunkygibbon
Hi, I'm new to OPNsense and Sensei in general, but I cannot seem to find the answer to this.
I'm running on a 4-core Atom / 8 GB RAM appliance and am trying to set up Sensei.
My question is, which DB to choose? I know it says high-end/low-end get different options, but that doesn't really go any distance to explaining the pros and cons of using either. I see that if you have 8 GB+ you can choose Elastic locally. But does that mean you should? If a low-end system can get away with Mongo, would that not be overall better to use unless you have oodles of RAM?
I can set up Elastic in a Docker container on my server too (connected via gigabit); would that be better for overall firewall/Sensei performance?
Also, is it just for reporting/logging, or is it constantly in use whilst Sensei is being used? I guess if it's just for logging and reporting, then performance is probably not an issue in terms of traffic throughput.
Thanks in advance.

Hi @thefunkygibbon,

According to the reports we receive from Zenarmor users, if you have many devices (100+) to protect/report on, Elasticsearch appears to be the better alternative as the backend database. Yes, you'll need at least 8 GB of RAM to be able to run ES along with Zenarmor.

Having said that, if this is a home/small office installation with at most 50-100 devices, Mongo should work equally well.

Yes, Mongo/ES is only used for reporting, and for throughput they won't be an issue overall. However, if the system is producing so many logs that the databases cannot keep up, then it'll come back and hurt system performance, which in turn will impact throughput.

With 1.11, we'll also be adding an SQLite backend option. It might also be worth trying if you're using Zenarmor for your home/small office.

Thanks. I ended up selecting Elastic; I assume I can remove it and go down the Mongo route? Yes, it's for a home deployment, and the most actual concurrent users would likely be about 10 at the most. Yes, my network has many dozens more devices, but they are unlikely to be doing much on the internet (IoT devices that connect to my Home Assistant system, for example).

As long as I'm getting my line speed, I'm happy. Although I noticed that I cannot do any per-user settings using this unless I pay $99 a year. Unfortunately, that's unlikely to happen with budgets like they are. So it's all pretty much testing to see what works best for our needs right now.
I've come from a mesh system that had user-based URL/risk blocking and so on, and have moved to a hardware router/firewall and controller-based APs, so I'm trying to get the most out of what I can.

@thefunkygibbon, looking at your environment, MongoDB should just work fine for you. Enjoy ;)


March 10, 2022, 07:33:46 PM #1144 Last Edit: March 10, 2022, 07:39:32 PM by chrismccracken
I have installed Zenarmor on a new OPNsense 22.1 installation, and am running into a snag with the initial config wizard. My WAN interface does not show up in the Available interfaces box. The interface type is PPPoE running on a VLAN on an Intel ix interface. The unassigned VLAN subinterface does show up, but using that interface won't work properly, since the WAN traffic is encapsulated in the PPPoE tunnel on it. This seems to be a blocker for me; can anyone help?

**edit to add**
I've since found another post indicating that Sensei does not currently support PPPoE interfaces. Disappointed :(
(also, why is there no delete button for this reply?)

Why wouldn't you run it on the LAN interface, as recommended?
System1: Qotom Q310G4
System2: APU2C4

Quote from: skywalker007 on March 10, 2022, 08:02:01 PM
Why wouldn't you run it on the LAN interface, as recommended?

I have not seen a recommendation in any of the docs I've read so far about which interface to run it on. Every IDS I've used in the past binds to the WAN to get proper pre-filtering threat intel. I'll test it out with LAN, but that seems backwards ???

Set this on all internal interfaces.
If you need more, use Suricata on WAN.
DEC750 Deciso

Hi All,

I've literally just installed Zenarmor just now; it seems that only IDS/IPS or Zenarmor can be enabled for any particular interface. And Zenarmor doesn't seem to have any configuration options that deal with IPS signatures, rules and such.

I'm getting the impression that Zenarmor is best suited for the user segment, where you protect your users from accessing malicious sites and such... or is there more to it? Can it protect servers? How exactly?

Should I enable IDS/IPS on the server and WAN segments, then enable Zenarmor on the user segment?

TIA

Hi,

You need to use Zenarmor on the LAN side and an IPS/IDS on the WAN side. Zenarmor has no IPS/IDS features yet.

Hello,
I'm a long time user, but never used some features within Zenarmor.

I'm trying to send regular reports to my e-mail address. However, there's a problem when I set things up:
My SMTP server needs a known "from-address", but Zenarmor seems to give a blank one, even though I filled in the "Send mail from" option.
I tried using SMTP and SMTPS with and without TLS certificate check: same results.
The mail server is configured without authentication when queries come from known IP addresses: it works fine from Monit within OPNsense, the Nextcloud server, and so on.

(Please see attached screenshots: my configuration tab, the error message from Zenarmor side, and the SMTP logs from the mail server side)

Is there something I am missing that would allow Zenarmor to correctly fill in the from-address when using SMTP services?

Any hint would be much appreciated!
In advance, thanks to anyone who can help me!

March 24, 2022, 09:11:02 PM #1151 Last Edit: March 24, 2022, 09:24:29 PM by Vazmuten
Hi!
I just updated to the latest version of OPNsense:
OPNsense 22.1.4-amd64
FreeBSD 13.0-STABLE
OpenSSL 1.1.1n 15 Mar 2022


Then, following the excellent Zenarmor (Sensei) instructions, I installed the Sensei plugins and, even before starting to configure them... all my VLANs disappeared. Instead of the listed VLANs in "Interfaces: Other Types: VLAN" there is a line/note "No results found!". I rebooted OPNsense and guess what: all VLANs were missing for real and did not appear at all in the ifconfig output on the OPNsense SSH console. After I uninstalled Zenarmor (Sensei), all my 12 VLANs appeared again. What's going on, and how do I fix this bug?

It's not the fault of Zenarmor, it's the fault of OPNsense.
OPNsense HW:

Minisforum Venus series UN100C, 16 GB RAM, 512 GB SSD
T-bao N9N Pro, 16 GB RAM, 512 GB SSD

Not enough incentive to cast blame. Dormant bug, common XML node name, no all-encompassing test coverage. VLAN changes introduced are functional and thoroughly vetted. It's just a matter of configuration data handling in the new MVC framework which hasn't been discovered yet.

The change was on the development version for a bit which just makes it seem nobody using Zenarmor is using the development version. It is what it is. ;)


Cheers,
Franco

April 03, 2022, 10:54:53 AM #1154 Last Edit: April 03, 2022, 10:57:03 AM by jeekee
Hi guys,

I've got some trouble with Sensei. I've got OPNsense 22.1.4.1 running without any problem, or so I thought. But I just found out that Sensei is hanging at the initializing screen. Reinstalled it twice to no avail. One thing I did notice during reinstall is the message: pkg: no package(s) matching os-sensei-agent. Not sure if this is new/unrelated or the problem. Any ideas, or something I am missing here? Worked fine until now...

Thanks for the help!

Jay