Sensei on OPNsense - Application based filtering

[the-mk]

@mb: I do have a few questions regarding Sensei:

how is decided how big the environment can be during setup (with 6 GB of RAM it offers me Home 10 users, Home 15 users and Small 25 users; with 8 GB of RAM I get the full list offered until Xlarge with 1000 users)?

when uninstalling Sensei (and Sensei was installed with MongoDB) - why is the MongoDB not removed even if those two checkboxes are checked during uninstall? (the checkboxes are named "Remove Reports data" and the "Remove all install directories")
how can MongoDB be uninstalled? because the security check in the OPNsense update area tells me that there are security vulnerabilities with MongoDB...

during uninstall and reinstall a few settings are remembered (i.e. TCP service security password in Configuration>General) - seems like the "remove all install directories" switch is not working properly?

[yeraycito]

Analysis of sensei 1.1:
Equipment:
CPU Type Intel(R) Celeron(R) CPU J3160 @ 1.60GHz (4 cores)
Memory: 8GB
Sensei: good
Sensei plus Suricata: bad
(opnsense blocking)
netmap suricata error
For when compatibility sensei - suricata?

[mb]

@l0rdraiden, thanks for further input. We're having an active discussion with people who are providing feedback on pricing / features. Current final picture of the Home Edition has been shaped with this feedback. Feel free to jump into the conversation by sending an e-mail to sensei - at - sunnyvalley.io. Though I do not expect much change with regard to Home Edition, since there's also a maintenance overhead on the vendor, which is much higher with smaller numbers of deployments. 

@robvanhooren, @donatom3 you're all welcome. Thanks for the feedback.

[mb]

@the-mk, for mongodb, it should be up to 50 actually (fixed for 1.2.1).

The threshold for running Elastic Search is whether RAM is below or above 8GB. Under 8GB, mongodb provides a lot better results. With a resourceful hardware, Elastic Search is the way to go. Under 8GB and with mongodb, we have not yet tested Mongodb with larger workloads, so for now we keep it up to 50 devices.

For a hint: we have been reported of deployments  with 16GB RAM protecting around 1000 devices, using Elastic Search.

You're right. mongodb/elastic should also be removed during uninstall. (fixing for 1.2.1) You can manually uninstall it via System -> Firmware -> Packages.

We're shipping mongodb 4.0.12 which has proper fixes for OpenSSL flavor. LibreSSL flavor looks fine.

Remaining configuration is the one which we place in config.xml. Yep, that should be removed as well if user wants everything deleted. (fixing for 1.2.1).

Thanks for the heads-up.

[mb]

@yeraycito, Suricata <-> Sensei interoperability is in short-term roadmap and should appear in early next year.

[the-mk]

@mb - thanks for the feedback, looking forward to 1.2.1!

since I wanted to reduce the RAM footprint of my OPNsense installation on my VMware host, I tried running it with 6 GB (coming from 8 GB; target is 4 GB) - so the MongoDB got installed during Sensei installation. With the release of 1.2 today I did a reinstall of Sensei and there was only the option with "small 25 users", which might be too few when having around 40-50 devices in my network... so the option "small 50 users" will be offered when reinstalling Sensei on a box with 4 GB RAM when 1.2.1 is ready?

uninstall MongoDB - with OPNsense 19.7.7 under System>Firmware>Packages I can't uninstall anything - just view the license, reinstall or lock the package...

BTW: I like it that the available views are now configurable on the Sensei dashboard!

another "issue" - sometimes when I look at the "top local hosts" on the dashbaord, I can see hosts with duplicate entries - one time mentioned with the hostname, the other time mentioned with its IP address. How can this be avoided?

[mb]

With the release of 1.2 today I did a reinstall of Sensei and there was only the option with "small 25 users", which might be too few when having around 40-50 devices in my network... so the option "small 50 users" will be offered when reinstalling Sensei on a box with 4 GB RAM when 1.2.1 is ready?

Correct. 50 should be there. 1.2.1 will address this. Since 1.2.1 is a hotfix, we will ship it quick. It should arrive early next week.

uninstall MongoDB - with OPNsense 19.7.7 under System>Firmware>Packages I can't uninstall anything - just view the license, reinstall or lock the package...

You're right. Alternatively you can just remove it from the ssh console:

Code: [Select]

# pkg remove mongodb40

BTW: I like it that the available views are now configurable on the Sensei dashboard!

Glad to know that

another "issue" - sometimes when I look at the "top local hosts" on the dashbaord, I can see hosts with duplicate entries - one time mentioned with the hostname, the other time mentioned with its IP address. How can this be avoided?

This will get resolved with device identification. We will track devices with their MAC addresses and associate IPv4/6 addresses with a unique device. Hoping to have this for 1.3 since this also has implications with regard to licensing.

[opnip]

Hello @mb,

some small findings:

1. Filter on Policy Id  (from pie-graph -> Sessions Detail) in Reports (created a new policy before) shows only a rotating circle.
Home Edition bug?

2. Block a URL via Action from Reports -> Connections -> Live Session Explorer results in the following message:

Code: [Select]

Error
Could not find: msmetrics.ws.sonos.com
In Version 1.1 a new Category "Auto Blacklist Hosts" are created. In version 1.2 (Home Editon) the category would not be created. And message above appears.
Home Edition bug?

3. Under Reports -> Security -> Live Blocked Sessions Explorer the coulmn "source ip" (my LAN IPs) shows also the different country flags of the "Dest Hostname" coulmn.
General bug?

Edit: I also did a reset of the config and started from scratch. Same results.

Thanks

[mb]

Hi @opnip, thanks for the heads up. Quikcly checking if we are able to reproduce thse. Will update the thread soon.

Update: all bugs confirmed and fixed. Fixes will appear in 1.2.1. this week.

[jf2001j]

Hi,

I would like to see in the Sensei Dashboard all connections, including of the firewall itself (like checking for updates, Cloud Reputation check, check for phone-home functionality of other plugins, etc.).

It is possible to see the packages in "Firewall: Log Files: Live View" for example.

=> How would I do this in Sensei?

In addition a feature proposal: please add a direct link to "Session Browser" from the menu bar and allow adding filters in this view. Charts are great, but not always useful.

Best regards,

[donatom3]

@mb I'm running into that bug that I reported back during beta again. The one where after a reboot of OPNSense once the Sensei Packet Engine starts it cuts off all traffic to protected interfaces. I have to use another interface to restart the Sensei Packet engine. I also verified it did this again with "Enable engine heartbeat monitoring:" turned off or on.

I did submit a report through the interface with logs. Hopefully that helps.

[stephan79]

Hi,

Got a question about subscription key/code: can you use that on multiple firewalls?
(haven’t found any info on this)

I’m running 2 FW’s with HA for production and 1 in LAB for testing purposes.
But if I must buy a subscription per FW then the cost would be too much for me. 

[mb]

@jf2001j, many thanks for trying Sensei and your suggestions.

I would like to see in the Sensei Dashboard all connections, including of the firewall itself (like checking for updates, Cloud Reputation check, check for phone-home functionality of other plugins, etc.).

This would be a cool feature, though not trivial to implement. Reason is that Sensei deploys on inner-facing interfaces; and to be able to inspect firewall's own traffic, we'll need to also deploy on WAN interface, which would mean we would produce duplicate logs (since the traffic has already got inspected on the inner-facing interfaces).

In addition a feature proposal: please add a direct link to "Session Browser" from the menu bar and allow adding filters in this view. Charts are great, but not always useful.

I guess you mean Sensei Menu on the left. Well noted.

@mb I'm running into that bug that I reported back during beta again.

@donato, we received your problem report and logs, thanks. This looks like something related to the order of services. It looks like after opening an interface in netmap mode, a later interface related action is mangling its operation. Will keep you posted.

[mb]

@stephan79, we're planning a scheme on the HA license. Will keep you updated.

[Antaris]

Hi again, mb. Another minor bug or "feature":
In Web Controls, Auto Whitelist Hosts, there is a field "Send this re-categorization as a feedback to Sensei Team to improve web categorization. " that wont remember his setting. Every time when i logon and go to this menu to add another site, it's ticked on. I turning it off every single time before save.