Sensei on OPNsense - Application based filtering

Started by mb, August 25, 2018, 03:38:14 AM

Why are Sensei logs not available in the WUI? Or am I missing something?
https://www.signorini.ch
Protectli Pfsense Mi7500L6 Intel 7Th Gen Core I7 7500U 16Gb Ddr4 Ram
512Gb Msata Ssd
6 X Intel Gigabit Ethernet

I have opened a bug report for Sensei:

First, I have the following setup:
Internet <-> Firewall (with Sensei) <-> Fritzbox (VoIP).
Only the LAN interface is assigned to be controlled by Sensei.

Incoming SIP INVITEs are not passing Sensei.
The SIP INVITE packets arrive as fragmented UDP packets.

The problem is that fragmented UDP packets are discarded by Sensei.
The packets never reach the LAN network if Sensei is enabled.
If Sensei's bypass mode is active, the packets are passed normally through the firewall and reach the Fritzbox.

I believe that Sensei is silently discarding fragmented UDP packets.
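To make the failure mode in the report above concrete: this is an added example (not code from the thread or from the Sensei project) that builds a SIP INVITE large enough to need IPv4 fragmentation, splits it the way a sending host would, and shows that only the first fragment carries the UDP header with the port numbers. Any inspection engine that classifies per packet without reassembling fragments has nothing but an IP header to go on for the remaining fragments, which is a plausible way to end up dropping them. The thread does not establish what Sensei actually does internally, so treat this as a model of the mechanism, not a description of Sensei. The INVITE text, addresses and IP ID are constructed sample data.

```python
import socket
import struct

UDP_PROTO = 17

# Constructed sample SIP INVITE (RFC 5737 documentation addresses). The SDP body
# is padded with repeated attribute lines so the UDP datagram exceeds a 1500-byte
# Ethernet MTU; that is what forces the sender to fragment it at the IP layer.
_SDP_BODY = (
    b"v=0\r\n"
    b"o=- 0 0 IN IP4 198.51.100.5\r\n"
    b"s=-\r\n"
    b"c=IN IP4 198.51.100.5\r\n"
    b"t=0 0\r\n"
    b"m=audio 4000 RTP/AVP 0 8 9 18 101\r\n"
    + b"a=rtpmap:0 PCMU/8000\r\n" * 60   # filler: large SDP offers are common
)
_SIP_HEADERS = (
    b"INVITE sip:alice@192.0.2.10 SIP/2.0\r\n"
    b"Via: SIP/2.0/UDP 198.51.100.5:5060;branch=z9hG4bK-example\r\n"
    b"From: <sip:bob@198.51.100.5>;tag=1234\r\n"
    b"To: <sip:alice@192.0.2.10>\r\n"
    b"Call-ID: example-call-id@198.51.100.5\r\n"
    b"CSeq: 1 INVITE\r\n"
    b"Content-Type: application/sdp\r\n"
    b"Content-Length: %d\r\n\r\n" % len(_SDP_BODY)
)
SIP_INVITE = _SIP_HEADERS + _SDP_BODY


def ip_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum. Returns 0 when run over a header whose
    checksum field is already filled in correctly."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_udp(sport: int, dport: int, payload: bytes) -> bytes:
    # UDP checksum 0 means "not computed"; IPv4 permits that, so we skip the pseudo-header sum.
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def ipv4_header(src, dst, payload_len, ident, more_frags, offset, proto=UDP_PROTO, ttl=64):
    # Flags/offset word: bit 13 = MF, low 13 bits = offset in 8-byte units.
    flags_frag = (0x2000 if more_frags else 0) | ((offset // 8) & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, flags_frag,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def fragment_ipv4(src, dst, ident, l4_datagram, mtu=1500):
    """Split one transport datagram into on-the-wire IPv4 fragments (RFC 791)."""
    max_data = ((mtu - 20) // 8) * 8          # non-final fragments carry a multiple of 8 bytes
    frags = []
    for off in range(0, len(l4_datagram), max_data):
        chunk = l4_datagram[off:off + max_data]
        more = off + len(chunk) < len(l4_datagram)
        frags.append(ipv4_header(src, dst, len(chunk), ident, more, off) + chunk)
    return frags


def parse_ipv4(pkt: bytes) -> dict:
    ver_ihl, _tos, total_len, ident, flags_frag, _ttl, proto, _csum = struct.unpack("!BBHHHBBH", pkt[:12])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ip_checksum(pkt[:ihl]) != 0:
        raise ValueError("not a valid IPv4 header")
    return {"ident": ident, "proto": proto, "more": bool(flags_frag & 0x2000),
            "offset": (flags_frag & 0x1FFF) * 8, "data": pkt[ihl:total_len]}


def udp_ports(frag: dict):
    """What a per-packet classifier can see: UDP ports exist only in the first fragment."""
    if frag["proto"] != UDP_PROTO or frag["offset"] != 0 or len(frag["data"]) < 8:
        return None
    return struct.unpack("!HH", frag["data"][:4])


def reassemble(frags) -> bytes:
    """Strict reassembly: same IP ID, contiguous, no gaps, final fragment present."""
    frags = sorted(frags, key=lambda f: f["offset"])
    if len({f["ident"] for f in frags}) != 1:
        raise ValueError("fragments from different datagrams")
    expected, buf = 0, bytearray()
    for f in frags:
        if f["offset"] != expected:
            raise ValueError("gap or overlap at offset %d" % expected)
        buf += f["data"]
        expected += len(f["data"])
    if frags[-1]["more"]:
        raise ValueError("final fragment missing")
    return bytes(buf)


def udp_payload(datagram: bytes):
    sport, dport, length, _csum = struct.unpack("!HHHH", datagram[:8])
    return sport, dport, datagram[8:length]


def demo(mtu=1500) -> dict:
    dgram = build_udp(5060, 5060, SIP_INVITE)
    wire = fragment_ipv4("198.51.100.5", "192.0.2.10", 0x1234, dgram, mtu)
    parsed = [parse_ipv4(p) for p in wire]
    method = udp_payload(reassemble(parsed))[2].split(b" ", 1)[0]
    return {"fragments": len(wire),
            "per_fragment_ports": [udp_ports(f) for f in parsed],
            "method": method}


if __name__ == "__main__":
    print(demo())   # the second fragment has no port information at all
```

Run it and the per-fragment view shows (5060, 5060) for the first fragment and None for the second; only after reassembly does the INVITE method become visible. The practical check on a real box is the one already mentioned in the thread: capture on the WAN side and on the LAN side with bypass on and off, and compare whether the non-first fragments (offset != 0 in the IP header) make it through.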

@ckishappy, all welcome.

@siga75, logs contain quite a lot of information, which would be too much to display in the UI. Instead, our approach is to selectively notify users of important events via the User Interface.

@cgone, we received your report. Team will get back to you momentarily.


Hi, a freshly installed Sensei 1.4 caused SEGVGUARD and stopped all traffic.
It looks like this in the dmesg.today log file:


[HBSD SEGVGUARD] [/usr/local/sensei//bin//eastpect (62199)] Suspension expired.
-> pid: 62199 ppid: 13537 p_pax: 0xa50<SEGVGUARD,ASLR,NOSHLIBRANDOM,NODISALLOWMAP32BIT>
...
[HBSD SEGVGUARD] [/usr/local/sensei//bin//eastpect (49329)] Suspension expired.
-> pid: 49329 ppid: 44449 p_pax: 0xa50<SEGVGUARD,ASLR,NOSHLIBRANDOM,NODISALLOWMAP32BIT>
...


When I tried to enable Generation of Support Data (Sensei -> Configuration -> Updates & Health; turn on "Enable Generation of Support Data" there), nothing happened. After a page refresh, "Enable Generation of Support Data" is still disabled.
How else can I enable generation of support data to catch the core dump file?

Hi @xsfpo,

We need a core file to debug this. Just reach out to us through the "Report Bug" menu located in the upper right-hand corner of the UI. The team will guide you.

My SSH and SFTP connections are detected as "Generic TCPIP" with no more specific information, so my SSH connections are dropped, even if I enabled SFTP and Secure Shell.

I suggest having, as an option, a blacklist instead of a whitelist (even if generally not a good choice from a security perspective) so that if a connection is not correctly detected, by default it passes. Otherwise the only way is to completely enable the Generic TCPIP category, which contains more than 700 entries.

Hi,
Not sure if it's a bug or not, but I've recently upgraded to v1.4 and I noticed in:

Sensei: Configuration: General: Deployment Size

Database: Elasticsearch
Deployment Size:  Home (Max 15 Devices)  <--- Here

I have the Home subscription and thought the max device count should be 50. I checked the About: View License page and it does show 50 devices there. Is this something I should be concerned about? I've not noticed anything negative so far.

Thanks!

Hi all,

What's the plan for Sensei in the future? I really like the approach and the added value to OPNsense, but will it be able to replace some other services like the web proxy and ClamAV? Or is the intention to run everything independently?

Currently, they are asking about development preferences for 2020 in a survey, but do not differentiate between subscriptions. E.g. if we vote for TLS inspection, it will not be possible for home users according to their plans published on the website. So the survey results may lead to an undesired focus, no? Although, it is definitely one of the important features that should also be possible for home users in order to allow improving the overall security level, since most traffic is encrypted now (as far as I know, Sensei does not even make use of traffic decrypted within the proxy). Sophos has also integrated DPI inspection without a real MITM and is able to scan other ports (e.g. IMAPS).

If malware scanning were also included (I guess currently it's not using a malware engine but rather blocks based on URLs), the replacement/alternative to the proxy would be perfect in my opinion....


Hi @siga75, we could not reproduce this. I think we need a small packet capture. Can you reach out to the team (Report Bug link in the upper right-hand corner of the UI)? The team will guide you through.

And, thanks for the suggestion. I might have a few questions to make sure I understand correctly.

Hi @packetmangler, this looks like a glitch with this setting. We are fixing this in the coming release. For now, you do not need to worry, since the packet engine honors the actual value stored in the license, which is 50 devices.


Hi @bEeReE,

Many thanks for your encouraging comments. We've decided to walk a 'never-tried-before' path for going to market and delivering the product. Instead of building a full-blown product, we are complementing what's already doing great. It's super to see validation that this is a good idea.

The core technology behind the Sensei product is a very powerful packet inspection engine. Indeed, only some fraction of the current underlying capabilities are reflected in the User Interface. The packet engine has a very performant all-ports full TLS inspection capability already built in (it can do almost 500 Mbps on an i5 3 GHz CPU, single core). So in that regard, providing what's available with Squid+ClamAV is possible (i.e. file-based AV/sandbox).

The poll for the 2020 roadmap is kind of what we think we will be providing as of this year. The Free/Premium distinction is not decided yet, but we can go ahead and mark the ones which are likely to appear in the Premium version. The poll system did not have a free-answer option. But I think we should have another poll to gather your ideas as to what you would like to see in Sensei (apart from the ones presented in the current poll [1]).

[1] https://surveymonkey.com/r/BTMH9P7

Case opened as requested, with a screenshot attached. This happens both with PuTTY from Windows 10 and with another SSH client from Raspbian Buster:

root@linjs:/root # ssh www.signorini.in
ssh_exchange_identification: Connection closed by remote host

root@linjs:/root # dpkg -l ssh
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name           Version            Architecture Description
+++-==============-==================-============-============================================
ii  ssh            1:7.9p1-10+deb10u2 all          secure shell client and server (metapackage)


Sensei and AD/LDAP integration

Can Sensei take advantage of the AD integration agent in the Free plan?

The feature table shows "User based reporting (AD/LDAP) = up to 5 devices" for the Free plan. But when I install the AD agent on the DC, Sensei reporting shows 0 for authenticated users. The instruction documents are not clear to me on this point.

Is something wrong with my set-up, or is it supposed to be this way?

Hi mb, can you read and comment on some topics in the main 20.1 forum branch about the unsuccessful upgrade to 20.1.2 with the Sensei plugin installed?

https://forum.opnsense.org/index.php?topic=16164.0

Hi @xfspo, thanks for the heads-up, will be looking.