Sensei on OPNsense - Application based filtering

Started by mb, August 25, 2018, 03:38:14 AM


Hi mb,

Thanks a lot for your great work - also during these hard times!

Could you briefly specify this a little bit more, please:
Quote from: mb on April 15, 2020, 11:53:37 PM
Cloud
Improved feedback loop for Web Categorization:

When you submit an entry for re-classification we can now re-categorize it within as fast as 10 minutes.

Is there a kind of check/rating you perform in order to maintain overall security for all users connecting to the cloud or how does it work?

Is there also an improvement / faster updates in the cloud-based re-classification of web sites, without having users involved (e.g. potentially dangerous / undecided not safe / undecided safe sites), which aren't updated currently?

Thanks a lot!

@mb

If I understood correctly, with the free version you can define 3 profiles but then you can only have 1 policy.
Could you at least make available the use of 2 policies at the same time based on subnet or IPs?

Does Sensei allow loading external IP block lists?

When is the integration with Suricata 5 in OPNsense planned?

Are you doing the app control with snort?

April 21, 2020, 03:18:36 AM #857 Last Edit: April 21, 2020, 03:30:17 AM by mb
Hi @bEeReE,

Thanks for your feedback, much appreciated.

From time to time, we receive questions about the Cloud Reputation System. You can see the following article for detailed information:

https://help.sunnyvalley.io/hc/en-us/articles/360046515334-Cloud-Reputation-Threat-Intelligence

Regardless of user feedback, the database is continuously updated. We prioritize sites which we see active in the field. If you think we're missing some sites, that's something we should be looking at. Any chances that you can reach out to us via "Contact Team" menu? We'd like to run a trace.

Hi @l0rdraiden, thanks for the questions, please find my answers inline:

Quote from: l0rdraiden on April 19, 2020, 11:57:03 AM
If I understood correctly, with the free version you can define 3 profiles but then you can only have 1 policy.
Could you at least make available the use of 2 policies at the same time based on subnet or IPs?

Correct. Let us think about it. We strive to strike a good balance between paid and free editions. While trying to provide many features in the free edition, we want to make sure paying users have good differentiation.

Quote
Does Sensei allow loading external IP block lists?

Not currently. We understand the need to be able to feed custom lists to Sensei and are working on a solution. I'll write more about this later on.

Quote
When is the integration with Suricata 5 in OPNsense planned?

It's going to be available this year.

Quote
Are you doing the app control with snort?

No. From ground-zero, Sensei is a unique technology. We do not utilize any open source IDS/IPS tools in our source code.

Quote from: mb on January 28, 2020, 07:19:09 AM
Hi faisal,

Good, you can now do the initial configuration; it should install Elastic now.

Currently the database location is /var/db. Upcoming 1.4 or 1.5 will move it to /usr/local since /var can be a temporary memory file system in OPNsense.

For disk sizing, you can use this guide:

https://help.sunnyvalley.io/hc/en-us/articles/360025047373-Hardware-Requirements

Could you please explain how I can move the db location to a secondary disk / partition?

Thx

Hi @zerolution,

1.5 will have the option to do that. Find the feature under Sensei -> Configuration -> Reports & Data.

See attachment.

1.5 is in pilot tests right now. We plan to release it late this month.

Hello @mb,

Thank you for your reply !

So according to what you replied, I could potentially mount a second hard drive to a path (i.e. /mnt/storage) which I would then reference, as displayed in your post, in the path section?

There is no application (sensei) limitation to the path I will be able to provide ?

Looking forward to being able to use this as my current HD is at 90% usage :)

Quote from: zerolution on April 22, 2020, 08:17:37 AM
So according to what you replied, I could potentially mount a second hard drive to a path (i.e. /mnt/storage) which I would then reference, as displayed in your post, in the path section?

There is no application (sensei) limitation to the path I will be able to provide ?

Correct :) I think we'll be able to release 1.5 by the end of April.

Is it possible to block an entire domain rather than each subdomain? For example, I have whitelisted apple.com, but then receive blocks on init.itunes.apple.com, play.itunes.apple.com, bag.itunes.apple.com, etc. This is the same behavior with several other domains as well. I was hoping that a single entry of apple.com would exclude all domains ending in .apple.com. Basically a *.apple.com

Hi @m1ke486837,

This should already work like this. You might be blocked by the App filter, since this comes earlier to the scene (this is improved in 1.5). Can you confirm whether this is the case from "Reports -> Blocks -> Live Blocked Sessions"? See if it is blocked by App Controls or Web Controls.

If this is not the case send a PR from "Report Bug" menu located on the upper right hand corner of the UI and team will take a deeper look.

Thank you for the quick response. I will monitor the traffic with the 'live blocked sessions' and report back if the blocks originate from the web control category.

After some testing, it appears it is working as it should. All of the blocks were specific to the App Controls. It gives the option to whitelist the host, but that is whitelisting the host address for the Web Controls rather than App Controls. I know it is possible to drill down into the categories and unblock entire sub-categories, but it would be nice to have more control as we do with whitelists.

There was mention of a new release (1.5) on the horizon. Will there be a way to whitelist for App Filtering, or will hosts listed in Web Filtering take precedence over App Control?

Loving the premium features of this plugin, and looking forward to further development and features.
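The two points raised in this exchange are that a whitelist entry such as apple.com is expected to cover every host ending in .apple.com, and that a host whitelisted under Web Controls can still be blocked because App Controls are evaluated first. The following is an added illustration written for this thread, not Sensei's code: the label-based suffix matching models the first point, and the two-stage decide() function models the evaluation order mb describes. The category table, app labels and hostnames are constructed sample data, and the shape of the lookup is an assumption.

```python
"""Suffix-style host whitelisting and App-before-Web evaluation order.

Added example for the thread; not Sensei's implementation. All sample
data below is constructed.
"""


def normalize_host(host: str) -> str:
    """Lower-case the name and strip whitespace and a trailing FQDN dot."""
    return host.strip().lower().rstrip(".")


def host_matches(host: str, entry: str) -> bool:
    """True if host equals entry or is a subdomain of it.

    Matching is done on DNS labels, so "apple.com" covers
    "init.itunes.apple.com" but not "notapple.com" and not
    "apple.com.example.net". A leading "*." on the entry is accepted
    and means the same thing as the bare domain.
    """
    host = normalize_host(host)
    entry = normalize_host(entry)
    if entry.startswith("*."):
        entry = entry[2:]
    if not entry:
        return False
    return host == entry or host.endswith("." + entry)


def is_whitelisted(host: str, whitelist) -> bool:
    """True if any whitelist entry covers the host."""
    return any(host_matches(host, entry) for entry in whitelist)


# Constructed stand-in for a web categorization lookup (assumed shape).
WEB_CATEGORIES = {
    "apple.com": "Technology",
    "init.itunes.apple.com": "Streaming Media",
    "tracker.example.net": "Ads & Trackers",
}


def web_category(host: str) -> str:
    """Category of a host, 'Uncategorized' when unknown (constructed data)."""
    return WEB_CATEGORIES.get(normalize_host(host), "Uncategorized")


def decide(host, app_label, blocked_apps, blocked_web_categories, web_whitelist):
    """Evaluate a session in the order described in the thread.

    Stage 1, App Controls: a match on the application label blocks the
    session before the Web Controls whitelist is ever consulted, which is
    why a host covered by a Web Controls whitelist can still be blocked.
    Stage 2, Web Controls: whitelist first, then category blocking.
    Returns (verdict, reason).
    """
    if app_label is not None and app_label in blocked_apps:
        return ("block", "app")
    if is_whitelisted(host, web_whitelist):
        return ("allow", "web-whitelist")
    if web_category(host) in blocked_web_categories:
        return ("block", "web-category")
    return ("allow", "default")


if __name__ == "__main__":
    whitelist = ["apple.com"]
    for h in ["init.itunes.apple.com", "notapple.com", "apple.com.example.net"]:
        print(h, "whitelisted:", is_whitelisted(h, whitelist))
    # Same host, blocked by App Controls despite the Web Controls whitelist.
    print(decide("init.itunes.apple.com", "iTunes", {"iTunes"},
                 {"Streaming Media"}, whitelist))
    # With no app match, the whitelist takes effect at the web stage.
    print(decide("init.itunes.apple.com", None, {"iTunes"},
                 {"Streaming Media"}, whitelist))
```

When reading "Live Blocked Sessions" as mb suggests, the reason column is the equivalent of the second element of the tuple decide() returns: a block attributed to App Controls will not be lifted by adding a Web Controls whitelist entry, however broad.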

Hi opnsense community.

I'm facing a strange issue with Sensei and VLANs. After every reboot, as soon as Sensei is started I lose all connectivity on VLAN interfaces.
I need to log in via a non-VLAN interface, restart Sensei and then it works again.

Anybody with a similar issue?

I've already filed a bug to the SunnyValley Helpdesk.

br

@mb

Since Sensei is based on ELK, here are some ideas to include in Sensei, both quite impressive. This would provide more added value to Sensei over standalone OPNsense.

https://github.com/3ilson/pfelk
https://github.com/robcowart/elastiflow

Quote from: Mks on May 02, 2020, 04:20:13 PM
Hi opnsense community.

I'm facing a strange issue with Sensei and VLANs. After every reboot, as soon as Sensei is started I lose all connectivity on VLAN interfaces.
I need to log in via a non-VLAN interface, restart Sensei and then it works again.

Anybody with a similar issue?

I've already filed a bug to the SunnyValley Helpdesk.

br

For the VLANs, are you adding the VLANs themselves to the protected interfaces or the physical interface the VLANs are on? Make sure you aren't doing both. I was having this bug too, and I was just adding the physical interface. It didn't happen all the time. As soon as it happens, send the bug report over so they have more reports than just mine.

Since it last happened to me, I think mb and team told me in the ticket they found an issue with netmap when the Sensei packet engine started at startup. I have since created a bridge from my firewall to my switch, mainly to increase bandwidth, and now the bridge interface isn't even an option in Sensei, but I can add all the VLANs and I haven't had the problem since.

One workaround I did before the bridge, though, was to turn Sensei auto startup off and turn Sensei back on manually after a reboot. It's not ideal, but it's something. You could probably make a cron job to start the packet engine every day at a certain time, so that in case you forget to turn it on after a reboot it can turn on with the job.