Merge branch 'opnsense:master' into master

pull/485/head
Monviech 9 months ago committed by GitHub
commit 2ff0e54fd2
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

@ -3,7 +3,6 @@
Configure CARP
==============
--------
Overview
--------
@ -118,8 +117,8 @@ The backup server needs its own dedicated addresses, we will use these:
.. Note::
Per default the dropdown menu for subnet mask only fits for IPv4
addresses (up to 32). If you want to add an IPv6 CARP address,
write you v6 address and the dropdown list will auto-update to
itself up to 128.
write your IPv6 address and the dropdown list will auto-update
to 128. :ref:`Configuring CARP with IPv6 <configuring-carp-with-ipv6>`
Because we are going to synchronize firewall settings between both
hosts, we only need to make sure that the pfSync interface can accept
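Review bot: the :ref: on the last new line of the note is dropped in without a lead sentence; prefix it so it reads as a sentence, e.g. "See :ref:`Configuring CARP with IPv6 <configuring-carp-with-ipv6>`." While here, "Per default" should be "By default".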
@ -300,6 +299,125 @@ these steps:
With these steps you will not lose too many packets and your existing connection will be transferred as well.
Also note that entering persistent mode survives a reboot.
.. _configuring-carp-with-ipv6:
--------------------------
Configuring CARP with IPv6
--------------------------
.. Warning::
Please read all the above steps before attempting to configure IPv6 CARP VIPs. This section is complementry. Some important details are omitted for a more focused approach.
.. Note::
* An example ISP provided you the following:
* IPv6 network: ``2001:db8:1234::/48``
* Transfer network: ``2001:db8:1234::/64``
* Upstream gateway: ``2001:db8:1234::/64``
* Static route: ``2001:db8:1234::/48`` next hop ``2001:db8:1234::7/64``
.. Note::
* Firewall rules have to permit *Protocol: CARP* with *TCP/IP Version: IPv6* on all interfaces with CARP IPv6 VIPs.
.. rubric:: Master
:name: master
Go to interfaces, make sure you have these interfaces assigned and setup the following addresses and subnets:
+-----+---------------------------+
| WAN | ``2001:db8:1234::1/64`` |
+-----+---------------------------+
| LAN | ``2001:db8:1234:1::1/64`` |
+-----+---------------------------+
.. rubric:: Backup
:name: backup
The backup server needs its own dedicated addresses, we will use these:
+-----+---------------------------+
| WAN | ``2001:db8:1234::2/64`` |
+-----+---------------------------+
| LAN | ``2001:db8:1234:1::2/64`` |
+-----+---------------------------+
-----------------------------------------
Setup Virtual IPv6 Global Unicast Address
-----------------------------------------
On the master node we are going to setup our Virtual IPv6 global unicast address, which
will also be added to the backup node with a higher skew after synchronisation.
Go to :menuselection:`Interfaces --> Virtual IPs` and add a new one with the following
characteristics:
+-------------------------+------------------------------------+
| Type | Carp |
+-------------------------+------------------------------------+
| Interface | WAN |
+-------------------------+------------------------------------+
| IP addresses | ``2001:db8:1234::7/64`` |
+-------------------------+------------------------------------+
| Virtual password | opnsense (the example uses this) |
+-------------------------+------------------------------------+
| VHID Group | 2 |
+-------------------------+------------------------------------+
| Advertising Frequency | Base 1 / Skew 0 |
+-------------------------+------------------------------------+
| Description | VIP WAN IPv6 |
+-------------------------+------------------------------------+
.. Tip::
``2001:db8:1234::7/64`` should be the IP where the static route of your provider points to.
.. Warning::
Use a free VHID Group for each additional CARP VIP. Don't use the same VHID Group twice.
-------------------------------------
Setup Virtual IPv6 Link Local Address
-------------------------------------
On the master node we are going to setup our Virtual IPv6 link local address, which
will also be added to the backup node with a higher skew after synchronisation.
Go to :menuselection:`Interfaces --> Virtual IPs` and add a new one with the following
characteristics:
+-------------------------+------------------------------------+
| Type | Carp |
+-------------------------+------------------------------------+
| Interface | LAN |
+-------------------------+------------------------------------+
| IP addresses | ``fe80::/64`` |
+-------------------------+------------------------------------+
| Virtual password | opnsense (the example uses this) |
+-------------------------+------------------------------------+
| VHID Group | 4 |
+-------------------------+------------------------------------+
| Advertising Frequency | Base 1 / Skew 0 |
+-------------------------+------------------------------------+
| Description | VIP LAN IPv6 |
+-------------------------+------------------------------------+
.. Warning::
* All IPv6 CARP VIPs on LAN interfaces should be ``/64`` Link Local Addresses.
* Don't use Global Unicast Addresses, many devices ignore them as IPv6 Gateway.
.. Tip::
* Even though you can use ``fe80::/64`` for each additional LAN interface, it's advisable to use *IPv6 addresses with IPv4 embedded* (RFC 4291 - Section 2.5.5).
* Example: If there is a LAN interface with the IPv4 CARP VIP ``192.168.1.1/24``, you could use ``fe80::192:168:1:1/64`` as the link local address. It would help with readability, because hosts in that network would have the IPv4 Gateway as ``192.168.1.1`` and the IPv6 Gateway as ``fe80::192:168:1:1``.
--------------------------
Setup Router Advertisments
--------------------------
.. rubric:: WAN
:name: WAN
* Go to :menuselection:`Services --> Router Advertisments` and select the WAN interface.
* Make sure *Router Advertisements* is set to *Disabled*
.. rubric:: LAN
:name: LAN
* Go to :menuselection:`Services --> Router Advertisments` and select the LAN interface.
* Change the *Source Address* from *automatic* to *VIP LAN IPv6 (fe80::/64)*.
---------
Resources
---------
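Review bot: the example ISP block at the top of this section lists the same ``2001:db8:1234::/64`` prefix for both the transfer network and the upstream gateway, and the static route next hop ``2001:db8:1234::7/64`` carries a prefix length; a gateway and a next hop are single addresses, so the upstream gateway should be a host address on the provider's side of the transfer network and the next hop written as ``2001:db8:1234::7``, matching the WAN VIP configured further down. The RFC citation in the LAN tip is inaccurate: RFC 4291 section 2.5.5 defines IPv4-mapped and IPv4-compatible addresses (``::ffff:192.168.1.1``), whereas ``fe80::192:168:1:1`` merely reuses the IPv4 digits as hex groups, so present it as a readability convention without the RFC reference. Since both VIP tables show ``opnsense (the example uses this)`` as the virtual password, add a sentence that a real deployment needs a unique, strong CARP password. Spelling: "complementry" -> "complementary", "Advertisments" -> "Advertisements" (heading and both menuselection entries), and "setup our Virtual IPv6" -> "set up our Virtual IPv6".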

@ -36,6 +36,10 @@ use the [+] button to install it.
Next go to :menuselection:`Services --> Wazuh Agent --> Settings` to configure the service.
.. Tip::
When the ossec log offers too limited insights when debugging issues, try to increase the debug level. You can find this setting under
General settings when "advanced mode" is enabled.
--------------------------------------
Connecting the agent
--------------------------------------
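Review bot: the new tip stacks two "when" clauses ("When the ossec log offers too limited insights when debugging issues"); rephrase as "If the ossec log gives too little insight while debugging, increase the debug level."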

@ -23,6 +23,11 @@ Before installing and using this plugin, make sure your web proxy is configured
or make sure the same username exists locally to map groups too.
.. Warning::
Do not install other plugins or configuration files hooking into the proxy as these might interfere with the working
of the system.
Installation
---------------------------
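Review bot: the context line directly above the new warning reads "to map groups too"; it should be "to map groups to". In the warning itself, "interfere with the working of the system" reads more naturally as "interfere with the operation of the proxy".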
@ -67,6 +72,26 @@ to import/add the users in OPNsense in order to user their authorisation setting
(it's not possible to block no bump sites in full inspection mode)
Transparant proxies
---------------------------
It is possible to use the proxy in transparant mode, but there are some constraints and ceveats to take into account when doing so.
This paragraph tries to explain them one by one.
* Using "Log SNI information only" is not supported in a useful way. As the browser is not aware of the proxy, it will request
access to an ip address in stead of a hostname. With full intercept mode, this is not really an issue as the next request will
be the actual question and does contain the hostname, but without interception, you can only filter on ip address which is often not very useful.
* The client has to trust the CA which the proxy uses to automatically create certificates, which means all TLS requests will be signed by the firewall instead of the
actual trustee.
* User based authentication is not possible, as the client doesn't know it's being intercepted, it's also not possible to
request a username and password. OPNproxy only supports basic authentication.
.. Note::
When changing the "Log SNI information only" option, you have to restart the proxy as well. As the apply button will not
reload the proxy in full.
Authentication options
---------------------------
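Review bot: spelling in the new section: "Transparant" -> "Transparent" (heading and first sentence), "ceveats" -> "caveats", "in stead" -> "instead". The closing Note is split into a fragment ("... as well. As the apply button will not reload the proxy in full."); join it into one sentence. On the CA bullet it would help to spell out the consequence: because the firewall re-signs every TLS connection with its own CA, that CA's private key must be protected like any other signing key, and clients that have not installed the CA will see certificate errors for all intercepted sites.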

@ -5,9 +5,9 @@ Zenarmor (Sensei): Overview
About
----------------------------
Zenarmor is a plugin for the OPNsense firewall which provides state-of-the-art next generation features. Zenarmor is developed by Sunny Valley Networks (https://www.sunnyvalley.io)
Zenarmor is a plugin for the OPNsense firewall which provides state-of-the-art next-generation features. Zenarmor is developed by Sunny Valley Networks (https://www.zenarmor.com)
If you are running a L4 firewall (all open source firewalls fall into this category) and looking for features like Application Control, Network Analytics and TLS Inspection, Zenarmor is the product you're looking for.
If you are running a L4 firewall (all open-source firewalls fall into this category) and looking for features like Application Control, Network Analytics, and TLS Inspection, Zenarmor is the product you're looking for.
.. raw:: html
@ -17,7 +17,7 @@ If you are running a L4 firewall (all open source firewalls fall into this categ
Features
----------------------------
Zenarmor empowers your firewall with the following next generation features:
Zenarmor empowers your firewall with the following next-generation features:
1. Application Control
2. Cloud Application Control \(Web 2.0 Controls\)
@ -27,9 +27,9 @@ Zenarmor empowers your firewall with the following next generation features:
6. User-based Filtering and Reporting
7. Active Directory Integration
8. RESTful API
9. Cloud based centralized management & Reporting
10. Application / Web category based Traffic Shaping and Prioritization
11. Policy based filtering and QoS
9. Cloud-based centralized management & Reporting
10. Application / Web-category-based Traffic Shaping and Prioritization
11. Policy-based filtering and QoS
12. Encrypted Threats Prevention
13. All-ports full TLS Inspection \(for every TCP port, not just HTTPS\) *Coming soon*
@ -50,7 +50,7 @@ User Manual
You can get detailed *How to* documents from Zenarmor's Documentation Site located at https://www.zenarmor.com/docs/opnsense
* `Dashboard <https://www.zenarmor.com/docs/opnsense/customizing-dashboard/dashboard>`_
* `Status <https://www.zenarmor.com/docs/opnsense/customizing-dashboard/status>`_
* `Status <https://www.zenarmor.com/docs/opnsense/customizing-dashboard/dashboard>`_
* `Reports <https://www.zenarmor.com/docs/opnsense/reporting-analytics/reports-overview>`_
* `Security <https://www.zenarmor.com/docs/opnsense/policies/security-rules>`_
* `Application Control <https://www.zenarmor.com/docs/opnsense/policies/application-control-rules>`_
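Review bot: the changed Status entry now points at .../customizing-dashboard/dashboard, the same URL as the Dashboard entry directly above it, so the two links are duplicates; confirm the intended Status page URL before merging.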
@ -70,26 +70,26 @@ You may also submit bug reports by visiting the *Report Bug* page in the Zenarmo
With its in-depth coverage, `Zenarmor Documentation <https://www.zenarmor.com/docs/opnsense>`_ is always available for reference.
* `OPNsense Forum <https://forum.opnsense.org/index.php?board=38.0>`_
* `Users' Manual <https://www.sunnyvalley.io/docs/opnsense>`_
* `Users' Manual <https://www.zenarmor.com/docs/opnsense>`_
**Premium Subscription Support**
When you buy a Zenarmor Premium Subscription, you are entitled to Zenarmor Basic Support. Additional support plans are available on demand.
* `Compare Support Plans <https://www.sunnyvalley.io/support-plans>`_
* `Compare Support Plans <https://www.zenarmor.com/plans>`_
* `Access Support Center <https://help.sunnyvalley.io/hc/en-us>`_
**Support Options for Channel Partners**
Sunny Valley Networks provides Tier 3 Support Options for Zenarmor Channel Partners. To learn more about them, please contact **sensei-partnership -at- sunnyvalley.io**.
To become a partner, you may apply for partnership via https://www.sunnyvalley.io/apply-partnership .
To become a partner, you may apply for a partnership via https://www.zenarmor.com/apply-partnership .
**Connect via Social Media or Websites**
* **Twitter**: `@sunnyvalley <https://twitter.com/sunnyvalley>`_
* **Twitter**: `@zenarmor <https://twitter.com/zenarmor>`_
* **Youtube**: `Sunny Valley Networks Hands-on videos <https://www.youtube.com/@zenarmor>`_
* **Company Website**: https://www.sunnyvalley.io
* **Company Website**: https://www.zenarmor.com
* **Product Website**: https://www.zenarmor.com
* **Zenconsole Cloud Management Portal**: https://dash.zenarmor.com
* **Sunny Valley Blog**: https://sunnyvalley.io/blog/
* **Sunny Valley Blog**: https://www.zenarmor.com/blog
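Review bot: the domain migration is incomplete within this hunk: "Access Support Center" still links to help.sunnyvalley.io, the partnership contact is still sensei-partnership -at- sunnyvalley.io, and the Youtube entry keeps the "Sunny Valley Networks" label while its URL is @zenarmor. After the change, Company Website and Product Website both list https://www.zenarmor.com, so one of the two entries is redundant.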

@ -6,20 +6,20 @@ Due to the nature of deep packet analysis and detailed drill-down reporting func
**Note**
With the Sensei 1.5 release, you can offload your reporting database to an external system. This allows you to be able to run Zenarmor on systems with a constrained amount of RAM.
With the Sensei 1.5 release, you can offload your reporting database to an external system. This allows you to run Zenarmor on systems with a constrained amount of RAM.
It is recommended that you check if your Ethernet adapter functions well with netmap.
It is recommended that you check if your Ethernet adapter functions well with Netmap.
-------------
CPU & Memory
-------------
Because the analytics module relies on Elasticsearch to process large amounts of data, the amount of the memory available in the system is crucial for the overall performance of Zenarmor.
Because the analytics module relies on Elasticsearch to process large amounts of data, the amount of memory available in the system is crucial for the overall performance of Zenarmor.
**Tip**
If the number of active devices are more than 500 and the sustained WAN bandwidth is higher than 500 Mbps, we do not recommend deploying Zenarmor as a virtual guest since resources in virtual environments are generally shared between guest systems.
If the number of active devices is more than 500 and the sustained WAN bandwidth is higher than 500 Mbps, we do not recommend deploying Zenarmor as a virtual guest since resources in virtual environments are generally shared between guest systems.
Below is the recommended minimum hardware requirements for Zenarmor based on the number of devices and the amount of sustained bandwidth:
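Review bot: capitalising "Netmap" here is inconsistent with netmap(4), written lowercase in the Ethernet Adapter section of the same file; keep the man-page form. Also "Below is the recommended minimum hardware requirements" should be "Below are the recommended minimum hardware requirements".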
@ -35,7 +35,7 @@ Below is the recommended minimum hardware requirements for Zenarmor based on the
**Note**
Zenarmor requires at least 1 GB of memory. Installer will not continue if you have less than 1 GB of RAM. We recommend 8 GB memory to have an exceptional reporting experience with elasticsearch database.
Zenarmor requires at least 1 GB of memory. The installer will not continue if you have less than 1 GB of RAM. We recommend 8 GB memory to have an exceptional reporting experience with the elasticsearch database.
-----------------
Ethernet Adapter
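Review bot: "the elasticsearch database" should keep the product's capitalisation, Elasticsearch, as used in the CPU & Memory and Disk Space sections of this file.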
@ -43,7 +43,7 @@ Ethernet Adapter
Zenarmor uses a FreeBSD subsystem called `netmap(4) <https://www.freebsd.org/cgi/man.cgi?query=netmap&sektion=4>`_ to access raw Ethernet frames. With FreeBSD 11 (OPNsense version <= 20.1) this software can be very particular in terms of proper driver compatibility.
Intel based adapters, particularly em(4) and igb(4), are observed to perform well in terms of stability and performance.
Intel-based adapters, particularly em(4) and igb(4), are observed to perform well in terms of stability and performance.
Sunny Valley Networks is sponsoring developments on this project so you can expect netmap(4) will better support a wide range of Ethernet drivers.
@ -53,7 +53,7 @@ Disk Space
Zenarmor uses `Elasticsearch <https://en.wikipedia.org/wiki/Elasticsearch>`_ or `MongoDB <https://www.mongodb.com/>`_ as its backend to store large data sets. Please allow at least 5 MB of disk space per hour per megabit/second throughput.
If you're running a 100 Mbps link \(about 100 users\) which is quite active during the daytime and idle rest of the day, you may calculate the space needed as follows:
If you're running a 100 Mbps link \(about 100 users\) that is quite active during the daytime and idle the rest of the day, you may calculate the space needed as follows:
.. code-block:: none
@ -61,4 +61,4 @@ If you're running a 100 Mbps link \(about 100 users\) which is quite active duri
6 GB x 7 days a week = 42 GB per week.
42 x 4 weeks a month = 164 GB per month.
As of `version 0.7.0 <https://www.sunnyvalley.io/docs/support/release-notes#07>`_, Zenarmor expires old report data to free up disk space for the most recent data based on the configured number of days of history to keep.
As of `version 0.7.0 <https://www.zenarmor.com/docs/support/release-notes#07>`_, Zenarmor expires old report data to free up disk space for the most recent data based on the configured number of days of history to keep.
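Review bot: the unchanged context line "42 x 4 weeks a month = 164 GB per month" has an arithmetic error: 42 x 4 = 168 GB. Worth correcting while this file is being touched.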

@ -7,16 +7,16 @@ Zenarmor (Sensei): Installing via Web Interface
**Note**
Zenarmor Free Edition is **forever free-of-charge**. We strongly recommend you register to keep in touch with updates and new features. You can register at `https://www.sunnyvalley.io/open-source-firewalls <https://www.sunnyvalley.io/open-source-firewalls>`_
Zenarmor Free Edition is **forever free-of-charge**. We strongly recommend you register to keep in touch with updates and new features. You can register at `https://www.zenarmor.com/zenarmor-next-generation-firewall <https://www.zenarmor.com/zenarmor-next-generation-firewall>`_
Zenarmor may be installed using the web interface in OPNsense or using the command line interface via SSH or local system access (see :doc:`zenarmor_cmd_install`). The preferred method is the web interface because the process of installing plugins in OPNsense is simple and Zenarmor requires the use of the web interface to complete the initial configuration after installation.
Zenarmor may be installed using the web interface in OPNsense or using the command line interface via SSH or local system access (see :doc:`zenarmor_cmd_install`). The preferred method is the web interface because the process of installing plugins in OPNsense is simple, and Zenarmor requires the use of the web interface to complete the initial configuration after installation.
To install plugins in OPNsense, you must use an account with administrative access.
.. Note::
Before installing Zenarmor, you should ensure you meet the minimum system requirements in order to run Zenarmor or to have the best user experience. See :doc:`zenarmor_hardwarerequirements` for more information.
Before installing Zenarmor, you should ensure you meet the minimum system requirements in order to run Zenarmor or have the best user experience. See :doc:`zenarmor_hardwarerequirements` for more information.
----------------------------
Web Interface Installation
@ -61,7 +61,7 @@ To start the "Initial Configuration Wizard":
2- Hardware Check
....................
Your hardware will be analyzed to ensure it meets the minimum requirements. You will receive one of following responses: compatible hardware, low-end hardware, incompatible hardware. The setup will not continue if you have incompatible hardware.
Your hardware will be analyzed to ensure it meets the minimum requirements. You will receive one of the following responses: compatible hardware, low-end hardware, incompatible hardware. The setup will not continue if you have incompatible hardware.
.. image:: images/zenarmor-wizard-hardware-high-end.png
:width: 100%
@ -84,7 +84,7 @@ Your hardware will be analyzed to ensure it meets the minimum requirements. You
3- Reporting Database
......................
* Select the database you wish to use for reporting. High end systems will have 3 options, while low end systems only have 2 options.
* Select the database you wish to use for reporting. High-end systems will have 3 options, while low-end systems only have 2 options.
.. Warning::
@ -138,7 +138,7 @@ The engine processes the request, queries the **“Sunny Valley Network (SVN) Cl
Cloud Threat Intel settings let you:
* Enable/Disable the “Cloud Reputation & Web Categorization” engine
* Set local domain name you wish to be excluded from cloud queries
* Set the local domain name you wish to be excluded from cloud queries
* Select the fastest Cloud Reputation Servers which are used for queries
.. image:: images/zenarmor-wizard-cloud-reputation.png
@ -159,7 +159,7 @@ Cloud Threat Intel settings let you:
* **Automatically Update Databases and Threat Intelligence Data:** Checks automatically for the updates and creates a notification on the Zenarmor “Status” page.
* **Enable Generation of Support Data:** If enabled, Zenarmor collects supporting data during unusual events and crashes. You can share this data when opening a ticket with us.
* **Max Swap Utilization:** You may specify how much swap space Zenarmor may utilize when the system is low on memory. It is recommended that you do not set this value too high. Otherwise, system performance may suffer.
* **Health Check:** If enabled, "Health Check" monitors the system's memory, CPU, disk usage and core services if they're working correctly, and raises alerts if anything goes wrong. "Health Check" also stops the appropriate services if they're consuming excessive system resources.
* **Health Check:** If enabled, "Health Check" monitors the system's memory, CPU, disk usage, and core services if they're working correctly, and raises alerts if anything goes wrong. "Health Check" also stops the appropriate services if they're consuming excessive system resources.
* **Help Sunny Valley Improve Its Products and Services:** If enabled, general system information is submitted to Sunny Valley to help improve the future development of Zenarmor.
.. image:: images/zenarmor-wizard-updates-health-check.png
