Merge branch 'opnsense:master' into ipv6fb

source/CE_releases.rst

@@ -8,7 +8,7 @@ Community Edition
     :width: 600px
     :align: center
 
-As of January 2015 there have been *260* releases leading to the latest version *23.7*
+As of January 2015 there have been *262* releases leading to the latest version *23.7.2*
 named "Restless Roadrunner".
 
 

source/manual/dynamic_dns.rst

@@ -31,14 +31,14 @@ Option                  Description
 ======================= =======================================================================================================================================================================
 Enable                  Enable the client
 Interval                The number of seconds address changes will be queried
-Backend                 Select the backend to use, either ddclient or the new OPNsense implementation
+Backend                 Select the backend to use, either "ddclient" or "native"
 ======================= =======================================================================================================================================================================
 
 .. Note::
 
-      With :code:`ddlient` developments sunsetting [`* <https://github.com/ddclient/ddclient/issues/528>`__]  we decided to offer an alternative written
-      in python. Selecting the OPNsense backend changes the implementation. If your service is supported, we do advice to try out the
-      new implementation.
+      With :code:`ddlient` developments sunsetting [`* <https://github.com/ddclient/ddclient/issues/528>`__] we decided to offer an alternative written in
+      Python. Selecting the native backend replaces the employed implementation. If your service is supported, we do advice to try out the new native backend
+      which also offers support for custom HTTP requests.
 
 Accounts
 ---------------------------

source/manual/how-tos/carp.rst

@@ -3,7 +3,6 @@
 Configure CARP
 ==============
 
-
 --------
 Overview
 --------
@@ -118,8 +117,8 @@ The backup server needs its own dedicated addresses, we will use these:
 .. Note::
     Per default the dropdown menu for subnet mask only fits for IPv4
     addresses (up to 32). If you want to add an IPv6 CARP address,
-    write you v6 address and the dropdown list will auto-update to  
-    itself up to 128.
+    write your IPv6 address and the dropdown list will auto-update  
+    to 128. :ref:`Configuring CARP with IPv6 <configuring-carp-with-ipv6>`
     
 Because we are going to synchronize firewall settings between both
 hosts, we only need to make sure that the pfSync interface can accept
@@ -300,6 +299,125 @@ these steps:
 With these steps you will not lose too many packets and your existing connection will be transferred as well.
 Also note that entering persistent mode survives a reboot.
 
+.. _configuring-carp-with-ipv6:
+--------------------------
+Configuring CARP with IPv6
+--------------------------
+
+.. Warning:: 
+    Please read all the above steps before attempting to configure IPv6 CARP VIPs. This section is complementry. Some important details are omitted for a more focused approach.
+
+.. Note::
+    * An example ISP provided you the following:
+    * IPv6 network: ``2001:db8:1234::/48``
+    * Transfer network: ``2001:db8:1234::/64``
+    * Upstream gateway: ``2001:db8:1234::/64``
+    * Static route: ``2001:db8:1234::/48`` next hop ``2001:db8:1234::7/64``
+    
+.. Note::
+    * Firewall rules have to permit *Protocol: CARP* with *TCP/IP Version: IPv6* on all interfaces with CARP IPv6 VIPs.
+    
+.. rubric:: Master
+    :name: master
+
+Go to interfaces, make sure you have these interfaces assigned and setup the following addresses and subnets:
+    
++-----+---------------------------+
+| WAN | ``2001:db8:1234::1/64``   |
++-----+---------------------------+
+| LAN | ``2001:db8:1234:1::1/64`` |
++-----+---------------------------+
+
+.. rubric:: Backup
+    :name: backup
+
+The backup server needs its own dedicated addresses, we will use these:
+
++-----+---------------------------+
+| WAN | ``2001:db8:1234::2/64``   |
++-----+---------------------------+
+| LAN | ``2001:db8:1234:1::2/64`` |
++-----+---------------------------+
+
+-----------------------------------------
+Setup Virtual IPv6 Global Unicast Address
+-----------------------------------------
+
+On the master node we are going to setup our Virtual IPv6 global unicast address, which
+will also be added to the backup node with a higher skew after synchronisation. 
+Go to :menuselection:`Interfaces --> Virtual IPs` and add a new one with the following
+characteristics:
+
++-------------------------+------------------------------------+
+| Type                    | Carp                               |
++-------------------------+------------------------------------+
+| Interface               | WAN                                |
++-------------------------+------------------------------------+
+| IP addresses            | ``2001:db8:1234::7/64``            |
++-------------------------+------------------------------------+
+| Virtual password        | opnsense (the example uses this)   |
++-------------------------+------------------------------------+
+| VHID Group              | 2                                  |
++-------------------------+------------------------------------+
+| Advertising Frequency   | Base 1 / Skew 0                    |
++-------------------------+------------------------------------+
+| Description             | VIP WAN IPv6                       |
++-------------------------+------------------------------------+
+
+.. Tip::
+    ``2001:db8:1234::7/64`` should be the IP where the static route of your provider points to.
+.. Warning::
+    Use a free VHID Group for each additional CARP VIP. Don't use the same VHID Group twice.
+
+-------------------------------------
+Setup Virtual IPv6 Link Local Address
+-------------------------------------
+
+On the master node we are going to setup our Virtual IPv6 link local address, which
+will also be added to the backup node with a higher skew after synchronisation. 
+Go to :menuselection:`Interfaces --> Virtual IPs` and add a new one with the following
+characteristics:
+
++-------------------------+------------------------------------+
+| Type                    | Carp                               |
++-------------------------+------------------------------------+
+| Interface               | LAN                                |
++-------------------------+------------------------------------+
+| IP addresses            | ``fe80::/64``                      |
++-------------------------+------------------------------------+
+| Virtual password        | opnsense (the example uses this)   |
++-------------------------+------------------------------------+
+| VHID Group              | 4                                  |
++-------------------------+------------------------------------+
+| Advertising Frequency   | Base 1 / Skew 0                    |
++-------------------------+------------------------------------+
+| Description             | VIP LAN IPv6                       |
++-------------------------+------------------------------------+
+
+.. Warning::
+    * All IPv6 CARP VIPs on LAN interfaces should be ``/64`` Link Local Addresses.
+    * Don't use Global Unicast Addresses, many devices ignore them as IPv6 Gateway.
+    
+.. Tip::
+    * Even though you can use ``fe80::/64`` for each additional LAN interface, it's advisable to use *IPv6 addresses with IPv4 embedded* (RFC 4291 - Section 2.5.5). 
+    * Example: If there is a LAN interface with the IPv4 CARP VIP ``192.168.1.1/24``, you could use ``fe80::192:168:1:1/64`` as the link local address. It would help with readability, because hosts in that network would have the IPv4 Gateway as ``192.168.1.1`` and the IPv6 Gateway as ``fe80::192:168:1:1``.
+
+--------------------------
+Setup Router Advertisments
+--------------------------
+
+.. rubric:: WAN
+    :name: WAN
+
+* Go to :menuselection:`Services --> Router Advertisments` and select the WAN interface.
+* Make sure *Router Advertisements* is set to *Disabled*
+
+.. rubric:: LAN
+    :name: LAN
+
+* Go to :menuselection:`Services --> Router Advertisments` and select the LAN interface.
+* Change the *Source Address* from *automatic* to *VIP LAN IPv6 (fe80::/64)*.
+
 ---------
 Resources
 ---------

source/manual/how-tos/haproxy.rst

@@ -1,213 +0,0 @@
-=======
-HAProxy
-=======
-
-------------
-Installation
-------------
-
-First of all, you have to install the HAProxy plugin (os-haproxy) from the
-plugins view.
-
-.. image:: ../images/menu_plugins.png
-
--------------------------------------
-First Step: Configure Backend Servers
--------------------------------------
-
-.. image:: images/haproxy_servers.png
-
-On the "Servers" page, click `+` to open a dialog to create a new server.
-A server consist of a name, IP and port.
-Create an entry for every Server you want to load balance.
-
-.. image:: images/haproxy_edit_server.png
-
-For a HTTP Backend, configure like this:
-
-========================== ===========================
-**Name**                   Name of this server
-**Description**            Keep it empty
-**FQDN or IP**             Enter the IP of your Server
-**Port**                   Port of the Server
-**SSL**                    Keep the default (disabled)
-**Verify SSL Certificate** Keep the default (checked)
-**SSL Verify CA**          Keep the default (empty)
-========================== ===========================
-
---------------------------------
-Second Step: Configure a Backend
---------------------------------
-
-Now, as we have the backend services,
-we can build a backend by combining them to groups of
-servers, which will serve the same service.
-For example if you are hosting a Webservice and want to
-scale horizontally, every server in the cluster will be
-a "Server", but they will be combined to a so called
-"Backend", so HAProxy can load balance between them.
-
-To create a new Backend, click the `+`.
-
-
-.. image:: images/haproxy_backends.png
-
-And fill out the form:
-
-.. image:: images/haproxy_edit_backend.png
-
-.. Note::
-    The "Balancing Algorithm" field is important to care about as many
-    web applications depend on a state.
-    For example, if your web application stores session data on a local
-    disk, you may get some trouble when using an algorithm like Round
-    Robin. In such a case, the request of the same client always needs
-    to be sent to the same backend servers.
-    For example by default PHP stores session data in files while Ruby
-    on Rails stores session information in a cookie by default.
-    Please look up your web framework documentation for information how
-    this is handled. Consider writeing files as problematic as well if
-    there is no shared storage.
-
-======================= ===============================================
-**Enabled**             Enable the Backend (checked)
-**Name**                Enter a name for the Backend
-**Description**         Enter an optional description
-**Mode**                Select the mode HTTP as this is an HTTP backend
-**Balancing Algorithm** Select an load balancing algorithm
-**Servers**             Select the previously configured servers
-======================= ===============================================
-
---------------------------------
-Third Step: Configure Conditions
---------------------------------
-
-In this step an Condition will has to be created which is later used to decide
-which traffic from a frontend belongs to which backend.
-
-To create a new Condition, you have to go to "Rules & Checks -> Conditions" 
-and create one by clicking the `+` button:
-
-(Picture is from Previous Version but it still looks as good as the same)
-
-.. image:: images/haproxy_acls.png
-
-In the open modal dialog, the following form will show up:
-
-.. image:: images/haproxy_edit_acl.png
-
-==================== ================================================
-**Name**             Choose a name for this Condition
-**Description**      Keep it empty or choose one for your information
-**Expression**       Select "Host contains"
-**Negate condition** Keep it unchecked
-**Value**            Enter the (partial) hostname to compare
-==================== ================================================
-
-Click "Save changes".
-
----------------------------------------
-Fourth Step: Configure an Rule
----------------------------------------
-
-As promised in the previous step, the Conditions will be used. 
-A Rule can use multiple conditions to decide which Rule is going to be used.
-To create a new Rule, you have to go to "Rules & Checks -> Rules" 
-and create one by clicking the `+` button:
-
-(Picture is from Previous Version but it still looks as good as the same)
-
-.. image:: images/haproxy_actions.png
-
-A form dialog opens and we can fill it out like the following:
-
-(Picture is from Previous Version but it still looks as good as the same)
-
-.. image:: images/haproxy_edit_action.png
-
-.. Note::
-    You can map multiple Hostnames to the same Backend by adding multiple
-    ACLs and choosing the logical operator "OR".
-
-==================== ===================================
-**Name**             Choose a name for this Action
-**Description**      You can add an optional description
-**Test Type**        Keep it at the default ("IF")
-**Select ACLs**      Select the ACLs to be used
-**Logical operator** Keep the default ("AND")
-**Choose action**    Choose "Use Backend"
-**Use Server**       Keep the default ("none")
-==================== ===================================
-
--------------------------------
-Fifth Step Configure a frontend
--------------------------------
-
-Now its nearly done. The only thing that needs to be configured for HAProxy
-is a Public Service.
-A Public Service is a a group of bound ports which are used for incoming connections.
-From this Public Service we need to know which backend the request will routed to.
-For this, the previously configured action is needed.
-If you got multiple domains with the same port on one IP, you differentiate them with rules! 
-Don't create multiple Public Services. For example, if you only want to forward example.org:80 and example.com:80, just create one Public Service. If you want to forward example.org:80, example.org:443, example.com:80, and example.com:443, create only two Public Services, one for port 80 (example.org and example.com) and one for port 443 (example.org and example.com).
-
-To create a new Public Service, click the `+` button:
-
-(Picture is from Previous Version but it still looks as good as the same)
-
-.. image:: images/haproxy_frontends.png
-
-The following modal dialog opens and the frontend can be set up:
-
-.. image:: images/haproxy_edit_frontend.png
-
-.. Warning::
-    If you configure a port that is already in use, the configuration test
-    will be successful but the start of HAProxy will fail silently.
-    Please ensure that the used port is free - especially if the number
-    conflicts with the web configuration of OPNsense.
-
-    
-General Settings
-================
-
-=================== ===========================================================================
-**Enabled**          Checked
-**Name**             Use any name
-**Description**      You may keep it empty
-**Listen Address**   Enter one or more host:port combinations, use 0.0.0.0:80 for HTTP via IPv4
-**Type**             Choose HTTP / HTTPS
-**Default Backend**  Keep the default of "None"
-=================== ===========================================================================
-
-Advanced settings
-=================
-
-Enbable the X-Forwarded-For-header so the backend will know the real IP of
-the client.
-
-Actions (ACLs)
-==============
-
-Here you have to activate the previously configured actions, so HAProxy
-is going to operate based due the rules/conditions.
-
-All other Options
-=================
-
-Keep all other options at the default
-
-----------------------------
-Sixth step: Enable and start
-----------------------------
-
-This is the last step - on the General tab, we will enable the service
-after a config test.
-
-.. image:: images/haproxy_general.png
-
-For that, the "Enable HAProxy" checkbox needs to be checked.
-
-On this screen, check "Enable HAProxy" and click "Apply".
-If everything went OK HAProxy will start.
-Now you need to configure firewall rules for accessing your HAProxy instance.

source/manual/how-tos/haproxy_howtos.rst

@@ -1,85 +0,0 @@
-HAProxy How-Tos
-===============
-
-Redirect Root directory
------------------------
-
-Create a condition:
-
-.. image:: images/haproxy_root_path_condition.png
-
-============== ==============
-name           root
-Condition type Path matches
-Path matches   /
-============== ==============
-
-Create a Rule:
-
-.. image:: images/haproxy_forward_to_dir_rule.png
-
-======================= ===================================================
-name                    forward_to_dir
-Test type               IF
-conditions              root
-Logical ops             none
-Execute function        http-request redirect
-HTTP Redirect parameter code 301 location http://www.example.net/directory/
-======================= ===================================================
-
-Please note that 301 is for a permanent redirect. If you want to do it teporary,
-you will have to use another status code.
-
-
-
-Under Public Services edit your frontend and add "forward_to_dir" to Select Rules.
-
-.. image:: images/haproxy_forward_to_dir_service.png
-
-
-Add Basic Authentication to a Service
--------------------------------------
-
-I have a Webapplication which have to be exposed to the outside and doesn't allow authentication.
-So HAProxy with basic auth would be just fine to get a mininum of security.
-
-* Go to "Rules & Conditions" - "Conditions" and Add a new one:
-
-.. image:: images/haproxy_condition_add_authentication.png
-
-=================== =================
-name                choose a name
-Condition type      Custom
-option pass-through http_auth(admins)
-=================== =================
-
-* Add a rule:
-
-.. image:: images/haproxy_edit_rule_authentication.png
-
-================ =================================
-name             a name for your rule
-Test type        UNLESS
-condition        select the previously created one
-Logical operator none
-Execute function http-request auth"
-================ =================================
-
-* Go to your frontend and add the ACL to it.
-
-.. image:: images/haproxy_frontend_add_authentication.png
-
-
-* Go to :menuselection:`Settings --> Global Parameters`, enable the advanced mode (top left), and add your users to configuration
-  via the "Custom options"
-
-.. image:: images/haproxy_settings_global_params_auth.png
-
-
-.. code-block:: none
-
-    userlist admins
-    user test1 insecure-password pw1
-    user test2 insecure-password pw2
-
-

source/manual/how-tos/ips-bypass.rst

@@ -0,0 +1,69 @@
+=============================================
+IPS Bypass local traffic from inspection
+=============================================
+
+.. Note:: This tutorial explains how to bypass traffic between local attached networks. Following this tutorial will result in traffic only being inspected between external (WAN) networks and internal (LAN) networks. With bypass enabled, routing performance is improved significantly between local networks while IPS is used. 
+.. Tip:: If you only have 1 interface selected in Intrusion Detection, you don't have to follow this tutorial. There won't be any performance benefit.
+.. Warning:: Traffic between local networks won't be inspected anymore, so use this with care!
+
+-------------
+Prerequisites
+-------------
+
+- Some features described on this page were added in the latest version. Always keep your system up to date.
+- Intrusion Detection should be **enabled** and **IPS mode** selected. 
+- Only **internal networks** should be selected in **Interfaces** (LAN, OPT1 etc..), **not the WAN interface**.
+
+-----------------
+Create new Rules
+-----------------
+
+To start go to :menuselection:`Services --> Intrusion Detection --> Administration` and select the tab :menuselection:`User defined`.
+
+Select **+** to add a new rule.
+
+- Input the **Source IP** with CIDR-Suffix, e.g. ``10.0.0.0/8``
+- Input the **Destination IP** with CIDR-Suffix, e.g. ``10.0.0.0/8``
+- Select the **Action** as *Pass*
+- Enable the **Bypass** checkbox
+- Set the **Description** as "Bypass net 10.0.0.0 to 10.0.0.0"
+
+Select **+** or **clone** to create additional new rules.
+
+* Repeat the above steps to create rules between each of the RFC1918 Private IPv4 subnets, ``192.168.0.0/16``, ``172.16.0.0/12``, ``10.0.0.0/8``. Don't forget to adjust the description.
+
+.. Note:: The finished ruleset for IPv4 should include the following rules:
+    
+    ==================  ==================  ==========  ==========  ======================================
+    **Source IP**       **Destination IP**  **Action**  **Bypass**  **Description**
+    ==================  ==================  ==========  ==========  ======================================
+    10.0.0.0/8          10.0.0.0/8          Pass            X       Bypass net 10.0.0.0 to 10.0.0.0
+    10.0.0.0/8          172.16.0.0/12       Pass            X       Bypass net 10.0.0.0 to 172.16.0.0
+    10.0.0.0/8          192.168.0.0/16      Pass            X       Bypass net 10.0.0.0 to 192.168.0.0
+    172.16.0.0/12       10.0.0.0/8          Pass            X       Bypass net 172.16.0.0 to 10.0.0.0
+    172.16.0.0/12       172.16.0.0/12       Pass            X       Bypass net 172.16.0.0 to 172.16.0.0
+    172.16.0.0/12       192.168.0.0/16      Pass            X       Bypass net 172.16.0.0 to 192.168.0.0
+    192.168.0.0/16      10.0.0.0/8          Pass            X       Bypass net 192.168.0.0 to 10.0.0.0
+    192.168.0.0/16      172.16.0.0/12       Pass            X       Bypass net 192.168.0.0 to 172.16.0.0
+    192.168.0.0/16      192.168.0.0/16      Pass            X       Bypass net 192.168.0.0 to 192.168.0.0
+    ==================  ==================  ==========  ==========  ======================================
+    
+.. Tip::
+
+    - If you use IPv6 - e.g. with *Track Interface* or *Static IPv6* - create an additional rule. 
+    - You can find your *IPv6 prefix* in :menuselection:`Interfaces --> Overview --> WAN` - e.g ``2001:db8:a:aa00::/56``.
+    - You only have to create 1 rule, because all of the *Track IPv6 Interface - IPv6 Prefix ID* networks - e.g. ``2001:db8:a:aa01::/64``, ``2001:db8:a:aa02::/64`` - are already included in the ``/56`` Prefix.
+    - Please note that this only works if your Prefix is static.
+
+-------------------
+Apply configuration
+-------------------
+
+Apply the configuration by pressing the **Apply** button at the bottom of
+the form.
+
+-------------------
+External Resources
+-------------------
+- https://docs.suricata.io/en/suricata-6.0.0/rules/bypass-keyword.html
+- https://docs.suricata.io/en/suricata-6.0.0/performance/ignoring-traffic.html

source/manual/ips.rst

@@ -207,12 +207,25 @@ properties available in the policies view.
 
 
 
+
+User defined rules
+---------------------
+
+Most of the rules being used on your IDPS system will be supplied by third party vendors like Proofpoint,
+but in some cases it can be convenient to build some (limited) rules yourself. The "User defined" tab offers
+this functionality.
+
 Fingerprinting
---------------
+...........................
 
 OPNsense includes a very polished solution to block protected sites based on
 their SSL fingerprint. You can manually add rules in the "User defined" tab.
 
+Bypassing the engine
+...........................
+
+The :code:`Bypass` toggle offers the ability to skip traffic inspection, our How-tos section
+contains a good example to exclude local traffic passing your network and increase routing performance.
 
 Alerts
 ------
@@ -335,3 +348,4 @@ How-tos
 
    how-tos/ips-feodo
    how-tos/ips-sslfingerprint
+   how-tos/ips-bypass

source/manual/reverse_proxy.rst

@@ -207,7 +207,6 @@ Basic Reverse Proxy Setup
 -------------------------
 * :doc:`how-tos/nginx`
 * :doc:`how-tos/nginx_streams`
-* :doc:`how-tos/haproxy`
 * :doc:`how-tos/mailgateway`
 
 

source/manual/vpnet.rst

@@ -445,6 +445,25 @@ OPNsense are  :doc:`grouped <firewall_groups>` as `OpenVPN`.
     devices and use them in a similar fashion as physical interfaces.
 
 
+.................................
+High availability [CARP]
+.................................
+
+When operating an OpenVPN server, there's not much needed to allow an active/passive setup for your environment other then
+using a virtual (CARP) address. As the server will stop receiving traffic when the virtual address doesn't it,
+the backup will eventually become out of service automatically.
+
+In client mode, the OpenVPN instance needs to stop trying to reconnect when it's not in :code:`MASTER` mode, the legacy
+client module shutsdown all instances directly attached to the interface. Our new instances module allows to select
+the :code:`vhid` to track. In most cases an explicit bind isn't needed for a client, the default for a client is to
+use the :code:`nobind` option.
+
+.. Note::
+  It's not possible to move between machines fully seamless  as the client will have to reconnect in order to reach a
+  valid state again.
+
+
+
 .................................
 Examples
 .................................

source/manual/wazuh-agent.rst

@@ -0,0 +1,177 @@
+==========================
+Wazuh Agent
+==========================
+
+--------------------------------------
+Introduction
+--------------------------------------
+
+`Wazuh <https://wazuh.com/>`__ is an open source unified XDR (Extended Detection and Response) and SIEM (Security Information en Event Management)
+system capable of offering protection for endpoints and cloud workloads.
+
+The Wazuh architecture is based on agents, running on the monitored endpoints, which collect information and are capable of
+executing active responses directed by the manager.
+
+The goal of this plugin is to offer an easily installable plugin to connect to the Wazuh manager.
+
+.. Note::
+  The scope of Wazuh on OPNsense is only to offer configurable agent support. We do not plan nor advise to run the Wazuh
+  central components on OPNsense. Detailed information on how to install these on supported platforms are available directly from the
+  `Wazuh website <https://documentation.wazuh.com/current/installation-guide/index.html>`__
+  or you can use their cloud based offering available `here <https://wazuh.com/cloud/>`__
+
+
+.. Warning::
+  This plugin is provided "as-is" and with very limited [tier 3] community support from the OPNsense team. Using a SIEM/XDR system
+  requires knowledge which usually is out of the (free) community support scope.
+
+
+--------------------------------------
+Installation
+--------------------------------------
+
+Installation of this plugin is rather easy, go to :menuselection:`System --> Firmware --> Plugins` and search for **os-wazuh-agent**,
+use the [+] button to install it.
+
+Next go to :menuselection:`Services --> Wazuh Agent --> Settings` to configure the service.
+
+
+.. Tip::
+    When the ossec log offers too limited insights when debugging issues, try to increase the debug level. You can find this setting under
+    General settings when "advanced mode" is enabled.
+
+--------------------------------------
+Connecting the agent
+--------------------------------------
+
+To connect the agent to the manager, just fill in a hostname under **General Settings/Manager hostname**, make sure
+the agent is marked enabled and optionally specify a connect password under **Authentication/Password**.
+
+Next go to the manager to see if the agent registered itself.
+
+
+--------------------------------------
+Selecting which logs to ingest
+--------------------------------------
+
+Our Wazuh agent plugin supports syslog targets like we use in the rest of the product, so if an application sends
+its feed to syslog and registers the application name as described in our `development documentation <https://docs.opnsense.org/development/backend/legacy.html#syslog>`__
+it can be selected to send to Wazuh as well.
+
+For Intrusion detection we can send the events as well using the same (eve) datafeed used in OPNsense, just mark the
+**Intrusion detection events** in the general settings.
+
+.. Note::
+  Wazuh only supports `rfc3164 <https://datatracker.ietf.org/doc/html/rfc3164>`__ formatted syslog messages, for that reason
+  we record a copy of the requested events into a file named :code:`/var/ossec/logs/opnsense_syslog.log` using that format.
+
+
+--------------------------------------
+Installing custom ossec.conf entries
+--------------------------------------
+
+Some Wazuh modules are directly selectable from the gui, but when a feature is needed, which is not offered in the
+plugin, it's possible to add static sections manually.
+
+You can add these in :code:`/usr/local/opnsense/service/templates/OPNsense/WazuhAgent/ossec_config.d/`, for example, to
+add a custom json feed, add a file containing the following content in there:
+
+.. code-block:: xml
+  :linenos:
+  :caption: /usr/local/opnsense/service/templates/OPNsense/WazuhAgent/ossec_config.d/099-my-feed.conf
+
+  <localfile>
+    <log_format>json</log_format>
+    <location>/path/to/my/file.json</location>
+  </localfile>
+
+
+--------------------------------------
+Use active responses
+--------------------------------------
+
+Wazuh supports `active responses <https://documentation.wazuh.com/current/user-manual/capabilities/active-response/index.html>`__
+so the manager can direct defensive actions when needed. The plugin ships with one action named :code:`opnsense-fw` to
+drop traffic from a specified source address.
+
+.. Note::
+
+  The opnsense-fw action is stateful and can add and delete addresses from the firewall, more context on these type
+  of actions can be found in the `Wazuh <https://documentation.wazuh.com/current/user-manual/capabilities/active-response/custom-active-response-scripts.html>`__
+  documentation.
+
+
+To use this action, you need to add some configuration in the manager, starting with the definition of this action.
+
+.. code-block:: xml
+  :linenos:
+  :caption: /var/ossec/etc/ossec.conf
+
+  <ossec_config>
+    <command>
+      <name>opnsense-fw</name>
+      <executable>opnsense-fw</executable>
+      <timeout_allowed>yes</timeout_allowed>
+    </command>
+  </ossec_config>
+
+After which you can use it in active-response rules, like this:
+
+.. code-block:: xml
+  :linenos:
+  :caption: /var/ossec/etc/ossec.conf
+
+  <ossec_config>
+    <active-response>
+      <disabled>no</disabled>
+      <command>opnsense-fw</command>
+      <location>defined-agent</location>
+      <agent_id>001</agent_id>
+      <rules_id>100201</rules_id>
+      <timeout>180</timeout>
+    </active-response>
+  </ossec_config>
+
+
+The official `documentation <https://documentation.wazuh.com/current/user-manual/capabilities/active-response/how-to-configure.html>`__
+contains more information about the options available.
+
+.. Tip::
+  Active responses are logged into :menuselection:`Services --> Wazuh Agent --> Logfile / active-responses`, including
+  the messages received from the manager.
+
+
+To quickly test if an active-response can be executed on the agent, we advise to use the API console under :menuselection:`Wazuh --> Tools --> API console`.
+Executing the :code:`opnsense-fw` command for address :code:`172.16.1.30` on agent :code:`001` can be done using:
+
+.. code-block:: xml
+  :linenos:
+
+  PUT /active-response?agents_list=001
+  {
+    "command": "!opnsense-fw",
+    "custom": false,
+    "alert": {
+      "data": {
+        "srcip": "172.16.1.30"
+      }
+    }
+  }
+
+
+.. Tip::
+
+  Wazuh offers quite some `proof of concept <https://documentation.wazuh.com/current/proof-of-concept-guide/index.html>`__ documents and blog posts,
+  like `this <https://wazuh.com/blog/responding-to-network-attacks-with-suricata-and-wazuh-xdr/>`__
+  document explaining how Suricata and Wazuh can be combined to respond to detected threats.
+
+--------------------------------------
+Test rule detection
+--------------------------------------
+
+In case log entries are being collected in :code:`/var/ossec/logs/opnsense_syslog.log` and no events are being collected
+in the Manager, it's usually a good idea to check how Wazuh processes these lines.
+
+The :menuselection:`Wazuh --> Tools --> Ruleset test` menu item in the manager offers an easy to use tool to inspect log
+events.
+

source/plugins.rst

@@ -58,8 +58,6 @@ Web
    manual/antivirus
    manual/how-tos/c-icap
    manual/how-tos/clamav
-   manual/how-tos/haproxy
-   manual/how-tos/haproxy_howtos
    manual/how-tos/nginx
    manual/how-tos/nginx_header_hardening
    manual/how-tos/nginx_hosting
@@ -83,6 +81,7 @@ Other
    manual/how-tos/mailgateway
    manual/git-backup
    manual/relayd
+   manual/wazuh-agent
 
 ----------------
 Reporting

source/releases/CE_23.7.rst

@@ -26,6 +26,118 @@ can be found below as well.
 * Full mirror list: https://opnsense.org/download/
 
 
+--------------------------------------------------------------------------
+23.7.2 (August 23, 2023)
+--------------------------------------------------------------------------
+
+
+Assorted improvements are being shipped with this release.  Of special
+note is the proper monitoring of down gateways which allows the new
+gateway watcher to see the gateway come back online when plugging a
+cable.  A Wazuh agent plugin was added and the ddclient plugin received
+new protocol support including AWS Route53 amongst others.
+
+Here are the full patch notes:
+
+* system: improve monitoring of down gateways
+* system: clear all /var/run directories on bootup
+* system: put lock()/unlock() back for legacy plugin compatibility
+* interfaces: fix special device name chars used in shell variables
+* interfaces: prevent IPv6 mismatches when using compressed format in VIP
+* interfaces: remove descriptive name from newwanip logging
+* interfaces: typo in MRU handling for PPP
+* interfaces: improve PPPoE MTU handling
+* interfaces: switch rtsold to -A mode
+* firewall: missing interface group registration on group creation
+* dhcp: improve UX of the new MVC lease pages
+* firmware: remove defunct mirror "Dept. of CSE, Yuan Ze University"
+* intrusion detection: fix events originating from "int^" due to IPS mode use
+* ipsec: add colon to supported character list for pre-shared key IDs
+* ipsec: reqid should not stick when copying a phase 1
+* monit: fix empty timeout value (contributed by Michael Muenz)
+* openvpn: properly map user groups for authentication
+* openvpn: bring instances into server field
+* openvpn: fix separator for redirect-gateway attribute in instances and CSO
+* unbound: fixed configuration when custom blocks are used (contributed by Evgeny Grin)
+* plugins: os-ddclient 1.15 `[1] <https://github.com/opnsense/plugins/blob/stable/23.7/dns/ddclient/pkg-descr>`__ 
+* plugins: os-iperf adds rubygem-rexml dependency (contributed by Hannah Kiekens)
+* plugins: os-relayd 2.7 now supports newer upstream release of relayd
+* plugins: os-wazuh-agent 1.0 `[2] <https://docs.opnsense.org/manual/wazuh-agent.html>`__ 
+* src: remove if_wg from kernel modules to unbreak current wireguard-go use
+* src: axgbe: LED control for A30 platform
+* src: gif: revert in{,6}_gif_output() misalignment handling
+* src: igc: sync srrctl buffer sizing with e1000
+* src: ip_output: ensure that mbufs are mapped if ipsec is enabled
+* src: ixgbe: warn once for unsupported SFPs
+* src: ixgbe: add support for 82599 LS
+* src: ixl: add link state polling
+* src: ixl: port ice's atomic API to ixl
+* src: rss: set pin_default_swi to 0 by default
+* src: rtsol: introduce an 'always' script
+* ports: krb5 1.21.2 `[3] <https://web.mit.edu/kerberos/krb5-1.21/>`__ 
+* ports: openldap 2.6.6 `[4] <https://www.openldap.org/software/release/changes.html>`__ 
+* ports: openvpn 2.6.6 `[5] <https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn26#Changesin2.6.6>`__ 
+* ports: php 8.2.9 `[6] <https://www.php.net/ChangeLog-8.php#8.2.9>`__ 
+* ports: phalcon 5.3.0 `[7] <https://github.com/phalcon/cphalcon/releases/tag/v5.3.0>`__ 
+* ports: phpseclib 3.0.21 `[8] <https://github.com/phpseclib/phpseclib/releases/tag/3.0.21>`__ 
+* ports: py-dnspython 2.4.2
+
+
+
+--------------------------------------------------------------------------
+23.7.1 (August 08, 2023)
+--------------------------------------------------------------------------
+
+
+23.7 looks pretty good so far but no reason not to make it better.
+The MVC changes for DHCP, firewall groups, OpenVPN and Unbound receive
+several required fixes and the latest FreeBSD security advisories were
+added as well.
+
+Here are the full patch notes:
+
+* system: close boot file after probing to avoid lock inheritance
+* system: fix lock() inheriting the lock state
+* system: give more context in process kill error case since we operate PID numbers only
+* firewall: groups were not correctly parsed for menu post-migration
+* firewall: hide row command buttons for internal groups
+* firewall: add "ipv6-icmp" to protocol list in shaper
+* firewall: fix PHP warnings on the rules pages
+* dhcp: check if manufacturer exists for IPv4 lease page to prevent error
+* dhcp: use base16 for iaid_duid decode for IPv6 lease page to prevent error
+* dhcp: fix validation for static entry requirement
+* firmware: revoke 23.1 fingerprint
+* network time: support pool directive and maxclock (contributed by Kevin Fason)
+* openvpn: fix static key delete
+* openvpn: fix "mode" typo and push auth "digest" into export config
+* openvpn: fix race condition when using CRLs in instances
+* openvpn: remove arbitrary upper bounds on some integer values in instances
+* unbound: migration of empty nodes failed from 23.1.11 to 23.7
+* unbound: fix regression when disabling first domain override
+* mvc: fix empty item selection issue in BaseListField
+* plugins: os-ddclient 1.14 `[1] <https://github.com/opnsense/plugins/blob/stable/23.7/dns/ddclient/pkg-descr>`__ 
+* plugins: os-acme-client 3.19 `[2] <https://github.com/opnsense/plugins/blob/stable/23.7/security/acme-client/pkg-descr>`__ 
+* src: bhyve: fully reset the fwctl state machine if the guest requests a reset `[3] <FREEBSD:FreeBSD-SA-23:07.bhyve>`__ 
+* src: frag6: avoid a possible integer overflow in fragment handling `[4] <FREEBSD:FreeBSD-SA-23:06.ipv6>`__ 
+* src: amdtemp: Fix missing 49 degree offset on current EPYC CPUs
+* src: libpfctl: ensure the initial allocation is large enough
+* src: pf: handle multiple IPv6 fragment headers
+* ports: curl 8.2.1 `[5] <https://curl.se/changes.html#8_2_1>`__ 
+* ports: nss 3.92 `[6] <https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_92.html>`__ 
+* ports: openssl 1.1.1v `[7] <https://www.openssl.org/news/openssl-1.1.1-notes.html>`__ 
+* ports: perl 5.34.1 `[8] <https://perldoc.perl.org/5.34.1/perldelta>`__ 
+* ports: py-dnspython 2.4.1
+* ports: strongswan 5.9.11 `[9] <https://github.com/strongswan/strongswan/releases/tag/5.9.11>`__ 
+* ports: syslog-ng 4.3.1 `[10] <https://github.com/syslog-ng/syslog-ng/releases/tag/syslog-ng-4.3.1>`__ 
+
+A hotfix release was issued as 23.7.1_3:
+
+* firewall: do not clone "associated-rule-id"
+* network time: fix "Soliciting pool server" regression (contributed by Allan Que)
+* dhcp: fix IPv4 lease removal
+
+
+
 --------------------------------------------------------------------------
 23.7 (July 31, 2023)
 --------------------------------------------------------------------------

source/vendor/deciso/opnproxy.rst

@@ -23,6 +23,11 @@ Before installing and using this plugin, make sure your web proxy is configured
     or make sure the same username exists locally to map groups too.
 
 
+.. Warning::
+    Do not install other plugins or configuration files hooking into the proxy as these might interfere with the working
+    of the system.
+
+
 Installation
 ---------------------------
 
@@ -67,6 +72,26 @@ to import/add the users in OPNsense in order to user their authorisation setting
     (it's not possible to block no bump sites in full inspection mode)
 
 
+Transparant proxies
+---------------------------
+
+It is possible to use the proxy in transparant mode, but there are some constraints and ceveats to take into account when doing so.
+This paragraph tries to explain them one by one.
+
+* Using "Log SNI information only" is not supported in a useful way. As the browser is not aware of the proxy, it will request
+  access to an ip address in stead of a hostname. With full intercept mode, this is not really an issue as the next request will
+  be the actual question and does contain the hostname, but without interception, you can only filter on ip address which is often not very useful.
+* The client has to trust the CA which the proxy uses to automatically create certificates, which means all TLS requests will be signed by the firewall instead of the
+  actual trustee.
+* User based authentication is not possible, as the client doesn't know it's being intercepted, it's also not possible to
+  request a username and password. OPNproxy only supports basic authentication.
+
+
+.. Note::
+  When changing the "Log SNI information only"  option, you have to restart the proxy as well. As the apply button will not
+  reload the proxy in full.
+
+
 Authentication options
 ---------------------------
 

source/vendor/sunnyvalley/zenarmor.rst

@@ -5,9 +5,9 @@ Zenarmor (Sensei): Overview
 About
 ----------------------------
 
-Zenarmor is a plugin for the OPNsense firewall which provides state-of-the-art next generation features. Zenarmor is developed by Sunny Valley Networks (https://www.sunnyvalley.io)
+Zenarmor is a plugin for the OPNsense firewall which provides state-of-the-art next-generation features. Zenarmor is developed by Sunny Valley Networks (https://www.zenarmor.com)
 
-If you are running a L4 firewall (all open source firewalls fall into this category) and looking for features like Application Control, Network Analytics and TLS Inspection, Zenarmor is the product you're looking for.
+If you are running a L4 firewall (all open-source firewalls fall into this category) and looking for features like Application Control, Network Analytics, and TLS Inspection, Zenarmor is the product you're looking for.
 
 .. raw:: html
 
@@ -17,7 +17,7 @@ If you are running a L4 firewall (all open source firewalls fall into this categ
 Features
 ----------------------------
 
-Zenarmor empowers your firewall with the following next generation features:
+Zenarmor empowers your firewall with the following next-generation features:
 
 1. Application Control
 2. Cloud Application Control \(Web 2.0 Controls\)
@@ -27,9 +27,9 @@ Zenarmor empowers your firewall with the following next generation features:
 6. User-based Filtering and Reporting
 7. Active Directory Integration
 8. RESTful API
-9. Cloud based centralized management & Reporting
-10. Application / Web category based Traffic Shaping and Prioritization
-11. Policy based filtering and QoS
+9. Cloud-based centralized management & Reporting
+10. Application / Web-category-based Traffic Shaping and Prioritization
+11. Policy-based filtering and QoS
 12. Encrypted Threats Prevention
 13. All-ports full TLS Inspection \(for every TCP port, not just HTTPS\) *Coming soon*
 
@@ -50,7 +50,7 @@ User Manual
 You can get detailed *How to* documents from Zenarmor's Documentation Site located at https://www.zenarmor.com/docs/opnsense
 
 * `Dashboard <https://www.zenarmor.com/docs/opnsense/customizing-dashboard/dashboard>`_
-* `Status <https://www.zenarmor.com/docs/opnsense/customizing-dashboard/status>`_
+* `Status <https://www.zenarmor.com/docs/opnsense/customizing-dashboard/dashboard>`_
 * `Reports <https://www.zenarmor.com/docs/opnsense/reporting-analytics/reports-overview>`_
 * `Security <https://www.zenarmor.com/docs/opnsense/policies/security-rules>`_
 * `Application Control <https://www.zenarmor.com/docs/opnsense/policies/application-control-rules>`_
@@ -70,26 +70,26 @@ You may also submit bug reports by visiting the *Report Bug* page in the Zenarmo
 With its in-depth coverage, `Zenarmor Documentation <https://www.zenarmor.com/docs/opnsense>`_ is always available for reference.
 
 * `OPNsense Forum <https://forum.opnsense.org/index.php?board=38.0>`_
-* `Users' Manual <https://www.sunnyvalley.io/docs/opnsense>`_
+* `Users' Manual <https://www.zenarmor.com/docs/opnsense>`_
 
 **Premium Subscription Support**
 
 When you buy a Zenarmor Premium Subscription, you are entitled to Zenarmor Basic Support. Additional support plans are available on demand.
 
-* `Compare Support Plans <https://www.sunnyvalley.io/support-plans>`_
+* `Compare Support Plans <https://www.zenarmor.com/plans>`_
 * `Access Support Center <https://help.sunnyvalley.io/hc/en-us>`_
 
 **Support Options for Channel Partners**
 
 Sunny Valley Networks provides Tier 3 Support Options for Zenarmor Channel Partners. To learn more about them, please contact **sensei-partnership -at- sunnyvalley.io**.
 
-To become a partner, you may apply for partnership via https://www.sunnyvalley.io/apply-partnership .
+To become a partner, you may apply for a partnership via https://www.zenarmor.com/apply-partnership .
 
 **Connect via Social Media or Websites**
 
-* **Twitter**: `@sunnyvalley <https://twitter.com/sunnyvalley>`_
+* **Twitter**: `@zenarmor <https://twitter.com/zenarmor>`_
 * **Youtube**: `Sunny Valley Networks Hands-on videos <https://www.youtube.com/@zenarmor>`_
-* **Company Website**: https://www.sunnyvalley.io
+* **Company Website**: https://www.zenarmor.com
 * **Product Website**: https://www.zenarmor.com
 * **Zenconsole Cloud Management Portal**:  https://dash.zenarmor.com
-* **Sunny Valley Blog**: https://sunnyvalley.io/blog/
+* **Sunny Valley Blog**: https://www.zenarmor.com/blog

source/vendor/sunnyvalley/zenarmor_hardwarerequirements.rst

@@ -6,20 +6,20 @@ Due to the nature of deep packet analysis and detailed drill-down reporting func
 
  **Note**
  
-    With the Sensei 1.5 release, you can offload your reporting database to an external system. This allows you to be able to run Zenarmor on systems with a constrained amount of RAM. 
+    With the Sensei 1.5 release, you can offload your reporting database to an external system. This allows you to run Zenarmor on systems with a constrained amount of RAM. 
 
 
-It is recommended that you check if your Ethernet adapter functions well with netmap.
+It is recommended that you check if your Ethernet adapter functions well with Netmap.
 
 -------------
 CPU & Memory
 -------------
 
-Because the analytics module relies on Elasticsearch to process large amounts of data, the amount of the memory available in the system is crucial for the overall performance of Zenarmor.
+Because the analytics module relies on Elasticsearch to process large amounts of data, the amount of memory available in the system is crucial for the overall performance of Zenarmor.
 
 **Tip**
 
-    If the number of active devices are more than 500 and the sustained WAN bandwidth is higher than 500 Mbps, we do not recommend deploying Zenarmor as a virtual guest since resources in virtual environments are generally shared between guest systems.
+    If the number of active devices is more than 500 and the sustained WAN bandwidth is higher than 500 Mbps, we do not recommend deploying Zenarmor as a virtual guest since resources in virtual environments are generally shared between guest systems.
 
 Below is the recommended minimum hardware requirements for Zenarmor based on the number of devices and the amount of sustained bandwidth:
 
@@ -35,7 +35,7 @@ Below is the recommended minimum hardware requirements for Zenarmor based on the
 
  **Note**
  
-   Zenarmor requires at least 1 GB of memory. Installer will not continue if you have less than 1 GB of RAM. We recommend 8 GB memory to have an exceptional reporting experience with elasticsearch database. 
+   Zenarmor requires at least 1 GB of memory. The installer will not continue if you have less than 1 GB of RAM. We recommend 8 GB memory to have an exceptional reporting experience with the elasticsearch database. 
 
 -----------------
 Ethernet Adapter
@@ -43,7 +43,7 @@ Ethernet Adapter
 
 Zenarmor uses a FreeBSD subsystem called `netmap(4) <https://www.freebsd.org/cgi/man.cgi?query=netmap&sektion=4>`_ to access raw Ethernet frames. With FreeBSD 11 (OPNsense version <= 20.1) this software can be very particular in terms of proper driver compatibility. 
 
-Intel based adapters, particularly em(4) and igb(4), are observed to perform well in terms of stability and performance. 
+Intel-based adapters, particularly em(4) and igb(4), are observed to perform well in terms of stability and performance. 
 
 Sunny Valley Networks is sponsoring developments on this project so you can expect netmap(4) will better support a wide range of Ethernet drivers. 
 
@@ -53,7 +53,7 @@ Disk Space
 
 Zenarmor uses `Elasticsearch <https://en.wikipedia.org/wiki/Elasticsearch>`_ or `MongoDB <https://www.mongodb.com/>`_ as its backend to store large data sets. Please allow at least 5 MB of disk space per hour per megabit/second throughput.
 
-If you're running a 100 Mbps link \(about 100 users\) which is quite active during the daytime and idle rest of the day, you may calculate the space needed as follows:
+If you're running a 100 Mbps link \(about 100 users\) that is quite active during the daytime and idle the rest of the day, you may calculate the space needed as follows:
 
 .. code-block:: none
 
@@ -61,4 +61,4 @@ If you're running a 100 Mbps link \(about 100 users\) which is quite active duri
     6 GB x 7 days a week = 42 GB per week.
     42 x 4 weeks a month = 164 GB per month.
 
-As of `version 0.7.0 <https://www.sunnyvalley.io/docs/support/release-notes#07>`_, Zenarmor expires old report data to free up disk space for the most recent data based on the configured number of days of history to keep.
+As of `version 0.7.0 <https://www.zenarmor.com/docs/support/release-notes#07>`_, Zenarmor expires old report data to free up disk space for the most recent data based on the configured number of days of history to keep.

source/vendor/sunnyvalley/zenarmor_install.rst

@@ -7,16 +7,16 @@ Zenarmor (Sensei): Installing via Web Interface
 
  **Note**
  
-    Zenarmor Free Edition is **forever free-of-charge**. We strongly recommend you register to keep in touch with updates and new features. You can register at `https://www.sunnyvalley.io/open-source-firewalls <https://www.sunnyvalley.io/open-source-firewalls>`_
+    Zenarmor Free Edition is **forever free-of-charge**. We strongly recommend you register to keep in touch with updates and new features. You can register at `https://www.zenarmor.com/zenarmor-next-generation-firewall <https://www.zenarmor.com/zenarmor-next-generation-firewall>`_
    
 
-Zenarmor may be installed using the web interface in OPNsense or using the command line interface via SSH or local system access (see :doc:`zenarmor_cmd_install`). The preferred method is the web interface because the process of installing plugins in OPNsense is simple and Zenarmor requires the use of the web interface to complete the initial configuration after installation.
+Zenarmor may be installed using the web interface in OPNsense or using the command line interface via SSH or local system access (see :doc:`zenarmor_cmd_install`). The preferred method is the web interface because the process of installing plugins in OPNsense is simple, and Zenarmor requires the use of the web interface to complete the initial configuration after installation.
 
 To install plugins in OPNsense, you must use an account with administrative access.
 
 .. Note::
 
-    Before installing Zenarmor, you should ensure you meet the minimum system requirements in order to run Zenarmor or to have the best user experience. See :doc:`zenarmor_hardwarerequirements` for more information.
+    Before installing Zenarmor, you should ensure you meet the minimum system requirements in order to run Zenarmor or have the best user experience. See :doc:`zenarmor_hardwarerequirements` for more information.
 
 ----------------------------
 Web Interface Installation
@@ -61,7 +61,7 @@ To start the "Initial Configuration Wizard":
 2- Hardware Check
 ....................
 
-Your hardware will be analyzed to ensure it meets the minimum requirements. You will receive one of following responses: compatible hardware, low-end hardware, incompatible hardware. The setup will not continue if you have incompatible hardware.
+Your hardware will be analyzed to ensure it meets the minimum requirements. You will receive one of the following responses: compatible hardware, low-end hardware, incompatible hardware. The setup will not continue if you have incompatible hardware.
 
 .. image:: images/zenarmor-wizard-hardware-high-end.png
     :width: 100%
@@ -84,7 +84,7 @@ Your hardware will be analyzed to ensure it meets the minimum requirements. You
 3- Reporting Database
 ......................
 
-* Select the database you wish to use for reporting. High end systems will have 3 options, while low end systems only have 2 options.
+* Select the database you wish to use for reporting. High-end systems will have 3 options, while low-end systems only have 2 options.
 
 .. Warning::
 
@@ -138,7 +138,7 @@ The engine processes the request, queries the **“Sunny Valley Network (SVN) Cl
 Cloud Threat Intel settings let you:
 
 * Enable/Disable the “Cloud Reputation & Web Categorization” engine
-* Set local domain name you wish to be excluded from cloud queries
+* Set the local domain name you wish to be excluded from cloud queries
 * Select the fastest Cloud Reputation Servers which are used for queries
 
 .. image:: images/zenarmor-wizard-cloud-reputation.png
@@ -159,7 +159,7 @@ Cloud Threat Intel settings let you:
 * **Automatically Update Databases and Threat Intelligence Data:** Checks automatically for the updates and creates a notification on the Zenarmor “Status” page.
 * **Enable Generation of Support Data:** If enabled, Zenarmor collects supporting data during unusual events and crashes. You can share this data when opening a ticket with us.
 * **Max Swap Utilization:** You may specify how much swap space Zenarmor may utilize when the system is low on memory. It is recommended that you do not set this value too high. Otherwise, system performance may suffer.
-* **Health Check:** If enabled, "Health Check" monitors the system's memory, CPU, disk usage and core services if they're working correctly, and raises alerts if anything goes wrong. "Health Check" also stops the appropriate services if they're consuming excessive system resources.
+* **Health Check:** If enabled, "Health Check" monitors the system's memory, CPU, disk usage, and core services if they're working correctly, and raises alerts if anything goes wrong. "Health Check" also stops the appropriate services if they're consuming excessive system resources.
 * **Help Sunny Valley Improve Its Products and Services:** If enabled, general system information is submitted to Sunny Valley to help improve the future development of Zenarmor.
 
 .. image:: images/zenarmor-wizard-updates-health-check.png