From 7258aa11445505ec25a660b0c6987fa20f3eac48 Mon Sep 17 00:00:00 2001 From: Administrator Date: Mon, 23 Feb 2026 21:50:49 +0000 Subject: [PATCH] docs: create Netgrimoire/Network/Security/OpnSense_AppInspection --- .../Security/OpnSense_AppInspection.md | 159 ++++++++++++++++++ 1 file changed, 159 insertions(+) create mode 100644 Netgrimoire/Network/Security/OpnSense_AppInspection.md diff --git a/Netgrimoire/Network/Security/OpnSense_AppInspection.md b/Netgrimoire/Network/Security/OpnSense_AppInspection.md new file mode 100644 index 0000000..dc8d464 --- /dev/null +++ b/Netgrimoire/Network/Security/OpnSense_AppInspection.md 
@@ -0,0 +1,159 @@ +--- +title: OpnSense +description: App Inspection +published: true +date: 2026-02-23T21:50:37.324Z +tags: +editor: markdown +dateCreated: 2026-02-23T21:50:37.324Z +--- + +# Zenarmor (NGFW) + +**Service:** Zenarmor Next-Generation Firewall +**Plugin:** os-sunnyvalley +**Tier:** Free Edition +**Host:** OPNsense firewall + +--- + +## Overview + +Zenarmor adds application-layer awareness and web filtering to OPNsense that the base firewall does not provide. Where Suricata inspects packet content for known threat signatures, Zenarmor identifies **what application or service** is generating traffic and can block or allow based on that — regardless of port. + +| Feature | Free Tier | Paid Tier | +|---|---|---| +| Layer-7 app identification | ✓ | ✓ | +| Web category filtering | Default policy only | Custom policies | +| Malware/phishing blocking | ✓ | ✓ | +| Real-time network analytics | ✓ | ✓ | +| Device tracking & alerts | ✗ | ✓ | +| Multiple policies | ✗ | ✓ | +| TLS inspection | ✗ | ✓ | + +The free tier is useful primarily for **visibility** (seeing what applications are running on your network) and **basic threat blocking** (malware, phishing, PUP domains). The analytics dashboard alone makes it worthwhile. + +> ✓ Zenarmor and Suricata can run simultaneously. They operate at different layers and do not conflict. Zenarmor handles application identity; Suricata handles content signatures. + +> ⚠ **MongoDB deprecation note:** As of September 2025, MongoDB is being deprecated as the Zenarmor database backend. Use **SQLite** when prompted during setup — it is the supported path going forward. + +--- + +## Installation + +### Step 1 — Install the Plugin + +1. Go to **System → Firmware → Plugins** +2. Search for `os-sunnyvalley` +3. Click the **+** install button +4. Wait for installation to complete +5. 
**Refresh the browser** — a new **Zenarmor** menu item will appear in the sidebar + +### Step 2 — Initial Setup Wizard + +Navigate to **Zenarmor → Dashboard** — this launches the setup wizard on first run. + +**Deployment Mode:** Select **Routed Mode (L3)** for standard OPNsense setups. This is correct for your configuration. + +**Database:** Select **SQLite** — do not select MongoDB (deprecated September 2025). + +**Interface:** Select **ATT (opt1)** as the primary interface. Add **WAN (igc0)** while dual-WAN is still active. + +> ⚠ Zenarmor should be applied to the **LAN-facing side** of the firewall for internal traffic inspection, or the **WAN-facing side** for inbound threat blocking. For your setup, applying it to both ATT and LAN gives the most coverage. + +**Cloud Connectivity:** Leave enabled — Zenarmor uses cloud-based category lookups for web filtering. If you want fully offline operation, this can be disabled but web filtering accuracy degrades significantly. + +Click **Complete** to finish the wizard. + +--- + +## Configuration + +### Step 3 — Security Policy + +Navigate to **Zenarmor → Security** + +Enable the following threat categories in the default policy: + +| Category | Action | Notes | +|---|---|---| +| Malware | Block | Domains known to serve malware | +| Phishing | Block | Credential harvesting sites | +| Botnet | Block | C2 communication | +| PUP/Adware | Block | Potentially unwanted programs | +| SPAM Sources | Block | Known spam infrastructure | +| Parked Domains | Block | Often used for malicious redirects | + +Leave the following as **Alert** initially (review before blocking): +- Anonymizers / Proxies — may block legitimate VPN services +- Peer-to-peer — may affect legitimate use cases + +### Step 4 — Application Control + +Navigate to **Zenarmor → Policies → Application Control** + +The free tier allows one default policy. 
Useful applications to consider blocking or monitoring: + +| Application Category | Recommendation | Reason | +|---|---|---| +| Cryptocurrency mining | Block | Resource theft if unauthorized | +| Remote access tools (unknown) | Alert | Unexpected remote tools are a red flag | +| Tor | Alert | Monitor — may be legitimate or evasion | +| Anonymous proxies | Block | Bypass attempts | + +### Step 5 — Web Filtering + +Navigate to **Zenarmor → Policies → Web Controls** + +In the free tier, the default policy controls all web filtering. Recommended categories to block: + +| Category | Action | +|---|---| +| Malware sites | Block | +| Phishing | Block | +| Hacking / exploit sites | Block | +| Illegal content | Block | + +Enable **Safe Search enforcement** if desired — forces Google, Bing, and YouTube into safe search mode network-wide. + +--- + +## Dashboard & Analytics + +Navigate to **Zenarmor → Dashboard** + +The dashboard provides real-time visibility into: +- **Top talkers** — which internal hosts generate the most traffic +- **Top applications** — what services are being used +- **Blocked threats** — real-time feed of blocked requests +- **Bandwidth usage** — per-host and per-application + +This is the primary value of the free tier — even without advanced policy control, the visibility into what is running on your network is significant. + +Navigate to **Zenarmor → Reports** for historical analysis and trend data. + +--- + +## Performance Notes + +Zenarmor uses deep packet inspection which adds some CPU overhead. On modern hardware (anything with i226-V NICs) this is negligible at home lab traffic volumes. Monitor CPU usage in **Zenarmor → Dashboard → System** after enabling. + +If performance degrades, you can limit Zenarmor to specific interfaces rather than all interfaces. 
+ +--- + +## Known Limitations (Free Tier) + +- Only one web filtering policy — all devices get the same rules +- No per-device or per-group policies +- No TLS/SSL inspection — encrypted traffic is identified by SNI only +- No device inventory or unknown device alerts +- Web category database is cloud-dependent + +--- + +## Related Documentation + +- [OPNsense Firewall](./opnsense-firewall) — parent firewall documentation +- [Suricata IDS/IPS](./suricata-ids-ips) — complementary content inspection layer +- [CrowdSec](./crowdsec) — IP reputation layer
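Review bot: The interface guidance in Step 2 contradicts itself. The **Interface:** line tells the reader to select **ATT (opt1)** and add **WAN (igc0)** while dual-WAN is active, but the warning callout directly beneath it says "applying it to both ATT and LAN gives the most coverage." One of these should be corrected so the reader knows whether the second interface is WAN or LAN; since the same callout states that internal traffic inspection requires the LAN-facing side, and the dashboard's "Top talkers" section later assumes visibility into internal hosts, the step should probably read "Add **LAN** ... (and WAN while dual-WAN is still active)" or similar, with the callout adjusted to match. The Performance Notes section ("limit Zenarmor to specific interfaces") would then also have a clear answer for which interface to keep. Separately, the front matter leaves `tags:` empty; adding at least the tags used by the sibling pages linked under Related Documentation would keep the wiki index consistent.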