New Grimoire
This commit is contained in:
parent
77d589a13d
commit
cc574f8aed
157 changed files with 29420 additions and 0 deletions
159
Ward-Grimoire/Firewall/Zenarmor.md
Normal file
@ -0,0 +1,159 @@
---
title: OpnSense - App Protection
description: App Inspection
published: true
date: 2026-02-23T21:52:43.630Z
tags:
editor: markdown
dateCreated: 2026-02-23T21:50:37.324Z
---

# Zenarmor (NGFW)

**Service:** Zenarmor Next-Generation Firewall
**Plugin:** os-sunnyvalley
**Tier:** Free Edition
**Host:** OPNsense firewall

---

## Overview

Zenarmor adds application-layer awareness and web filtering to OPNsense that the base firewall does not provide. Where Suricata inspects packet content for known threat signatures, Zenarmor identifies **what application or service** is generating traffic and can block or allow based on that — regardless of port.

| Feature | Free Tier | Paid Tier |
|---|---|---|
| Layer-7 app identification | ✓ | ✓ |
| Web category filtering | Default policy only | Custom policies |
| Malware/phishing blocking | ✓ | ✓ |
| Real-time network analytics | ✓ | ✓ |
| Device tracking & alerts | ✗ | ✓ |
| Multiple policies | ✗ | ✓ |
| TLS inspection | ✗ | ✓ |

The free tier is useful primarily for **visibility** (seeing what applications are running on your network) and **basic threat blocking** (malware, phishing, PUP domains). The analytics dashboard alone makes it worthwhile.

> ✓ Zenarmor and Suricata can run simultaneously. They operate at different layers and do not conflict. Zenarmor handles application identity; Suricata handles content signatures.

> ⚠ **MongoDB deprecation note:** As of September 2025, MongoDB is being deprecated as the Zenarmor database backend. Use **SQLite** when prompted during setup — it is the supported path going forward.

---

## Installation

### Step 1 — Install the Plugin

1. Go to **System → Firmware → Plugins**
2. Search for `os-sunnyvalley`
3. Click the **+** install button
4. Wait for installation to complete
5. **Refresh the browser** — a new **Zenarmor** menu item will appear in the sidebar

### Step 2 — Initial Setup Wizard

Navigate to **Zenarmor → Dashboard** — this launches the setup wizard on first run.

**Deployment Mode:** Select **Routed Mode (L3)** for standard OPNsense setups. This is correct for your configuration.

**Database:** Select **SQLite** — do not select MongoDB (deprecated September 2025).

**Interface:** Select **ATT (opt1)** as the primary interface. Add **WAN (igc0)** while dual-WAN is still active.

> ⚠ Zenarmor should be applied to the **LAN-facing side** of the firewall for internal traffic inspection, or the **WAN-facing side** for inbound threat blocking. For your setup, applying it to both ATT and LAN gives the most coverage.

**Cloud Connectivity:** Leave enabled — Zenarmor uses cloud-based category lookups for web filtering. If you want fully offline operation, this can be disabled but web filtering accuracy degrades significantly.

Click **Complete** to finish the wizard.

---

## Configuration

### Step 3 — Security Policy

Navigate to **Zenarmor → Security**

Enable the following threat categories in the default policy:

| Category | Action | Notes |
|---|---|---|
| Malware | Block | Domains known to serve malware |
| Phishing | Block | Credential harvesting sites |
| Botnet | Block | C2 communication |
| PUP/Adware | Block | Potentially unwanted programs |
| SPAM Sources | Block | Known spam infrastructure |
| Parked Domains | Block | Often used for malicious redirects |

Leave the following as **Alert** initially (review before blocking):
- Anonymizers / Proxies — may block legitimate VPN services
- Peer-to-peer — may affect legitimate use cases

### Step 4 — Application Control

Navigate to **Zenarmor → Policies → Application Control**

The free tier allows one default policy. Useful applications to consider blocking or monitoring:

| Application Category | Recommendation | Reason |
|---|---|---|
| Cryptocurrency mining | Block | Resource theft if unauthorized |
| Remote access tools (unknown) | Alert | Unexpected remote tools are a red flag |
| Tor | Alert | Monitor — may be legitimate or evasion |
| Anonymous proxies | Block | Bypass attempts |

### Step 5 — Web Filtering

Navigate to **Zenarmor → Policies → Web Controls**

In the free tier, the default policy controls all web filtering. Recommended categories to block:

| Category | Action |
|---|---|
| Malware sites | Block |
| Phishing | Block |
| Hacking / exploit sites | Block |
| Illegal content | Block |

Enable **Safe Search enforcement** if desired — forces Google, Bing, and YouTube into safe search mode network-wide.

---

## Dashboard & Analytics

Navigate to **Zenarmor → Dashboard**

The dashboard provides real-time visibility into:
- **Top talkers** — which internal hosts generate the most traffic
- **Top applications** — what services are being used
- **Blocked threats** — real-time feed of blocked requests
- **Bandwidth usage** — per-host and per-application

This is the primary value of the free tier — even without advanced policy control, the visibility into what is running on your network is significant.

Navigate to **Zenarmor → Reports** for historical analysis and trend data.

---

## Performance Notes

Zenarmor uses deep packet inspection which adds some CPU overhead. On modern hardware (anything with i226-V NICs) this is negligible at home lab traffic volumes. Monitor CPU usage in **Zenarmor → Dashboard → System** after enabling.

If performance degrades, you can limit Zenarmor to specific interfaces rather than all interfaces.

---

## Known Limitations (Free Tier)

- Only one web filtering policy — all devices get the same rules
- No per-device or per-group policies
- No TLS/SSL inspection — encrypted traffic is identified by SNI only
- No device inventory or unknown device alerts
- Web category database is cloud-dependent

---

## Related Documentation

- [OPNsense Firewall](./opnsense-firewall) — parent firewall documentation
- [Suricata IDS/IPS](./suricata-ids-ips) — complementary content inspection layer
- [CrowdSec](./crowdsec) — IP reputation layer
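Review bot: the interface selection in Step 2 contradicts the callout directly beneath it. The line "**Interface:** Select **ATT (opt1)** as the primary interface. Add **WAN (igc0)** while dual-WAN is still active." names two uplink-side interfaces, but the next note says "applying it to both ATT and LAN gives the most coverage", and the Overview and Dashboard sections sell the free tier on per-host visibility into internal traffic (top talkers, per-host bandwidth), which needs the LAN interface in the list. State explicitly which interfaces are selected, which of them is the ATT uplink versus the LAN, and what should be removed once dual-WAN is retired, otherwise a reader following the bold instruction gets an inspection scope that the note says is incomplete. Two smaller consistency points: Step 3 tells the reader to leave "Anonymizers / Proxies" on Alert while the Step 4 table sets "Anonymous proxies" to Block, and since the page itself says the free tier has a single default policy, the text should say which setting wins or reconcile the two. The Known Limitations bullet "encrypted traffic is identified by SNI only" would benefit from one sentence on the consequence for the recommendations above: clients using Encrypted ClientHello, or DNS over HTTPS to an outside resolver, will show little or no application identity, so the Application Control and Web Controls blocks in Steps 4 and 5 should be described as best-effort for such hosts. Finally, the "Cloud Connectivity" paragraph documents the accuracy trade-off of disabling it but not what leaves the network when it stays enabled (domain and category lookups sent to the vendor); adding that keeps the privacy trade-off next to the accuracy one.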