---
title: OpnSense - App Protection
description: App Inspection
published: true
date: 2026-02-23T21:52:43.630Z
tags:
editor: markdown
dateCreated: 2026-02-23T21:50:37.324Z
---

# Zenarmor (NGFW)

**Service:** Zenarmor Next-Generation Firewall
**Plugin:** os-sunnyvalley
**Tier:** Free Edition
**Host:** OPNsense firewall

---

## Overview

Zenarmor adds application-layer awareness and web filtering to OPNsense that the base firewall does not provide. Where Suricata inspects packet content for known threat signatures, Zenarmor identifies **what application or service** is generating traffic and can block or allow based on that — regardless of port.

| Feature | Free Tier | Paid Tier |
|---|---|---|
| Layer-7 app identification | ✓ | ✓ |
| Web category filtering | Default policy only | Custom policies |
| Malware/phishing blocking | ✓ | ✓ |
| Real-time network analytics | ✓ | ✓ |
| Device tracking & alerts | ✗ | ✓ |
| Multiple policies | ✗ | ✓ |
| TLS inspection | ✗ | ✓ |

The free tier is useful primarily for **visibility** (seeing what applications are running on your network) and **basic threat blocking** (malware, phishing, PUP domains). The analytics dashboard alone makes it worthwhile.

> ✓ Zenarmor and Suricata can run simultaneously. They operate at different layers and do not conflict. Zenarmor handles application identity; Suricata handles content signatures.

> ⚠ **MongoDB deprecation note:** As of September 2025, MongoDB is being deprecated as the Zenarmor database backend. Use **SQLite** when prompted during setup — it is the supported path going forward.

---

## Installation

### Step 1 — Install the Plugin

1. Go to **System → Firmware → Plugins**
2. Search for `os-sunnyvalley`
3. Click the **+** install button
4. Wait for installation to complete
5. **Refresh the browser** — a new **Zenarmor** menu item will appear in the sidebar

### Step 2 — Initial Setup Wizard

Navigate to **Zenarmor → Dashboard** — this launches the setup wizard on first run.
**Deployment Mode:** Select **Routed Mode (L3)** for standard OPNsense setups. This is correct for your configuration.

**Database:** Select **SQLite** — do not select MongoDB (deprecated September 2025).

**Interface:** Select **ATT (opt1)** as the primary interface. Add **WAN (igc0)** while dual-WAN is still active.

> ⚠ Zenarmor should be applied to the **LAN-facing side** of the firewall for internal traffic inspection, or the **WAN-facing side** for inbound threat blocking. For your setup, applying it to both ATT and LAN gives the most coverage.

**Cloud Connectivity:** Leave enabled — Zenarmor uses cloud-based category lookups for web filtering. If you want fully offline operation, this can be disabled, but web filtering accuracy degrades significantly.

Click **Complete** to finish the wizard.

---

## Configuration

### Step 3 — Security Policy

Navigate to **Zenarmor → Security**

Enable the following threat categories in the default policy:

| Category | Action | Notes |
|---|---|---|
| Malware | Block | Domains known to serve malware |
| Phishing | Block | Credential harvesting sites |
| Botnet | Block | C2 communication |
| PUP/Adware | Block | Potentially unwanted programs |
| SPAM Sources | Block | Known spam infrastructure |
| Parked Domains | Block | Often used for malicious redirects |

Leave the following as **Alert** initially (review before blocking):

- Anonymizers / Proxies — may block legitimate VPN services
- Peer-to-peer — may affect legitimate use cases

### Step 4 — Application Control

Navigate to **Zenarmor → Policies → Application Control**

The free tier allows one default policy.
Useful applications to consider blocking or monitoring:

| Application Category | Recommendation | Reason |
|---|---|---|
| Cryptocurrency mining | Block | Resource theft if unauthorized |
| Remote access tools (unknown) | Alert | Unexpected remote tools are a red flag |
| Tor | Alert | Monitor — may be legitimate or evasion |
| Anonymous proxies | Block | Bypass attempts |

### Step 5 — Web Filtering

Navigate to **Zenarmor → Policies → Web Controls**

In the free tier, the default policy controls all web filtering. Recommended categories to block:

| Category | Action |
|---|---|
| Malware sites | Block |
| Phishing | Block |
| Hacking / exploit sites | Block |
| Illegal content | Block |

Enable **Safe Search enforcement** if desired — it forces Google, Bing, and YouTube into safe search mode network-wide.

---

## Dashboard & Analytics

Navigate to **Zenarmor → Dashboard**

The dashboard provides real-time visibility into:

- **Top talkers** — which internal hosts generate the most traffic
- **Top applications** — what services are being used
- **Blocked threats** — real-time feed of blocked requests
- **Bandwidth usage** — per-host and per-application

This is the primary value of the free tier — even without advanced policy control, the visibility into what is running on your network is significant.

Navigate to **Zenarmor → Reports** for historical analysis and trend data.

---

## Performance Notes

Zenarmor uses deep packet inspection, which adds some CPU overhead. On modern hardware (anything with i226-V NICs) this is negligible at home lab traffic volumes.

Monitor CPU usage in **Zenarmor → Dashboard → System** after enabling. If performance degrades, you can limit Zenarmor to specific interfaces rather than all interfaces.
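Without the paid-tier TLS inspection, Zenarmor cannot decrypt HTTPS, so its view of an encrypted flow comes from the plaintext server_name (SNI) in the TLS ClientHello. The following is an added illustration, not Zenarmor's own code, of what that SNI-only view gives a classifier and where it goes blind: a ClientHello with no SNI yields nothing to categorize. The ClientHello bytes are constructed inline as a sample; `build_client_hello` and `extract_sni` are hypothetical helper names.

```python
import struct

def build_client_hello(server_name=None):
    """Construct a minimal TLS ClientHello record (constructed sample, not captured
    traffic). A zero-length extended_master_secret extension precedes the optional
    server_name extension so the parser has to skip an unrelated extension."""
    exts = struct.pack("!HH", 0x0017, 0)                         # extended_master_secret, empty
    if server_name is not None:
        host = server_name.encode()
        entry = b"\x00" + struct.pack("!H", len(host)) + host    # name_type 0 = host_name
        sni_list = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", 0x0000, len(sni_list)) + sni_list  # ext type 0 = server_name
    body = (b"\x03\x03" + b"\x11" * 32                           # client_version, random
            + b"\x00"                                            # session_id length 0
            + b"\x00\x02\x13\x01"                                # one cipher suite
            + b"\x01\x00"                                        # compression: null only
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + struct.pack("!I", len(body))[1:] + body       # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs     # record type 22 = handshake

def extract_sni(record):
    """Return the SNI host name from a TLS ClientHello record, or None when the
    record is not a ClientHello, is truncated, or carries no server_name
    extension (the case an SNI-only classifier cannot categorize)."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:
            return None
        p = 43                                   # record hdr 5 + hs hdr 4 + version 2 + random 32
        p += 1 + record[p]                       # session_id
        p += 2 + struct.unpack("!H", record[p:p + 2])[0]   # cipher_suites
        p += 1 + record[p]                       # compression_methods
        ext_len = struct.unpack("!H", record[p:p + 2])[0]
        p += 2
        end = min(p + ext_len, len(record))
        while p + 4 <= end:
            etype, elen = struct.unpack("!HH", record[p:p + 4])
            p += 4
            if etype == 0x0000 and p + 5 <= end:
                name_len = struct.unpack("!H", record[p + 3:p + 5])[0]
                return record[p + 5:p + 5 + name_len].decode("ascii", "replace")
            p += elen                            # skip extensions we do not care about
    except (IndexError, struct.error):
        return None
    return None

if __name__ == "__main__":
    print(extract_sni(build_client_hello("example.com")))   # example.com
    print(extract_sni(build_client_hello()))                # None: nothing to categorize
```

A flow whose ClientHello carries no SNI (or an encrypted one) shows up as generic TLS rather than a named site, which is why the free tier's web categories should be read as best-effort for encrypted traffic.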
---

## Known Limitations (Free Tier)

- Only one web filtering policy — all devices get the same rules
- No per-device or per-group policies
- No TLS/SSL inspection — encrypted traffic is identified by SNI only
- No device inventory or unknown device alerts
- Web category database is cloud-dependent

---

## Related Documentation

- [OPNsense Firewall](./opnsense-firewall) — parent firewall documentation
- [Suricata IDS/IPS](./suricata-ids-ips) — complementary content inspection layer
- [CrowdSec](./crowdsec) — IP reputation layer