Skip to main content

General Configuration

Zenarmor (Sensei) general configuration options are explained below.

You may reach the Zenarmor General configuration by navigating to Zenarmor -> Configuration -> General on OPNsense web GUI.

Deployment Mode Configuration

Zenarmor can be deployed in three different deployment modes:

  1. Passive Mode (Reporting only, no blocking)

  2. Routed Mode (L3 Mode, Reporting and Blocking available)

  • With Native Netmap Driver
  • With Emulated Netmap Driver
  1. Bridge Mode (L2 Mode, Reporting and Blocking available)

Default mode is the second option: Routed (L3 Mode) and with native netmap driver. If you don't know what you're doing; or do not understand the stuff here, we suggest you leave it on the default option.

Deployment Mode selection

Figure 1. Deployment Mode selection

See below for detailed explanations for each of the deployment modes.

1. Passive Mode (Reporting only mode)

Passive mode is like Suricata's IDS mode. Zenarmor grabs a copy of packets from the configured interfaces and provides you with a wealth of information through its reporting. In this mode, it's not possible to do blocking.

If you're having trouble with the netmap subsystem and still want to make use of Zenarmor's advanced reporting capabilities, this is the best option.

2. Routed Mode (L3 Mode, Reporting + Blocking)

Routed Mode is the option where you deploy Zenarmor on top of the firewall and you still make use of the firewall's other services like L3/L4 filtering, routing, VPN and other plug-ins that are available.

In this mode, you can both do reporting and enjoy all of the filtering functionalities of the software.

This mode utilizes netmap(4), the underlying packet processing subsystem of the FreeBSD operating system. You have two options:

a. With Native Netmap Driver

Being the default deployment option, this option allows you to be able to make use of native netmap performance with regard to Ethernet drivers.

Netmap can be picky when it comes to driver compatibility. If you suspect that your ethernet driver does not play well with netmap, then your best bet is using L3 mode with the Emulated Netmap Driver. See below for details.

b. With Emulated Netmap Driver

As discussed above, if you suspect your Ethernet driver does not play well with netmap, you can use this option to be able to continue using Zenarmor with all of the functionality.

Be noted that the Emulated driver is not as performant as the Native Netmap driver.

3. Bridge Mode (L2 Bridge Mode, Reporting + Blocking)

This experimental deployment mode allows you to be able to deploy Zenarmor like an Inline Web Secure Gateway.

In this mode, it's not possible to make use of other existing OPNsense functionality like firewalling, VPN and other plug-ins; since Zenarmor will bypass the Operating System and your device will act as a transparent filtering appliance.

This mode supports Hardware Assisted Bypass technologies. Currently only Silicom Bypass Adapters are supported.

With Hardware Assistant Bypass adapters, your device can act like a simple cable when there's a software/hardware problem, when Zenarmor is shut down or even when the machine is powered off.

Interface Selection

A network interface is the point of interconnection between a computer and a private or public network. A network interface is generally a network interface card (NIC), but does not have to have a physical form.

On the Zenarmor configuration page, there are a number of interfaces available depending on the model of the Zenarmor installed device.

Interface selection

Figure 2. Interface selection

Zenarmor Users have to configure these interfaces according to their monitoring requirements


If you have multiple VLANs associated with a single physical interface, you should only select the physical parent interface. Zenarmor will be able to analyze all of the VLAN traffic when monitoring the parent interface

When you monitor the parent interface, Zenarmor will monitor all VLANs associated with that interface.


In the Free Edition, you cannot exclude VLANs from being monitored if you have multiple VLANs assigned to a single, parent interface.

If the desired interface does not exist in the left pane, click Refresh Interfaces List

To protect the interface of the device select the required one from the left pane and click the right arrow sign.


Some interface types, such as USB, some Wireless NICs, and the LAGG Interface, are not supported by the Netmap Driver and thus are not displayed in the Interface Selection list. If you can't see all of the interfaces in the list, it means you have unsupported network interfaces that Zenarmor can't protect.

Exempting VLANs & Networks

Exempted VLANs & Networks

Figure 3. Exempted VLANs & Networks

To exempt some VLANs from protection by Zenarmor, you need to enter VLAN ids to this pane. By excluding VLAN, Zenarmor will bypass the traffic of that VLAN.


To get help about Exempted VLANs & Networks use full help toggle.

Exempted VLANs and Network addresses are bypassed from any Zenarmor processing. The difference from Policy-based whitelisting is that these do not enter any packet processing and are directly forwarded at the interface level. For that reason, for these addresses, you`ll also not see any activity reported in the reports.

Likewise, you can also exclude IP addresses or networks by entering them in CIDR format (IPv4). You can also set a name (optional). You may add or remove IP addresses from that list and you may edit the IP address or definition..

For ease of finding IP addresses on the list, you can sort by using the aZ-Za button with a red up/down arrow icon.

IP/Network Address Details

Figure 4: IP/Network Address Details

Deployment Model Preview

Deployment section shows what kind of database Zenarmor is using and which Zenarmor subscription is available. These parameters are set during the installation and the deployment size is determined by your hardware and Zenarmor subscription tier (for more information please visit


Figure 5: Deployment

Selecting Log Level and Rotation

In the Logger pane, you can select the log level, rotation and retire for the log file.

There are 5 types of Log level listed below:

  • 1. INFO : the standard log level indicating that something happened, the application entered a certain state.
  • 2. CRITICAL : tells that the application encountered an event or entered a state in which one of the crucial business functionality is no longer working.
  • 3. ERROR : tells that the application hits an issue preventing one or more functionalities from properly functioning.
  • 4. WARNING : indicates that something unexpected happened in the application, a problem, or a situation that might disturb one of the processes. But that doesn’t mean that the application failed.
  • 5. DEBUG : DEBUG log level should be used for information that may be needed for diagnosing issues and troubleshooting

Also, there are 6 levels available for debugging purposes:


  • DEBUG1

  • DEBUG2

  • DEBUG3

  • DEBUG4

  • DEBUG5

Zenarmor Log levels on OPNsense

Figure 6. Zenarmor Log levels on OPNsense

There are 3 options for log rotation and the default is 1 Day:

  • 1 Hour
  • 1 Day
  • 1 Week

Available Log rotation options for Zenarmor on OPNsense

Figure 7. Available Log rotation options for Zenarmor on OPNsense


Be careful that log files could eventually consume all available disk space on a system if they were not rotated, and pruned on a regular basis.

Using the Retire option, you may choose a time period for the logs to be deleted. Log files are automatically deleted after three days by default. You may also erase log files right away if you need to in an emergency by cliking on the Delete Now button.

Log Retire options for Zenarmor on OPNsense

Figure 8. Log Retire options for Zenarmor on OPNsense

Creating Active Directory Agent Authentication Tokens

In this pane, you can create a new token or you can disable or delete the existing token. Currently, tokens are used for Active Directory integration. Please check the Active Directory installation video for further details.

Zenarmor AD Agent Authentication Tokens

Figure 9. AD Agent Authentication Tokens

Block Notification Page Configuration

Block Notification Page, also known as "Landing Page", is the page users will be prompted when traffic is blocked by Zenarmor. Users are transferred to a secure landing page when accessing potentially dangerous activities according to your guidelines.

With Zenarmor's Customizable Landing Pages, businesses can now provide a safe and secured network environment for all users while maintaining total transparency about company standards.

Custom Landing Pages (CLP) from Zenarmor aid in educating and comforting everyone about potential threats to their organization.

As the owner of a Zenarmor Next-Generation Firewall, you have the ability to create Custom Landing URLs that explain to employees why certain HTTPS pages are blocked due to noncompliance with business laws, potential damage, or unknowing cyber threats to your organization. This capability reduces calls to the helpdesk and user frustration caused by the inability to access specific web content.

In Block Notification Page Pane, you can

  • enable/disable block notification page for TLS encrypted connections

  • upload a new HTML template for a new design landing page.

  • view or download the current template

Landing Page

Figure 10. Landing Page

To enable/disable block notification page for TLS encrypted connections,

  1. Click on the toogle bar next to the "Enable Block Notification Page for TLS Encrypted Connections" option.

  2. Click the Save Changes button to activate the changes.


Since your default internal CA is not trusted by the browser, you will get a warning message like Your connection isn't private. Attackers might be trying to steal your information NET::ERR_CERT_AUTHORITY_INVALID for each blocked SSL site you visit.


Figure 11. ERR_CERT_AUTHORITY_INVALID warning message

To solve this issue, you must add the Zenarmor default CA certificate as a trusted root CA certificate in your client OS. Or, users must type "thisisunsafe" to display the landing page.

To upload a new template:

  1. Click Browse

  2. Select template file and click open.

  3. You can view existing templates or newly created templates by clicking the View button.

  4. Click the Save Changes button to save the template.

For later use or archive purpose, you can Download the template.