Skip to main content

Managing Zenarmor Services on OPNsense Firewall

You can view the status of the Zenarmor (Sensei)-related services on the Status page of a node. It provides all critical system-level information you need to manage your node. The following services are listed here:

On the Status page there are four panels;

  1. Engine Information
  2. Cloud Node Status
  3. Network Interfaces
  4. Services

Viewing Status of The Services

To view the detailed information about the status of the Zenarmor Services, in OPNsense GUI, navigate to Zenarmor-SenseiStatus.

Status Page

Figure 1: Status Page

Engine Information

This pane provides details about:

  • installed engine version
  • last update time of the engine
  • installed Application & Rules Database version
  • last update time of the database

Engine Information Panel

Figure 2: Engine Information Panel

Checking Updates Manually

You can check Engine and Database updates manually within the Engine Information Panel.

  • To check the update of the engine, click Check Updates link in the “Engine Version:” row.
  • To check the update of the database, click Check Updates link in the “App & Rules DB Version:” row.

Checking Updates Progress Bar

Figure 3: Checking Updates Progress Bar

If the installed engine is up to date, the following No Update is Available pop-up message appears. Click on the Close button to close the window. This will restart the user interface.

No Update is Available For the Engine Pop-Up Message

Figure 4: No Update is Available For the Engine Pop-Up Message

If the installed database is up to date, the following No update is available pop-up message appears. Click on the Close button to close the window. This will restart the user interface.

No Update is Available For the Database Pop-Up Message

Figure 5: No Update is Available For the Database Pop-Up Message

When updates are available, the user is notified with a notification message about the update on the dashboard.

Viewing Release Notes

To see the release notes for the installed version, click on the View Release Notes link at the end of the “Engine Version:” row.

Viewing Release Notes

Figure 6: Viewing Release Notes

Reloading Database

Under normal circumstances, after an Application DB update, the in-memory application database is automatically synchronized with the packet engine. If you want to do the re-loading manually, you can use this button to force an application database re-load on the packet engine side.

To reload the database, click on the Reload link next to the “App & Rules DB Version:” row. During the database reloading operation, the following progress bar appears on the screen.

Reloading Application DB Progress Bar

Figure 7: Reloading Application DB Progress Bar

When the reloading database operation is completed without any error, the following message is displayed at the top right corner of the window for several seconds.

Successfully Reloaded DB Message

Figure 8: Successfully Reloaded DB Message

Cloud Node Status

Cloud threat intelligence servers can be enabled for querying real-time information on threat intelligence and web categorization. Two Cloud Reputation servers with the best response times are automatically selected and configured by the engine according to their network response times during the installation and/or initial configuration.

Within the Cloud Node Status panel provides detailed information about the followings:

Node Name: Name of the cloud reputation server such as US-West, US-Central, US-East, Europe, Australia, Asia, etc.

Node Status: Availability of the server. (UP/Down)

Average Response Time(ms): Latency between the cloud reputation server and your system.

Success Rate: The connection success rate for the server.

Details: Uptime/Downtime of the server

Cloud Node Status

Figure 9: Cloud Node Status

Note: If one of the nodes has an unhealthy status/connection, a healthy node can be selected/configured manually from the Configuration menu. For detailed information, please refer to “Enabling Real Time Cloud Threat Intelligence” documentation.

Network Interfaces

The Network Interfaces panel provides the following statistics of the protected interface(s).

Statistics of the Network Interfaces

Figure 10: Statistics of the Network Interfaces

MetricDefinition
InterfacesName of the Network Interface Card
Bytes INNumber of good received bytes by the interface
Bytes OUTNumber of well transmitted bytes by the interface
Packets INNumber of good packets received by the interface
Packets OUTNumber of packets successfully transmitted by the interface.
Err IN:Total number of bad packets received on this interface.
Err OUTThe total number of transmitting problems occurs on the interface.
TPUT INThroughput of the interface for received traffic.
TPUT OUTThroughput of the interface for transmitted traffic.
PPS INNumber of packets per second received by the interface
PPS OUTNumber of packets per second transmitted by the interface

Table 1: Network Interface Metrics

Services

You can view the status of the Zenarmor-related services in the Services pane. The following services are listed here if they are installed.

  • Zenarmor Packet Engine
  • Elasticsearch
  • MongoDB
  • Cloud Agent

Viewing the Status of the Zenarmor Services

The status of the services is listed under the Status title in the pane. You can check whether one of the services is running or not by viewing this page.

Zenarmor Services

Figure 11: Zenarmor Services

Enabling Bypass Mode for Zenarmor Packet Engine

For troubleshooting purposes, Zenarmor Packet Engine could run in Bypass Mode. In this mode, the engine does not apply any security controls (neither web nor application) for traffic and just passes through it on the protected interfaces. In bypass mode, Zenarmor operates like a dummy L2 bridge.

This feature is quite handy to determine the incompatible network driver issues or to troubleshoot a problem that Zenarmor Packet Engine or one of the other system components like Netmap may cause. If the problem still exists in bypass mode, that means the problem is not related to Zenarmor Packet Engine. Rather it might be a netmap or OS problem

To enable bypass mode, click on the Enter Bypass Mode button in the Zenarmor Packet Engine row.

Start/Stop/Restart of a Zenarmor Service

You can start/stop/restart the services in this panel.

  • To stop one of the services, click on the Stop button in the same row as the service.
  • To restart one of the services, click on the Restart button in the same row with the service.

The user is notified by displaying the progress bar for restarting the service.

Progress Bar of Restarting Cloud Agent Service

Figure 12: Progress Bar of Restarting Cloud Agent Service

Enabling Start of a Zenarmor Service on Boot

If you want Zenarmor to be running every time you reboot your router, you will need to ensure you have the “Start on Boot” option enabled. By default, it is set to enabled. If it is not enabled, to be able to start a service on the boot, the toggle button in the Start On Boot row is turned on.

After changing the configuration of the Start on Boot options, the following progress bars are displayed.

Writing Configuration Changes to Disk Progress Bar

Figure 13: Writing Configuration Changes to Disk Progress Bar

Reloading Page After Configuration Changes

Figure 14: Reloading Page After Configuration Changes

When a configuration is changed without any error, the following message is displayed at the top right corner of the window for several seconds.

Successfully Changed Configuration Message

Figure 15: Successfully Changed Configuration Message