Managing Zenarmor Services on OPNsense Firewall
You can view the status of the Zenarmor (Sensei)-related services on the Status page of a node. The page provides all the critical system-level information you need to manage your node.
The Status page has four panels:
- Engine Information
- Cloud Node Status
- Network Interfaces
- Services
Viewing Status of The Services
To view detailed information about the status of the Zenarmor services, navigate to Zenarmor-Sensei → Status in the OPNsense GUI.
Figure 1: Status Page
Engine Information
This pane provides details about:
- installed engine version
- last update time of the engine
- installed Application & Rules Database version
- last update time of the database
Figure 2: Engine Information Panel
Checking Updates Manually
You can check for Engine and Database updates manually within the Engine Information panel.
- To check for an engine update, click the Check Updates link in the “Engine Version:” row.
- To check for a database update, click the Check Updates link in the “App & Rules DB Version:” row.
Figure 3: Checking Updates Progress Bar
If the installed engine is up to date, the following No Update is Available pop-up message appears. Click on the Close button to close the window. This will restart the user interface.
Figure 4: No Update is Available For the Engine Pop-Up Message
If the installed database is up to date, the following No update is available pop-up message appears. Click on the Close button to close the window. This will restart the user interface.
Figure 5: No Update is Available For the Database Pop-Up Message
When updates are available, a notification message about the update is shown on the dashboard.
Viewing Release Notes
To see the release notes for the installed version, click on the View Release Notes link at the end of the “Engine Version:” row.
Figure 6: Viewing Release Notes
Reloading Database
Under normal circumstances, after an Application DB update, the in-memory application database is automatically synchronized with the packet engine. If you want to reload it manually, you can force an application database reload on the packet engine side.
To reload the database, click on the Reload link next to the “App & Rules DB Version:” row. During the database reloading operation, the following progress bar appears on the screen.
Figure 7: Reloading Application DB Progress Bar
When the reloading database operation is completed without any error, the following message is displayed at the top right corner of the window for several seconds.
Figure 8: Successfully Reloaded DB Message
Cloud Node Status
Cloud threat intelligence servers can be enabled for querying real-time information on threat intelligence and web categorization. Two Cloud Reputation servers with the best response times are automatically selected and configured by the engine according to their network response times during the installation and/or initial configuration.
The Cloud Node Status panel provides detailed information about the following:
Node Name: Name of the cloud reputation server such as US-West, US-Central, US-East, Europe, Australia, Asia, etc.
Node Status: Availability of the server. (UP/Down)
Average Response Time(ms): Latency between the cloud reputation server and your system.
Success Rate: The connection success rate for the server.
Details: Uptime/Downtime of the server
Figure 9: Cloud Node Status
Note: If one of the nodes has an unhealthy status/connection, a healthy node can be selected/configured manually from the Configuration menu. For detailed information, please refer to “Enabling Real Time Cloud Threat Intelligence” documentation.
Network Interfaces
The Network Interfaces panel provides the following statistics of the protected interface(s).
Figure 10: Statistics of the Network Interfaces
Metric | Definition |
---|---|
Interfaces | Name of the Network Interface Card |
Bytes IN | Number of bytes successfully received by the interface |
Bytes OUT | Number of bytes successfully transmitted by the interface |
Packets IN | Number of good packets received by the interface |
Packets OUT | Number of packets successfully transmitted by the interface |
Err IN | Total number of bad packets received on this interface |
Err OUT | Total number of transmission problems that occurred on the interface |
TPUT IN | Throughput of the interface for received traffic. |
TPUT OUT | Throughput of the interface for transmitted traffic. |
PPS IN | Number of packets per second received by the interface |
PPS OUT | Number of packets per second transmitted by the interface |
Table 1: Network Interface Metrics
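The rate metrics in Table 1 can be cross-checked from two snapshots of the cumulative counters. The following is an added example, not Zenarmor code: the field names, the bits-per-second unit for throughput, the reset handling, and the sample values are assumptions made for illustration.

```python
# Added example: derive the Table 1 rate metrics from two snapshots of
# cumulative interface counters. Field names and samples are constructed.
from dataclasses import dataclass, fields


@dataclass(frozen=True)
class Counters:
    bytes_in: int
    bytes_out: int
    packets_in: int
    packets_out: int
    err_in: int
    err_out: int


def delta(prev: int, curr: int) -> int:
    """Counter growth between samples. A drop means the counter was reset
    (for example after an interface restart), so growth is counted from zero."""
    return curr - prev if curr >= prev else curr


def interface_rates(prev: Counters, curr: Counters, seconds: float) -> dict:
    if seconds <= 0:
        raise ValueError("sampling interval must be positive")
    d = {f.name: delta(getattr(prev, f.name), getattr(curr, f.name))
         for f in fields(prev)}
    # Packets IN counts good packets and Err IN counts bad ones, so the
    # total number of packets seen on receive is their sum.
    seen_in = d["packets_in"] + d["err_in"]
    return {
        "tput_in_bps": d["bytes_in"] * 8 / seconds,    # assumed unit: bits/s
        "tput_out_bps": d["bytes_out"] * 8 / seconds,
        "pps_in": d["packets_in"] / seconds,
        "pps_out": d["packets_out"] / seconds,
        "err_in": d["err_in"],
        "err_out": d["err_out"],
        "err_in_ratio": d["err_in"] / seen_in if seen_in else 0.0,
    }


# Constructed samples taken 10 seconds apart on one protected interface.
SAMPLE_T0 = Counters(1_000_000, 500_000, 10_000, 8_000, 2, 0)
SAMPLE_T1 = Counters(2_250_000, 900_000, 11_990, 9_000, 12, 0)

if __name__ == "__main__":
    for name, value in interface_rates(SAMPLE_T0, SAMPLE_T1, 10).items():
        print(f"{name}: {value}")
```

A steadily rising `err_in_ratio` between samples is the kind of signal worth comparing before and after a configuration change on the protected interface.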
Services
You can view the status of the Zenarmor-related services in the Services pane. The following services are listed here if they are installed.
- Zenarmor Packet Engine
- Elasticsearch
- MongoDB
- Cloud Agent
Viewing the Status of the Zenarmor Services
The status of the services is listed under the Status title in the pane. You can check whether one of the services is running or not by viewing this page.
Figure 11: Zenarmor Services
Enabling Bypass Mode for Zenarmor Packet Engine
For troubleshooting purposes, Zenarmor Packet Engine can run in Bypass Mode. In this mode, the engine does not apply any security controls (neither web nor application) to traffic and simply passes it through on the protected interfaces. In bypass mode, Zenarmor operates like a dummy L2 bridge.
This feature is handy for identifying incompatible network driver issues or for troubleshooting a problem that Zenarmor Packet Engine or one of the other system components, such as Netmap, may cause. If the problem still exists in bypass mode, the problem is not related to Zenarmor Packet Engine. Rather, it might be a netmap or OS problem.
To enable bypass mode, click on the Enter Bypass Mode button in the Zenarmor Packet Engine row.
Start/Stop/Restart of a Zenarmor Service
You can start/stop/restart the services in this panel.
- To stop one of the services, click on the Stop button in the same row as the service.
- To restart one of the services, click on the Restart button in the same row as the service.
A progress bar is displayed while the service restarts.
Figure 12: Progress Bar of Restarting Cloud Agent Service
Enabling Start of a Zenarmor Service on Boot
If you want Zenarmor to be running every time you reboot your router, you need to ensure that the “Start on Boot” option is enabled. By default, it is set to enabled. If it is not enabled, turn on the toggle button in the Start On Boot row so that the service starts on boot.
After changing the configuration of the Start on Boot options, the following progress bars are displayed.
Figure 13: Writing Configuration Changes to Disk Progress Bar
Figure 14: Reloading Page After Configuration Changes
When a configuration is changed without any error, the following message is displayed at the top right corner of the window for several seconds.
Figure 15: Successfully Changed Configuration Message