Skip to main content

Zenarmor Security Rules on OPNsense

Zenarmor (Sensei) is developed in a way to give all the controls at your hands. To achieve this, we thrived our best to make almost everything configurable. On the Security screen, you can set your general policy of how threat analysis will work and set the rest on the App Control and Web Control modules.


The engine processes the request, queries to SVN Cloud in real-time and decides whether it will be blocked or allowed. We check against 300+ Million Websites, under 120+ categories in milliseconds.

The Cloud Threat Intelligence data is queried real-time when any connection attempt is made through your network. It allows us to respond to malware and wireless outbreaks in real time and very fast.

Zenarmor: Security Control Settings

Figure 1: Zenarmor: Security Control Settings

Essential Security options are available in Free Edition whereas Advanced Security options which are available through Zenarmor Premium Subscriptions (Home, SOHO, Premium) provide Advanced Threat Protection against the latest malware, viruses and phishing attacks by blocking websites that are known to host malware and viruses and launch phishing attacks. With Sunny Valley`s Advanced Threat Protection feed, users are provided with near-real-time commercial-grade threat tracking and protection.

Essential Security

1. Block Malware Activity

Block sites that are known to host malware.

2. Block Phishing Servers

Block sites that are known to host malicious software being used by phishing campaigns.

3. Block Spam Sites

Block sites which distribute spam.

4. Block Hacking Sites

Block sites which distribute hacking related content.

5. Block Parked Domains

Parked domains are web pages typically with a single page with ads. They do not provide any value to the user. They are used by legitimate domain registrars to monetize the visits of users who land on the main page.

On the other hand, parked domains can also host suspicious and / or malicious content, especially when used by an Ad provider. Ad providers are known to be leveraged by cybercriminals to serve malvertisements.

What's more, landing pages of parked domains are known to serve malware on a large scale.

6. Block Potentially Dangerous Sites

Block sites that are potentially dangerous. Those are the sites that we're not %100 sure that they are malicious but they are displaying suspicious activity which resembles a malicious site.

7. Block Firstly Seen Sites

Firstly Seen sites are the sites our Web Categorization engine did not hear before. We did not even know that they existed.

You can block all sites that we are yet to hear about by clicking this option.


When we see a Firstly Seen Site, it is immediately being queued for processing by our AI based classification system.

AI based classification system tries to classify it. If there is success, the web category is immediately updated and in one hour, this new information is propagated to the entire Cloud Web Categorization & Threat Intelligence System.

If the AI based classification cannot classify the web site, it is marked as "Unknown", and queued again for further processing.

8. Block Undecided and Safe / Not Safe Sites

Undecided sites are the sites that our Web Categorization Service heard of but have not come to a decision yet. They have been processed at least once by our AI based Web Categorization service, but has not been categorized yet.

Undecided Not Safe sites are the subset of these sites that we suspect of a malicious activity.

Advanced Security

Zenarmor Premium blocks suspicious domains including expired domains, hacked and newly registered domains (NRDs) favored by threat actors for launching malicious campaigns. Research shows that NRDs, for example, are risky, revealing malicious usage of NRDs for phishing, malware, and online scams. In addition, Zenarmor Premium also blocks any expired DynDNS sites.

1. Block Recent Malware/Phishing/Virus Outbreaks

Block Malware, Phishing and Virus campaigns which are known to come into existence very recently (within the last 0-2 weeks).

2. Block Botnet C&C

Block Botnet Command and Control Centers.

3. Block Proxy

Proxy sites which are used by attackers to have anonymity.

4. Block Dead Sites

Sites whose registrations have expired. Cybercriminals are known to re-register sites which are no longer being used.

5. Block Dynamic DNS Sites

Malicious sites have been known to use dynamic DNS services. Blocking these sites keep you safe from any possible attacks that might be launched from them.

6. Block Newly Registered Sites

Newly registered domains are an effective tool for threat actors. From a security perspective, there are very few reasons someone would need to visit a domain that has just come online; likely, they were sent via a URL from a malicious campaign.

7. Block Newly Recovered Sites

Like newly registered sites, sites which have undergone a long period of silence and become recently up might be also be used by the attackers. Sites which has a good reputation history are especially used by cybercriminals to evade reputation-based security mechanisms.

These settings are extremely useful to block some phishing attacks when you are not careful of the URLs you are clicking.

8.Block Botnet DGA Domains

Block Botnet agents trying to contact back their C&C using DGA mechanism.(Will be made available in the future)

9. Block DNS Tunneling

Block DNS Tunnels, which is an effective way of evading network security filtering.(Will be made available in the future)