Sensei comes pre-installed with a Default policy for the
Default policy configuration is managed by the Sensei engine. A Premium subscription includes the following features not available in the
- Create new policies
- Specify the packet direction for protection
- Include/exclude VLANs, IP/Network addresses, users, groups to be protected
- Time schedule for each policy
- Custom Web Control profiles
- Create Cloud Centralized policies
For more information on the features available for each type of subscription, please refer to plans & pricing.
Although you cannot change the Default policy, you can still change the Application Control rules, Web Control rules, and Exclusions on the default policy to suit your needs.
When you have a Premium Edition, you can create new policies to protect your network infrastructure in a more customizable way. For more information about creating a new policy, please refer to Managing policies. After creating a new policy, you must edit it to complete the configuration and identification of the policy rules.
After the creation of a new policy, you must complete the configuration of the policy rules. You can edit the configuration of a policy by clicking on the name of the policy in the policy list view. This will display the policy configuration view as shown in figure 1.
Figure 1. Editing a policy
Once the policy configuration has been completed, you will be able to apply the policy to your firewall.
Please note that all of the criteria listed below are combined with the AND logical operator. For a flow to match your configured policy, every configured criterion must match the flow information. For instance, if a policy specifies the 10.0.0.0/24 network, the em0 interface, and the 'Admins' group, all three conditions must be met for the policy to be applied. If a packet is identified as belonging to the 'Admins' group but arrives on the ixl0 interface, the packet will not match this particular policy.
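The AND matching described above, written out as an added example (not Sensei's own code): a flow matches only when every configured criterion of an enabled policy matches it, and an empty criterion places no restriction. The `Policy`, `Flow` and `Schedule` names, and the weekday/hour representation of a time schedule, are assumptions of this example.

```python
from dataclasses import dataclass
from datetime import datetime
import ipaddress

@dataclass
class Schedule:
    days: set        # weekday numbers, Monday=0 ... Sunday=6 (assumed representation)
    start_hour: int  # policy is effective from this hour (inclusive) ...
    stop_hour: int   # ... until this hour (exclusive)
    def active(self, when):
        return when.weekday() in self.days and self.start_hour <= when.hour < self.stop_hour

@dataclass
class Policy:
    name: str
    enabled: bool = False       # a newly created policy starts disabled
    interfaces: tuple = ()      # e.g. ("em0",)
    networks: tuple = ()        # CIDR strings, e.g. ("10.0.0.0/24",)
    vlans: tuple = ()           # VLAN IDs
    groups: tuple = ()          # captive-portal group names, e.g. ("Admins",)
    direction: str = "both"     # "inbound", "outbound" or "both"
    schedule: Schedule = None   # None means the policy is always active

@dataclass
class Flow:
    src_ip: str
    interface: str
    vlan: int = None
    group: str = None
    direction: str = "outbound"
    when: datetime = None

def matches(policy, flow):
    """Every configured criterion must match (AND); an empty criterion matches anything."""
    if not policy.enabled:
        return False
    if policy.interfaces and flow.interface not in policy.interfaces:
        return False
    if policy.networks:
        ip = ipaddress.ip_address(flow.src_ip)
        if not any(ip in ipaddress.ip_network(n, strict=False) for n in policy.networks):
            return False
    if policy.vlans and flow.vlan not in policy.vlans:
        return False
    if policy.groups and flow.group not in policy.groups:
        return False
    if policy.direction != "both" and flow.direction != policy.direction:
        return False
    if policy.schedule and not policy.schedule.active(flow.when):
        return False
    return True
```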
You may configure the following options for a policy:
- Status: By default, a newly created policy is set to disable. You must enable it to activate the new policy on your node.
- Name: The name of the policy may be changed by clicking on the name.
- Priority: By default, the priority is set to disable. If you wish to restrict all Internet access at specific time intervals, you can enable this option. When it is enabled, it overrides all rules and blocks all connections. In other words, the Priority option blocks all connections in your network regardless of the policy's app/web/security rules.
- Interfaces: The interface(s) that will be protected by the engine may be selected. This option will be available in future releases of the cloud portal.
- Packet Direction: The network packet direction in which to apply the rules may be specified for a policy. Packets may be filtered inbound, outbound, or both directions.
- VLANs: You may apply policies to specific VLANs on your network. Click on the + Add vlan button, enter the VLAN ID, and then click on the Add button. (Warning: The VLAN ID must be a number between 1 and 4096.)
Figure 2. Adding a VLAN to the policy
- IP / Networks: A policy may be applied to the IPv4/IPv6 addresses that you enter into this option. You can enter a single IPv4/IPv6 address or many IP addresses by specifying their subnet masks. CIDR format is also accepted (e.g. 18.104.22.168/24). Click on the + Add IP / Networks button, enter an IP address and then click on the
Figure 3. Adding an IP address to the policy
- MAC Address: A policy may be applied to the MAC addresses that you enter into this option. Click on the + Add MAC Address button, enter a MAC address and then click on the
Figure 4. Adding a MAC address to the policy
- Users: To apply policies to specific users, you may select the desired OPNsense Captive Portal users.
- Groups: Policies may be applied to groups from OPNsense Captive Portal.
- Time Schedules: If you want the policy to be active at a specific time interval, you can create a time schedule for your policy.
Figure 5. Editing the policy configuration
The Sensei Active Directory integration feature provides user-based policy filtering. However, it is only available on the OPNsense platform. For more information on how to integrate Active Directory with Sensei, please refer to the Active Directory Integration Guide.
Sensei also supports OPNsense Captive Portal for username resolution. If your OPNsense Captive portal is enabled, Sensei will automatically have access to the username.
You can define a user/group-based policy by just adding a user or group to the policy on the policy configuration page.
To define a user-based policy:
- Navigate to the Configuration page of the policy
- Click on the + Add user button
- Enter a username
- Click on the
Figure 6. Adding user to the policy
To define a group-based policy:
- Navigate to the Configuration page of the policy
- Click on the + Add group button
- Enter a group name
- Click on the
Figure 7. Adding a group to the policy
After enabling and synchronizing the policy with your firewall, your user/group-based filtering will be activated on your node.
A time schedule may be added to your policy if you want your policy to be active only at certain times of the day or days of the week. You may also update or remove schedules which were previously created on the Policy Configuration page.
To create a new schedule for a policy:
- Click the Add new schedule button. This will open a dialog box for naming the schedule.
Figure 8. Adding a new time schedule for a policy
- Enter a name and click on the Add button. This will add the new schedule to the
- Select each day you wish to be applied to the schedule. Selected days will be displayed with a solid blue checkmark icon.
- Specify the starting and stopping hours for which the policy will be effective.
Figure 9. Time schedule configuration for a policy
You can change the existing time schedule by updating the start/stop hours and selecting/deselecting the days any time after you create the initial schedule.
To remove an existing time schedule, click on the Remove button with a trash icon. This will open a dialog box for confirming the removal of the schedule. Clicking on the Remove button on the confirmation box will erase the time schedule for the policy.
Figure 10. Removing a time schedule for a policy
After completing Policy Configuration, you can proceed to specify the Security rules of the policy by clicking on the
The Security page allows you to select options for blocking potentially dangerous websites and various types of malware activity.
Free Edition users can only enable the Essential Security options. The Advanced Security options are exclusive to
Advanced Threat Protection provides protection against the latest viruses, malware, and phishing attacks by preventing users from accessing websites that are known to host viruses and malware and to launch phishing attacks. With Sunny Valley’s Advanced Threat Protection capabilities, you are provided with commercial-grade threat protection and tracking in near real-time.
Figure 11. Configuring security rules of a policy
For more information about the Essential Security and Advanced Security options, please refer to Security Rules.
After setting the security options, proceed to the application rules section by clicking on the App Controls tab.
Application filtering for your policy may be managed on the App Controls page. You can accomplish the following management tasks:
- Allow/Block Application Category
- Search an application/category
Figure 12. Configuring Application Control rules of a policy
For more information about application control configuration, please refer to Application Control Rules.
After completing the configuration of the Application Control, proceed to define the Web Control rules by clicking on the Web Controls tab.
Web content filtering rules may be defined on the Web Controls page.
You can select one of the predefined Web Profiles or define a custom profile by blocking or allowing the web categories from the list provided.
There are four types of predefined
- Permissive: This profile has no restrictions for web browsing.
- Moderate Control: Only harmful/high risk web categories such as Illegal Drugs, Violence, Adult, Pornography and Advertisements are blocked in this profile.
- High Control: In addition to the categories blocked in the moderate profile, the following categories are blocked in this profile: Forums, Alcohol, Blogs, Gambling, Chats, Dating, Games, Job Search, Online Storage, Social Networks, Software Downloads, Weapons, Military, Swimsuits, Tobacco and Warez Sites.
- Custom: You may fully customize the web filtering by using this profile and selecting the categories to block.
Figure 13. Configuring Web Control rules of a policy
The Custom Web filtering profile is only available for Premium subscriptions. If you have the Free edition, you cannot fully customize web filtering; you can only choose between the Permissive/Moderate/High predefined profiles.
For more information about the web filtering configuration, please refer to Web Control Rules.
After selecting one of the predefined web profiles or customizing a profile, you can proceed to the Exclusions section to define whitelist and blacklist entries by clicking the
Sometimes you may need to define exceptions for your policy rules. Sensei allows you to define exclusions that take precedence over all Security, Web and App rules.
For example, let us assume that video streaming is not allowed in your company’s network but some of your staff may need to attend an online training program that includes training videos. In such a case, you may allow the staff to access the online training site by adding the domain/IP address to the whitelist temporarily.
You can manage exclusions (whitelist and blacklist) for your policy on the Exclusions page. You can accomplish the following management tasks:
- Add a domain/hostname/IP address to the whitelist for a node
- Add a domain/hostname/IP address to the whitelist for all nodes (global)
- Add a domain/hostname/IP address to the blacklist for a node
- Add a domain/hostname/IP address to the blacklist for all nodes (global)
- Search for a domain/hostname/IP address in exclusions
- Remove an exclusion
Figure 14. Configuring exclusion rules of a policy
For more information about managing exclusions, please refer to Blacklists and Whitelists: Exclusions.
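The precedence of exclusions over the Web Control rules, and the training-site scenario from the Exclusions section above, as an added example (not Sensei's own code). The predefined category sets follow the profile descriptions on this page; the host-to-category table, the "Video Streaming" category name and the `web_verdict` function are constructed for this example, and checking the whitelist before the blacklist is an assumption of the example.

```python
# Category sets follow the predefined profiles described on the page.
MODERATE_BLOCKED = {"Illegal Drugs", "Violence", "Adult", "Pornography", "Advertisements"}
HIGH_BLOCKED = MODERATE_BLOCKED | {
    "Forums", "Alcohol", "Blogs", "Gambling", "Chats", "Dating", "Games", "Job Search",
    "Online Storage", "Social Networks", "Software Downloads", "Weapons", "Military",
    "Swimsuits", "Tobacco", "Warez Sites",
}
PROFILES = {"Permissive": set(), "Moderate Control": MODERATE_BLOCKED, "High Control": HIGH_BLOCKED}

# Constructed sample host-to-category lookup standing in for the vendor's categorization service.
CATEGORY_DB = {
    "training.example": "Video Streaming",
    "casino.example": "Gambling",
    "news.example": "News",
}

def web_verdict(host, profile, blocked_categories=(), whitelist=(), blacklist=()):
    """Return ("allow" | "block", reason) for a flow that already matched the policy.

    Exclusions are evaluated before any web rule; checking the whitelist before the
    blacklist is an assumption of this example, not documented on the page.
    """
    if host in whitelist:
        return "allow", "whitelist"
    if host in blacklist:
        return "block", "blacklist"
    # Custom profiles use the caller's category list; predefined profiles use the fixed sets.
    blocked = set(blocked_categories) if profile == "Custom" else PROFILES[profile]
    category = CATEGORY_DB.get(host, "Uncategorized")
    if category in blocked:
        return "block", "category " + category
    return "allow", "no web rule matched"
```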
Don't forget to synchronize your policy with your firewall after configuring policy rules to activate the updated policy.