
FAQ

GENERAL

Is Sensei open source?

Sensei consists of two modules:

  • PHP Code & Python Scripts which provide the Web User Interface Functionality. This part is open source.
  • The Packet Engine coded in C++. This part is closed source.

COMPATIBILITY

Which platforms are supported?

Our goal is to be able to run Sensei in any networking environment that processes Layer 3-4 traffic, be it a container, cloud, virtual or bare-metal deployment (firewalls, switches, UTMs).

As of March 2021, OPNsense®/pfSense® firewalls, CentOS, Debian, Ubuntu and FreeBSD are among the supported platforms.

The product is any-cloud: you can install it in any cloud environment.

What is the correct hardware configuration?

Please refer to Getting Ready section here.

Can I run Sensei on a virtualized environment like Proxmox, VirtualBox, KVM?

Yes

Are there any compatibility issues with OPNsense®?

If you're using OPNsense 20.1.x and later, you should be good to go.

When are you going to have pfSense® support?

As of Sensei Release 1.9, pfSense® is also supported. pfSense® is based on the FreeBSD operating system, so you can install the Sensei FreeBSD 12 package on the pfSense® software 2.5.x release series. Get Sensei for FreeBSD

Does Sensei support IPv6?

Yes

Can I run Sensei on an HA cluster deployment?

Yes

Is Sensei compatible with 32 bit systems?

No. Sensei is only available for 64 bit Intel architecture.

I can't see os-sunnyvalley listed under OPNsense Firmware - Plugins

This is because you are not on a supported platform. See this question.

Can I also run DNS based filtering systems (Pi-hole, unbound) along with my Sensei?

Yes. You can also run Pi-hole and other DNS based filtering systems along with Sensei as an additional layer of defense.

The only thing you need to be aware of is that if you run these tools on a separate host rather than on the firewall itself (on which Sensei is running), you'll need to disable DNS caching.

The reason is that cached DNS traffic will NOT traverse the firewall, causing Sensei to miss DNS mappings.

For those scenarios (like Pi-hole), we advise disabling caching on them and using the firewall's DNS cache as the forwarder.

Can I also run Suricata along with Sensei?

Yes.

However, if you're running Suricata in IPS mode, make sure you run them on different interfaces, since they both use the same packet I/O subsystem (netmap), which can only be used by a single process at a time.

Generally people use Suricata on WAN and Sensei on LAN-facing interfaces.

Reports: some charts are broken

This is because of broken Elasticsearch/MongoDB indices. There are two reasons that we're aware of:

Reason 1: There has been an unexpected power loss on the firewall, e.g. an electricity outage or an abnormal shutdown of the firewall. These databases do a lot of buffering and write the buffers to the indices from time to time. If a partial write is in progress when this happens, chances are high that your indices might get corrupted.

Solution 1: Go to Sensei -> Configuration -> Reporting & Data. Click Perform health check for indices. It'll take care of the rest for you.

Reason 2: You have enabled Use memory file system for /var from System -> Settings -> Miscellaneous in the OPNsense configuration.

Solution 2: Make sure you have this setting disabled. After that, go to Sensei -> Configuration -> Reporting & Data. Click Perform health check for indices. You're done.

Tip: According to the reports we receive from Sensei users, Elasticsearch seems to be a better alternative as the backend database. If you're using the MongoDB backend and experiencing problems, it might be wise to switch to the Elasticsearch backend. Please check the HW requirements to be able to run the ES backend along with your Sensei deployment.

I do not see DNS hostnames for some IP addresses

If the engine cannot do real-time DNS enrichment, this is generally because you're running a DNS server somewhere outside your firewall (like Pi-hole or Active Directory), so Sensei is missing some or all of your DNS transactions.

If this is the case, we advise you to disable "caching" on the external DNS server and set your firewall's DNS server as a forwarder to the external DNS server. This way, Sensei will have a chance to witness your DNS transactions.

Please also see the answer to this question: Can I run DNS based filtering systems along with Sensei?

For a little bit of background: Sensei does DNS enrichment in two ways:

Engine doing the mapping in real time:

The engine keeps track of all DNS transactions that it can see flowing through it. When it detects an IP address resolution (either an A/AAAA/CNAME or PTR), the packet engine caches the IP addresses and the corresponding fully qualified domain name.

All charts/tabular reports and live session reports display this cached hostname when you view the reports.

Note (July 2020)

Beginning with Sensei 1.6, the engine does an active real-time reverse PTR query in case it cannot find DNS enrichment data from previous attempts (available in all subscription tiers).

UI doing the mapping during report viewing:

This applies to live session reports only: When you view a live session report, while you're browsing over records, the UI runs a background job to see if a particular record has its hostname resolved. If it detects an unresolved IP address, it runs a background query to resolve the IP address via the name server you've configured on Sensei -> Configuration -> Reporting and Data.

So, if you do not see a hostname corresponding to the IP address, this means that Sensei was not able to see a DNS request/response which can map this IP address to a hostname. But while you're browsing over the hostname section in the Live Session Explorer screens, Sensei will try once more by querying the IP address from your configured DNS server.
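The two enrichment paths described above, as an added Python sketch (not Sensei's engine, which is closed source): a passive IP-to-FQDN cache fed from DNS responses, with one active PTR lookup on a miss. The function names, the choice to cache the queried name for A/AAAA answers, and the sample packet are assumptions made for illustration.

```python
import ipaddress, socket, struct

def read_name(msg, off):
    """Decode a possibly compressed DNS name; return (name, offset just past it)."""
    labels, after, hops = [], None, 0
    while (n := msg[off]) != 0:
        if n & 0xC0 == 0xC0:                        # compression pointer
            after = off + 2 if after is None else after
            off = ((n & 0x3F) << 8) | msg[off + 1]
            if (hops := hops + 1) > 16:
                raise ValueError("compression pointer loop")
        else:
            labels.append(msg[off + 1:off + 1 + n].decode("ascii", "replace"))
            off += 1 + n
    return ".".join(labels).lower(), (off + 1 if after is None else after)

def arpa_to_ip(name):  # "10.2.0.192.in-addr.arpa" -> "192.0.2.10"; ip6.arpa likewise
    *rev, zone, _ = name.split(".")
    if zone == "in-addr":
        return str(ipaddress.IPv4Address(".".join(reversed(rev))))
    return str(ipaddress.IPv6Address(int("".join(reversed(rev)), 16)))

def observe(msg, cache):
    """Feed one DNS response seen on the wire into the IP -> FQDN cache (raises if malformed)."""
    _id, flags, qdcount, ancount = struct.unpack("!4H", msg[:8])
    if not flags & 0x8000 or qdcount != 1:          # skip queries and unusual packets
        return
    qname, off = read_name(msg, 12)
    off += 4                                        # skip QTYPE and QCLASS
    for _ in range(ancount):
        owner, off = read_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata, off = off + 10, off + 10 + rdlen
        if rtype in (1, 28):    # A / AAAA: keep the queried name (assumption), even behind a CNAME
            cache[str(ipaddress.ip_address(msg[rdata:off]))] = qname
        elif rtype == 12:                           # PTR answer
            cache[arpa_to_ip(owner)] = read_name(msg, rdata)[0]

def hostname_for(ip, cache, resolve=socket.gethostbyaddr):
    """Passive cache first; on a miss, one active reverse (PTR) lookup."""
    if ip not in cache:
        try:
            cache[ip] = resolve(ip)[0]
        except OSError:
            return None                             # unresolved: the report shows the bare IP
    return cache[ip]

# Constructed sample response: www.example.test -> CNAME web.example.test -> A 192.0.2.10
SAMPLE = bytes.fromhex("123481800001000200000000 03777777076578616d706c65047465737400 00010001 "
                       "c00c000500010000003c0006 03776562c010 c02e000100010000003c0004 c000020a")
```

When a response is answered by a caching resolver that sits on the LAN, `observe()` never sees it, so only the fallback in `hostname_for()` can fill the entry.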

No Ethernet Interface is being shown in the Interface Configuration

If you cannot see any Ethernet interfaces being reported in the Configuration -> Interface Selection menu, chances are high that you're using an Ethernet adapter for which netmap, the raw packet I/O interface in FreeBSD, does not have proper driver support. We're sponsoring the driver support on the netmap project, so there are lots of improvements on this.

Make sure that you're using the latest firewall version and the latest Sensei version.

CONFIGURATION

Sensei did not detect my WAN interface during interface configuration

Sensei is meant to be deployed on inner-facing interfaces. The reason is that you'll lose internal IP information if you operate on the WAN interface, due to NAT being applied.

I cannot find my WireGuard or OpenVPN interface in the Interface Configuration

Sensei can run on any Ethernet interface which is netmap compatible. However, WireGuard and OpenVPN utilize tunnel (tun) interfaces, which we do not support for the time being.

We're currently sponsoring development on the netmap(4) project, and we hope to make this feature available with OPNsense 20.7.x (in Q3 2020).

Landing Page is not always displayed and browser reports ERR_CONNECTION_CLOSED

This happens if the blocked connection is not speaking HTTP. Sensei displays the Landing Page only if it is an HTTP connection.

For HTTPS connections, since TLS comes first and the client and server do not yet speak HTTP, we cannot display the landing page (this behavior will change with the TLS inspection feature).

For Application control, we do not display it, since it might be a connection which does not speak HTTP.

Note: Future Sensei versions (expected in 2.0 or 2.1) will be able to overcome this protocol limitation and display a landing page even if the connection is HTTP/TLS.

How do I reset to factory defaults?

  • Navigate to Sensei > Configuration
  • Click on Uninstall tab
  • Click on Reset to factory defaults button.

When you click on any Sensei submenu, you'll be redirected to the initial Configuration Wizard to start over.

How often are Application & Web Database (threat signatures) updated?

The majority of our threat signatures are served through our real-time Cloud Infrastructure. This database is queried in real-time and signature updates to this system are almost continuous. We can push a new signature to the Cloud within minutes.

Sensei has a local database which caches the most popular domains and doesn't query them. In addition, the queried domains not found in the local database are cached to increase the performance. The cache is updated hourly.

The local App database is used for the signatures that are more sophisticated. Since these signatures are complex, they require testing. Generally, we strive to add one or two local signature updates each month.

The frequency of updates is independent of the OPNsense update cycle. Updates are handled directly by Sensei.

To ensure you receive the latest updates automatically, the toggle button must be enabled for the option Automatically Update Application Database on the Configuration -> Updates & Health page.

Figure 1: Sensei Configuration Updates & Health Pane.

Some domains are blocked as parked domains/firstly seen sites. But they are not. What should I do?

For more information about why you should block parked domains and firstly seen sites, click Managing Policies.

You can define exclusions (exceptions) for the domains to prevent them from being blocked by the engine.

To add the domains to the whitelist:

  1. Navigate to Policies -> Manage the Related Policy -> Web Controls -> User Defined Categories -> Auto Whitelist Host in Sensei < 1.9. (For Sensei > 1.9, navigate to Policies -> Manage the Related Policy -> Exclusions)
  2. Enter the domains/IP Addresses and click Add on the Whitelist Pane.
  3. You may click the check box to Send this recategorization as feedback to Sensei Team to improve web categorization.
  4. Click Save Changes

Figure 1. Managing Exclusions (Whitelist/Blacklist)

For more information about managing exclusions, please refer to Managing Policies.

Info: We highly encourage you to share these false-positive blocked domains with our support team so that they are recategorized and no longer blocked.

Tip: You can check out the classification or request re-categorization for a domain here.

How do I uninstall the plugin?

  • Navigate to Sensei > Configuration
  • Click on Uninstall tab
  • Click on Uninstall Sensei packet engine button.
  • Confirm that you want to proceed.

How do I send a bug report?

Please refer to the Reporting a Bug section here.

How do I get support?

Please refer to the Getting support section here.

LICENSING

How much does Sensei cost?

Free Edition is forever free for OPNsense users.

Premium subscription with much more advanced features is available for purchase. See: How do I purchase a Subscription?

You can find the details about the Premium Subscription and how it compares to the Free Edition in Plans & Pricing.

How do I know how many devices I have?

Easy.

Sensei 1.5.2 and later: Click on Upgrade to Premium on the Sensei UI and it'll tell you the number of devices you have.

Sensei 1.5.1 and before: Run Sensei Free Edition for a day, during which Sensei will detect all devices passing through your firewall. On the following day, look at the Unique Device Count value in the Reports -> Connections -> Conn - Facts chart. It'll tell you how many devices you have, and you can decide on the correct subscription size.

Do you offer special discounts for Educational / Non-Profit organizations?

Sure! We do have an Edu/Non-Profit program where we offer special discounts. You can easily apply here.

Do you offer special discounts for MSPs?

Yes. Additional Partner discounts are available. Apply now to become a Sensei Partner.

How do I get a Premium Subscription?

  • You can easily do so within the Sensei User Interface. You'll need a valid credit card. It only takes 30 seconds to purchase and activate your subscription:


  • You can contact sales - at - sunnyvalley.io and we'll get you a license right away.
  • You can buy it from the OPNsense Store.
  • You can contact one of our authorized partners and purchase your Sensei subscription.
  • Additional Partner discounts are available. Apply now to become a Sensei Partner.

OPNsense® is a registered trademark of Deciso B.V.

pfSense® is a registered trademark of Electric Sheep Fencing LLC.