How does the engine work? What is the relationship between the Zenarmor engine and the OPNsense/L4 firewalls?
Network packets are processed by both the Zenarmor engine and the OPNsense firewall rules, independently of each other. The Zenarmor policy/detection/rules engine runs completely independently of the OPNsense pf/ipfw firewalls.
For incoming packets, the Zenarmor engine has precedence over the OPNsense firewall rules, which means that the Zenarmor engine takes and processes the packets before the OPNsense/L2-L4 firewall rules do. Incoming packets are first inspected by Zenarmor (since Zenarmor jumps into the scene well before the operating system), and then handed over to the operating system kernel to be processed by the in-kernel firewalls.
What is important to note here is that, in the incoming case, if Zenarmor blocks a packet, it is not forwarded to the OS kernel/firewall at all.
In the outgoing scenario, packets are processed first by the OPNsense/L4 firewall; if a rule matches and blocks a packet, it never reaches Zenarmor.
Consider the below table for how they behave in each scenario:
| Zenarmor rule matches | OPNsense/L4 FW rule matches | Final action |
|---|---|---|
| No | No | Pass |
| Yes | Yes | Block |
| Yes | No | Block |
| No | Yes | Block |
Figure 1. How incoming packets are processed by Zenarmor engine and OPNsense/L4 firewall
Figure 2. How outgoing packets are processed by OPNsense/L4 firewall and Zenarmor engine
In summary, incoming packets are processed by the Zenarmor engine first, and only if the engine lets them pass are they processed by your OPNsense/L4 firewall. Outgoing packets, on the other hand, are processed by your OPNsense/L4 firewall first; only if the firewall allows them to pass are they processed by the Zenarmor engine. For any network packet to pass, it must not match any rule on either Zenarmor or the OPNsense/L4 firewall.
To protect your network from cyber attacks securely and effectively, you should first define L4 rules on your OPNsense/L4 firewall. Then, enable next-generation firewall capabilities by configuring policy rules on the Zenarmor engine for application control and web filtering (L7 filtering).
Beware that Zenarmor rules and OPNsense/L4 firewall rules are independent of each other. You must configure your firewall for L4 filtering and enable L7 filtering by configuring Zenarmor separately.
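The two-stage ordering described above, modelled as an added example (this is not Zenarmor or OPNsense code, and the rule sets, packet fields and stage functions are constructed for illustration). It reproduces the four rows of the table for both directions and also records which stage actually saw each packet, which makes the "a blocked packet never reaches the second stage" point observable:

```python
from dataclasses import dataclass, field

@dataclass
class Packet:
    dst: str
    dport: int
    app: str = "unknown"                       # L7 label, as an engine would classify it
    seen_by: list = field(default_factory=list)  # which stages inspected this packet

# Hypothetical rule sets, constructed for the example.
ZENARMOR_BLOCKED_APPS = {"bittorrent"}         # stands in for an L7 policy rule
L4_BLOCKED_PORTS = {23}                        # stands in for a pf/ipfw rule blocking telnet

def zenarmor_stage(pkt):
    """Hypothetical L7 decision: block by application classification."""
    pkt.seen_by.append("zenarmor")
    return "Block" if pkt.app in ZENARMOR_BLOCKED_APPS else "Pass"

def l4_stage(pkt):
    """Hypothetical L4 decision: block by destination port."""
    pkt.seen_by.append("l4fw")
    return "Block" if pkt.dport in L4_BLOCKED_PORTS else "Pass"

def decide(pkt, direction):
    """Incoming: Zenarmor first, then the kernel firewall; outgoing: the reverse.
    The first stage that blocks ends processing, so the later stage never sees the packet."""
    stages = (zenarmor_stage, l4_stage) if direction == "in" else (l4_stage, zenarmor_stage)
    for stage in stages:
        if stage(pkt) == "Block":
            return "Block"
    return "Pass"

def truth_table(direction):
    """Map (Zenarmor rule matches, L4 rule matches) -> final action, as in the table above."""
    rows = {}
    for app, dport in (("http", 80), ("bittorrent", 23), ("bittorrent", 80), ("http", 23)):
        zen_match = app in ZENARMOR_BLOCKED_APPS
        l4_match = dport in L4_BLOCKED_PORTS
        rows[(zen_match, l4_match)] = decide(Packet("10.0.0.5", dport, app), direction)
    return rows

if __name__ == "__main__":
    for direction in ("in", "out"):
        print(direction, truth_table(direction))
    p = Packet("10.0.0.5", 23, "bittorrent")
    print(decide(p, "in"), p.seen_by)    # blocked by Zenarmor; the L4 firewall never saw it
```

The final action is the same in both directions (block if either rule set matches), but `seen_by` differs: an incoming packet blocked by Zenarmor is only ever seen by Zenarmor, while the same packet going out is only ever seen by the L4 firewall. That is why neither rule set can be used to log or count what the other one already dropped.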
How does Zenarmor Perform TLS Inspection?
There are two methods of TLS inspection, which differ in their level of detail and the presence or absence of decryption:
- Lightweight (or certificate-based) inspection: In this mode, Zenarmor examines the initial phases of TLS sessions. These parts are still in clear text and contain pertinent information such as the remote hostname, web category, and remote application type. There is no requirement for certificate administration, and this mode is available across all subscription tiers. Lightweight TLS inspection is fully transparent.
- Full TLS inspection (or TLS decrypt/re-encrypt): In this mode, Zenarmor terminates the TLS (SSL) connection, decrypts the packet contents, performs a thorough packet inspection, and then re-encrypts the contents. Full TLS inspection has not yet been released to the public. Apart from the installation of CA certificates, nothing else will be required, and the process will remain transparent.
Zenarmor has recently implemented a rudimentary TLS inspection function that extracts the SNI name from the certificate. It is enabled by default, and inspected TLS traffic can be viewed under Reports > TLS or Live Sessions > TLS. The packet engine core already contains the fundamental technology for Full TLS inspection; the administration components are currently under development. The beta version of Full TLS Inspection, shipping with Zenarmor 1.16, is expected to be available by the end of 2023.
Certificate-based (also referred to as lightweight) inspection is available in both paid and free subscription tiers. Full TLS inspection, by contrast, will be available with the Business subscription.