Zenarmor Secure Web Gateway Deployment Guide

A secure web gateway (SWG) is a barrier that protects an organization from web security threats by enforcing business regulations and restricting unauthorized network traffic. It matches web requests against business requirements in order to limit access to dangerous websites. These websites often host trojans, adware, spyware, and other malware, which may put the data and information of both people and organizations at risk. In addition, an SWG protects remote personnel and enables them to stay securely connected. It includes essential security technologies such as URL filtering, application control, data loss prevention, antivirus, and SSL inspection to provide powerful online security for organizations.

By deploying a secure web gateway (SWG), you may block unrestricted access to your internal network from the internet. To protect corporate networks from web-based malware, it analyzes network traffic, rejects incoming threats, and prevents data loss.

In this guide, we will explain how to deploy Zenarmor Secure Web Gateway (Zenarmor SWG) on your hardware, which may run OPNsense, pfSense software, or any supported Linux distribution such as Ubuntu, Debian, CentOS, RHEL, or Amazon Linux 2.

What is Zenarmor SWG?

Zenarmor is a quick, effective, and cost-effective network security solution that can be installed on any network within minutes. It is a lightweight, appliance-free engine for deep packet inspection. It delivers extensive reporting and analysis capabilities, a vast database of real-time threat information, and improved administration and flexibility. Its technologies continuously improve threat detection and response.

Zenarmor Secure Web Gateway offers effective protection against potentially risky websites. Zenarmor's AI-based Cloud Threat Intelligence (CTI) is an enormous database that provides protection for 500 million active domains over 60 different categories. This database is continually expanding and being updated with information from a variety of trustworthy sources, including commercial and open-source threat intelligence feeds and web categorization databases, Sunny Valley Networks' Security Operation Center, partners' and customers' feedback, etc. Zenarmor and CTI servers provide immediate, real-time reactions to zero-day cyber threats.

How to Deploy Zenarmor SWG on OPNsense?

To be able to configure your OPNsense node as a secure web gateway and continue to easily manage it, we advise you to have the following 4 network interfaces:

  • WAN: Your OPNsense node needs this interface to connect to repositories, for package installation and updates, and to Zenconsole, for remote management of the Zenarmor SWG.

  • LAN Management: You may use the LAN management interface to access the OPNsense node for administration purposes.

  • LAN: Your clients will be located behind this interface, and their internet traffic will pass through the LAN interface. It will be configured as a member of the bridge interface.

  • WAN_Bridge: This interface will provide your clients located in LAN with internet access. It will be configured as a member of the bridge interface.

tip

Indeed, you do not need to have separate interfaces for WAN and LAN Management. Instead of dedicating 2 interfaces, you may assign and configure just one interface for internet connectivity and management of your OPNsense node. In this case, you will need a total of 3 interfaces on your Zenarmor Secure Web Gateway:

  • WAN and Management
  • LAN
  • WAN_Bridge

Figure 1. Zenarmor Secure Web Gateway (Zenarmor SWG) Deployment Topology

note

In a typical OPNsense firewall setup, there must be at least two network interfaces. While the first one is used for WAN/internet connection, the second one is used for LAN connection.

In this tutorial, we assumed that you have already configured these interfaces and renamed the LAN interface as "LAN Management". You should be able to access your OPNsense node for management purposes via this interface.

After completing the fresh installation of the OPNsense firewall on your hardware and configuring the WAN and LAN management interfaces depending on your infrastructure, you may easily deploy Zenarmor SWG on your OPNsense node by following 5 steps outlined below:

  1. LAN & WAN_Bridge Interface Assignments

  2. Zenarmor Plugin Installation

  3. Zenarmor Deployment in Bridge Mode

  4. Zenconsole Cloud Portal Registration

  5. Zenarmor Policy Configuration

1. LAN & WAN_Bridge Interface Assignments

To apply your web filtering rules, Zenarmor SWG configures the LAN interface where your clients are located and the WAN_Bridge interface which has an Internet connection as bridge members. Therefore, you must complete interface assignments on your OPNsense node. You may follow the steps given below for the interface assignment:

  1. Navigate to Interfaces > Assignments on the OPNsense UI.

  2. Type a descriptive name like LAN for the network port where the clients are located, like vtnet2, and click on the + Add button.

  3. To enable the LAN interface, click on LAN.

Figure 2. Enabling LAN interface

  4. Select the Enable Interface option in the Basic Configuration pane to enable the LAN interface. You may leave other settings as default.

  5. Click Save to save the LAN interface configuration.

  6. Click Apply Changes to activate the settings.

  7. Type a descriptive name like WAN_Bridge for the network port that provides the OPNsense node's internet connection, like vtnet3, and click on the + Add button.

Figure 3. Interface assignment for the WAN_Bridge

  8. To enable the WAN_Bridge interface, click on WAN_Bridge.

Figure 4. Enabling WAN_Bridge Interface

  9. Select the Enable Interface option in the Basic Configuration pane to enable the WAN_Bridge interface. You may leave other settings as default.

  10. Click Save to save the WAN_Bridge interface configuration.

  11. Click Apply Changes to activate the settings.

2. Zenarmor Plugin Installation

You may easily install Zenarmor on your OPNsense firewall by installing the os-sunnyvalley Vendor Repository plugin and os-sensei Zenarmor Next Generation Firewall plugin via the web interface.

3. Zenarmor Deployment in Bridge Mode

Before you can begin using Zenarmor, you will have to complete the initial configuration wizard.

In the Interface Selection step of the Zenarmor initial configuration, follow these instructions to deploy Zenarmor as a Secure Web Gateway on your OPNsense node:

  1. Select the Bridge Mode (L2 Mode, Reporting and Blocking available) option in the Deployment Mode pane. This will open a dialog box indicating that Bridge Mode is experimental.

Figure 5. Zenarmor Bridge Mode Selection

  2. Click the I understand and I want Bridge Mode button for confirmation.

  3. Select WAN_Bridge in the WAN Pair list.

  4. Select LAN_Bridge in the LAN Pair list.

Figure 6. Zenarmor Bridge Mode Interface Selection

  5. Click the right arrow buttons to move the selected interfaces to the Protected Bridge Interfaces combo box.

  6. Click Next to proceed and complete the initial configuration wizard.

4. Zenconsole Cloud Portal Registration

To be able to manage your Zenarmor Secure Web Gateway regardless of your physical location, you may enable cloud management and register your node to the Zenconsole Cloud Management Portal. This step is optional and you can continue to manage your Zenarmor SWG by accessing the OPNsense node via the LAN management interface.

After enabling cloud management and adding your node to your Zenconsole account, you can manage your Zenarmor SWG from anywhere in the world.

You may view the Zenarmor SWG configuration on Zenconsole by navigating to Firewall > Settings > Configuration.

Figure 7. Zenarmor SWG Configuration on Zenconsole

5. Zenarmor Policy Configuration

Now, you have completed Zenarmor Secure Web Gateway deployment on your OPNsense firewall. You may quickly define Zenarmor policies to protect your users from web-based attacks and apply your organization's regulations.

Figure 8. Zenarmor SWG Policy Configuration on Zenconsole

How to Deploy Zenarmor SWG on pfSense® Software?

To be able to configure your pfSense® Software node as a secure web gateway and continue to easily manage it, we advise you to have the following 4 network interfaces:

  • WAN: Your pfSense® Software node needs this interface to connect to repositories, for package installation and updates, and to Zenconsole, for remote management of the Zenarmor SWG.

  • LAN Management: You may use the LAN management interface to access the pfSense® Software node for administration purposes.

  • LAN: Your clients will be located behind this interface, and their internet traffic will pass through the LAN interface. It will be configured as a member of the bridge interface.

  • WAN_Bridge: This interface will provide your clients located in LAN with internet access. It will be configured as a member of the bridge interface.

tip

Indeed, you do not need to have separate interfaces for WAN and LAN Management. Instead of dedicating 2 interfaces, you may assign and configure just one interface for internet connectivity and management of your pfSense® Software node. In this case, you will need a total of 3 interfaces on your Zenarmor Secure Web Gateway:

  • WAN and Management
  • LAN
  • WAN_Bridge

Figure 9. Zenarmor Secure Web Gateway (Zenarmor SWG) Deployment Topology

note

In a typical pfSense® Software firewall setup, there must be at least two network interfaces. While the first one is used for WAN/internet connection, the second one is used for LAN connection. In this tutorial, we assumed that you have already configured these interfaces. You should be able to access your pfSense® Software node for management purposes via the LAN interface.

After completing the fresh installation of the pfSense® Software firewall on your hardware and completing the initial configuration depending on your infrastructure, you may easily deploy Zenarmor SWG on your pfSense® Software node by following 5 steps outlined below:

  1. LAN & WAN_Bridge Interface Assignments

  2. Zenarmor Installation

  3. Zenconsole Cloud Portal Registration

  4. Zenarmor Deployment in Bridge Mode

  5. Zenarmor Policy Configuration

1. LAN & WAN_Bridge Interface Assignments

To apply your web filtering rules, Zenarmor SWG configures the LAN interface where your clients are located and the WAN_Bridge interface which has an Internet connection as bridge members. Therefore, you must complete interface assignments on your pfSense® Software node. You may follow the steps given below for the interface assignment:

  1. Navigate to Interfaces > Assignments on the pfSense® Software UI.

  2. Click on the LAN interface to edit your LAN interface, such as vtnet1.

  3. Type LANManagement in the Description field to rename the interface.

Figure 10. Renaming LAN interface as LANManagement

  4. Click the Save button to save the interface configuration.

Figure 11. Applying changes on LANManagement interface

  5. Click Apply Changes to activate the settings.

  6. Navigate to Interfaces > Assignments on the pfSense® Software UI.

  7. Select the interface corresponding to the LAN interface where your clients are located, such as vtnet2, in the Available network ports option.

Figure 12. Adding new LAN interface

  8. Click the +Add button to add a new interface.

Figure 13. Editing newly added OPT1 interface

  9. Click on the OPT1 interface to configure the newly added interface, such as vtnet2.

  10. Select the Enable Interface option in the General Configuration pane to enable the interface. You may leave other settings as default.

  11. Type a descriptive name like LAN in the Description field.

Figure 14. Enabling LAN interface

  12. Click Save to save the LAN interface configuration.

Figure 15. Applying changes on LAN interface

  13. Click Apply Changes to activate the settings.

  14. Navigate to Interfaces > Assignments on the pfSense® Software UI.

  15. Select the interface corresponding to the WAN interface that will provide your clients with internet connection, such as vtnet3, in the Available network ports option.

Figure 16. Adding new WANBridge interface

  16. Click the +Add button to add a new interface.

Figure 17. Editing newly added OPT2 interface

  17. Click on the OPT2 interface to configure the newly added interface, such as vtnet3.

  18. Select the Enable Interface option in the General Configuration pane to enable the interface. You may leave other settings as default.

  19. Type a descriptive name like WANBridge in the Description field.

Figure 18. Enabling WANBridge interface

  20. Click Save to save the WANBridge interface configuration.

Figure 19. Applying changes on WANBridge interface

  21. Click Apply Changes to activate the settings.

Now, the network interface configuration is complete. Your interfaces should look similar to the figure given below. You may proceed to the Zenarmor Secure Web Gateway (SWG) installation by following the steps explained in the next section.

Figure 20. Viewing interfaces on pfSense® Software

2. Zenarmor Installation

You may easily install Zenarmor on your pfSense® Software node by running the following command on the CLI:

curl https://updates.sunnyvalley.io/getzenarmor | sh

You should see output similar to the following:

% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 11359 100 11359 0 0 14128 0 --:--:-- --:--:-- --:--:-- 14128
/usr/local/bin/curl
Running FreeBSD Installation..
Updating pfSense-core repository catalogue...
pfSense-core repository is up to date.
Updating pfSense repository catalogue...
pfSense repository is up to date.
All repositories are up to date.
Checking integrity... done (0 conflicting)
The most recent versions of packages are already installed
Updating SunnyValley repository catalogue...
SunnyValley repository is up to date.
Updating pfSense-core repository catalogue...
pfSense-core repository is up to date.
Updating pfSense repository catalogue...
pfSense repository is up to date.
All repositories are up to date.
Checking integrity... done (0 conflicting)
The following 1 package(s) will be affected (of 0 checked):
New packages to be INSTALLED:
zenarmor: 1.12.1 [SunnyValley]
Number of packages to be installed: 1

The process will require 77 MiB more space.
[1/1] Installing zenarmor-1.12.1...
[1/1] Extracting zenarmor-1.12.1: 100%
Generating Default CA keys and certificates...Generating a RSA private key
...............+++++
..............................+++++
writing new private key to '/usr/local/zenarmor/cert/internal_ca.key'
-----
done
Copy block tamplate ...done
=====
Message from zenarmor-1.12.1:
--
======================================================================
All Rights Reserved - Sunny Valley Networks - 2022-
======================================================================
Updating SunnyValley repository catalogue...
SunnyValley repository is up to date.
Updating pfSense-core repository catalogue...
pfSense-core repository is up to date.
Updating pfSense repository catalogue...
pfSense repository is up to date.
All repositories are up to date.
Checking integrity... done (0 conflicting)
The following 1 package(s) will be affected (of 0 checked):
New packages to be INSTALLED:
zenarmor-agent: 1.12.1 [SunnyValley]

Number of packages to be installed: 1

The process will require 76 MiB more space.
[1/1] Installing zenarmor-agent-1.12.1...
[1/1] Extracting zenarmor-agent-1.12.1: 100%
=====
Message from zenarmor-agent-1.12.1:
--
======================================================================

ALL installation tasks completed successfully.
*** Note that you need to complete initial configuration ***
You'll need to register this node to Sunny Valley Cloud Portal and
complete the initial configuration. It just takes a minute.

To register:
* Run below command from shell:
# zenarmorctl cloud register

To complete initial setup and start managing this node:

* Head to https://sunnyvalley.cloud/firewalls from your web browser
and follow onscreen instructions to complete setup.
(c) 2020,2021- Sunny Valley Networks - All rights reserved.
======================================================================
-------------------------------------------------
Installation Finished.
Run below commands to register your system to the Cloud Management Portal:
rehash
/usr/local/bin/zenarmorctl cloud register

To make the zenarmorctl utility visible to the csh shell, you may run the following command:

rehash
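
The install command above pipes the downloaded script straight into sh, so nothing is saved for review and an interrupted transfer can leave the shell executing a truncated script. The following is an added example, not part of the original guide or of Zenarmor's tooling: it saves the installer to disk over HTTPS and runs it only if its SHA-256 digest matches the one you recorded after reading the script. The function names, the ./getzenarmor.sh file name, the safe-install.sh script name and the fetch/run sub-commands are assumptions, and no vendor-published checksum is assumed.

```shell
#!/bin/sh
# Added example: download the installer to disk, then run it only when its
# SHA-256 digest matches the digest recorded after a manual review.
# Function names and the local file name are assumptions of this example.

INSTALLER_URL="https://updates.sunnyvalley.io/getzenarmor"  # URL from the guide
INSTALLER_FILE="./getzenarmor.sh"                           # assumed local name

# Print the SHA-256 of a file. FreeBSD (pfSense) ships `sha256`,
# most Linux distributions ship `sha256sum`; fall back to openssl.
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    elif command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        openssl dgst -sha256 -r "$1" | awk '{print $1}'
    fi
}

# Save URL $1 to file $2. HTTPS only (redirects included); --fail makes an
# HTTP error return non-zero rather than saving the error page.
fetch_installer() {
    curl --fail --silent --show-error --location \
         --proto '=https' --proto-redir '=https' --tlsv1.2 \
         --output "$2" "$1"
}

# Run script $1 with sh only if its digest equals the approved digest $2.
# Returns 1 on mismatch, 2 if the digest cannot be computed.
run_if_reviewed() {
    actual=$(file_sha256 "$1") || return 2
    [ -n "$actual" ] || return 2
    if [ "$actual" != "$2" ]; then
        echo "refusing to run $1: digest $actual is not the approved one" >&2
        return 1
    fi
    sh "$1"
}

# Usage (safe-install.sh is an assumed name for this file):
#   sh safe-install.sh fetch            download and print the digest
#   less ./getzenarmor.sh               read the script, note the digest
#   sh safe-install.sh run <digest>     run only the reviewed content
case "${1:-}" in
    fetch) fetch_installer "$INSTALLER_URL" "$INSTALLER_FILE" &&
           file_sha256 "$INSTALLER_FILE" ;;
    run)   run_if_reviewed "$INSTALLER_FILE" "${2:-}" ;;
esac
```

Because the digest is taken from the file on disk, a script that changes upstream between review and execution is refused rather than run.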

3. Zenconsole Cloud Portal Registration

To be able to manage your Zenarmor Secure Web Gateway regardless of your physical location, you will need to register your pfSense® Software node to the Zenconsole Cloud Management Portal and complete the initial configuration of the Zenarmor Secure Web Gateway. To register your node to the Zenconsole, you may run the following command:

zenarmorctl cloud register

This command will ask for your Zenconsole Cloud Management Portal credentials for authorization. Therefore, before registering your node to the Zenconsole, you must create an account on https://sunnyvalley.cloud.

You should see output similar to the following during Zenconsole registration:

INFO[0000] Config file not found. Populating initial config file...
INFO[0000] Saving engine configuration
[2022-12-21T08:04:38][INFO] Core Generation Enabled: true
[2022-12-21T08:04:38][INFO] Git Revision Hash: 1d83038eef53c3dc42459fb32a905f805e98da24
[2022-12-21T08:04:38][INFO] Git Revision Was Saved Into File:/usr/local/zenarmor/log/active/cloud_agent.rev
ZENARMOR(tm) Node Registration Utility

This utility registers your system with Sunny Valley Networks Cloud Portal

We need your Cloud Portal authentication credentials for:
https://sunnyvalley.cloud

If you have not set your password before, you can do that from
'My Account' -> 'Authentication and Security'

Collecting Location Info ........ OK
Please enter your Cloud Portal e-mail: my_email@mycompany.com
Please enter your Cloud Portal password:

Sending registration request...
[2022-12-21T08:05:13][INFO] Node registered!
[2022-12-21T08:05:13][INFO] Saving engine configuration
[2022-12-21T08:05:13][INFO] Cloud IDs were reset...
[2022-12-21T08:05:13][INFO] Node has been successfully registered

Congratulations!

Registration to the Cloud Portal is successfull
Authentication token has been stored in /usr/local/zenarmor/etc/token

You can now visit https://sunnyvalley.cloud and start managing your node!
[2022-12-21T08:05:13][INFO] doServiceControl: svc: zenarmor-agent, act: restart
[2022-12-21T08:05:13][INFO] doServiceControl: Command Output:Starting zenarmoragent.
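
The installation and registration output above names two secrets written to disk: the internal CA private key and the Cloud Portal authentication token. The following added example (not part of the original guide or of Zenarmor's tooling; the function names and the audit-secrets.sh script name are assumptions) checks that such files grant no access to group or other users.

```shell
#!/bin/sh
# Added example: check that Zenarmor secret files are owner-only.
# Paths are the ones printed in the output above; function names are assumptions.
CA_KEY="/usr/local/zenarmor/cert/internal_ca.key"
TOKEN="/usr/local/zenarmor/etc/token"

# Exit 0 if file $1 grants nothing to group/other, 1 if it does, 2 if missing.
is_owner_only() {
    [ -f "$1" ] || return 2
    # -perm -NNN is POSIX and works with both FreeBSD and GNU find.
    loose=$(find -L "$1" -prune \( -perm -040 -o -perm -020 -o -perm -010 \
                                  -o -perm -004 -o -perm -002 -o -perm -001 \) -print)
    [ -z "$loose" ]
}

# Print one line per file and return the number of over-permissive files.
audit_secrets() {
    findings=0
    for f in "$@"; do
        rc=0
        is_owner_only "$f" || rc=$?
        case $rc in
            0) echo "ok        $f" ;;
            2) echo "missing   $f" ;;
            *) echo "TOO OPEN  $f"; findings=$((findings + 1)) ;;
        esac
    done
    return "$findings"
}

# Run the audit only when asked to: sh audit-secrets.sh audit
if [ "${1:-}" = "audit" ]; then
    audit_secrets "$CA_KEY" "$TOKEN"
fi
```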

4. Zenarmor Deployment in Bridge Mode

Before you can begin using Zenarmor SWG, you will have to complete the initial configuration wizard by adding your node to the Zenconsole. To add your pfSense® Software firewall to the Zenconsole and to deploy Zenarmor as a Secure Web Gateway on your node, you may follow the instructions below:

  1. Log in to https://sunnyvalley.cloud.

  2. Navigate to Firewalls > My Firewalls.

  3. Click on the pfSense® Software firewall icon on the left sidebar.

  4. Type a descriptive name in the Node name field, like Zenarmor HQ SWG.

  5. You may select SQLite(local) in the Reporting database dropdown menu.

  6. Select Bridge Mode (L2 Mode, Reporting and Blocking) with netmap driver in the Deployment Mode option.

  7. You may leave the Number of devices behind this firewall as default or select the appropriate value for your infrastructure.

  8. Set security zone to lan for your LAN interface, vtnet2 in our example.

  9. Set security zone to wan for your WANBridge interface, vtnet3 in our example.

  10. Select lan and wan security zone interfaces to be protected by Zenarmor SWG.

Figure 21. Adding Zenarmor SWG to Zenconsole

  11. Click on the Add Firewall button at the end of the page. This will send the configuration to the node.

After your firewall is added to the Zenconsole, you can manage and view it easily from anywhere around the world by signing in to the Zenconsole.

Figure 22. Zenarmor SWG Dashboard

5. Zenarmor Policy Configuration

Now, you have completed Zenarmor Secure Web Gateway deployment on your pfSense® Software firewall. You may quickly define Zenarmor policies to protect your users from web-based attacks and apply your organization's regulations.

Figure 23. Zenarmor SWG Policy Configuration on Zenconsole