Zenconsole Registration & Initial Configuration of Gateways
After deploying Zenarmor® firewall as a gateway on your routing platform (except OPNsense), you must complete the following two main steps:
- Register your gateway node to the Zenconsole (Zenarmor® Cloud Central Management Portal)
- Complete the initial configuration.
If you are using an OPNsense firewall, Zenconsole registration and configuration are optional.
Registering Firewall to the Zenconsole
After installing the Zenarmor package in your system, it is necessary to register the system to Zenconsole so that you can enjoy the central cloud management capability.
For OPNsense, this step is optional, since the Zenarmor OPNsense package has an integrated management UI.
- You can either create a new account for the portal or Sign in with Google to the portal. Sign up for a new account from the Cloud Central Management Portal if you have not done so already.
IMPORTANT NOTE: If you've signed up with Google Authentication and did not create a Zenconsole password, you still need to create a password, since Google Authentication is not available during the cloud registration stage. See the Cloud Portal Authentication & Password Management Guide for more information about Cloud Portal authentication.
Your Zenconsole authentication credentials are used for registration.
- Run the following command as root or as a user with sudo privileges on your system.
Cloud Registration:
    sudo zenarmorctl cloud register
This command will prompt you to enter your Zenconsole username and password:
Figure 1: Registering to the Zenconsole (Cloud Central Management Portal)
Enter your information here and registration will be completed.
WARNING: If you encounter a Zenconsole registration problem, you must ensure that the pop-up blocker in your browser is not enabled.
If a pop-up blocker is enabled in your browser, you cannot register your OPNsense node to Zenconsole, because it blocks your OPNsense node from being associated with your Zenconsole account via the browser.
You should disable the pop-up blocker.
Initial Configuration of a Firewall for Zenconsole
After installing the Zenarmor packages in your system and registering it to Zenconsole (Zenarmor Cloud Central Management Portal), the initial configuration steps explained below must be completed.
This configuration is necessary to connect your inspection agent to the Zenconsole so that you can start managing it through the central management interface.
- Sign in to the Zenconsole.
Figure 2: Zenconsole Sign In/Up Page
- Click on the Firewalls tab in the Main Menu of the account dashboard page. This will open the firewall configuration page in a new browser tab. To add the firewall to the cloud portal, provide the required information about the node on this configuration page.
Figure 3. Accessing the Firewalls Page from Account Dashboard.
- First, set a name for the firewall by filling in the Node name field.
Figure 4. Adding a Firewall
- Select the Reporting database type from the Reporting database drop-down menu. It should be left as SQLite (local) or Elasticsearch (remote). The local Elasticsearch database is not supported on non-OPNsense systems. For OPNsense platforms, you can select the local Elasticsearch database option during installation, and it is installed automatically by the Zenarmor Web UI Installation Wizard.
NOTE: The remote Elasticsearch database does not necessarily need to be outside the system you're installing Zenarmor on; it can be on the same system. Remote in this regard means the database is not managed by the Zenarmor package.
INFO: Remote Elasticsearch database support is compatible with Elasticsearch versions 8.9.x to 8.17.1.
Figure 5. SQLite(local) Selection as Reporting Database
- If Elasticsearch is selected as a reporting database, Database URL, Database Username and Database Password fields should be filled in with the values used by your system.
IMPORTANT: Zenarmor requires unrestricted full access to the Database.
Figure 6. Remote Elasticsearch Selection as Reporting Database
- Select the Deployment Mode depending on your topology and requirements. If you see only Passive Mode (Reporting Only) and the Routed Modes are not enabled in the Deployment mode drop-down menu, the netmap kernel module is not loaded on your system. Some advanced capabilities like Filtering, QoS, and TLS Inspection are only available with this deployment mode.
PREREQUISITE: Before selecting netmap driver deployment options, make sure that hardware offloading is disabled on your node, since the hardware offloading feature is incompatible with netmap.
If you have a Linux-based firewall, you may also select Routed mode with Linux NFQ driver. To be able to use the netmap driver on your Linux firewall, you must install and load the netmap kernel modules.
If you have a network bridge interface on your firewall, you may select the Bridge Mode deployment option as well. This experimental deployment mode allows you to deploy Zenarmor like an Inline Web Secure Gateway.
Figure 7. Deployment Mode Selection
- On Linux systems, Zenarmor automatically creates firewall rules for you by default. It also includes the ability to use user-defined iptables rules, providing customization options for network configuration. To define your own iptables ruleset you may uncheck the Automatically create firewall rules option.
Figure 8. Creating Firewall Rules on Linux Systems Automatically
- Zenarmor has a setting to make CPU pinning optional, giving you more flexibility in how you configure your system for optimal performance. By default, Zenarmor is pinned to a dedicated core in order to prevent CPU context-switching overhead. If the process wanders between CPU cores, CPU cache misses occur, which has a negative impact on performance.
You may disable this setting depending on your requirements by clicking on the Do not pin engine packet processors to dedicated CPU cores option.
- Zenarmor supports up to 1000 concurrent users on an everyday PC. You can set your Zenarmor deployment size by selecting one of the options in the Number of devices behind this firewall drop-down menu.
You may see detailed information about suggested hardware on the Zenarmor Hardware Requirements page.
Figure 9. Setting Zenarmor Deployment Size on Zenconsole
- Select the interfaces that you want to be protected by the engine.
Figure 10. Protected Interface(s) Selection
BEST PRACTICE: As a best practice, it is advised to select the physical parent interface, such as igb0, instead of VLAN interfaces for protection. This will enable Zenarmor to inspect all subinterfaces of the physical interface, including the VLAN interfaces.
Beware that if you select both VLAN interfaces and their parent interfaces, this will result in unnecessary duplication of effort in packet processing and reporting.
IMPORTANT: If you have Suricata on your node, you must select the LAN interface. Click for more information about running Zenarmor along with Suricata.
- Click the Set Security Zone drop-down menu to assign a tag for the interface. You may set a custom security zone name or select one of the options available, such as dmz, lan, guest, wifi or wan.
Figure 11. Setting Custom Security Zone
CAUTION: Ensure that the security zone tags are properly specified for each protected interface. Misconfiguring the interface tag might lead to issues with filtering and reporting. For instance, if you assign the LAN tag to your WAN interface, public IP addresses on the Internet that your internal clients connect to will be seen as local devices. This might cause the device identification function to produce meaningless results.
- Click on the Add Firewall button at the end of the page. This will send the configuration to the node. If all is well, the following pop-up message appears at the bottom right corner of the page.
Figure 12. Message indicating that your firewall is successfully added.
By adding a firewall you agree to the Terms of Service and EULA.
After your firewall is added to the Zenconsole, you can manage and view it easily from anywhere around the world by signing in to the Zenconsole (Zenarmor Cloud Central Management Portal).
Figure 13. Zenconsole Firewall Dashboard
We advise you to read the Best Practices for Zenarmor Deployment Guide before configuring Zenarmor policies on your network.
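Two constraints from the configuration steps above can be checked from a shell before the node is added: the remote Elasticsearch version window (8.9.x to 8.17.1) and the requirement that hardware offloading is off before a netmap mode is selected. The script below is an added example, not part of Zenarmor or zenarmorctl; it assumes a Linux node with ethtool, the list of offload features it watches is an assumption (the page does not enumerate them), and the function names and sample inputs are constructed for illustration.

```shell
# Added example, not Zenarmor code: preflight checks for two constraints above.
# 1) Remote Elasticsearch must be 8.9.x to 8.17.1 (window taken from the page).
# Extract version.number from the JSON body Elasticsearch returns for GET /.
es_version_from_json() {
    tr -d '\n' | sed -n 's/.*"version"[[:space:]]*:[[:space:]]*{[^}]*"number"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# "8.17.1" -> 8017001, so versions compare as plain integers.
ver_key() { echo "$1" | awk -F. '{ printf "%d%03d%03d\n", $1, $2, $3 }'; }

# Returns 0 inside the window, 1 outside it, 2 if the string is not a version.
es_version_supported() {
    case "$1" in [0-9]*.[0-9]*.[0-9]*) ;; *) return 2 ;; esac
    k=$(ver_key "$1")
    [ "$k" -ge "$(ver_key 8.9.0)" ] && [ "$k" -le "$(ver_key 8.17.1)" ]
}

# 2) Hardware offloads must be off before a netmap mode is selected.
# The feature list is an assumption; the page does not enumerate offloads.
OFFLOADS='rx-checksumming tx-checksumming tcp-segmentation-offload generic-segmentation-offload generic-receive-offload large-receive-offload rx-vlan-offload tx-vlan-offload'

# Read `ethtool -k IFACE` text on stdin; print watched features that are "on".
enabled_offloads() {
    awk -v want="$OFFLOADS" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) watch[w[i]] = 1 }
        { name = $1; sub(/:$/, "", name); if ((name in watch) && $2 == "on") print name }'
}

# Constructed samples so the script runs offline.
sample_es_root() { cat <<'EOF'
{ "name" : "es-node-1",
  "version" : { "number" : "8.12.2", "lucene_version" : "9.9.2",
                "minimum_wire_compatibility_version" : "7.17.0" },
  "tagline" : "You Know, for Search" }
EOF
}
sample_ethtool() { cat <<'EOF'
Features for eth0:
rx-checksumming: on
    tx-checksum-ipv4: off [fixed]
tcp-segmentation-offload: on
generic-segmentation-offload: off
generic-receive-offload: on
large-receive-offload: off [fixed]
EOF
}

v=$(sample_es_root | es_version_from_json)
if es_version_supported "$v"; then echo "Elasticsearch $v: supported"; else echo "Elasticsearch $v: outside 8.9.x-8.17.1"; fi
echo "offloads still enabled:"; sample_ethtool | enabled_offloads | sed 's/^/  /'
```

On a live node the same functions take the output of `curl -fsS -u USER https://HOST:9200/` and `ethtool -k IFACE` as input, where USER, HOST and IFACE are placeholders.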
Hands-on Video
Here is a video that will guide you through the steps of the registration and initial configuration process for BSD-based and Linux-based systems: