Gateway Provisioning
After successfully installing Zenarmor using the one-time installation script on your system, you must complete the gateway provisioning process on Zenconsole by proceeding with the gateway integration wizard.
When you log in to Zenconsole, the dashboard is displayed. If the installation is completed successfully, your newly added gateway appears under Pending Gateways in the left-hand navigation panel.
Figure 1. Pending Gateway in Zenconsole
To complete the gateway provisioning process, follow the steps below.
- Open your browser and navigate to Zenconsole.
- Enter your username and password.
- After logging in, locate your newly added gateway under Pending Gateways in the left-hand navigation panel.
Figure 2. Pending Gateway in Zenconsole
- After selecting the gateway, the Gateway Integration Wizard opens and starts with the Name step. In this step, you define how your gateway will be identified in Zenconsole.
- Gateway Name: Enter a descriptive name for your gateway. This name will be displayed on the dashboard. You can customize it if needed.
- Gateway Slug: A unique identifier automatically generated based on the gateway name. It must be unique within your organization and can be customized if needed.
Note: For the first gateway added to an organization, the gateway name and slug are automatically assigned during installation, and this step may be skipped. For subsequent gateways, the Name step will be displayed, allowing you to customize these values.
Figure 3. Gateway Integration Wizard - Name
- Click Next to proceed.
- In the Database selection step, you configure how logs and reports will be stored. SQLite and Elasticsearch databases are available options. By default, the Use the default settings option is enabled, and SQLite (local) is selected. No additional configuration is required. This option stores logs directly on the gateway and is recommended for most deployments.
Figure 4. Gateway Integration Wizard - Database
- If you need a more scalable or centralized reporting solution, you can disable the Use the default settings option and switch to Elasticsearch (remote). In this case, you must provide the database connection details, including the database URL, username, and password. Ensure that the database is accessible and properly configured, as Zenarmor requires full access to operate correctly.
NOTE: The remote Elasticsearch database does not necessarily need to be outside the system you're installing Zenarmor on; it can be on the same system. Remote in this regard means the database is not managed by the Zenarmor package.
Info: Remote Elasticsearch database support is compatible with Elasticsearch versions 8.9.x to 8.17.1.
Figure 5. Elasticsearch Remote Database Configuration Fields
NOTE: Zenarmor also provides a local Elasticsearch database (ECS) option for the OPNsense platform. However, the one-time installation script does not support installing a local Elasticsearch database (ECS). If you want to use a local Elasticsearch instance on your OPNsense node, you can switch from the default SQLite database by following the steps in the Change Reporting Database guide.
- Click Next.
- In the Interfaces settings step, you configure how Zenarmor will inspect and control network traffic. By default, the recommended deployment mode is selected, and suitable interfaces (typically the LAN interface) are pre-configured. This setup is sufficient for most deployments and requires no additional changes.
Prerequisite: Before selecting netmap driver deployment options, make sure that hardware offloading is disabled on your node, because the hardware offloading feature is incompatible with netmap.
Figure 6. Interface Selection Screen with Default Settings Enabled
You can customize the deployment mode and interfaces by following the next steps:
a. Disable the Use the default settings option.
b. Select the Deployment mode that you want. The available deployment modes may vary depending on the platform. For example, Linux-based systems can provide NFQ-based options, while platforms like OPNsense typically use netmap-based modes.
Note: If you only see Passive Mode and Routed Mode is not available, it indicates that the netmap kernel module is not enabled on your system. Advanced features such as filtering, QoS, and TLS inspection require netmap support.
If you are using a Linux-based gateway, you may also see additional deployment options such as Routed Mode with Linux NFQ driver. These options are only available on Linux systems.
To be able to use netmap-based deployment modes on your Linux gateway, you must install and load netmap kernel modules.
Figure 7. Deployment Mode Options in Gateway Integration Wizard
Note: Before selecting the netmap driver deployment options, make sure that hardware offloading is disabled on your node, because the hardware offloading feature is incompatible with netmap.
c. Under Please choose interfaces to protect, select the interface(s) you want Zenarmor to protect. In most cases, the LAN interface should be selected to ensure client traffic is inspected.
If needed, you can enable Show WAN interfaces to display WAN interfaces, or click Refresh Interfaces to reload the available network interfaces.
Best Practice: As a best practice, it is advised to select the physical parent interface instead of VLAN interfaces for protection. This will enable Zenarmor to inspect all subinterfaces of the physical interface, including the VLAN interfaces.
Beware that if you select both VLAN interfaces and their parent interfaces, this will result in unnecessary duplication of effort in packet processing and reporting.
IMPORTANT: If you have Suricata on your node, you must select the LAN interface. For more information, see the documentation about running Zenarmor along with Suricata.
d. Click the Set Security Zone drop-down menu to assign a tag for the interface. You may set a custom security zone name or select one of the options available, such as dmz, guest, wifi, or wan.
Figure 8. Security Zone Assignment for Selected Interface
Ensure that the security zone tags are properly specified for each protected interface. Misconfiguring the interface tag might lead to issues with filtering and reporting. For instance, if you assign the LAN tag to your WAN interface, public IP addresses on the Internet that your internal clients connect to will be seen as local devices. As a result, the device identification function might produce results that are not meaningful.
- Click Next to proceed to the final step.
- Click the Finish button to apply your settings and complete the integration of the gateway with your organization.
Figure 9. Final Step – Completing Gateway Integration
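Before choosing Elasticsearch (remote) in the Database step, you can confirm that the target node falls in the supported range given above (8.9.x to 8.17.1). The script below is an added example, not part of Zenarmor or its installer; it treats 8.9.0 as the lower bound, and `ES_URL` and `ES_USER` are placeholders.

```sh
#!/bin/sh
# Added example, not Zenarmor code: pre-check a remote Elasticsearch version
# against the range stated on this page (8.9.x to 8.17.1).

# es_version: read the JSON body of "GET /" on stdin, print version.number.
es_version() {
    tr -d '\n' |
        sed -n 's/.*"number"[[:space:]]*:[[:space:]]*"\([0-9][0-9.]*\)".*/\1/p'
}

# ver_key X.Y.Z: print one integer so that versions compare numerically.
# A plain string compare would wrongly rank 8.10.2 below 8.9.0.
ver_key() {
    echo "$1" | awk -F. '{ printf "%d\n", $1 * 1000000 + $2 * 1000 + $3 }'
}

# es_supported VERSION: status 0 when 8.9.0 <= VERSION <= 8.17.1,
# 1 when outside the range, 2 when VERSION is empty or not dotted digits.
es_supported() {
    case "$1" in '' | *[!0-9.]*) return 2 ;; esac
    k=$(ver_key "$1")
    [ "$k" -ge "$(ver_key 8.9.0)" ] && [ "$k" -le "$(ver_key 8.17.1)" ]
}

# Constructed sample of the JSON an Elasticsearch node returns for "GET /".
SAMPLE='{
  "name" : "es-node-1",
  "version" : {
    "number" : "8.10.2",
    "lucene_version" : "9.7.0"
  },
  "tagline" : "You Know, for Search"
}'

v=$(printf '%s\n' "$SAMPLE" | es_version)
if es_supported "$v"; then
    echo "Elasticsearch $v is within 8.9.x to 8.17.1"
else
    echo "Elasticsearch ${v:-unknown} is outside 8.9.x to 8.17.1"
fi
# Live check (ES_URL and ES_USER are placeholders for your own values):
#   curl -s -u "$ES_USER" "$ES_URL" | es_version
```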
Once the setup is completed, the gateway will appear on the Global Deployments page in Zenconsole, allowing you to manage and monitor it from anywhere around the world.
We advise you to read the Best Practices for Zenarmor Deployment Guide before configuring Zenarmor policies on your network.
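For the hardware offloading prerequisite of the netmap deployment modes on a Linux gateway, the following added example (not Zenarmor code) parses `ethtool -k` output and prints the `ethtool -K` command that turns off the offloads still enabled. The list of watched features is an assumption, and features the driver marks `[fixed]` are reported but left out of the command because they cannot be changed.

```sh
#!/bin/sh
# Added example, not Zenarmor code. Reads `ethtool -k <iface>` output on stdin.
# The watched feature list is an assumption; adjust it for your NIC and driver.

# ethtool -k feature names mapped to the short flags accepted by ethtool -K.
OFFLOAD_MAP='rx-checksumming=rx tx-checksumming=tx tcp-segmentation-offload=tso generic-segmentation-offload=gso generic-receive-offload=gro large-receive-offload=lro rx-vlan-offload=rxvlan tx-vlan-offload=txvlan'

# enabled_offloads: print "<short-flag> <changeable|fixed>" for each watched
# feature that is currently "on".
enabled_offloads() {
    awk -v map="$OFFLOAD_MAP" '
        BEGIN {
            n = split(map, m, " ")
            for (i = 1; i <= n; i++) { split(m[i], kv, "="); flag[kv[1]] = kv[2] }
        }
        {
            # Lines look like "generic-receive-offload: on" or "...: off [fixed]".
            name = $1; sub(/:$/, "", name)
            if ((name in flag) && $2 == "on")
                print flag[name], ($3 == "[fixed]" ? "fixed" : "changeable")
        }'
}

# offload_fix_cmd IFACE: print the ethtool -K command that turns off every
# changeable offload still enabled; print nothing when there is none.
offload_fix_cmd() {
    flags=$(enabled_offloads | awk '$2 == "changeable" { printf " %s off", $1 }')
    [ -n "$flags" ] && printf 'ethtool -K %s%s\n' "$1" "$flags"
    return 0
}

# Constructed sample of `ethtool -k eth1` output, for an offline run.
SAMPLE='Features for eth1:
rx-checksumming: on
tx-checksumming: off
scatter-gather: on
tcp-segmentation-offload: on
generic-segmentation-offload: off
generic-receive-offload: on
large-receive-offload: off [fixed]
rx-vlan-offload: on [fixed]'

printf '%s\n' "$SAMPLE" | offload_fix_cmd eth1
# On a live Linux gateway: ethtool -k eth1 | offload_fix_cmd eth1
```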